To Stay Secure, Think Like a Fraudster

The longer a fraudster has been at a school, the larger the losses and the less likely he or she will be suspected. Knowing what motivates fraudsters can supplement internal controls in mitigating risk.

Jul 15, 2019

From the July/August 2019 Net Assets Magazine.

https://s3.amazonaws.com/higherlogicdownload/NBOA/UploadedImages/e9dVY7iTTAG9XVbpqDmw_Think%20Like%20a%20Fraudster.jpg

By John Buckley, AAFCPAs

Take the case of one private secondary school, where the business officer was accused of cutting checks worth more than $50,000 to pay for personal travel expenditures. He entered the transactions into the school record as payments for school travel. Because the hotels and airlines were the same companies the school used for professional development, fundraising visits and its annual gala, the misappropriation was difficult to detect. No one thought to suspect the employee. The culprit made other personal purchases to upgrade his lifestyle and even bought gifts for another school employee. Eventually pleading guilty, the business officer repaid the nearly $100,000 he had embezzled, while the business office made changes to its segregation of duties to prevent something similar from happening again.

Fraud and corruption are no less likely to occur in educational settings than in any other sector. The “Varsity Blues” scandal that broke earlier this year, in which wealthy parents and corrupt college counselors and administrators collaborated to admit unqualified students to top institutions, is a prime example. Schools must have measures in place for both prevention and detection.

One way to minimize exposure to fraud is to think like a fraudster. Internal controls are crucial, but they do not guarantee security. All it takes is one person perceived as trustworthy to develop his or her own agenda, and cracks in the system will grow.

For example, a seemingly secure expense process can rely on separating roles: one person requests a check for a vendor, another processes it, a third signs the check, and yet another mails it. When a well-established member of the staff, however, insists special circumstances require him or her to handle more of that chain, colleagues might be inclined to defer. That alone can open the door to fraud.

The reality is that when employees decide to defraud their employers, they are usually committed to following through. When you start thinking like a fraudster, you can quickly see that there are weaknesses to exploit.

The Slow Approach

Often, a fraudster’s endeavor can be summed up by the convergence of three points of the “fraud triangle”: pressure, opportunity and rationalization.

Fraudsters are not necessarily thinking about opportunities when they first settle into a new role. In fact, the factors that motivate them take time to develop. They may resent how they are treated in comparison to others; for example, they may be unhappy about their financial package or status in the organization. Outside the organization, they may have come under financial pressure. Once that pressure builds, they can seek out opportunities and rationalize their dishonest actions. They know the cracks in the system, and they believe they deserve more, regardless of ethics or the damage they may cause to their employer.

Fraudsters often share traits that fuel their behavior. They can be arrogant and greedy, likely to self-promote their accomplishments and lack empathy. They may also be focused, driven and very sharp — it takes a high level of mental agility to pull off fraud. Of course, not all employees with these characteristics are guilty of fraud, but the right combination of qualities will support their schemes. In fact, 85 percent of fraudsters display at least one of these behavioral red flags, according to the 2018 Report to the Nations by the Association of Certified Fraud Examiners (ACFE).

Fraudsters are likely to put in extra effort to appear friendly, hardworking and go out of their way to be perceived as a valuable member of the organization.

To make the most of the opportunity, fraudsters need to establish trust among colleagues and the institution. They are likely to put in extra effort to appear friendly, hardworking and go out of their way to be perceived as a valuable member of the organization.

When their reputation is credible, it becomes much easier for fraudsters to capitalize on the goodwill of those around them. That may be why patience benefits those committing fraud. It takes time to understand the system and create the relationships that will lead to success. Consider that most frauds run over a substantial period — 16 months is the median — and those employees who are most established do the most damage, according to the ACFE report.

While the majority of fraud cases are perpetrated by those with one to five years in the organization, the median losses from those cases is about $100,000, according to the report. But those with six to 10 years of tenure inflict a median loss of $173,000, and above 10 years the damage goes up to a median of $241,000. The more secure and senior, the more trust and access a fraudster enjoys.

Favorite Schemes

A fraudster’s endeavor may begin with the simple realization that he or she can succeed. The fraudster sees patterns in the process, sees where the opportunities are and how he or she can hide fraudulent actions. With the right approach to concealing fraud, schemes can range from limited campaigns to complex initiatives that involve multiple parties.

Modest, straightforward schemes may feel safer and more justifiable. For example, a camp director at an independent school found that credit card refunds were not given a close look; the director embezzled thousands of dollars by charging fake refunds back to his own credit card over the course of a summer season.

When colleagues start working together, things get more complicated, and the scale of fraud can increase significantly. The median loss when fraudsters collude is $339,000 — more than four times greater than the median loss from a single perpetrator, according to the ACFE Report.

Consider how damages piled up in a recent vendor collusion case. A facilities manager had authority to both select and pay contractors for a window replacement project across a school campus. The manager conspired with multiple vendors in a bid-rigging scheme, which awarded vendors with lucrative subcontracts in exchange for kickbacks to the facilities manager. The manager also mixed in a fake vendor, establishing her own shell company to “win” part of the bid and funnel a portion of the budget directly to her own account.

Scaring a Fraudster

Unlikely to halt fraudulent behavior on their own, fraudsters’ fear of being caught is their biggest deterrent.

Most cases of fraud end when damage is discovered, even if cases are not reported. Unlikely to halt fraudulent behavior on their own, fraudsters’ fear of being caught is their biggest deterrent. This means that thinking like a fraudster is crucial, but it does not replace having strong controls. Good processes provide a structure so that you know where to look and can piece together a fraudster’s trail.

Email is a good place to set controls. At one school, someone outside the school community intercepted an email conversation between the school and a contractor. The school didn’t notice that the familiar email address had just one additional letter tucked into it. The fraudster pretended to be the contractor and told the school that he was having trouble with his bank and would the school please send payment to a different bank with a different routing number. The email recipient was astute enough to call the contractor and check on this, so a crisis was averted. But the school now has a policy of either calling and speaking to anyone making a payment change request or meeting with him or her in person to verify the information.

The controls you use should be preventative — in place at the beginning of a process to stop fraud before it happens — and detective, which allow you to find a perpetrator quickly afterward. For example, having two signers on checks is preventative; reconciling bank statements is detective.

Good internal controls should be implemented and observed, not just put in writing as a way to “check the box.” Schools must consistently follow and adhere to these procedures, and they should not deviate or make exceptions without considering the consequences. And they have to be modeled by those at the top of your organization, who should behave ethically and follow procedure. Doing so will create a culture of compliance that can make fraud more apparent during routine operations.

To minimize risk, remember the fraud triangle. Be aware that pressure, opportunity and rationalization may lead colleagues who are perceived as steadfast down the wrong path.

John Buckley, CPA, CGMA, is a partner and leader of AAFCPAs’ Education Division.

Download a PDF of this article.



​​​