When a company is hit by fraud, more often than not, it’s an inside job. A typical internal fraudster’s traits may or may not be spotted by the trained eye: previous offenses, a gambling addiction, financial problems, the list goes on. But the unwitting accomplice is an equally dangerous threat to any business, as illustrated by a trend in some of Kroll’s most recent fraud reports.
A Recipe for Corporate Fraud
Kroll has seen several particularly effective types of fraud, perpetrated by unsuspecting employees who are simply trying to go the extra mile for their boss. These individuals are usually trustworthy people, keen to impress their CEO and, most importantly, they usually work for foreign subsidiaries of international companies. They’ve never been to the head office; for them it’s just a glossy image on the website. As for the CEO and the CFO, the closest they’ve come to them is reading their profile on the Internet, or hearing them speak on a webcast, often in a language that’s not their mother tongue.
In these cases, the deception begins when the employee receives a call, out of the blue, from somebody senior at the head office. To them, the voice at the end of the line belongs to someone very important who, until now, has never given them the time of day. Suddenly, they’re taking them into their confidence, asking for help with a matter so important, so confidential, that it needs to be kept away from HQ, hence why they’re being contacted.
It might be an acquisition, a tax issue, a deal, an asset purchase; whatever the reason, it’s urgent and the circle of knowledge must be kept tight. All the unwitting employee needs to do is make a couple of wire transfers, which will be returned within a few days. A lawyer will be in touch with the details, but the transaction is so confidential at this stage, it is best if communications are kept off the company IT network. If the employee could just provide their private email address, the wire instructions will be sent through straight away by a lawyer.
And so it starts. The long-serving, diligent employee feels honored and trusted by the senior manager to assist in executing a business-critical transaction. Of course they’re nervous and unsure, but they also have a growing feeling of self-importance. Innocently, and totally out of character, they wire hundreds of thousands of Euros to accounts in foreign countries: Cyprus, China, Hong Kong, Dubai, somewhere far afield and, most importantly, outside their jurisdiction. These are typically significant sums, but not normally enough to raise alarm bells, or fall outside daily banking transfer limits. With barely even a thought, the employee bypasses their own controls, because they are being told to do so and they believe it’s in the interests of the company.
During the course of a few days, maybe a week, the employee is subject to constant pressure; a barrage of calls to their mobile and work numbers from the “CEO”, at all hours of the day and night. Can they send confirmation of the transfer? Has it gone through? Are they sure? They’ll receive further instructions shortly for the next payment. Constant thanks and appreciation for all that they’re doing for the company. He’ll make sure he personally thanks them when he’s next in town. And so it continues. The second transfer request is always for much more, and is sent, again to a foreign account.
Eventually, the burden becomes too much, and the employee tells their immediate boss, to seek reassurance. At this point, it quickly becomes clear to the mortified employee that the person on the end of the phone was not the CEO but a member of an organized criminal network, who has been specifically targeting them and their peers as part of a fraud.
At the point that Kroll is called in to investigate, the main objectives are to recover the cash or assets lost and help the company work out who was involved. The victim’s colleagues are incredulous that the victim could have been so naïve and behaved so out of character.
Recoveries are often possible, if a company acts quickly and obtains the right civil orders in time to freeze the funds. But the fraudsters are clever. They know that the involvement of multiple jurisdictions will complicate matters and reduce the effectiveness of the local legal system. The civil orders often provide information as to the beneficiaries of the accounts which, when investigated, will typically link back to known criminal networks.
So What Can Corporations Do to Protect Themselves?
Controls are only effective if your employees feel empowered to question authority without recourse. But there’s a wider and more concerning point that Kroll has identified.
Before contacting the employee, the fake CEOs – the fraudsters – were able to glean enough information from a few simple Google searches and pretext calls to reception and other staff, to drop in some well thought out comments and reassure the employee that they were genuine.
Knowledge of who their direct reports were, mobile numbers, working hours, even banking relationships and who was on holiday. How? From the company’s website, by connecting endless LinkedIn profiles of employees who diligently set out their responsibilities, and from innocent comments made by unwitting personal assistants and receptionists.
These cases not only highlight the need for rigorous internal controls and regular training but also stress the importance of protecting sensitive information about your company and employees. Such information may seem perfectly harmless in isolation, but when pieced together, it can create an all-too-realistic illusion that tempts even your most loyal and conscientious staff to unwittingly expose your company to fraud.
A version of this article was originally featured in Global Banking and Finance Review, March 2013.