Security

Don’t let the bast**ds in

Hardly a day goes by without a warning or headline about scams. Employee frauds, push payment, or errant suppliers short-changing customers, the level of activity is rising, despite the actions of authorities to stamp out the problem.

Print is not without its own frauds.

Back in April 2020, Printweek reported on Sarah Cockburn, an account manager for Glasgow printing company, James McVicar Printers, between January 2013 and July 2019. During that time, she used the company’s systems to make 799 payments totalling £239,207 to bank accounts in her name. 

Cockburn was only caught after an investigation by the company into a missing British Gas payment of £28,000. As a result of the loss, the company had to sell its main printing press and freeze salaries. Some staff left the company as a result and could not be replaced at the time. Owner James McVicar had to invest £70,000 from his private pension and premium bonds and released £60,000 in capital from another company he owned to support the business.

A lot of focus recently has been on fraudulent activity committed against individuals. In its November 2022 report, Fighting Fraud: Breaking the Chain, the House of Lords Fraud Act 2006 and Digital Fraud Committee said that, in the previous 13-month period, 89% of fraud victims were individuals rather than organisations or businesses. 

But having said that, Andrew Northage, a partner in the Regulatory & Compliance team at Walker Morris still considers fraud to be a significant threat in corporate environments. He cites the UK findings of PwC’s Global Economic Crime Survey 2022 which “showed that 64% of businesses had experienced fraud, corruption or other economic/financial crime in the previous two years, up quite significantly from 56% in 2020”.

He also refers to BDO’s recent FraudTrack 2023 report, which notes that the total monetary value of reported fraud in the UK in 2021 – £10bn – was skewed by cases around government Covid-19 support schemes. And a recently published National Audit Office report, Tackling fraud and corruption against government, said that the government’s annual reports and accounts estimate fraud against the taxpayer rose from £5.5bn in total over the two years before the pandemic to £21bn in total over the two years since the start of the pandemic. He says that “HMRC expects to have recovered only £1.1bn by the time it winds down its Taxpayer Protection Taskforce”. Further, Northage details that the Insolvency Service announced mid-April that 459 directors were disqualified in 2022-23 for abusing the Bounce Back Loan Scheme. 

David Kearns, managing director of Expert Investigations, considers fraud to be prevalent across all business sectors: “In 23 years of investigating employee dishonesty it’s affected all sectors, including manufacturing, services sector, professional services, utilities, transport and logistics, healthcare, etc.”

He adds that, according to the Association of Certified Fraud Examiners’ (ACFE) Report to the Nations 2022, a worldwide report based on asset misappropriation fraud, “we do not know how prevalent fraud is as so much is undiscovered, unreported and so not investigated.”

For Northage, the pressures of the economic climate on both businesses and individuals, combined with factors such as the increasingly rapid rise of digitisation and the move to more remote working patterns, continue to provide internal and external fraudsters with the motivation and opportunities to commit fraud against corporates.

And Kearns agrees. He sees new technologies such as artificial intelligence making the commission of fraud easier, more targeted, and more convincing to unsuspected victims. He feel, however, that “the current economic crisis may well encourage those struggling to commit fraud, but as yet there is no evidence to support this”. That said, his private view is that “employees may turn to fraud to assist in them continuing their material-based lifestyle during the financially difficult time as they do not wish to make personal sacrifices themselves”.

A question of opportunity

The opportunities for committing fraud in a corporate environment depend to a large extent on where the areas of weakness are in structures and defences.

For Northage, typical frauds include cybercrime, business impersonation fraud, supplier/supply chain fraud, mortgage fraud, employee fraud such as payroll fraud and false accounting, and money laundering. He adds: “The increasingly rapid rise of digitisation has facilitated fraud across borders and can make it difficult to trace perpetrators.”

Another area of concern for Northage is the rise of ‘greenwashing’, the practice of making exaggerated claims about an organisation’s environmental credentials and the sustainability of its products, services, and environmental impact. Most wouldn’t think of this as out and out fraud, but it is and as he says, “with the focus very firmly on companies’ compliance with ESG requirements, this is certainly an area to watch”.

