Yinka Saunders was not the most obvious of fraudsters. The 24-year-old law graduate was earning £29,500 in her role as a trainee tax consultant at professional services firm PricewaterhouseCoopers. Unfortunately, she had an ‘expensive boyfriend’, whose credit card debts led her to steal £34,000 over ten months from her employer, by submitting false taxi and train expenses.
Following her prosecution at the Old Bailey last month, a repentant and tearful Saunders was sentenced to six months in prison. Her former colleagues were said to be stunned by her crime, which has ended a promising career.
Similar stories appear in the media with depressing frequency, but they represent only the tip of the iceberg. A survey commissioned this year by risk consultancy Kroll, and conducted by the Economist Intelligence Unit, found that four out of five companies had suffered some form of corporate fraud in the past three years.
A trail of deceit
Admittedly, research on this topic gives only a partial picture, but the few indicators we have point in the same direction. KPMG issues its Fraud Barometer every six months, recording the number of frauds coming to court with a value of more than £100,000. The value of such crimes from January to June this year was almost £500 million, representing annualised growth of 29 per cent over the past four years.
What comes as more of a surprise is how much of this fraud is perpetrated by insiders like Saunders. In Kroll’s survey, the most frequently cited reason for increased exposure to fraud was high staff turnover – which surpassed complex IT arrangements, entry into new markets and increased collaboration between firms.
‘The trouble is, most directors of businesses don’t focus on employee fraud,’ says Andrew Durant, managing director of consultancy firm Navigant. ‘You tend to trust the people you work with, and it’s psychologically much easier to focus on someone you don’t know – an outsider – as the problem.’
Durant is prepared to stick his neck out when it comes to estimating how much fraud is perpetrated by, or with the assistance of, insiders: ‘I’d say 90 per cent. To commit fraud you need trust and you need knowledge, and you get that from being inside the business.’
If Durant’s right, the current obsession with cybermafia and teenage hackers from Eastern Europe could be missing the mark. Those are real risks, but employee fraud is far more likely to happen to your business.
None of this would come as a surprise to Rebecca Maniatt, whose recruitment business Tyman was unlucky enough to be hit twice by fraud. The first time, her business credit card was cloned, and £2,000 was stolen from a cashpoint. Fortunately, her bank restored the money within three weeks.
The second time the business could have been seriously compromised. ‘It was with an employee who had been with us three or four months,’ Maniatt explains. ‘I caught her copying three databases and uploading them on to her email. I didn’t do anything straight away; I just went on the system and found out what was going on. When she came in next morning, I had a meeting with her and we parted company.’
The most puzzling aspect of the incident for Maniatt was the woman’s reaction. ‘She admitted it immediately,’ she states. ‘She didn’t feel it was a big issue.’
According to Durant, guidelines about what’s acceptable from an employee should be made clear as soon as possible. ‘In some of the cases we investigate, the excuse is: “I didn’t know it was wrong,”’ he states. ‘You need a strong code of conduct which says this is right, this is wrong and these are the consequences. Otherwise people will make up their own minds.’
Maniatt’s experience chimes with that of corporate fraud investigator Anne Green. Now with information services group Experian, she has been fighting corporate fraud for over 14 years. Green was previously a private investigator covering everything from industrial accidents to divorce cases. She says there are three groups of people who are most likely to commit fraud, the first being younger employees.
‘Often, these young and naïve employees don’t fully appreciate the consequences of their actions,’ says Green. ‘They commit fraud for friends, family or criminal gangs – sometimes for nothing, sometimes for money or other rewards. Some even do it for love.’
The second class of fraudster is the ‘inside man’, who is ‘planted to learn the secrets of the company’, claims Green. ‘It’s something you read about in old spy novels, but it does happen,’ she says.
Thirdly, there is the senior manager participating in more costly and complicated frauds that might involve procurement, mergers and acquisitions, or insider trading.
As with any investigation into a crime, it’s important to enquire into motives, and it’s something most fraud investigators have a view on. Durant says he has seen a change in the motives for employee fraud over his career.
‘Until about 12 years ago, I found the motivations for fraud were divorce, gambling, drugs, paying school fees – basically, financial need,’ says Durant, adding that looking for signs of financial strain could help identify suspects. ‘I’d now say that 60 per cent of frauds result from pure greed.’
Other reasons include dissatisfaction with an employer, exemplified by a case Green recalls. ‘It started when the man who committed the fraud went to ask for a pay rise and they said no,’ she says. ‘That’s not a reason to commit fraud, but he became disgruntled and it all stemmed from that.
‘His boss travelled a lot and left him with a book of blank cheques so he could pay suppliers. He realised that nobody ever checked the content of bank statements, only the balance.’
The fraudster embezzled £2 million over 15 years. ‘It should have come to an end when the company brought in dual accounting controls,’ says Green. ‘But he decided he would be the dual control – both parts of it.’
Green’s anecdote points to another obvious but often overlooked fact: it is in a company’s finance function that fraud is most likely to occur. Research from KPMG suggests that 42 per cent of fraudsters work in, or are responsible for finance.
Barry Schofield, a former police investigator who started his own business, Investigator, in 1994, identifies another category of employee-turned-fraudster: the would-be business rival.
‘Some people want to set up in competition and make more money – cut out the middleman, as it were,’ he explains. ‘What they tend to do is download data from the company to a CD or memory stick, then take that home to start their own business in competition with what they are already doing.’
Such fraudsters may resign their position immediately, says Schofield, but more often they will continue their day job to give them an escape route in case their own venture collapses. He adds: ‘They commonly set up their operation at arm’s length with the help of a friend or business associate, or maybe even an existing competitor. They will then jump ship at a time when their business can support them comfortably.’
Clearly, whatever form employee fraud takes, prevention is better than the cure – and that starts with recruitment. According to Experian, 28 per cent of the CVs it checks for its clients contain inaccuracies, while two per cent are ‘pure fiction’. For Green, verifying the information on CVs not only exposes the budding fraudster, but also blows the cover of the professional ‘inside man’, since he is often obliged to fake his qualifications and experience to secure a job.
The second line of defence lies in strong internal controls. This includes making your expectations clear to staff and warning them of the consequences of non-compliance, as Durant mentions. It also means letting them know exactly what controls are in place, says Green. ‘Controls should be overt, like a speed camera,’ she states. The controls themselves can range from segregation of duties in sensitive areas, like accounting, to limiting access to valuable information, depending on where the business is most exposed to risk.
Keeping information safe
The rise of the knowledge economy means that information is of more value to fraudsters than ever before. This could be anything from intellectual property (IP) to client lists or pricing information, as Experian’s Ann Green explains.
‘Typically, a car hire business would concentrate all of its security around the cars,’ she says. ‘But all of its customers fill in a form, and the forms themselves have a value to a criminal. Companies have to realise that information is a commodity, the same as cash in the till.’
Navigant’s Andrew Durant agrees. ‘IP theft has really taken off in the past two years. A lot of it is in digital format, which makes it very portable and easy to steal, whether on a flash drive, an iPod or camera, or by emailing it to themselves.’
Again, the danger is more likely to come from inside the organisation. According to a survey from PwC, former employees and their partners committed 28 per cent of information security attacks, while current employees accounted for a further 33 per cent.
Fortunately, a few common sense measures can limit risk, as the Government has learned to its cost in recent months. Durant advocates restricting access to data on a ‘need-only’ basis, blocking the use of portable devices and webmail, and checking the computers of departing staff for evidence of copying or stealing.