Prevent and detect insider cyberattacks

In one recent cybercrime scheme, a mortgage company employee accessed his employer’s records without authorization, then used stolen customer lists to start his own mortgage business. The perpetrator hacked the protected records by sending an email containing malware to a coworker.

This particular dishonest worker was caught. But your company may not be so lucky. One of your employees’ cybercrime schemes could end in financial losses or competitive disadvantages due to corporate espionage. 

Best practices

Why would trusted employees steal from the hand that feeds them? They could be working for a competitor or seeking revenge for perceived wrongs. Sometimes coercion by a third party or the need to pay gambling or addiction-related debts comes into play.

Although there are no guarantees that you’ll be able to foil every hacking scheme, your business can minimize the risk of insider theft by implementing several best practices: 

Restrict IT use. Your IT personnel should take proactive measures to restrict or monitor employee use of email accounts, websites, peer-to-peer networking, Instant Messaging protocols and File Transfer Protocol.

Remove access. When employees leave the company, immediately remove them from all access lists and ask them to return their means of access to secure accounts. Provide them with copies of any signed confidentiality agreements as a reminder of their legal responsibilities for maintaining data confidentiality.

Don’t neglect physical assets. Some data thefts occur the old-fashioned way — with employees absconding with materials after hours or while no one is looking. Typically, a crooked employee will print or photocopy documents and remove them from the workplace hidden in a briefcase or bag. Some dishonest employees remove files from cabinets, desks or other storage locations. Controls such as locks, surveillance cameras and restrictions to access can help prevent and deter theft.

Treat workers well. Create a positive work environment and treat employees fairly and with respect. This can encourage loyalty and trust, thereby minimizing potential motives for employee theft.

Wireless risk 

In addition to the previously named threats, your office’s wireless communication networks — including Wi-Fi, Bluetooth and cellular — can increase fraud risk. Fraud perpetrators can, for example, use mobile devices to gain access to sensitive information. One way to deter such activities is to restrict Wi-Fi to employees with special passwords or biometric access.

For more tips on preventing employee-originated cybercrime, or if you suspect a fraud scheme is underway, contact us for help.

© 2020 Covenant CPA

For most retailers, this is the most profitable season of the year. However, customer returns in January can cut deeply into December revenues — particularly if the returns are fraudulent. U.S. retailers suffer annual losses of $18.4 billion from fraudulent returns, according to data analytics company Appriss and the National Retail Federation (NRF). And as antifraud technology company Signifyd has found, the pandemic is encouraging higher retail return rates — as much as 80% higher than before COVID-19 hit. Such a shift is likely to mean even more fraud.

Old dog, new tricks

Return fraud isn’t new. Dishonest customers have long “returned” items they stole or purchased elsewhere for less to stores willing to issue full cash refunds. But growth in online sales has magnified return fraud risk for retailers. The NRF reports that 38% of retailers have observed an increase in the number of buy online, return in-store transactions. And of these retailers, 29% reported an increase in fraudulent returns.

However, retailers that allow shipped returns face even greater risk of losses. In one common scheme, customers buy expensive items, then ship back cheap knockoffs or random objects that approximate the size and weight of the original merchandise. If a retailer issues a refund before its employees open and inspect the returned item, the business probably will end up out-of-pocket.

Entire networks dedicated to return fraud have sprung up on the Web. Many offer to help consumers profit off real purchases by making phony returns. In times of financial insecurity, such siren calls may convince ordinarily honest people to become fraud perpetrators. 

How to act

It’s critical that you use up-to-date return and inventory management systems designed to prevent fraud and shrinkage. But perhaps the most important way to fight return fraud is with a formal merchandise return policy that specifies:

  • A timeframe for returns — for example, 30 or 60 days from the purchase,
  • Any required documentation, such as the original receipt,
  • Whether returns are eligible for a cash refund or only store credit,
  • Whether the return must include the original packaging,
  • Whether returns must be made in person, even if merchandise was purchased online,
  • The condition of the returned goods (most retailers prefer “as new” or “as sold”),
  • What customer information you need, such as address and phone number, and
  • A reason for the return.

You may only want to accept returns if the merchandise is defective. But of course, many customers expect flexible return policies and may take their business elsewhere if yours is too rigid.

Post your return policy at registers, on receipts and on your website. Require that a manager approves any exception made to this return policy.

You can’t afford it

Depending on the size of your business, return fraud could cost you thousands or millions of dollars, an amount you can’t afford during this uncertain time — or anytime. Make sure your return policy is airtight and that employees consistently apply it. Contact us for help with fraud or unusual financial losses.

Most fraud-prevention guidance advises owners and managers to monitor employees. But what exactly does this mean? Are you legally entitled to monitor employee computer use? What about security cameras in the workspace? Can you search an employee’s desk if you suspect the person is hiding something? The simple answer is that to stay on the right side of the law, your business must be careful about invading employee privacy.

Their rights

Many employment laws apply to employees’ privacy rights. In general, they attempt to balance employers’ interests in minimizing losses and injuries and maximizing production with employees’ interests in being free from intrusion into their private affairs.

By adopting and clearly communicating employment policies, your company can, within limits, establish its authority to conduct searches and surveillance that might otherwise be deemed intrusive. But before you communicate your policies, check with your attorney to ensure they don’t violate any federal or state laws.

Your rights

In most cases, federal law allows employers to monitor employees’ use of company-owned electronic devices (including tracking web use) without their knowledge. But you need to have a legitimate business reason to do so—for example, to prevent losses from fraud. You’re also generally allowed to read both work-related and private employee emails if they’re accessed on work devices.

If your company clearly states a policy to monitor communications, an employee is usually considered to have consented by remaining in the job or by using electronic devices. Keep in mind that some state laws may have more restrictive consent rules.

Other surveillance

In general, you can also monitor business-related phone conversations to and from the workplace. However, you can’t monitor personal calls and must hang up as soon as it’s apparent the call isn’t work-related. There’s one exception to this rule: if the employee has given you permission to listen in.

As for camera surveillance, you’re allowed to install cameras in your company’s offices or production areas, but usually not in “private” areas such as restrooms and locker rooms. And surveillance records must be kept confidential. Only individuals who must know the information to properly perform their duties should have access to evidence of possible wrongdoing.

Physical searches require more care. If possible, you should consult with your attorney before performing a body search. When searching a worker, don’t threaten or apply physical force or restrain or otherwise prevent the employee from leaving the workplace. Aside from possible referral to law enforcement, keep any physical search results confidential to prevent leaks that could form the basis for libel or slander suits.

Threat is real

The threat of lawsuits for violating employee rights is real and such litigation can end up being very expensive. So, of course, is the risk of fraud losses. To walk this thin line, work with your attorney, and if you suspect fraud, enlist the help of a forensic accounting expert.

Americans generally feel generous during the holidays and usually are eager to donate to worthy charitable causes. At the same time, they’re so busy and rushed with holiday activities they don’t necessarily vet charities that ask for support. Fraud perpetrators masquerading as nonprofits usually find easy pickings.

Charity scammers use every available channel to defraud charitable donors — door-to-door appeals, telemarketing campaigns, email messages, slick-looking websites and even social media “friends.” To ensure your donations reach the genuinely needy, exercise healthy skepticism and take precautions.

Know your nonprofit

The best and easiest way to avoid becoming a charity scam victim is to donate only to charities you already know and trust. However, by doing this, it’s possible you could exclude new or lesser-known charities from consideration. So if you want to donate to an unknown group, ask the organization to provide as much information as possible — including its tax ID number. Then verify the charity’s status with the IRS and its activities and financials on watchdog sites such as charitynavigator.com and charitywatch.com.

Also make sure you understand how the charity intends to use your donation. This is just as true for established nonprofits. If it isn’t clear where your donation will go or if the charity’s representative seems to dodge the question, walk away.

Best practices

Here are some other tips to help you avoid becoming a charity fraud victim:

Don’t answer suspicious calls. Caller ID makes it easy to ignore calls from numbers you don’t recognize. Unfortunately, perpetrators may mask their phone numbers with the names and numbers of legitimate charities. The simple solution: Tell the caller you don’t donate money over the phone and hang up.

Ignore suspicious emails. Don’t open unfamiliar and unsolicited emails or click on any links they include.

Avoid in-person sales pitches. Place a “No Solicitors” sign at your front door to discourage con artists. If you inadvertently open the door to a stranger, inform the person that you don’t donate to charities unless they send information in the mail. Fake charities usually won’t.

Don’t bend to pressure. No matter how compelling the sales pitch, or how “urgent” the charity’s need, take time to review and research it. Tell solicitors that you’ll get back to them later. Be particularly wary about pitches in the aftermath of natural disasters and other emergencies.

Donate with credit cards. Using credit cards to make charitable donations provides a level of protection because you usually can dispute fraudulent charges. If you discover a discrepancy when reviewing monthly statements, contact the charity and your credit card company immediately. Debit cards generally offer less protection against unauthorized charges. And paper checks are easy to counterfeit.

Heinous crime

Charity fraud is a particularly heinous crime because it hurts both the charitably inclined and those in need of help. If you suspect someone is perpetrating a scheme, stay away from the fraudster and report the person to law enforcement.

Is your business vulnerable to identity theft?

According to data company Dun & Bradstreet, business identity theft increased more than 250% in the first half of 2020. You can thank the pandemic — and the government’s release of relief and recovery funds to qualified U.S. businesses — for this remarkable number. In a more typical year, crooks use stolen business identities to file fraudulent tax returns, apply for credit and empty bank accounts. However they might try to use your company’s information, there are steps you can take to reduce the risk.

Protecting sensitive information

Thieves often use malware to infect computers and gather sensitive data from businesses. They also create fake websites that trick employees into entering login and password information. To protect against these tactics, deploy patches when prompted and maintain up-to-date security software. Store all sensitive digital files such as financial statements, invoices, bank statements and aging schedules in secure, password-protected locations.

Also, secure paper documents in locked file cabinets. When you no longer need sensitive paper documents, destroy them using a cross-cutting shredder. If you need to shred a significant volume of paper, hire a reputable service to destroy documents on your premises.

Regularly review records

So that you can act on suspicious activity before it leads to financial losses and reputation damage, monitor official records and other public information. For example, keep an eye on your business credit as well as the personal credit reports of owners. Also regularly review business records and professional license information with state, county and city registrar offices.

Bank accounts deserve special attention. Reconciling bank accounts daily is your best bet. If a fraudulent transaction posts to your business’s account, you must notify your bank within a certain time period to not be liable for the transaction. Also note that criminals often use wires to move stolen money overseas and beyond the reaches of U.S. law enforcement. If you never send wires, instruct your bank to block that capability from your accounts.

Don’t forget employees

Finally, don’t forget to involve employees in your fight against business identity theft. Coach everyone from executives to rank-and-file workers about the threats facing your company and how they can do their part to ensure sensitive data doesn’t fall into the wrong hands. Contact us for help strengthening your internal controls.

Management overrides of internal controls can make your company more vulnerable to fraud. This is true even when managers have innocent intentions — for example, they don’t feel they have time to follow proper accounts payable procedures because a vendor is requesting immediate payment. Your company is at even higher risk of fraud losses if a senior manager intentionally ignores the rules to manipulate financial statements.

Warning signs

Management overrides of financial controls can be difficult to detect. However, there are several warning signs that a manager isn’t fully adhering to the policies and procedures your organization has adopted. For instance, a manager may fail to call attention to business risks or dispute an auditor’s findings regarding his or her department. A senior manager may be unwilling to discuss issues that could require financial adjustments or insist on releasing overly optimistic reports on current or future performance.

Such behavior doesn’t prove that fraud is occurring. However, it suggests that you need to improve or open new paths of communication and consider retraining managers on the importance of internal controls. If you do suspect fraud, you must be willing to investigate — regardless of whom it might implicate.

Encouraging honesty

To prevent management overrides, build a culture that encourages honesty and supports employees who speak up when they suspect something’s wrong. Think about whether your managers experience pressure that unwittingly encourages fraud. For example, if your industry has seen increased business failures, some employees may think they need to keep profits at specified levels. They might also feel stressed if their compensation depends on achieving stretch goals for cash flow or operating results.

Employees a level or two below senior managers are most likely to observe management overrides. Give them access to a confidential hotline and they’re more likely to report fraud before it seriously harms your business. And if you extend your hotline to vendors and customers, you’ll increase your chances for learning of improprieties early.

A difficult year

This year has been challenging for businesses of every size and in every sector. With many employees working from home and some companies downsizing, managers may be tempted to take short cuts they wouldn’t under ordinary circumstances. Or worse, managers with access to financial statements may feel pressure to fudge numbers to improve your company’s public profile or boost their own compensation. We can help identify flaws in your fraud-prevention program and design policies that even those bent on fraud will have trouble overriding.

Ghost stories can be good fun, particularly this time of year. Ghost employees, on the other hand, are trouble for employers. They may be just as fictional as the paranormal activities in your favorite scary book or movie, but if you have ghost employees on your payroll, you have fraud. And if you have fraud, you have potentially significant financial losses.

Anatomy of a scheme

Ghost employee schemes usually are perpetrated by employees who have easy access to payroll records. If your company’s internal controls are loose enough to be exploited, a greedy or disgruntled staffer could invent an employee, put this “person” on the payroll and direct deposit paychecks to a bank account in the ghost’s name.

It may seem like it would be easier to hide ghost employees in large companies. In fact, small businesses, where a single employee may handle all the payroll accounting, are more vulnerable. In some cases, perpetrators enlist friends or relatives to forge endorsements or deposit checks. In others, no assistance is necessary. The thief simply exploits weaknesses in the payroll system.

Look for traces

Ghost employees are just one way for dishonest employees to manipulate your payroll system. Perhaps the easiest scam to perpetrate is to overpay withholding or payroll taxes. The government sends a refund to your company, and the employee deposits it in an account in his or her name. Other methods of defrauding your payroll system include falsifying hours, increasing commission rates and filing false workers’ compensation claims.

The good news is that ghost and other payroll schemes usually leave traces. Look for:

  • Paychecks with no tax, Social Security, health insurance or retirement plan deductions,
  • Dual endorsements on paychecks, and
  • Duplicate names, addresses or Social Security numbers in payroll records.

Also scrutinize higher-than-budgeted payroll expenses, and unusual spikes in the number of payroll checks presented for payment.
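The record-level traces listed above (paychecks with no deductions, and duplicate names, addresses or Social Security numbers) can be checked automatically on every payroll run. The following is an added example, not code from the original article; the record layout, field names and sample data are constructed assumptions, and values are normalized before comparison so that "Street" versus "St." or a reformatted SSN does not hide a match.

```python
import re
from collections import defaultdict

DEDUCTION_KINDS = ("tax", "social_security", "health", "retirement")
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def _rec(emp_id, name, address, ssn, gross, tax, soc_sec, health, retirement):
    """Build one payroll record (hypothetical layout, assumed for this example)."""
    return {"emp_id": emp_id, "name": name, "address": address, "ssn": ssn, "gross": gross,
            "deductions": dict(zip(DEDUCTION_KINDS, (tax, soc_sec, health, retirement)))}


# Constructed sample payroll run; names, addresses and SSN-like values are made up.
PAYROLL = [
    _rec("E001", "Dana Reyes", "14 Elm Street, Apt 2", "900-11-0001", 4200.0, 610.0, 260.4, 180.0, 126.0),
    _rec("E002", "Luis Ortega", "7 Harbor Rd", "900-11-0002", 3900.0, 560.0, 241.8, 180.0, 117.0),
    _rec("E003", "Mia Chen", "220 Oak Avenue", "900-11-0003", 5100.0, 790.0, 316.2, 180.0, 153.0),
    _rec("E004", "Sam Porter", "14 Elm St. Apt. 2", "900-11-0004", 4000.0, 0.0, 0.0, 0.0, 0.0),
    _rec("E005", "Kara Holt", "9 Pine Rd", "900110003", 3700.0, 520.0, 229.4, 180.0, 111.0),
]


def normalize(field, value):
    """Canonical form for comparison, so formatting differences don't hide a match."""
    if field == "ssn":
        return re.sub(r"\D", "", value)  # keep digits only
    tokens = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def no_deduction_paychecks(records):
    """Employee ids whose paycheck carries none of the usual deductions."""
    return [r["emp_id"] for r in records
            if r["gross"] > 0 and not any(r["deductions"].get(k, 0) for k in DEDUCTION_KINDS)]


def duplicate_groups(records, field):
    """Groups of employee ids that share the same normalized value for `field`."""
    groups = defaultdict(list)
    for r in records:
        groups[normalize(field, r[field])].append(r["emp_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def review_payroll(records):
    """Map each flagged employee id to the reasons it needs a manual look."""
    findings = defaultdict(list)
    for emp_id in no_deduction_paychecks(records):
        findings[emp_id].append("no deductions withheld")
    for field in ("name", "address", "ssn"):
        for ids in duplicate_groups(records, field):
            for emp_id in ids:
                others = ", ".join(i for i in ids if i != emp_id)
                findings[emp_id].append(f"{field} also used by {others}")
    return dict(findings)


if __name__ == "__main__":
    for emp_id, reasons in sorted(review_payroll(PAYROLL).items()):
        print(emp_id, "->", "; ".join(reasons))
```

A flag is a prompt for manual review, not proof of fraud: family members employed by the same company legitimately share an address.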

To prevent this type of fraud, segregate your business’s payroll duties. If one employee writes checks, reconciles statements and keeps the books, that employee may be tempted to steal. Divide the duties among more than one employee. You might also consider outsourcing your payroll process. If that’s not practical, make sure your computer system is secure and that all records are password-protected and access-limited.

How we can help

Ghost employees go unnoticed in many companies because employees are trusted too much and internal controls are only haphazardly applied — if they exist at all. We can audit your internal controls and suggest improvements to prevent losses. And if you suspect a ghost employee is haunting your business, contact us immediately.

Forensic accountants are engaged for a wide variety of assignments, among them investigating fraud, auditing internal controls and quantifying damages associated with legal disputes. All of these require attention to detail and a diverse set of skills including mathematical, technological, legal and investigative. But the accounting landscape and client needs are constantly changing. Here’s how the profession has adapted to digitization in the 21st century and how it’s applying the latest technological solutions.

Embracing the digital revolution

Technology has radically changed how forensic accountants do their jobs. Businesses used to be awash in paper. Today, most companies run on a digital backbone and discourage employees from printing to save money and reduce environmental damage. Consequently, forensic accountants must be able to gather, analyze and make sense of vast amounts of electronic data.

In addition to processing company data to, for example, calculate financial ratios, build spreadsheets and determine legal damages, many experts routinely attempt to recover data that perpetrators have deliberately deleted. During an investigation, a forensic accountant might:

  • Search for and piece together deleted files,
  • Analyze suspicious user activity on company servers,
  • Identify relevant electronic files within a company’s network, and
  • View suspected perpetrators’ social media accounts.

Newer developments, such as cloud-based storage solutions and a shift from working in offices to working remotely, mean that forensic accountants now must look outside the traditional confines of a company’s IT perimeter.

Glimpse of the future

As for the future, artificial intelligence (AI) increasingly looks like it will play a significant role. Most forensic accountants must harness vast amounts of electronic data to do their jobs. Expenses associated with a forensic investigation can quickly add up.

AI and machine learning enable forensic accountants to continue to deliver cost-effective services. These tools allow experts to analyze large data sets faster and can even “make decisions” such as determining what constitutes a suspicious invoice and flagging those records. Or AI might review a set of contracts, seeking certain words or features that suggest higher risk. In general, the more records an AI system reviews over time, the more it “learns” and the higher its accuracy rate.

Other tools

Other technologies predicted to play a greater role in forensic accounting in the future include predictive analytics, blockchain, robotics and bots. But whatever tools forensic accountants use, the underlying issues — fraud and legal disputes — remain basically the same. If you or your business is grappling with these issues, contact us.

Not all shell companies are dishonest. Despite their often-sinister reputation, these paper-only companies may be used legitimately to hold another business’s assets. Or they may be the “empty container” left after a company downsizes or is acquired. That said, some fraud perpetrators use shell companies to embezzle funds, evade taxes, dodge debts and commit other illegal acts.

For many businesses, the biggest threat posed by illegitimate shell companies is that unscrupulous employees will use them to perpetrate billing fraud. Here’s how to spot a shell scheme in your midst.

Under cover

Employee-perpetrated shell company schemes take one of two forms. In the first, an employee sets up a shell company to send out — and collect on — fictitious bills. Perpetrators don’t have to send the bills for nonexistent goods and services to the company for which they work. But it’s easier, and can help them evade detection, if they do.

Consider, for example, an accounting staffer who knows that his company rarely scrutinizes invoices for less than $3,000. He applies for a “doing business as” (DBA) certificate from his state for a fictitious business and opens a business account at a local bank. Now he can bill his employer for services that cost less than $3,000 per invoice.

In the second type of scheme, an employee sets up a shell company to sell products to his or her employer at a marked-up price. Because the employee’s shell company has no overhead or expenses, the employee can pocket the proceeds.

Invoices contain clues

Shell company schemes can go undetected for a long time, particularly if the fraudsters are savvy enough to attempt to cover their tracks and don’t get too greedy. Most perpetrators, however, leave a paper trail of invoices that, when scrutinized, is suspicious.

For example, invoices may vaguely define their products or services, arrive more than once a month and show an increased number of purchases over time. Addresses are important. Fake companies usually use a post office box as a return address. But less clever (or more arrogant) thieves may use their actual home address.
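The invoice clues described above, together with the earlier $3,000 example, can be turned into a per-vendor screen over accounts payable data. This is an added example, not code from the original article; the data layout, the sample vendors and invoices, the 10% "just under the limit" band, the minimum of three invoices and the crude vagueness test are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import date

REVIEW_LIMIT = 3000.00   # the article's example: invoices under $3,000 are rarely scrutinized
NEAR_LIMIT_BAND = 0.10   # assumption: "just under" means within 10% of the limit

# Constructed sample data; vendors, addresses and amounts are made up.
VENDORS = {
    "Northgate Office Supply": "410 Industrial Pkwy, Suite 8",
    "BrightPath Consulting": "P.O. Box 1187",
    "Summit Facility Services": "52 Birch Lane",
}
EMPLOYEE_ADDRESSES = {"E117": "52 BIRCH LANE"}


def _inv(vendor, y, m, d, amount, description):
    return {"vendor": vendor, "date": date(y, m, d), "amount": amount, "description": description}


INVOICES = [
    _inv("Northgate Office Supply", 2020, 1, 15, 1840.50, "Toner cartridges x12, PO 4471"),
    _inv("Northgate Office Supply", 2020, 2, 14, 2210.00, "Copy paper 40 cases, PO 4502"),
    _inv("Northgate Office Supply", 2020, 3, 16, 6125.00, "Desks x5, PO 4533"),
    _inv("BrightPath Consulting", 2020, 1, 20, 2950.00, "Consulting services"),
    _inv("BrightPath Consulting", 2020, 2, 3, 2875.00, "Consulting"),
    _inv("BrightPath Consulting", 2020, 2, 24, 2990.00, "Professional services"),
    _inv("BrightPath Consulting", 2020, 3, 2, 2900.00, "Services rendered"),
    _inv("BrightPath Consulting", 2020, 3, 12, 2980.00, "Consulting services"),
    _inv("BrightPath Consulting", 2020, 3, 27, 2940.00, "Advisory services"),
    _inv("Summit Facility Services", 2020, 1, 10, 1200.00, "Janitorial service, January, contract 88"),
    _inv("Summit Facility Services", 2020, 2, 10, 1200.00, "Janitorial service, February, contract 88"),
]


def address_key(address):
    """Compare addresses ignoring case, spacing and punctuation."""
    return re.sub(r"[^a-z0-9]", "", address.lower())


def is_po_box(address):
    return re.search(r"\b(p\.?\s*o\.?|post\s+office)\s*box\b", address.lower()) is not None


def is_vague(description):
    """Crude assumption: no quantity, PO or contract number and three words or fewer."""
    return not re.search(r"\d", description) and len(description.split()) <= 3


def vendor_flags(name, vendors, invoices, employee_addresses):
    """Return the red flags from the article that apply to one vendor."""
    address = vendors[name]
    own = [i for i in invoices if i["vendor"] == name]
    flags = []
    if is_po_box(address):
        flags.append("po_box_address")
    if address_key(address) in {address_key(a) for a in employee_addresses.values()}:
        flags.append("matches_employee_address")
    floor = REVIEW_LIMIT * (1 - NEAR_LIMIT_BAND)
    near = [i for i in own if floor <= i["amount"] < REVIEW_LIMIT]
    if len(own) >= 3 and len(near) / len(own) >= 0.5:
        flags.append("clustered_under_review_limit")
    per_month = Counter((i["date"].year, i["date"].month) for i in own)
    counts = [per_month[m] for m in sorted(per_month)]
    if any(c > 1 for c in counts):
        flags.append("more_than_once_a_month")
    if len(counts) >= 2 and counts == sorted(counts) and counts[-1] > counts[0]:
        flags.append("rising_invoice_count")
    if own and all(is_vague(i["description"]) for i in own):
        flags.append("vague_descriptions")
    return flags


def review_vendors(vendors, invoices, employee_addresses):
    """Vendors with at least one flag, for a reviewer outside accounts payable."""
    results = {v: vendor_flags(v, vendors, invoices, employee_addresses) for v in vendors}
    return {v: f for v, f in results.items() if f}


if __name__ == "__main__":
    for vendor, flags in review_vendors(VENDORS, INVOICES, EMPLOYEE_ADDRESSES).items():
        print(vendor, "->", ", ".join(flags))
```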

Shell company scams work only if the crooked employee can pay the invoices or get the shell company authorized as a legitimate vendor. A quick credit check on a new vendor will reveal whether it has an operating history and deserves greater scrutiny. Job rotation, mandatory vacations and a strict separation of duties in critical areas, such as your accounting department, can help prevent financial losses from shell company schemes. 

Investigating suspicions

Contact us if you think an employee is committing fraud with a shell company. We can examine invoices and other records, interview suspects and witnesses, and review your internal controls to get to the bottom of any suspicions.

Forensic accountants have many tools to help them find evidence of hidden assets or fraud. But one of the most effective, particularly in divorce matters or legal disputes with former business partners, is a lifestyle analysis. This method involves developing a financial profile of a subject and then examining mismatches between the person’s known resources and lifestyle.

Financial profiling

Forensic accountants develop a financial profile of a subject by examining:

Bank deposits. The expert reconstructs the subject’s income by analyzing bank deposits, canceled checks and currency transactions, as well as accounts for cash payments from undeposited receipts and non-income cash sources, such as gifts and insurance proceeds.

Expenditures. Here, the expert analyzes the subject’s personal income sources and uses of cash during a given time period. If the person is spending more than he or she is taking in, the excess likely is unreported income.

Assets. Experts assume that unsubstantiated increases in a subject’s net worth reflect unreported income. To estimate net worth, an expert reviews bank and brokerage statements, real estate records, and loan and credit card applications.

Tracing income

Proving that a person has unreported income is one thing. Tracing that income to assets or accounts that can be used to support a legal claim or enforce a judgment is another story. To do this, forensic accountants may scrutinize the assets noted above, as well as insurance policies, court filings, employment applications, credit reports and tax returns.

Tax returns can be particularly useful because people have strong incentives to prepare accurate returns. For example, they may fear being charged with tax evasion if they lie to the IRS. As a result, tax return entries often reveal clues about assets or income that someone is otherwise attempting to conceal. Another potentially fruitful strategy is to interview people with knowledge about the subject’s finances, such as accountants, real estate agents and business partners.

Note that building a financial profile of someone other than a spouse in a divorce matter or a former business partner in a legal dispute can be challenging. In the case of occupational fraud suspects, experts may know the individual’s salary and have access to publicly available information such as real estate sale and purchase records and court filings. But they need a court’s authorization to request bank and tax records and other personal data.

Can’t fool the experts

The good news is that people who try to conceal income and assets usually can’t fool experienced fraud investigators. Contact us to conduct a lifestyle analysis.
