Protect your company from cyberattacks by adopting zero trust

Some organizations struggle to prevent cyberattacks because they rely on cybersecurity tools and techniques that protect only their perimeter. Perpetrators who make it past a single line of defense (such as a username and password) can gain unfettered access to the company’s network. They can then use ransomware to block access to data or steal customer information or intellectual property.

Zero trust security was designed to address the shortcomings of a single perimeter defense. Created by an IT industry analyst, zero trust requires companies to not automatically trust users or devices. This can be particularly effective if your business relies on cloud computing or if your employees work from home or use their own devices to access your network.

3 principles

Three key principles underlie zero trust:

1. Trust must be earned — often. Zero trust requires initial and ongoing verification for every user and device entering and moving within an IT environment. For example, after users enter the correct network credentials, they must provide additional credentials to access the network’s email system. And even after users are granted access, the system generates “timeouts” that force users and devices to reverify. This is intended to limit the amount of time a malicious actor can spend in the network.

2. Roles and business needs dictate access. By applying the “least privilege” concept, organizations following zero trust limit access to only the data and resources users need to do their jobs. For example, an administrative assistant typically doesn’t need access to a company’s general ledger and a salesperson doesn’t require access to HR files.

Least privilege segments a company’s IT environment into secure zones, based on users’ roles. Just as ships use bulkheads to create watertight compartments to maintain buoyancy, this micro-segmentation keeps the network “afloat,” even if a segment has been compromised.

3. Multifactor authentication is essential. Zero trust security requires verification with a high degree of confidence. Multifactor authentication (MFA) requires users to provide more than a username and password to access a network. It might entail entering a one-time password sent to a previously registered email or mobile phone. Or users might need to open a dedicated app on a mobile device and confirm that they’re seeking network access.
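The three principles above, expressed as one access decision. This is an added example, not code from the original article; the role names, resources, device list and the 15-minute reverification window are constructed for illustration.

```python
"""Zero-trust access decision covering ongoing verification, least
privilege and MFA. Added example; all names and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Principle 2: least privilege. Each role maps only to the resources that
# role needs to do its job; anything not listed is denied (default deny).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin_assistant": {"calendar", "email"},
    "salesperson": {"crm", "email"},
    "accountant": {"general_ledger", "email"},
    "hr_manager": {"hr_files", "email"},
}

# Principle 1: trust is re-earned. A verified session is only good for
# REVERIFY_AFTER seconds; after that the user and device must verify again.
REVERIFY_AFTER = 15 * 60  # constructed value: 15 minutes


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    mfa_verified: bool       # Principle 3: MFA completed for this session
    verified_at: float       # time of the last successful verification
    registered_devices: Set[str] = field(default_factory=set)


def decide(session: Session, resource: str, now: float) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'reverify'.

    Checks run in order: MFA, device registration, session timeout, role
    entitlement. A request must pass every check to be allowed.
    """
    # Principle 3: a username and password alone never grants access.
    if not session.mfa_verified:
        return "deny", "multifactor authentication not completed"
    # Principle 1: devices are verified, not just users.
    if session.device_id not in session.registered_devices:
        return "deny", f"unregistered device {session.device_id}"
    # Principle 1: ongoing verification via timeouts.
    if now - session.verified_at > REVERIFY_AFTER:
        return "reverify", "session verification expired; re-authenticate"
    # Principle 2: least privilege with default deny.
    allowed = ROLE_PERMISSIONS.get(session.role, set())
    if resource not in allowed:
        return "deny", f"role {session.role} is not entitled to {resource}"
    return "allow", "all zero-trust checks passed"


if __name__ == "__main__":
    ann = Session("ann", "admin_assistant", "laptop-1", True, 1000.0, {"laptop-1"})
    for res, t in (("email", 1100.0), ("general_ledger", 1100.0), ("email", 2000.0)):
        print(res, t, decide(ann, res, t))
```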

Building more and higher walls

If the only barrier between your IT network and a fraud perpetrator is simple perimeter security, your company’s risk of being hacked is higher than necessary. Consider adopting zero trust to build more and higher walls. Contact us for more information and cybersecurity tool recommendations.

© 2021 Covenant CPA

What goes into a fraud damages calculation?

At first glance, calculating restitution for fraud damages may seem relatively simple. If someone steals $10,000 from a company, that person should repay that amount, perhaps with interest, right? Not quite. Financial experts also consider the profits the business lost because of the fraud — and weigh different methods of computing damages.

The appropriate approach

Experts typically use either the benefit-of-the-bargain or out-of-pocket approach to calculate damages. The appropriate method depends to some degree on the location and nature of the fraud. But in most cases, the benefit-of-the-bargain method results in greater restitution for victims.

Take, for example, a property developer who buys a parcel of land that the seller says is worth $1 million but is offering at $900,000. In truth, the seller is lying about the parcel’s value and has even falsified a valuation report. The land is actually worth about $700,000. Putting aside the developer’s failure to perform proper due diligence, how might fraud damages be assessed?

Under the out-of-pocket rule, the company would be awarded $200,000 in damages, or the difference between the land’s real value and the amount paid for it. Using the benefit-of-the-bargain rule, however, damages would be calculated at $300,000 — the difference between the seller’s misrepresented value and the parcel’s true worth.

3 common alternatives

It’s obvious why plaintiffs typically prefer the benefit-of-the-bargain method. But there are three other methods experts commonly use to calculate lost profits.

First, using the benchmark (or yardstick) method, an expert compares the fraud victim’s corporate profits to those of another, similar company that wasn’t defrauded. This method is particularly appropriate for new businesses or franchises.

The hypothetical (or model) method is also generally appropriate for businesses with little history. It requires the expert to gather marketing evidence that demonstrates potential lost sales. After calculating the total, the costs that would have been associated with the lost sales are subtracted to arrive at lost profits.

Finally, the before-and-after method typically is used for longer-established businesses. Experts look at the company’s profits before and after the fraud compared to profits during the time the fraud was being committed. The difference is the lost profits.

Don’t do it yourself

Defrauded business owners shouldn’t attempt to calculate their own fraud damages — or engage a professional who isn’t qualified to do it. To help ensure you receive the highest restitution amount, contact us or have your attorney get in touch.


Is someone stealing your company’s secrets?

Corporate espionage has long been a threat for U.S. companies. Recently, intellectual property theft by foreign governments and organized crime gangs has grabbed headlines — for good reason. According to the U.S. Justice Department, 80% of its economic espionage prosecutions target schemes that would benefit China. Yet for most businesses, the threat comes from employees and former employees who take advantage of lax environments with few internal controls.

The problem … and a solution

Employees with access to trade secrets may take that information with them when they leave your company for another job — or pad their paychecks by selling it to your competitors while still employed. As with all types of fraud, workers are more likely to participate in corporate espionage if they’re unhappy in the job (motive), have access to sensitive information (opportunity) and can mentally excuse the act (rationalization). For example, thieves may rationalize selling IP because they feel underpaid and that they “deserve” the fraud proceeds.

You can reduce espionage risk from unethical employees by first identifying information that should be secured. New technology and market strategies are clearly sensitive. But customer complaints or component purchasing data may also be valuable to your competitors. Think about which competitors would benefit from what information.

Then determine how much of your sensitive information is at risk and where the vulnerabilities lie. Passwords, firewalls and other security measures are critical to protecting data, but they aren’t invulnerable. You also need to consider who has access to confidential information and how your business processes drive how the information is used.

The last step is to develop a security policy that considers your business methods, potential external weaknesses and staffing patterns. Revisit the plan periodically as your business and competitors change.

Stop loose lips from sinking ships

Be sure to educate employees about the threat of corporate espionage and let them know how to report suspicious activity such as people asking for details about their jobs. Emphasize that secrets can be revealed inadvertently.

For example, a software developer may agree to help a “student” with her research, or an operations manager may participate in a “customer satisfaction survey” by a manufacturer. Employees also need to watch what they discuss with coworkers in public places such as lunch spots and after-hours bars. They never know who’s eavesdropping.

Of course, not all research into your company is illegal. Public documents such as Federal Communications Commission and regulatory filings, content on your website and published articles on your company can give an experienced business analyst a fairly accurate idea of what you’re doing. Actual corporate espionage involves theft of information that hasn’t been made public.

Actual threats

Although your business should put most of its anti-espionage resources into preventing employees from stealing IP and selling it to competitors, actual threats may vary according to your industry or products. The IP of defense contractors and technology companies, for example, may be attractive to foreign states. Contact us to help assess your threat level.


Actively look for fraud and reduce financial losses

The Association of Certified Fraud Examiners’ (ACFE’s) Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse provides ample evidence that some fraud detection methods are better than others. In general, passive methods, such as accidental discovery or notification by police, coincide with longer-running schemes and higher financial costs. To nab dishonest employees quickly and limit losses, your company needs to be proactive.

Shorten time, minimize costs

Active methods include IT controls, data monitoring and analysis, account reconciliation, management review, surprise audits and internal audit. These methods can significantly lower fraud durations and losses.

For example, frauds detected by IT controls had a median duration of six months and a median loss of $80,000. Those found through account reconciliation ran for a median of seven months and totaled a median loss of $81,000. By comparison, fraud detected through notification by police or stumbled upon by accident had a median duration of 24 months. When companies learned about a scheme from law enforcement, the median loss was $900,000.

Surprise audits and proactive data monitoring and analysis can be especially effective ways to fight fraud. On average, victim organizations without these antifraud controls in place reported more than double the fraud losses, and their frauds lasted more than twice as long as frauds at victim organizations with these controls in place. Yet only 37% of the organizations in the ACFE study had implemented surprise audits or data monitoring and analysis.

Tips are most effective

The leading fraud detection method, tips, could be considered active or passive. But there’s no arguing that this method is effective — particularly when organizations offer employees and other stakeholders confidential fraud hotlines. Organizations that had hotlines for reporting misconduct detected fraud by tips more often (49% of cases) than those without hotlines (31% of cases).

To ensure that tips are used as an active detection method, your organization should set up a hotline and promote its use. Increasingly, companies offer other reporting forms, including email and Web-based submissions. Also, the ACFE has found that in 33% of cases where a tip was made, the whistleblower reported suspicions to a supervisor or other person in a position of authority.

Budget-friendly options

Even if your organization’s budget is tight and you think you have few resources to commit to fraud prevention, know that there’s always something you can do. Active methods can be surprisingly low cost and they certainly are less expensive than being defrauded. Contact us for more information.


Don’t let vendor fraud infiltrate your organization

Vendor fraud can be costly — particularly when several perpetrators are involved. The median loss of a fraud scheme conducted by two individuals is $200,000, according to the Association of Certified Fraud Examiners. Losses rise precipitously to more than $500,000 when four or more people commit the fraud. These schemes typically involve the collusion of employees with outside parties or a conspiracy between suppliers. But you can help prevent vendor fraud in your business by familiarizing yourself with the schemes.

Types of schemes

Vendor fraud can take one of several forms. Price fixing is an agreement among competitors to set the same price for goods or services. It also refers to competitors jointly establishing a price range or minimum price. Such agreements violate the Sherman Antitrust Act, regardless of whether the prices are unreasonable.

A similar fraud is bid rigging, where two or more vendors agree to steer a company’s purchase of goods or services. Bid-rigging schemes include:

Bid rotation. Vendors participating in the scheme take turns as the low bidder.

Bid suppression. Two or more vendors illegally agree that at least one of them will withdraw a previously submitted bid or not bid at all.

Complementary bidding. Some of the vendors participating in the scheme submit token bids with a high price or special terms that will make them unacceptable to the company.

Another way vendors cheat is through market division. This occurs when competitors agree not to compete in a specific segment of a market. If bids are solicited by a customer in, for example, a certain geographic region, the competitors either won’t bid or will submit complementary bids. This drives up the price for the soliciting company.

Kickbacks and inflated invoices

In kickback schemes, vendors bribe employees on the inside to submit or authorize payment of fraudulent invoices. Vendors typically incorporate kickback payments in the invoice — compounding the amount companies are overbilled.

Vendors can also submit inflated invoices in more subtle ways. The price charged may exceed prices agreed upon in the contract, the invoice might reflect charges for more goods than the customer actually received or a vendor could alter the date on a genuine invoice and submit it for duplicate payment.

Preventing abuse

Knowledge is power, but it’s not always easy for owners and employees to spot vendor fraud in progress. Make sure you carefully vet all new vendors and investigate any vendor/employee relationship that seems unusually close. Finally, contact us to perform a vendor audit.


3 ways fraud experts use data analytics

Forensic accountants have long used technological tools to uncover fraud schemes. But recent advances in “big data” have provided even better, more efficient techniques for identifying suspicious activities and dishonest employees. These are three common types of data analytics used by fraud experts:

1. Association analysis

This method can help identify suspicious relationships by quantifying the odds of a combination of data points occurring together. In other words, it calculates the likelihood that if one data point occurs, another will, too.

If a combination of data points occurs at an atypical rate, a red flag goes up. For example, association analysis might find that a certain worker or manager tends to be on duty when inventory theft occurs.
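The on-duty example above, worked through as an added example that is not part of the original article. It computes support, confidence and lift for the rule "worker on duty → theft recorded" over a constructed set of shift records; the shift data, names and thresholds are all assumptions.

```python
"""Association analysis over constructed shift records. Added example; the
shift data, worker names and thresholds are constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: (shift_id, staff on duty, was inventory theft recorded?)
SHIFTS: List[Tuple[str, Tuple[str, ...], bool]] = [
    ("s01", ("ana", "bo"), False),
    ("s02", ("ana", "cy"), False),
    ("s03", ("bo", "cy"), True),
    ("s04", ("ana", "bo"), False),
    ("s05", ("bo", "dee"), True),
    ("s06", ("cy", "dee"), False),
    ("s07", ("ana", "dee"), False),
    ("s08", ("bo", "cy"), True),
    ("s09", ("ana", "cy"), False),
    ("s10", ("bo", "dee"), True),
    ("s11", ("ana", "dee"), False),
    ("s12", ("cy", "dee"), False),
]


def association_stats(shifts) -> Dict[str, Dict[str, float]]:
    """Per worker, measure the rule 'worker on duty -> theft recorded'.

    support    = P(worker on duty AND theft)
    confidence = P(theft | worker on duty)
    lift       = confidence / P(theft). About 1.0 means theft happens on
                 this worker's shifts no more often than on any shift;
                 well above 1.0 is the atypical co-occurrence the text
                 describes.
    """
    total = len(shifts)
    thefts = sum(1 for _, _, stolen in shifts if stolen)
    base_rate = thefts / total
    on_duty: Counter = Counter()
    on_duty_theft: Counter = Counter()
    for _, staff, stolen in shifts:
        for worker in staff:
            on_duty[worker] += 1
            if stolen:
                on_duty_theft[worker] += 1
    stats: Dict[str, Dict[str, float]] = {}
    for worker, shifts_worked in on_duty.items():
        confidence = on_duty_theft[worker] / shifts_worked
        stats[worker] = {
            "support": on_duty_theft[worker] / total,
            "confidence": confidence,
            "lift": confidence / base_rate if base_rate else 0.0,
        }
    return stats


def red_flags(shifts, min_lift: float = 1.5, min_support: float = 0.1) -> List[str]:
    """Workers whose association with theft is both strong (lift) and
    frequent enough to matter (support). Both thresholds are constructed."""
    stats = association_stats(shifts)
    return sorted(w for w, s in stats.items()
                  if s["lift"] >= min_lift and s["support"] >= min_support)


if __name__ == "__main__":
    for worker, s in sorted(association_stats(SHIFTS).items()):
        print(f"{worker}: support={s['support']:.2f} "
              f"confidence={s['confidence']:.2f} lift={s['lift']:.2f}")
    print("red flags:", red_flags(SHIFTS))
```

A flag is a lead for the interview and document review the article describes later, not proof by itself.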

2. Outlier analysis

Outliers are data points outside the norm for a given data set. In many types of data analysis, outliers are simply disregarded, but these items come in handy for fraud detection. Experts know how to distinguish and respond to different types of outliers.

Contextual outliers are significant in certain contexts but not others. For example, a big jump in wages on a retailer’s financial statements might be notable in April but not in December, when seasonal workers usually come aboard.

Collective outliers are a collection of data points that aren’t outliers on their own but deviate significantly from the overall data set when considered as a whole. If, for instance, several public company executives sold off substantial blocks of stock in the business on the same day, it might indicate suspicious behavior.

3. Cluster analysis

Here, experts group similar data points into a set and then further subdivide them into smaller, more homogeneous clusters. Data points within a cluster are similar to each other and dissimilar to those in other clusters. The greater the similarities within a cluster and the differences between clusters, the easier it is for an expert to develop rules that apply to one cluster but not the others.

Cluster analysis has long been used for market segmentation of consumers. But it can also detect fraud, particularly when combined with outlier analysis. Outlier clusters — those that are farthest from the nearest cluster when clusters are mapped out on a chart — generally merit extra scrutiny for suspicious activity.

Fraud experts might, for example, use cluster analysis to evaluate group life insurance claims. They then would look for clusters of large beneficiary or interest payments, or long lags between submission and payment.

Old school methods

Of course, technology alone usually doesn’t make the case against an employee. Face-to-face interviews and other “old school” methods are crucial to identifying fraud perpetrators and learning where they’ve stashed the money they’ve stolen. If you suspect fraud in your organization, contact us to investigate.


No disaster scammer is safe from the NCDF

What do COVID-19, major hurricanes and West Coast wildfires have in common? All three have attracted scam artists, who have bilked disaster victims, charitable donors, insurance companies and government agencies out of billions of dollars. Also, all of these disasters — and the criminals who take advantage of them — are the focus of The National Center for Disaster Fraud (NCDF). Let’s take a look at what this partnership between the U.S. Justice Department and various law enforcement and regulatory agencies does to investigate and prevent fraud.

Investigate and prevent

The NCDF was established in 2005 after Hurricane Katrina to combat the massive fraud schemes that emerged as financial aid poured into the Gulf region. The agency now coordinates investigations into all kinds of natural and manmade disaster fraud. It also helps to prevent perpetrators from finding victims.

Recently, the NCDF posted on its website tips for charitable donors who want to help victims of Hurricane Ida (justice.gov/disaster-fraud). For example, the agency urges people to avoid making cash donations, writing checks to individuals or donating via wire transfer.

COVID and other opportunities

COVID-19-related fraud — including dishonest Paycheck Protection Program (PPP) loan requests and phishing schemes offering fake “miracle” drugs — makes up the bulk of current NCDF complaints. In recent weeks, the Justice Department has announced the indictment and sentencing of a roster of COVID criminals.

This includes a Georgia woman who pleaded guilty to bank fraud after seeking $7.9 million in PPP loans for four medical practices she controlled. In another ambitious scheme, a Texas man submitted 15 fraudulent PPP applications to eight different lenders, seeking a total of $24.8 million.

Of course, criminals will capitalize on any opportunity. A California man received $26,000 in relief funds from the Federal Emergency Management Agency (FEMA) after falsely claiming a trailer burned in the Camp Fire was his primary residence. Earlier this year, a Florida woman was sentenced to more than six years in prison for using stolen identities to file five applications for FEMA disaster assistance that was intended for actual victims of Hurricane Irma.

Calls for help

Agencies investigating disaster fraud depend on tips from ordinary people who’ve witnessed or are victims of these crimes. The NCDF hosts a 24/7 telephone hotline (866-720-5721) and accepts Web form complaints at justice.gov/DisasterComplaintForm. Also, if you believe disaster fraud has delivered a double whammy to you or family members, contact us for more information on how to fight back.


How to conduct a remote fraud investigation

Before the COVID-19 pandemic, most fraud investigations took place in the office or other work facility. This made it easy for investigators to gather and analyze data and interview suspects and witnesses in a face-to-face setting.

But if your company allows employees to work from home — either temporarily or permanently — you may need to conduct a remote fraud investigation. In addition to suspects and witnesses working remotely, those tasked with conducting investigations (including outside experts) may also be remote. Here’s how to manage these situations.

Policies and procedures

First, develop policies and procedures for remote investigations. If you already have written policies for traditional fraud investigations, use them as a starting point. Some features, such as the role and processes of investigators, may remain basically the same.

Cover the entire process, including:

  • The technology solutions you’ll use to communicate with employees and investigators,
  • Backup options in the event of technical problems, and
  • How you’ll share relevant files and documents — both electronic and paper.

Once you’ve developed a draft, have legal counsel review it.

Conducting interviews

Before conducting interviews, prepare subjects for the process. Let them know approximately how long the interview might take and whether they must review documents before or during the discussion. Stress the importance of sitting in a quiet location with minimal background noise where they can remain undisturbed throughout the interview.

To provide your team with ample opportunity to detect verbal and nonverbal signs of deception, subjects need to keep their video feeds on the entire time. Most computers, smartphones, tablets and wireless connections can facilitate video calls, but be sure to test subjects’ devices and Internet connections before interviews. Consider having a trusted member of your IT department perform the test, instructing this employee not to discuss anything specific about the interview or the fraud allegations.

There are a couple of things you should keep in mind. First, any conversation conducted via video conferencing will be recorded and can be used in a subsequent court case. So discuss interview plans with your attorney.

Second, expect the unexpected. For example, how will you proceed if a fraud suspect declines to answer questions, turns off his or her video or audio feed or consults with an unknown third party in the room? Subjects attempting to dodge uncomfortable questions may pretend to have connectivity problems.

Unique challenges

Remote fraud investigations present unique challenges — many of which can be anticipated and mitigated. But even if you normally would conduct a preliminary fraud investigation in-house, consider engaging a forensic accounting expert early in the process to help ensure you don’t miss anything.


Travel — and travel scams — are back

Although COVID-19 remains a concern, many people have started traveling again — both for business and pleasure. Unfortunately, as travel demand has increased, so has travel-related fraud.

For example, some fraud perpetrators posing as airline employees call would-be victims to try to elicit credit card numbers. Other scam artists send phishing emails that appear to offer cheap seats or rooms. And there are plenty of fake websites masquerading as legitimate travel companies.

Don’t fall for fraud

As you plan your next trip, take these steps to help reduce fraud risk:

Ignore unsolicited communications. Whether you receive an email, text, flyer or telemarketing call regarding travel bargains, it’s probably smart to ignore it. Afraid of missing out on a legitimate deal? Directly contact the airline, hotel or rental car company featured in the promotion.

Book with established companies. Whether traveling for business or pleasure, make reservations with companies with names you know. If you’re booking with a new service provider, read online reviews by fellow travelers. Some review platforms allow you to search using keywords; others identify keywords frequently used by reviewers and allow you to filter for those reviews. Also perform an online search with the name of the company and words such as “fraud” or “scam.”

Watch out for lodging scams. Many travelers use online property marketplaces to find lodging. But you need to scrutinize listings. Some fraud perpetrators post ads for nonexistent properties with enticing, below-market rates. If a “property owner” asks you to move the conversation off the site to avoid fees, refuse the request. Reputable platforms provide certain protections, such as insurance in the event the transaction results in fraud. They also keep your credit card information confidential.

Work with trusted services. If you travel frequently for business or pleasure or don’t have time to research trips, consider engaging a travel advisor or travel agent. These professionals maintain close working relationships with legitimate companies, know about the latest deals, may be able to provide insider tips about your destination and can, of course, make reservations for you.

Go with your gut

Before booking your vacation or business trip, scrutinize it for signs of fraud. If you doubt the legitimacy of a service provider or are suspicious of individuals involved in a transaction, go with your gut and look elsewhere. Safe travel requires due diligence that starts long before your journey begins.
