Over the years we have come across many financial frauds, some sophisticated, some simple. The common factor is that there was always a victim, whether a corporate entity or an individual. Here is a look at some of the different types we have seen.
We are giving you these case studies to highlight how easy it can be to fall for one of these frauds. At the end of the day, good segregation of duties and systems and controls can reduce the risk of fraud at the corporate level, and good vigilance and scepticism can limit the risk of falling for frauds targeted at individuals.
This was a fraud perpetrated on a large corporate retail entity. The finance director (FD) at this entity received a call from the bank to say that they had intercepted one of the entity’s cheques and had deemed it to be a fake. When asked why they thought it was a fake, the bank said “it was printed on the wrong paper”.
The cheque in question had the correct cheque number sequence on it (in fact the actual cheque number was still in the cheque book unused) and the signature was a good attempt at matching the FD’s signature.
In short, someone (either internally at the client or at a supplier) had noted the current cheque number sequence, added a few numbers on in the sequence, printed a cheque on a home computer and passed it off as a genuine cheque from the entity.
The client was very lucky to have caught this, as banks check only a small proportion of the cheques that they process.
Retail vouchers redeemable at numerous outlets can be a source of fraud risk. At this client, one of the employees in charge of receiving vouchers back from stores, reconciling them and destroying them was found to have been stealing over £70,000 worth of these vouchers for personal use. She tried to cover the theft by adjusting balances in the nominal ledger to hide the inconsistencies between what the stores reported and what head office processed.
An improvement in systems and segregation of duties was put in place following this case.
Many examples of till fraud exist, but in this case the cashier was receiving cash takings from customers and, rather than putting the cash in the drawer, she pocketed it and then processed a “returns credit” or “cancelled sale” on the till to show that the sale had been reversed and not transacted.
This fraud was eventually picked up by a review of margins at the client, which showed when these thefts started, as there was a distinct drop in gross margins recorded in the store.
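The reversal pattern described above can also be looked for directly in the till journal instead of waiting for it to show up in margins. The following is an added example, not part of the original case or any system the client used; the journal layout, the event type names and the thresholds are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample till journal (assumed layout):
# (timestamp, cashier id, event type, tender, amount in pence)
JOURNAL = [
    ("2024-03-01 09:02", "C01", "SALE", "CASH", 1999),
    ("2024-03-01 09:04", "C01", "CANCELLED_SALE", "CASH", 1999),
    ("2024-03-01 09:10", "C02", "SALE", "CASH", 500),
    ("2024-03-01 09:15", "C01", "SALE", "CASH", 4500),
    ("2024-03-01 09:18", "C01", "RETURNS_CREDIT", "CASH", 4500),
    ("2024-03-01 09:30", "C02", "SALE", "CARD", 4500),
    ("2024-03-01 09:40", "C01", "SALE", "CASH", 1250),
    ("2024-03-01 10:05", "C02", "SALE", "CASH", 2999),
    ("2024-03-01 10:07", "C02", "CANCELLED_SALE", "CASH", 2999),
    ("2024-03-01 11:00", "C01", "SALE", "CASH", 3000),
    ("2024-03-01 11:06", "C01", "RETURNS_CREDIT", "CASH", 3000),
    ("2024-03-01 14:00", "C02", "RETURNS_CREDIT", "CASH", 500),
]
REVERSALS = {"RETURNS_CREDIT", "CANCELLED_SALE"}  # assumed event names

def quick_cash_reversals(journal, window_minutes=10):
    """Cash reversals that undo a same-amount cash sale by the same cashier within the window."""
    window = timedelta(minutes=window_minutes)
    open_sales = defaultdict(list)  # (cashier, amount) -> unmatched sale times
    hits = []
    for ts, cashier, kind, tender, amount in sorted(journal, key=lambda r: r[0]):
        if tender != "CASH":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        key = (cashier, amount)
        if kind == "SALE":
            open_sales[key].append(when)
        elif kind in REVERSALS:
            recent = [s for s in open_sales[key] if when - s <= window]
            if recent:  # consume the latest matching sale so it pairs only once
                open_sales[key].remove(recent[-1])
                hits.append((cashier, ts, amount))
    return hits

def flag_cashiers(journal, min_hits=3, max_ratio=0.10):
    """Cashiers whose quick reversals exceed both an absolute count and a share of cash sales."""
    cash_sales, hits = defaultdict(int), defaultdict(int)
    for _, cashier, kind, tender, _ in journal:
        cash_sales[cashier] += kind == "SALE" and tender == "CASH"
    for cashier, _, _ in quick_cash_reversals(journal):
        hits[cashier] += 1
    return {c: n for c, n in hits.items()
            if n >= min_hits and n / cash_sales[c] > max_ratio}
```

A flagged cashier is a prompt for review rather than proof: genuine cancellations happen, which is why the check requires both a minimum count and a minimum share of that cashier's cash sales.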
Payroll starters and leavers
Payroll is one of those high-risk areas for any business. One of the key focus points is on controlling starters and leavers. Segregation of duties and clear systems should reduce the risk in this area, but ask yourself:
· Do you know all of the names on your payroll and do you know they all still work for you?
· Who has control of adding or removing personnel from the payroll system?
· Who has control of adding or changing bank details for personnel on the payroll?
Website – ID Theft
This case was a sophisticated ID theft – not from an individual but from a corporate entity. And not just a corporate entity but one that was actually listed on a public exchange.
In this case the FD was alerted to a problem when he grew increasingly suspicious of the number of IT equipment related invoices he was receiving at head office chasing for payment.
Long story short, the perpetrators in this case had completely mirrored the business’s website and had it live on the internet with an address just a few digits different to the genuine one. In fact it was a “.org” rather than a “.com”. What the perpetrators then did was to file at Companies House a paper form changing the registered address of the business. The new address was later found to be a lock-up in the NE, well away from the company’s actual head office.
The perpetrators had then embarked on a purchasing spree for IT equipment on credit by referencing the well-known name of the client and pointing suppliers to the fake website, which showed the head office as the lock-up. When some of these suppliers started chasing for payment, they found the genuine website (knowingly or otherwise), which is why the FD started to receive invoices for payment.
Needless to say the lock-up in the NE was empty with no sign of the goods or the perpetrators.
It is now possible to set up Companies House such that they do not accept paper copies of any form, with everything done through the online filing codes. This should make it harder for someone to change company details without the knowledge of management.
We couldn’t finish without a nod to the email scams that we all receive.
Now most of you and the team here at Deans Forensics will probably spot most of these email scams from a mile away, many of which are poorly worded etc.
However, we have just come away from the UK200 Annual Conference where one of the speakers was a lady who described herself as a Social Engineer. Nothing to do with social media, if that is what you are thinking. In fact, what she does as a job is to infiltrate businesses either physically or digitally (all done under engagement from the executives at the said business to test their robustness to an actual attack).
We came away from this talk both impressed with what she and her team do and really concerned by the ease with which they achieved their goal. Even management teams who knew they were going to be attacked by her still fell for the attack.
A classic example of digital infiltration was a management team who had been told by the owner that they were going to be digitally attacked at some point. This would therefore have heightened the suspicion levels of these execs and you would think they would spot a scam easily.
Well they didn’t. They all fell for it.
As an example of what the sophisticated scammers can do, one of the execs at this business was found to be on social media. From that, the social engineers found that she had a dog, and found out the name of the dog and where they lived and walked. From that, they worked out where the most likely vet practice was.
That exec was caught because she received an email from “her vet” telling her that her dog by the name of “x” was due his annual check-up and that she needed to book this in. On seeing this email thumbnail containing this personal data, she clicked on the email to open it up to read. In so doing she triggered a little spyware bot that was hidden in the email, and she was caught.
Remember, not all email scams are the general phishing attacks that originate in Nigeria etc. Some are very personalised, sophisticated and clever.