And then there are the risks that follow on from the move to remote working patterns; this has affected the value of typical fraud prevention and detection measures “if,” as Northage comments, “they haven’t been updated to reflect the change in working practices post-pandemic”.

It shouldn’t be forgotten that fraudsters have become ever-more sophisticated in recent years. Firms, reckons Northage, can be considered ‘at fault’ if they don’t put in place robust processes. He’s bothered that “not all companies have the necessary controls in place to effectively manage fraudulent activity from outside and from within”.

Interestingly, Kearns refers to the ACFE report’s findings and says that “the latest report shows in 29% of cases there was a lack of control measures and in 20% of cases control measures were overridden – literally half of victims made themselves the victim”. These figures, he says, have been consistent over the past 20 years.

Indeed, he sees the majority of employee-related frauds following on from an employee identifying an opportunity to commit a fraud. This may be because, as he puts it, “there may be no control systems in place that prevent the fraud or those in place are not adequate and the employee simply overrides them”.

He expands on this and notes that current and previous ACFE reports have found that “where more than one employee is involved in a fraud it takes longer to identity the matter and the median loss is higher than an employee acting alone”. He continues: “The majority of frauds I see are simplistic in their nature and could have simply been prevented. Whilst systems are introduced and technology evolves there still remains an opportunity for an observant employee to identify the weaknesses in control measures.”

Discovery

The worrying part of fraud is that the majority aren’t ever discovered – at all. PwC’s Global Economic Crime and Fraud Survey 2022 noted that “51% of surveyed organisations say they experienced fraud in the past two years, the highest level in our 20 years of research”. But what of the other 49%? Are they really trouble-free?

Here Northage says that fraud “is typically [discovered] through the measures that businesses have in place as part of their internal controls – not necessarily related to fraud detection – such as audits, and also as a result of whistleblowing”. He adds, “generally, the larger and more sophisticated the company, the greater the awareness and scrutiny”.

Kearns backs Northage’s assertion and suggests that 42% of cases are in fact discovered by tip off with a third of those coming from employees. His key advice? “Do not ignore a tip from a supplier, vendor, subcontractor, neighbour or elsewhere.”

Another cause for concern for Kearns is the small firm. He says that “there can be more vulnerabilities in a small privately run business as it may not have resources to address potential attack risks.” He therefore advises businesses of any size to work from the ‘broad and general to the specific’. He considers it “negligent to believe ‘it will not happen to us’, ‘all of our staff are honest’, ‘we are a family business’. Over 23 years I have heard this on a weekly basis only for a business to become a victim of employee dishonesty and fraud.”

A typical fraudster and fraud?

When asked about a typical fraudster and fraud, Northage focuses on internal or employee fraud. He prefers not to talk about a ‘typical’ fraudster as “even the most diligent employee can become a fraudster if the conditions are right”. Instead, he says that “there are certain indicators that companies can look out for, based on the ‘fraud triangle’ of opportunity, motive or pressure (including from a third party) and justification or rationalisation.”

Similarly, Kearns says that fraudsters don’t carry swag bags and neither do they wear a Zorro mask or striped top: “The ACFE report, based on 2110 cases from 113 countries, does not give any insight into the makeup of a fraudster or dishonest employee – there is no typical fraudster or dishonest employee”.

But for Northage, senior staff or those subject to less managerial or other oversight, and/or those with access to the company’s financial systems or key assets, are more likely to fall within the higher risk category, together with disgruntled employees or those working their notice period. He says: “Behaviours to look out for include personal or financial problems or unusual spending habits, being secretive about their work, working long hours and/or not taking holidays, paying more attention than usual to a particular company customer or supplier, and becoming aggressive when challenged.”

Fundamentally, Kearns believes that managers and directors need to understand the risk and the mindset of a potential offender and then build a process and strategy to lower the risk.

Devastating impact

There’s no way to sugar coat this. Fraud can be devastating for companies, and in some cases can lead to insolvency.

