When the value of a stock skyrockets, its investors may think they’ve hit the jackpot. But if the stock in question is part of a “pump-and-dump” scheme, investors may, in fact, lose their shirts. Here’s how to avoid getting taken by this type of investment fraud.
A penny for your stocks
In the typical pump-and-dump scam, a fraud perpetrator buys shares in an inexpensive, relatively illiquid stock (often referred to as a “penny” stock) whose price will react dramatically when trading volume increases. Then the crook makes false or misleading statements to encourage people to sink their savings into the stock and drive up its price. When it hits a certain dollar amount, the fraudster sells, locking in short-term gains and causing the stock to crash. Investors are left with what often are worthless shares.
This summer, the FBI uncovered an international pump-and-dump scheme that netted its perpetrators $15 million in profits over a five-year period. The criminals bought millions of shares in small, thinly traded companies, then staffed call centers to hype the stocks to senior citizens. The scheme might have continued indefinitely if not for the fact that one of the crooks’ “co-conspirators” wasn’t the greedy stockbroker he claimed to be, but an undercover agent.
Hot tips, cold shoulder
As the above case suggests, investment scammers often target seniors with retirement savings to invest. Novice investors who aren’t familiar with how the stock market works are also popular marks. However, even experienced investors can get snared when offered a “hot tip.”
You can help avoid becoming a victim by following some common-sense guidelines. For example, never buy a stock based on an email or telephone solicitation, no matter how compelling the sales pitch. Simply hang up the phone or delete the message.
If you’re intrigued by the sound of an investment, do your research to determine whether the company is 1) legitimate, and 2) a good investment opportunity. Also pay attention to the stock’s trading volume. The more thinly traded a stock, the greater the potential for fraudulent manipulation.
Too good to be true
The bottom line: When an investment sounds too good to be true, it probably is. If you’d like to invest (say, for retirement or other financial goals), but don’t know how to pick stocks or build a portfolio, work with a reputable financial advisor. There are no guarantees in investing, but your advisor can help you steer clear of scams and invest only in securities that meet your criteria.
© 2019 Covenant CPA
When it comes to reducing fraud loss and duration, active detection methods (such as surprise audits or data monitoring) are far more effective than passive methods (such as confessions or notification by police). This was a major finding of the latest Association of Certified Fraud Examiners (ACFE) Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse. Yet many companies fail to use active methods to their full potential.
Active vs. passive detection
The ACFE study found that frauds detected using passive methods tend to last longer and produce larger losses than those detected by such active methods as:
- IT controls,
- Data monitoring and analysis,
- Account reconciliation,
- Internal audit,
- Surprise audits,
- Management review, and
- Document examination.
These active methods of detection can significantly lower fraud durations and losses. For example, frauds detected by IT controls had a median duration of five months and a median loss of $39,000. By comparison, fraud detected through notification by police had a median duration of 24 months and a median loss of $935,000.
Surprise audits and proactive data monitoring and analysis can be especially effective ways to fight fraud. On average, victim-organizations without these antifraud controls in place reported more than double the fraud losses, and their frauds lasted more than twice as long, as victim-organizations with these controls in place. Yet only 37% of the organizations in the ACFE study had implemented surprise audits or data monitoring and analysis.
Close-up on tips
The ACFE categorized tips — the leading fraud detection method — as “potentially active or passive,” because they may or may not involve proactive efforts designed to identify fraud. Organizations that use hotlines for reporting misconduct detected fraud by tips more often (46% of cases) than those without hotlines (30% of cases).
More than half of tips came from employees, but nearly one-third came from outside parties, such as customers and vendors. To ensure that tips are used as an active detection method, an organization should set up a hotline and promote its use among employees, supply chain partners and others. If possible, users should be able to make anonymous reports.
Don’t wait for fraud to find you
Occupational fraud poses a significant threat to organizations of every type and size. Waiting to react until fraud rears its head can result in serious financial losses. Instead, adopt active detection methods that can be deployed continually. Contact us for help.
As more people use mobile phones, more fraud perpetrators target these devices. According to Javelin Strategy & Research, between 2017 and 2018 the number of fraudulent mobile-phone accounts opened grew by 78%. Schemes in which thieves open a phone account in your name and use it to access your bank account, sign up for credit cards and gain access to personal information are only some of the recent fraud trends. Fraudsters have plenty of ways to defraud consumers through their phones.
Why they’re vulnerable
One of the reasons mobile phones are so vulnerable is that phone security hasn’t kept pace with traditional computer security. Mobile devices rarely contain comprehensive security measures, and mobile operating systems aren’t updated as frequently as those on personal computers.
Yet users routinely store a wide range of sensitive information — including contact information, emails, text messages, passwords and identification numbers — on their phones. Geolocation software can track where phones are at any time, and various apps can record personally identifiable information. Hackers can target a phone and use it to trick its owner, or the owner’s contacts, into revealing confidential information. Or phones can spread viruses to computers — a big problem for companies with “bring your own device” policies.
How thieves get in
Sometimes attackers obtain physical access to a device. More frequently, a hacker achieves virtual access by, for example, sending a phishing email that coaxes the recipient into clicking a link that installs malware.
Apps can be dangerous, too. A user might install an app that turns out to be malicious or a legitimate app with weaknesses an attacker can exploit. A user could unleash such an attack simply by running the app.
What you can do
Encryption is probably the most highly recommended defense against mobile phone fraud. When data is encrypted, it’s “scrambled” and unreadable to anyone who can’t provide a unique “key” to open it. Two-step authentication is also advisable. This approach adds a layer of authentication by calling the phone or sending a password via text message before allowing the user to log in.
Phone owners should always activate PINs or passwords, and other options such as touch ID and fingerprint sensors if available. Conversely, users should disable Bluetooth and Wi-Fi when not in use, and set Bluetooth-enabled devices to be nondiscoverable.
Also request a freeze with the National Consumer Telecom & Utilities Exchange on the credit information that’s used to open a mobile-phone account. This is a credit reporting agency fed by data supplied by phone companies, pay-TV companies, and utility service providers.
In only a decade, mobile phones have completely changed our daily lives. Unfortunately, fraud has kept pace with technology. To protect your personal information, you need to be aware of the constantly evolving threats.
Data analytics is changing the way many businesses operate. It’s also changing how forensic accountants do their jobs, providing fraud experts with the means to mine massive mounds of data like never before.
These analytical techniques are among the most efficient and effective at detecting occupational fraud:
1. Association analysis. This method can help identify suspicious relationships by quantifying the odds of a combination of data points occurring together. In other words, it calculates the likelihood that, if one data point occurs, another will, too. If the combination occurs at an atypical rate, a red flag goes up. For example, association analysis might find that a certain supervisor tends to be on duty when inventory theft occurs.
2. Outlier analysis. Outliers are data points outside the norm for a given data set. In many types of data analysis, outliers are simply disregarded, but these items come in handy for fraud detection. Experts know how to distinguish and respond to different types of outliers.
Contextual outliers are significant in certain contexts but not others. For example, a big jump in wages on a retailer’s financial statements might be notable in April but not in December — when seasonal workers come aboard.
Collective outliers are a collection of data points that aren’t outliers on their own but deviate significantly from the overall data set when considered as a whole. If, for instance, several public company executives sold off substantial blocks of stock in the business on the same day, it might signal suspicious behavior.
3. Cluster analysis. Here, experts group similar data points into a set and then further subdivide them into smaller, more homogeneous clusters. Data points within a cluster are similar to each other and dissimilar to those in other clusters. The greater the similarities within a cluster and the differences between clusters, the easier it is for an expert to develop rules that apply to one cluster but not the others.
Cluster analysis has long been used for market segmentation of consumers. But it can also detect fraud, particularly when combined with outlier analysis. Outlier clusters — those that are farthest from the nearest cluster when clusters are mapped out on a chart — generally merit extra scrutiny for suspicious activity. A fraud expert might, for example, use cluster analysis to evaluate group life insurance claims. The expert would look for clusters of large beneficiary or interest payments, or long lags between submission and payment.
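The association analysis described in item 1, worked through for the supervisor-and-inventory-theft case, as an added example that is not part of the original article. The shift log, the supervisor names and the `min_lift` and `min_losses` cut-offs are constructed assumptions.

```python
from collections import Counter

# Constructed shift log: (supervisor on duty, inventory shortage found at close).
SHIFTS = (
    [("alvarez", False)] * 18 + [("alvarez", True)] * 2
    + [("brooks", False)] * 19 + [("brooks", True)] * 1
    + [("chen", False)] * 13 + [("chen", True)] * 7
    + [("dale", True)] * 1          # a single shift: too little data to judge
)


def association_table(shifts):
    """Support, confidence and lift of 'supervisor on duty' -> 'shortage'."""
    n = len(shifts)
    on_duty = Counter(sup for sup, _ in shifts)
    with_loss = Counter(sup for sup, loss in shifts if loss)
    p_loss = sum(with_loss.values()) / n      # base rate of shortages
    table = {}
    for sup, count in on_duty.items():
        confidence = with_loss[sup] / count   # P(shortage | supervisor on duty)
        table[sup] = {
            "shifts": count,
            "losses": with_loss[sup],
            "support": with_loss[sup] / n,    # P(supervisor on duty and shortage)
            "confidence": confidence,
            # lift > 1: shortages co-occur with this supervisor more often
            # than the base rate alone would predict
            "lift": confidence / p_loss if p_loss else 0.0,
        }
    return table


def red_flags(shifts, min_lift=1.5, min_losses=3):
    """Supervisors whose lift is atypical AND rests on enough observations.

    Both cut-offs are assumed values; min_losses keeps a single unlucky
    shift from outranking a sustained pattern.
    """
    table = association_table(shifts)
    return sorted(
        sup for sup, row in table.items()
        if row["lift"] >= min_lift and row["losses"] >= min_losses
    )


if __name__ == "__main__":
    for sup, row in sorted(association_table(SHIFTS).items()):
        print(f"{sup:8} shifts={row['shifts']:2} losses={row['losses']} "
              f"lift={row['lift']:.2f}")
    print("review:", red_flags(SHIFTS))
```

A high lift is a reason to look closer, not proof: the supervisor with one shift has the highest lift in the table and is deliberately not flagged.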
High tech and old school
If you hire experts to uncover suspected fraud in your organization, don’t be surprised if they break out the data analytics tools. But they’ll also likely use some old-school methods — including interviewing employees — to find possible suspects and financial losses. Contact us to discuss at 205-345-9898 and email@example.com.
According to the Association of Certified Fraud Examiners’ Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse, organizations victimized by fraud lose a median $130,000. But construction companies, in particular, are even harder hit, with a median loss of $227,000. What can you do to protect your construction business? Adopt this checklist.
Ways to tighten controls
An effective strategy for minimizing fraud is to tighten your internal controls. Make sure the following are part of your policies and procedures:
Surprise audits and jobsite visits. These visits can not only help detect fraud, but also send a strong message that combating fraud is a priority — which is a powerful deterrent.
Segregation of duties. Avoid situations in which one person handles multiple financial or accounting tasks. For example, the person who processes cash transactions shouldn’t also prepare the company’s bank deposits.
Bank statements. Have monthly bank statements sent to you or a manager independent of the accounting function. Canceled checks should be reviewed for unfamiliar payees and forged signatures.
Purchase monitoring. Name someone other than the purchasing agent — you or an estimator, for instance — to review vendor invoices, purchase orders and other documents. Use prenumbered purchase orders. Physically check materials and supplies to ensure they correspond to what was ordered in terms of quantity and quality.
Kickbacks and bid-rigging. If your company is suddenly winning bids that you haven’t in the past and that seem like a stretch, verify that your bid processes have been followed. Sometimes employees disguise illegal activities as change orders, so be sure to scrutinize each change order.
Budget analysis. Prepare annual budgets — for your company and each job — and regularly compare actual results to budgets. Scrutinize large or unanticipated discrepancies.
Payroll practices. Have someone independent of your accounting department verify the names and pay rates on your payroll. If you don’t already, pay employees using direct deposit, rather than with checks or cash.
Vacation policy. Require full-time employees to take time off every year. Fraud is often exposed when the perpetrator isn’t there to cover it up.
These are just some of the many internal controls contractors should implement to protect their businesses. In addition to preventing and revealing fraud, solid internal controls can help avoid accounting errors, reduce waste and boost cash flow by making billing, purchasing and other processes more efficient. Contact us for more information at 205-345-9898 and firstname.lastname@example.org.
Job applicants aren’t always honest on their resumés. And if you don’t investigate suspicious claims, you might end up hiring an unqualified and unethical employee — which could lead to financial, productivity and legal liability issues. The resumé fibber might also be more likely to commit occupational fraud.
Here’s how to unearth the three most common resumé falsifications.
1. Deceptive dates
Whether to gloss over a termination, a period of job hopping or time spent out of the workforce, some job seekers “adjust” dates to make their employment history seem more consistent. Look closely at resumés that state employment dates in years, not months. Say an applicant claims she worked at her last job between 2017 and 2018. Her tenure may only have lasted two months — December 2017 until January 2018 — instead of the implied two years.
Confirm an applicant’s precise employment dates with all previous employers. Also make sure that candidates complete your entire job application, informing them that, although a resumé isn’t a legal document, a job application is. Lying on it is cause for immediate dismissal.
2. Fake degrees and shifting majors
Workers applying for a position that requires a specific degree are more likely to lie about their education than other applicants are. If a resumé lists an unfamiliar school, or coursework and years but no degree, dig deeper. A school you’ve never heard of could be a diploma mill. A resumé that simply lists Chemistry, State College, 2002, may indicate that the job seeker completed classes in that subject but didn’t actually receive a degree.
Always check applicants’ educational claims by contacting the degree-granting institution. If you’re suspicious of a school, verify its accreditation with the U.S. Department of Education.
3. Embellished titles, skills and accomplishments
Everyone tries to look their best on a resumé. Some, however, embellish their experience, titles, skill proficiencies or grade point averages with outright lies. There’s no such thing as a perfect job candidate: You may want to flag any resumé that exactly matches all of a position’s qualifications.
You should contact all personal references and speak with previous supervisors or HR staffers, not peers, to confirm titles and job responsibilities. To elicit the best information, ask open-ended questions, followed by more probing, detailed ones. But be aware that some past employers will give only limited information, such as dates of employment.
Time and money well spent
If you’re quickly checking resumés and conducting interviews, you’re less likely to separate the candidates with real potential from those sporting fake credentials. If time is scarce, outsource this process. It’s money well spent if you can save your company from public embarrassment, legal woes or financial losses due to fraud. Contact us with questions at 205-345-9898 and email@example.com.
To prevent occupational fraud from cutting into your auto dealership’s profits and generating negative publicity, you need a strong internal controls system. And effective controls start with current and accurate financial statements.
It starts in accounting
One sign of weak internal controls is an accounting department that fails to generate a balance sheet and income statement until two or more weeks after month’s end. Accounting should post transactions daily, including new and used vehicle sales, repair orders, invoice payments, payroll and cash receipts.
By 1 p.m. on any given day, you should have access to real-time checkbook balances and other accounting information effective as of 5 p.m. the day before. That way, you might be able to catch the first signs of fraud and use the data to catch the perpetrator.
Tried and true methods
Complex computer passwords, background checks and security cameras are essential to preventing fraud. But sometimes these protections fall by the wayside. Periodically review your safeguards and ensure they’re being used. For example, require employees to change their passwords quarterly, conduct regular inventory counts, engage outside CPAs to perform audits and segregate accounting duties.
As a rule of thumb, employees who record and reconcile transactions should never have access to those assets (including being a signer on bank accounts). Give the segregation of duties a starring role in your internal controls program.
Real life examples
To see how such controls can reduce losses, consider this real-life scam. A parts manager stole $70,000 by selling his employer’s parts and pocketing the cash. The loss could have been reduced if the owner had performed random inventory counts throughout the year, rather than waiting for his CPA to physically verify inventories at year end.
In another case, a dealership caught its cashier stealing by voiding service orders and falsifying deposit slips. The cashier’s responsibilities included collecting cash, issuing receipts to customers, preparing the daily deposit slip and reconciling the daily cash report. A loss of $16,000 might have been prevented if the dealership had segregated these duties.
Another dealer learned that his general manager was wholesaling used cars at a loss to the dealership because he owned a 50% interest in the wholesaler. A better pre-employment screening process might have helped detect such conflicts of interest as well as any criminal history.
We can help you bolster your dealership’s internal controls. But your involvement is essential to preventing fraud. Let employees know that you personally review bank statements, order test counts of inventory and examine adjusted journal entries. Knowing that you’re paying attention will discourage most thieves. Contact us for more at 205-345-9898 and firstname.lastname@example.org.
It’s every business owner’s nightmare. Should hackers gain access to your customers’ or employees’ sensitive data, the very reputation of your company could be compromised. And lawsuits might soon follow.
No business owner wants to think about such a crisis, yet it’s imperative that you do. Suffering a data breach without an emergency response plan leaves you vulnerable to not only the damage of the attack itself, but also the potential fallout from your own panicked decisions.
5 steps to take
A comprehensive plan generally follows five steps once a data breach occurs:
1. Call your attorney. He or she should be able to advise you on the potential legal ramifications of the incident and what you should do or not do (or say) in response. Involve your attorney in the creation of your response plan, so all this won’t come out of the blue.
2. Engage a digital forensics investigator. Contact us for help identifying a forensic investigator that you can turn to in the event of a data breach. The preliminary goal will be to answer two fundamental questions: How were the systems breached? What data did the hackers access? Once these questions have been answered, experts can evaluate the extent of the damage.
3. Fortify your IT systems. While investigative and response procedures are underway, you need to proactively prevent another breach and strengthen controls. Doing so will obviously involve changing passwords, but you may also need to add firewalls, create deeper layers of user authentication or restrict some employees from certain systems.
4. Communicate strategically. No matter the size of the company, the communications goal following a data breach is essentially the same: Provide accurate information about the incident in a reasonably timely manner that preserves the trust of customers, employees, investors, creditors and other stakeholders.
Note that “in a reasonably timely manner” doesn’t mean “immediately.” Often, it’s best to acknowledge an incident occurred but hold off on a detailed statement until you know precisely what happened and can reassure those affected that you’re taking specific measures to control the damage.
5. Activate or adjust credit and IT monitoring services. You may want to initiate an early warning system against future breaches by setting up a credit monitoring service and engaging an IT consultant to periodically check your systems for unauthorized or suspicious activity. Of course, you don’t have to wait for a breach to do these things, but you could increase their intensity or frequency following an incident.
Data breaches are an inevitable risk of running a business in today’s networked, technology-driven world. Should this nightmare become a reality, a well-conceived emergency response plan can preserve your company’s goodwill and minimize the negative impact on profitability. We can help you budget for such a plan and establish internal controls to prevent and detect fraud related to (and not related to) data breaches. Call or email us today at 205-345-9898 or email@example.com.
News of commercial database hackings may seem commonplace in 2019. But while many of these stories focus on hacked bank and credit card accounts, 401(k) plan sponsors and participants probably don’t realize that their plan assets also are at risk.
Employers who offer 401(k) plans to their employees need to take precautions against identity theft. Part of this is educating participants.
Role of sponsors
If your organization sponsors a 401(k) plan, it’s essential that you assess plan service providers’ protection systems and policies. Most providers carry cyberfraud insurance that they extend to plan participants. But there may be limits to this protection if, for example, the provider determines that you (the sponsor) or employees (participants) opened the door to a security breach.
Your plan’s documents may say that participants must adopt the provider’s recommended security practices. These could include checking account information “frequently” and reviewing correspondence from the administrator “promptly.” Make sure you and your employees understand what these terms mean — and follow them.
What participants can do
Traditionally, 401(k) plan participants have been discouraged from worrying about short-term fluctuations and volatility in their accounts, and instead encouraged to focus on the long run. However, lack of regular monitoring can make these accounts vulnerable. Instruct employees to periodically check their account balances and look for signs of unauthorized activity.
Employees also should take the same steps they follow to protect other online accounts. For example:
- Use strong passwords and change them regularly.
- Take advantage of two-factor authentication.
- Don’t use the same login ID and passwords for multiple sites.
- Don’t allow a browser to store login information.
- Never share login information.
Such precautions can foil some of the most common retirement plan thieves — relatives and friends — from using their knowledge to gain account access. In one real-life case, a plan participant divorced his wife and moved out of the house. However, he didn’t update his address with his plan provider, change his password or review his balance regularly. His ex-wife cleaned out his more than $40,000 balance.
A few clicks
Without adequate vigilance, anybody can be a few clicks away from cleaning out your employees’ 401(k) accounts. Review your plan documents carefully and educate participants about their responsibilities for monitoring their accounts. Contact us for more information on identity theft at 205-345-9898 or firstname.lastname@example.org.
It should come as no surprise that cash is the most popular target of fraud perpetrators. After all, once stolen, cash itself is virtually untraceable. But that doesn’t mean forensic accounting professionals can’t unearth cash fraud schemes — and the crooks behind them.
According to the Association of Certified Fraud Examiners, there are three main categories of cash fraud (which includes checks because they’re easily converted to cash):
- Theft of cash on hand,
- Theft of cash receipts, and
- Fraudulent disbursements.
The last category comprises many of the most frequently executed schemes, such as overbilling and “ghost” vendor or employee schemes. For example, overbilling vendors usually submit inflated invoices by overstating the price per unit or the quantity delivered. A dishonest vendor also might submit a legitimate invoice multiple times. Overbilling may involve collusion with employees of the victim organization, who typically receive kickbacks for their assistance.
Employees also can conduct billing fraud on their own, submitting bogus invoices payable to a fictitious vendor and diverting the payments to themselves. Similarly, an employee might set up payroll disbursements to nonexistent ghost employees.
Cash can be difficult to trace once it’s in the hands of a thief. But forensic experts usually are able to trace the path that stolen cash took before the fraudster pocketed it. This includes who “touched” the cash and what prompted its flow out of the organization.
Inflated invoices, for example, often leave a trail of red flags. Experts look for invoices that bill for “extra” or “special” charges with no explanation. Other suspicious signs include round dollar amounts, or amounts just below the threshold that requires management’s signoff, and discrepancies between invoice amounts and purchase orders, contracts or inventory counts.
If forensic experts suspect that fictitious billing has occurred, they often investigate accounts with no tangible deliverables — such as those for consulting, commissions and advertising — and check vendor addresses against employee addresses. Invoices with consecutive numbers or payable to post office boxes receive extra scrutiny.
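The invoice red flags listed in the two paragraphs above, expressed as screening rules over an accounts-payable export, as an added example that is not part of the original article. The field names, the $5,000 sign-off limit, the 5% "just below" band, the whole-hundreds definition of a round amount and all sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")   # assumed management sign-off limit
NEAR_BAND = Decimal("0.95")            # assumed: within 5% below the limit
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.I)
VAGUE_CHARGE = re.compile(r"\b(extra|special)\b", re.I)

# Constructed sample data.
EMPLOYEE_ADDRESSES = {"12 Elm St., Apt 4": "J. Doe (accounts payable)"}
INVOICES = [
    {"vendor": "Acme Supply", "number": 8841, "amount": "1842.17",
     "po_amount": "1842.17", "memo": "Fasteners, 40 boxes",
     "address": "900 Industrial Pkwy"},
    {"vendor": "Acme Supply", "number": 9127, "amount": "2310.40",
     "po_amount": "2100.40", "memo": "Lumber plus special handling",
     "address": "900 Industrial Pkwy"},
    {"vendor": "Northside Consulting", "number": 101, "amount": "4900.00",
     "po_amount": None, "memo": "Consulting services", "address": "PO Box 771"},
    {"vendor": "Northside Consulting", "number": 102, "amount": "4950.00",
     "po_amount": None, "memo": "Consulting services", "address": "P.O. Box 771"},
    {"vendor": "Delta Media", "number": 55, "amount": "3275.50",
     "po_amount": "3275.50", "memo": "Advertising", "address": "12 elm st apt 4"},
]


def norm_addr(addr):
    """Lower-case and strip punctuation so formatting differences don't hide a match."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def flag_invoices(invoices, employee_addresses):
    """Return {(vendor, invoice number): [red flags]} for invoices with any flag."""
    staff = {norm_addr(a) for a in employee_addresses}
    flags = defaultdict(list)
    numbers = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], inv["number"])
        amount = Decimal(inv["amount"])   # Decimal avoids float rounding on money
        numbers[inv["vendor"]].append(inv["number"])
        if amount % 100 == 0:
            flags[key].append("round_amount")
        if APPROVAL_THRESHOLD * NEAR_BAND <= amount < APPROVAL_THRESHOLD:
            flags[key].append("just_below_signoff")
        if inv["po_amount"] is not None and Decimal(inv["po_amount"]) != amount:
            flags[key].append("po_mismatch")
        if VAGUE_CHARGE.search(inv["memo"]):
            flags[key].append("unexplained_charge")   # keyword heuristic only
        if PO_BOX.search(inv["address"]):
            flags[key].append("po_box")
        if norm_addr(inv["address"]) in staff:
            flags[key].append("employee_address")
    # Consecutive numbers from one vendor suggest we are its only customer.
    for vendor, nums in numbers.items():
        nums.sort()
        for a, b in zip(nums, nums[1:]):
            if b - a == 1:
                for n in (a, b):
                    if "consecutive_numbers" not in flags[(vendor, n)]:
                        flags[(vendor, n)].append("consecutive_numbers")
    return dict(flags)


if __name__ == "__main__":
    for key, reasons in flag_invoices(INVOICES, EMPLOYEE_ADDRESSES).items():
        print(key, reasons)
```

Each flag marks an invoice for manual review against purchase orders, contracts and receiving records; several flags on one vendor carry more weight than any single one.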
Returned checks can supply useful information, too. Fraud perpetrators are more likely to cash checks, whereas legitimate businesses typically deposit them and rarely endorse checks to third parties.
To trace ghost employee schemes, experts examine payroll lists, withholding forms, employment applications, personnel files and other documents. The information collected from these sources may provide vital links between actual and ghost employees that wouldn’t otherwise be apparent.
To catch a thief
Strong internal controls are instrumental in preventing cash-type schemes. But even the strongest controls sometimes fail to prevent a determined fraudster. If that happens, we can help your business ferret out the fraud and track down the perp. Call or email us today for help: 205-345-9898 or email@example.com.