By Kurt Rothmann, Senior Partner, Financial Lines Group at JLT Specialty
Companies are often not doing enough to protect themselves from a fraud epidemic that costs businesses millions a year.
Last year fraudulent employees cost British businesses at least £40m, according to a survey by ActionFraud, and cases have risen steadily over the last decade, according to fraud prevention body Cifas. The true extent is thought to be far greater: crime surveys in England and Wales show incidents of fraud are substantially higher than official reporting. These figures should make businesses alive to the dangers they face.
Dealing with employee fraud
Although employee fraud is relatively common, many companies are reluctant to put measures into place that could prevent it from happening. The most common form of this fraud is theft of cash, yet companies simply do not want to believe that their employees are capable of fraud. This means they are reluctant to cover the risk of such an event happening.
The claim that this reluctance reflects a general organisational weakness seems to be borne out by research conducted by the Association of Certified Fraud Examiners (ACFE), which found that the most prominent organisational weakness was a lack of internal controls. This is then compounded by the fairly modest uptake of crime insurance cover. This is an indictment of business security in general. Essentially, organisations are leaving themselves exposed and vulnerable to losses that go straight to the bottom line. With the ever-changing nature of fraud risk, the level of exposure can be substantial.
Fraud, fraud and more fraud
Another threat that organisations face is a growth in third-party fraud. Solicitors are seeing a particular surge in what is called social engineering fraud. Social engineering is a broad term that refers to the scams used by criminals to trick, deceive and manipulate their victims into giving out confidential information and funds.
A good example is ‘Friday afternoon fraud’. With many property transactions being completed on Fridays, the fraudster will either phone up or email the solicitors’ offices pretending to be a party involved in a transaction, and persuade the employee to send funds to a different account. Weak internal controls mean these requests can be overlooked in the Friday afternoon rush, leading to a loss. QBE found 150 successful cases of this type of fraud amongst UK law firms in the 18 months before the first quarter of 2016, costing £85 million, with ten times as many failed attempts.
Avoiding this can be as simple as seeking independent verification before changes are authorised. No matter how much the purported vendor or supplier stresses that the change is urgent and must be made immediately, performing these checks is essential.
There is also the increasingly popular ‘Fake President’ scenario, where a fraudster will contact the senior finance officer pretending to be the CEO, and request an immediate transfer of funds under the pretence of a secret urgent deal. In a scam that cost both the chief executive and the chief financial officer their jobs, Austrian aerospace manufacturer FACC lost €50 million in 2016.
However, even though checks and levels of sign-off for payments are important in these situations, they are not sufficient on their own. When a CFO is targeted, they will pressure those underneath them to authorise urgent payments. Verifying this initial contact to confirm the identity of the person requesting payment is vital. This can be as simple as insisting on calling the person back on a number not supplied in the call. This may sometimes be embarrassing, but it is a relatively straightforward approach that may prevent a career-ending mistake.
There is also the traditional threat of first-party fraud, which can include employees charging their company for fake invoices or ghost employees, diverting payments from legitimate invoices into another account, or workers taking bribes from suppliers to allow them to overcharge or award contracts.
These frauds can increasingly be prevented or discovered internally through proper use of audit functions or IT systems related to payments.
If a company suffers a major social engineering or fraud loss against which it isn’t properly protected, concerns may be raised about the directors’ management of the company, its internal controls and procedures, and its broader risk management strategies. Shareholders and other affected parties can hold the directors accountable for not having fulfilled their duties in this regard. This secondary exposure is something boards and directors should take seriously, as ultimately they could be held liable and exposed to the costs of defending against litigation or dealing with an investigation.
With these risks uncovered, risk management and constant vigilance must be at the forefront of every director’s thoughts. They must ensure they have robust controls and systems in place to make sure they are able to monitor and react to their risk in real time. Good due diligence is also important. As technology becomes ever more sophisticated, so too does the way fraud is conducted. The expectations placed upon directors and the ever-increasing regulatory burden mean there is no excuse to not be prepared for any event.
One final piece of this risk management should be to consider crime insurance protection as a last line of defence if the fraudster manages to bypass all other preventative measures.