Aside from financial losses caused by the fraud itself, Northage says that “the most damaging consequence tends to be the reputational damage caused to the company and the loss of trust of customers and third parties that it deals with. And if the fraud was committed by a senior employee, that can exacerbate the damage”.

On top of that there’s the effect on staff morale and the significant time and costs involved in investigating and dealing with the incident and hiring new staff. Business owners can be faced with no other option than to either let go of staff or invest their own money to keep the business afloat – as was the case with James McVicar Printers.

As to organisations that have failed, famous examples include Polly Peck (1990), BCCI (1991), Maxwell Communication Corporation (1992), Worldcom (2002), Bernard L. Madoff Investment Securities (2008), Patisserie Valerie (2018) and Wirecard (2020). There are more, but each of these was typified by the activities of senior management abusing systems.

Of course, the impact of a fraud will vary according to the size of a business, its financial strength, the industry sector. Even so, Kearns has witnessed cases in which charities have seen significant falls in donations – and one even closed.

It shouldn’t be forgotten that senior management risk criminal sanction for their (in)activity in this sphere. Indeed, Northage explains that “depending on the nature and circumstances of the fraud and the extent of the director’s involvement in it, they could face regulatory investigations, disqualification, imprisonment, fines, claims brought by the victim or victims of the fraud, shareholder action... The list goes on.”

And to prove the point, Asil Nadir (Polly Peck) went to prison for 12 years, Bernie Ebbers (Worldcom) for 25 years in 2005, and Sam Bankman-Fried (FTX) faces 115 years in prison if convicted of all eight counts that include multiple types of fraud – he’s on a $250m bond release.

It should be said, as Northage highlights, that as part of a package of proposed audit and corporate governance reforms, “there are plans to introduce a requirement for directors to make a statement on the steps they’ve taken to prevent and detect material fraud”. Further, in an additional attempt to crack down, the government has also very recently announced plans to introduce a new ‘failure to prevent fraud’ offence for large organisations. Northage says: “This will make organisations liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation didn’t have reasonable fraud prevention procedures in place.”

Ultimately…

At the end of the day, as Kearns comments, “prevention is better than cure as it can be very difficult to prove dishonesty once it has occurred”. But what worries him is that businesses do not seem to have the appetite to gather evidence and prosecute; many deal with the matter internally and move the problem on.

Both Northage and Kearns advocate proactivity, the reduction of risk, and the education of staff – in particular – that fraud will not be tolerated and will be pursued by the law. Add to this an action plan for the unthinkable and firms will put in place the best possible defence. 


What firms need to do to protect themselves

Andrew Northage of Walker Morris provides his top tips:

  1. Have robust fraud prevention and detection measures in place, to protect against the risk of both internal and external fraud.
  2. Have a clear strategy for the steps that will be taken if things do go wrong. This should be reviewed and updated regularly.
  3. Think about the business and look for high-risk areas and vulnerabilities before producing an anti-fraud and whistleblowing policy. This must be clearly and regularly communicated to employees, who should be given regular training including what the consequences of committing fraud will be.
  4. Carry out thorough background checks when hiring new employees and consider introducing periodic checks and appropriate ongoing monitoring of all employees. Make sure the process for departing employees is managed too. Show employees that fraud is taken seriously, from the top down.
  5. Think about the controls and checks and balances that need to be in place (keeping in mind remote working patterns).
  6. Separate sensitive duties and financial and other authorisation procedures and have a clear supervisory structure (including for management and other senior staff).
  7. Deploy systems to identify unusual behaviour or transactions. Apply this to those the firm does business with too - and carry out appropriate due diligence checks. 
  8. The culture of the business and the controls put in place should be designed to prevent the conditions that lead to employees committing fraud – don’t provide them with the opportunity, motive, or justification. Regularly test controls – don’t leave it until something goes wrong. 
  9. If an incident occurs, activate the well-practised fraud response strategy - act promptly. Involve the necessary people internally and externally immediately a fraud is discovered. Communicate appropriately with the necessary authorities, customers, third parties, employees, and the media to minimise the impact and provide reassurance. Analyse what went wrong and review and update policies and procedures accordingly.