Protect your company from cyberattacks by adopting zero trust

Some organizations struggle to prevent cyberattacks because they rely on tools and techniques that protect only the network perimeter. An attacker who gets past that single line of defense (for example, with a stolen username and password) is then treated as trusted and can move freely through the internal network. From there the attacker can deploy ransomware to block access to data, or steal customer information or intellectual property.

Zero trust security was designed to address the shortcomings of a single perimeter defense. The term was coined in 2010 by Forrester analyst John Kindervag; the model requires that no user or device be trusted automatically, whether it is inside or outside the corporate network. This is particularly relevant if your business relies on cloud computing, or if employees work from home or use their own devices to access your systems. 

3 principles

Three key principles underlie zero trust:

1. Trust must be earned — often. Zero trust requires initial and ongoing verification of every user and device, both when it enters the IT environment and as it moves within it. For example, signing in to the network does not by itself grant access to the email system; that access is authorized separately, and each request can be checked against the user’s identity, the device’s health and the current context. Even after access is granted, sessions expire (“timeouts”) and users and devices must reverify. The aim is to limit how long a malicious actor who has obtained one set of credentials can operate in the network.

2. Roles and business needs dictate access. By applying the “least privilege” concept, organizations following zero trust limit access to only the data and resources users need to do their jobs. For example, an administrative assistant typically doesn’t need access to a company’s general ledger and a salesperson doesn’t require access to HR files.

Least privilege is usually paired with micro-segmentation, which divides a company’s IT environment into small zones, each with its own access controls based on who and what legitimately needs to reach it. Just as ships use bulkheads to create watertight compartments that maintain buoyancy, micro-segmentation keeps the network “afloat” by containing an intruder within the compromised segment instead of allowing lateral movement to every other system.

3. Multifactor authentication is essential. Zero trust security requires verification with a high degree of confidence. Multifactor authentication (MFA) requires users to provide more than a username and password. It might entail entering a one-time password sent to a previously registered email address or mobile phone, or approving a prompt in a dedicated app on a mobile device. Not all factors are equally strong, however: codes sent by SMS or email can be intercepted through SIM swapping or phished along with the password, and push approvals can be worn down by repeated prompts (so-called MFA fatigue). Where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, especially for administrators and for access to sensitive data.
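The three principles above combine naturally into a single per-request access decision. The following Python script is an added illustration, not code from the original article or from any product: it evaluates each request against identity assurance (MFA, with phishing-resistant methods required for sensitive data), device posture, a least-privilege role-to-resource map, and session age (forcing reverification), and it deliberately ignores network location. The roles, resource names, MFA method labels and timeout values are assumptions made for the example.

```python
"""Per-request zero-trust access decision (added illustration, assumed values)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# All of the values below are assumptions for this example, not a real policy.
ROLE_ACCESS = {                       # least privilege: role -> resources it may reach
    "admin_assistant": {"email", "calendar"},
    "sales":           {"email", "crm"},
    "accounting":      {"email", "general_ledger"},
    "hr":              {"email", "hr_files"},
}
SENSITIVE = {"general_ledger", "hr_files"}          # stronger assurance required
PHISHING_RESISTANT = {"fido2", "passkey"}
WEAKER_MFA = {"sms_otp", "email_otp", "push"}
MAX_SESSION_AGE_S = 8 * 3600          # ordinary resources: reverify every 8 hours
MAX_SENSITIVE_AGE_S = 15 * 60         # sensitive resources: reverify every 15 minutes


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_method: Optional[str]   # None means the user presented a password only
    session_age_s: int          # seconds since the last successful verification
    device_managed: bool        # device is enrolled in device management
    device_compliant: bool      # device passes posture checks (patched, encrypted, ...)


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, reason) where decision is ALLOW, DENY or REVERIFY.

    Network location is deliberately not an input: being "inside" earns nothing.
    """
    # 1. Identity: a password alone is never enough.
    if req.mfa_method is None:
        return "DENY", "password-only authentication not accepted"
    if req.mfa_method not in PHISHING_RESISTANT | WEAKER_MFA:
        return "DENY", "unrecognised MFA method: " + req.mfa_method
    # 2. Device: posture is checked on every request, not only at sign-in.
    if not req.device_managed:
        return "DENY", "unmanaged device"
    if not req.device_compliant:
        return "DENY", "device fails posture check"
    # 3. Least privilege: the role must be explicitly granted the resource.
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return "DENY", "role %r is not granted %r" % (req.role, req.resource)
    # 4. Sensitive resources need phishing-resistant MFA and shorter sessions.
    if req.resource in SENSITIVE:
        if req.mfa_method not in PHISHING_RESISTANT:
            return "DENY", "sensitive resource requires phishing-resistant MFA"
        if req.session_age_s > MAX_SENSITIVE_AGE_S:
            return "REVERIFY", "session too old for sensitive resource"
    elif req.session_age_s > MAX_SESSION_AGE_S:
        return "REVERIFY", "session expired"
    return "ALLOW", "all checks passed"


if __name__ == "__main__":
    # Constructed sample requests for the demonstration.
    demo = [
        Request("pat", "accounting", "general_ledger", "fido2", 60, True, True),
        Request("pat", "accounting", "general_ledger", "sms_otp", 60, True, True),
        Request("pat", "accounting", "general_ledger", "fido2", 3600, True, True),
        Request("kim", "admin_assistant", "general_ledger", "fido2", 60, True, True),
        Request("sam", "sales", "crm", "push", 100, False, True),
    ]
    for r in demo:
        print(r.user, r.role, r.resource, "->", evaluate(r))
```

The order of checks matters: identity and device are verified before the policy even looks at what is being asked for, so a stolen password on an unmanaged laptop is refused without revealing whether the role would have had access.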

Building more and higher walls

If the only barrier between your IT network and a fraud perpetrator is simple perimeter security, your company’s risk of being hacked is higher than necessary. Zero trust does not rely on one higher wall; it puts a checkpoint in front of every resource, so a single stolen password no longer opens the whole network. Contact us for more information and cybersecurity tool recommendations.

© 2021 Covenant CPA

What goes into a fraud damages calculation?

At first glance, calculating restitution for fraud damages may seem relatively simple. If someone steals $10,000 from a company, that person should repay that amount, perhaps with interest, right? Not quite. Financial experts also consider the profits the business lost because of the fraud — and weigh different methods of computing damages.

The appropriate approach

Experts typically use either the benefit-of-the-bargain or out-of-pocket approach to calculate damages. The appropriate method depends to some degree on the location and nature of the fraud. But in most cases, the benefit-of-the-bargain method results in greater restitution for victims.

Take, for example, a property developer who buys a parcel of land that the seller says is worth $1 million but is offering at $900,000. In truth, the seller is lying about the parcel’s value and has even falsified a valuation report. The land is actually worth about $700,000. Putting aside the developer’s failure to perform proper due diligence, how might fraud damages be assessed?

Under the out-of-pocket rule, the company would be awarded $200,000 in damages, or the difference between the land’s real value and the amount paid for it. Using the benefit-of-the-bargain rule, however, damages would be calculated at $300,000 — the difference between the seller’s misrepresented value and the parcel’s true worth.

3 common alternatives

It’s obvious why plaintiffs typically prefer the benefit-of-the-bargain method. But there are three other methods experts commonly use to calculate lost profits.

First, using the benchmark (or yardstick) method, an expert compares the fraud victim’s corporate profits to those of another, similar company that wasn’t defrauded. This method is particularly appropriate for new businesses or franchises.

The hypothetical (or model) method is also generally appropriate for businesses with little history. It requires the expert to gather marketing evidence that demonstrates potential lost sales. After calculating the total, the costs that would have been associated with the lost sales are subtracted to arrive at lost profits.

Finally, the before-and-after method typically is used for longer-established businesses. Experts look at the company’s profits before and after the fraud compared to profits during the time the fraud was being committed. The difference is the lost profits.

Don’t do it yourself

Defrauded business owners shouldn’t attempt to calculate their own fraud damages — or engage a professional who isn’t qualified to do it. To help ensure you receive the highest restitution amount, contact us or have your attorney get in touch.


Is someone stealing your company’s secrets?

Corporate espionage has long been a threat for U.S. companies. Recently, intellectual property theft by foreign governments and organized crime gangs has grabbed headlines — for good reason. According to the U.S. Justice Department, 80% of its economic espionage prosecutions target schemes that would benefit China. Yet for most businesses, the threat comes from employees and former employees who take advantage of lax environments with few internal controls.

The problem … and a solution

Employees with access to trade secrets may take that information with them when they leave your company for another job — or pad their paychecks by selling it to your competitors while still employed. As with all types of fraud, workers are more likely to participate in corporate espionage if they’re unhappy in the job (motive), have access to sensitive information (opportunity) and can mentally excuse the act (rationalization). For example, thieves may rationalize selling IP because they feel underpaid and that they “deserve” the fraud proceeds.

You can reduce espionage risk from unethical employees by first identifying information that should be secured. New technology and market strategies are clearly sensitive. But customer complaints or component purchasing data may also be valuable to your competitors. Think about which competitors would benefit from what information.

Then determine how much of your sensitive information is at risk and where the vulnerabilities lie. Passwords, firewalls and other security measures are critical to protecting data, but they aren’t invulnerable. You also need to consider who has access to confidential information (and whether each person still needs that access) and how your business processes dictate how the information is used and shared.

The last step is to develop a security policy that considers your business methods, potential external weaknesses and staffing patterns. Revisit the plan periodically as your business and competitors change.

Stop loose lips from sinking ships

Be sure to educate employees about the threat of corporate espionage and let them know how to report suspicious activity such as people asking for details about their jobs. Emphasize that secrets can be revealed inadvertently.

For example, a software developer may agree to help a “student” with her research, or an operations manager may participate in a “customer satisfaction survey” by a manufacturer. Employees also need to watch what they discuss with coworkers in public places such as lunch spots and after-hours bars. They never know who’s eavesdropping.

Of course, not all research into your company is illegal. Public documents such as Federal Communications Commission and regulatory filings, content on your website and published articles on your company can give an experienced business analyst a fairly accurate idea of what you’re doing. Actual corporate espionage involves theft of information that hasn’t been made public.

Actual threats

Although your business should put most of its anti-espionage resources into preventing employees from stealing IP and selling it to competitors, actual threats may vary according to your industry or products. The IP of defense contractors and technology companies, for example, may be attractive to foreign states. Contact us to help assess your threat level.


Actively look for fraud and reduce financial losses

The Association of Certified Fraud Examiners’ (ACFE’s) Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse provides ample evidence that some fraud detection methods are better than others. In general, passive methods, such as accidental discovery or notification by police, coincide with longer-running schemes and higher financial costs. To nab dishonest employees quickly and limit losses, your company needs to be proactive.

Shorten time, minimize costs

Active methods include IT controls, data monitoring and analysis, account reconciliation, management review, surprise audits and internal audit. These methods can significantly lower fraud durations and losses.

For example, frauds detected by IT controls had a median duration of six months and a median loss of $80,000. Those found through account reconciliation ran for a median of seven months and totaled a median loss of $81,000. By comparison, fraud detected through notification by police or stumbled upon by accident had a median duration of 24 months. When companies learned about a scheme from law enforcement, the median loss was $900,000.

Surprise audits and proactive data monitoring and analysis can be especially effective ways to fight fraud. On average, victim organizations without these antifraud controls in place reported more than double the fraud losses, and their frauds lasted more than twice as long as frauds at victim organizations with these controls in place. Yet only 37% of the organizations in the ACFE study had implemented surprise audits or data monitoring and analysis.

Tips are most effective

The leading fraud detection method, tips, could be considered active or passive. But there’s no arguing that this method is effective — particularly when organizations offer employees and other stakeholders confidential fraud hotlines. Organizations that had hotlines for reporting misconduct detected fraud by tips more often (49% of cases) than those without hotlines (31% of cases).

To ensure that tips are used as an active detection method, your organization should set up a hotline and promote its use. Increasingly, companies offer other reporting forms, including email and Web-based submissions. Also, the ACFE has found that in 33% of cases where a tip was made, the whistleblower reported suspicions to a supervisor or other person in a position of authority.

Budget-friendly options

Even if your organization’s budget is tight and you think you have few resources to commit to fraud prevention, know that there’s always something you can do. Active methods can be surprisingly low cost and they certainly are less expensive than being defrauded. Contact us for more information.


3 ways fraud experts use data analytics

Forensic accountants have long used technological tools to uncover fraud schemes. But recent advances in “big data” have provided even better, more efficient techniques for identifying suspicious activities and dishonest employees. These are three common types of data analytics used by fraud experts:

1. Association analysis

This method can help identify suspicious relationships by quantifying the odds of a combination of data points occurring together. In other words, it calculates the likelihood that if one data point occurs, another will, too.

If a combination of data points occurs at an atypical rate, a red flag goes up. For example, association analysis might find that a certain worker or manager tends to be on duty when inventory theft occurs.

2. Outlier analysis

Outliers are data points outside the norm for a given data set. In many types of data analysis, outliers are simply disregarded, but these items come in handy for fraud detection. Experts know how to distinguish and respond to different types of outliers.

Contextual outliers are significant in certain contexts but not others. For example, a big jump in wages on a retailer’s financial statements might be notable in April but not in December, when seasonal workers usually come aboard.

Collective outliers are a collection of data points that aren’t outliers on their own but deviate significantly from the overall data set when considered as a whole. If, for instance, several public company executives sold off substantial blocks of stock in the business on the same day, it might indicate suspicious behavior.
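As an added illustration (not code from the original article), the following Python script applies two of the techniques described above to constructed data: association analysis, as a lift ratio between an employee being on duty and an inventory shortage being logged, and contextual outlier detection, as a z-score against a same-month baseline compared with the pooled baseline. The shift log, wage figures, names and the 2.0 threshold are invented for the example; clustering is not covered here.

```python
"""Association (lift) and contextual outlier analysis on constructed fraud data."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Shift:
    staff: frozenset          # employees on duty for the shift
    shortage: bool            # inventory count came up short afterwards


# Constructed shift log (invented for this example, not real data).
SHIFTS: List[Shift] = [
    Shift(frozenset({"alice", "carol"}), True),
    Shift(frozenset({"alice", "dave"}), True),
    Shift(frozenset({"alice", "carol"}), True),
    Shift(frozenset({"alice", "dave"}), True),
    Shift(frozenset({"alice", "carol"}), False),
    Shift(frozenset({"alice", "dave"}), False),
    Shift(frozenset({"bob", "carol"}), True),
    Shift(frozenset({"bob", "dave"}), False),
    Shift(frozenset({"bob", "carol"}), False),
    Shift(frozenset({"bob", "dave"}), False),
    Shift(frozenset({"bob", "carol"}), False),
    Shift(frozenset({"bob", "dave"}), False),
]

# Constructed monthly wage expense ($ thousands) for three prior years, keyed
# by month, plus the current year's figures to be screened.
WAGE_HISTORY: Dict[str, List[float]] = {
    "Apr": [100, 102, 98],     # off-season: normally stable
    "Dec": [150, 154, 146],    # seasonal hires every December
}
WAGES_THIS_YEAR: Dict[str, float] = {"Apr": 140, "Dec": 152}


def lift(shifts: List[Shift], employee: str) -> float:
    """Association analysis: P(shortage | employee on duty) / P(shortage).

    Lift near 1.0 means the employee's presence tells you nothing; well above
    1.0 means shortages cluster on that employee's shifts.
    """
    base_rate = sum(s.shortage for s in shifts) / len(shifts)
    on_duty = [s for s in shifts if employee in s.staff]
    if not on_duty or base_rate == 0:
        return 0.0
    conditional = sum(s.shortage for s in on_duty) / len(on_duty)
    return conditional / base_rate


def rank_by_lift(shifts: List[Shift]) -> List[Tuple[str, float]]:
    """Every employee in the log, highest lift first."""
    staff = sorted({e for s in shifts for e in s.staff})
    return sorted(((e, round(lift(shifts, e), 2)) for e in staff),
                  key=lambda pair: -pair[1])


def z_score(value: float, baseline: List[float]) -> float:
    """Standard deviations between value and the baseline mean."""
    m, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / sd


def contextual_outliers(history: Dict[str, List[float]],
                        current: Dict[str, float],
                        threshold: float = 2.0) -> Dict[str, float]:
    """Compare each month only with the same month in prior years."""
    flagged = {}
    for ctx, value in current.items():
        z = z_score(value, history[ctx])
        if abs(z) > threshold:
            flagged[ctx] = round(z, 1)
    return flagged


def global_outliers(history: Dict[str, List[float]],
                    current: Dict[str, float],
                    threshold: float = 2.0) -> Dict[str, float]:
    """The same screen against the pooled baseline, ignoring context.

    Shown for contrast: an April jump hides inside the December-inflated spread.
    """
    pooled = [v for values in history.values() for v in values]
    return {ctx: round(z_score(v, pooled), 1)
            for ctx, v in current.items()
            if abs(z_score(v, pooled)) > threshold}


if __name__ == "__main__":
    print("lift by employee:", rank_by_lift(SHIFTS))
    print("contextual outliers:", contextual_outliers(WAGE_HISTORY, WAGES_THIS_YEAR))
    print("global outliers:", global_outliers(WAGE_HISTORY, WAGES_THIS_YEAR))
```

On this data alice’s shifts carry a lift of 1.6 (shortages occur 60% more often than the base rate when she is on duty), and the April wage figure is flagged only when compared with previous Aprils; pooled with the December figures it looks unremarkable, which is the point of contextual outlier analysis.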

3. Cluster analysis

Here, experts group similar data points into a set and then further subdivide them into smaller, more homogeneous clusters. Data points within a cluster are similar to each other and dissimilar to those in other clusters. The greater the similarities within a cluster and the differences between clusters, the easier it is for an expert to develop rules that apply to one cluster but not the others.

Cluster analysis has long been used for market segmentation of consumers. But it can also detect fraud, particularly when combined with outlier analysis. Outlier clusters — those that are farthest from the nearest cluster when clusters are mapped out on a chart — generally merit extra scrutiny for suspicious activity.

Fraud experts might, for example, use cluster analysis to evaluate group life insurance claims. They then would look for clusters of large beneficiary or interest payments, or long lags between submission and payment.

Old school methods

Of course, technology alone usually doesn’t make the case against an employee. Face-to-face interviews and other “old school” methods are crucial to identifying fraud perpetrators and learning where they’ve stashed the money they’ve stolen. If you suspect fraud in your organization, contact us to investigate.


No disaster scammer is safe from the NCDF

What do COVID-19, major hurricanes and West Coast wildfires have in common? All three have attracted scam artists, who have bilked disaster victims, charitable donors, insurance companies and government agencies out of billions of dollars. Also, all of these disasters — and the criminals who take advantage of them — are the focus of The National Center for Disaster Fraud (NCDF). Let’s take a look at what this partnership between the U.S. Justice Department and various law enforcement and regulatory agencies does to investigate and prevent fraud.

Investigate and prevent

The NCDF was established in 2005 after Hurricane Katrina to combat the massive fraud schemes that emerged as financial aid poured into the Gulf region. The center now coordinates investigations into all kinds of natural and man-made disaster fraud. It also works to prevent perpetrators from finding victims.

Recently, the NCDF posted on its website tips for charitable donors who want to help victims of Hurricane Ida (justice.gov/disaster-fraud). For example, the agency urges people to avoid making cash donations, writing checks to individuals or donating via wire transfer.

COVID and other opportunities

COVID-19-related fraud — including dishonest Paycheck Protection Program (PPP) loan requests and phishing schemes offering fake “miracle” drugs — makes up the bulk of current NCDF complaints. In recent weeks, the Justice Department has announced the indictment and sentencing of a roster of COVID criminals.

This includes a Georgia woman who pleaded guilty to bank fraud after seeking $7.9 million in PPP loans for four medical practices she controlled. In another ambitious scheme, a Texas man submitted 15 fraudulent PPP applications to eight different lenders, seeking a total of $24.8 million.

Of course, criminals will capitalize on any opportunity. A California man received $26,000 in relief funds from the Federal Emergency Management Agency (FEMA) after falsely claiming a trailer burned in the Camp Fire was his primary residence. Earlier this year, a Florida woman was sentenced to more than six years in prison for using stolen identities to file five applications for FEMA disaster assistance that was intended for actual victims of Hurricane Irma.

Calls for help

Agencies investigating disaster fraud depend on tips from ordinary people who’ve witnessed or are victims of these crimes. The NCDF hosts a 24/7 telephone hotline (866-720-5721) and accepts Web form complaints at justice.gov/DisasterComplaintForm. Also, if you believe disaster fraud has delivered a double whammy to you or family members, contact us for more information on how to fight back.


How to conduct a remote fraud investigation

Before the COVID-19 pandemic, most fraud investigations took place in the office or other work facility. This made it easy for investigators to gather and analyze data and interview suspects and witnesses in a face-to-face setting.

But if your company allows employees to work from home — either temporarily or permanently — you may need to conduct a remote fraud investigation. In addition to suspects and witnesses working remotely, those tasked with conducting investigations (including outside experts) may also be remote. Here’s how to manage these situations.

Policies and procedures

First, develop policies and procedures for remote investigations. If you already have written policies for traditional fraud investigations, use them as a starting point. Some features, such as the role and processes of investigators, may remain basically the same.

Cover the entire process, including:

  • The technology solutions you’ll use to communicate with employees and investigators,
  • Backup options in the event of technical problems, and
  • How you’ll share relevant files and documents — both electronic and paper.

Once you’ve developed a draft, have legal counsel review it.

Conducting interviews 

Before conducting interviews, prepare subjects for the process. Let them know approximately how long the interview might take and whether they must review documents before or during the discussion. Stress the importance of sitting in a quiet location with minimal background noise where they can remain undisturbed throughout the interview.

Ask subjects to keep their video feeds on for the entire interview so your team can observe verbal and nonverbal cues. Most computers, smartphones, tablets and wireless connections can handle video calls, but test subjects’ devices and Internet connections before interviews. Consider having a trusted member of your IT department perform the test, instructing this employee not to discuss anything specific about the interview or the fraud allegations.

There are a couple of things you should keep in mind. First, a video-conference interview can be recorded, by you or by the subject, and a recording may be used in a subsequent court case; consent requirements for recording also vary by jurisdiction. So discuss interview plans, including whether and how you will record, with your attorney.

Second, expect the unexpected. For example, how will you proceed if a fraud suspect declines to answer questions, turns off his or her video or audio feed or consults with an unknown third party in the room? Subjects attempting to dodge uncomfortable questions may pretend to have connectivity problems. 

Unique challenges

Remote fraud investigations present unique challenges — many of which can be anticipated and mitigated. But even if you normally would conduct a preliminary fraud investigation in-house, consider engaging a forensic accounting expert early in the process to help ensure you don’t miss anything.


What you can do to prevent fraud in your construction company

Fraud is costly for all victimized companies, but it’s even worse in the construction sector. According to the Association of Certified Fraud Examiners’ Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, construction companies affected by fraud lose a median $200,000 per fraud incident, compared with $125,000 per incident for all organizations.

Some types of fraud are more prevalent in the construction industry, particularly payroll and billing fraud. These can lead to legal liability and fines. For example, paying under-the-table cash wages to avoid paying payroll taxes could result in criminal charges and significant penalties. To prevent your managers and workers from acting illegally or unethically, tighten your internal controls. 

Essential controls

Certain internal controls are essential — including segregation of duties. This means that no single employee should control every step of a financial transaction; related tasks are split among different people. For example, the person who processes cash transactions shouldn’t also prepare your company’s bank deposits or reconcile the bank account. If you don’t have enough accounting employees to segregate duties, consider outsourcing some or all accounting functions. Also, have monthly bank statements sent directly to you or a manager independent of your accounting department.

You can reduce purchasing fraud threats by naming someone other than your purchasing agent — you or an estimator, for instance — to review vendor invoices, purchase orders and other documents. Also use prenumbered purchase orders and regularly check materials and supplies to ensure they correspond to what was ordered.

Kickbacks and bid-rigging can be kept to a minimum with scrutiny. If your company is suddenly winning bids that you haven’t in the past and that seem like a stretch, verify that your bid processes have been followed. Sometimes employees disguise illegal activities as change orders, so be sure to scrutinize each change order.

To minimize the risk of payroll fraud in your company, ask someone independent of your accounting department to verify the names and pay rates on your payroll. And if you don’t already, pay employees using direct deposit, rather than with checks or cash. You may also want to make surprise jobsite visits to compare employee headcounts to time reports and wage payments. 

Get help 

Don’t forget to enlist the help of fraud experts. We can review your accounting records and inventory and visit jobsites to help assess risk and suggest additional internal controls.


Prevent conflicts of interest from costing your business

Without trust between you and your employees, your business probably wouldn’t be very successful. Delegating responsibility, sharing ideas, working as a team — all require a certain level of trust. However, too much trust can lead to occupational fraud and conflicts of interest. To maintain the proper balance, establish a policy that outlines your disclosure expectations and require employees to follow it.

Purchasing power

What constitutes conflict of interest? Let’s look at a fictional example: Veronica is the manager of a manufacturing company’s purchasing department. She’s also part owner of a business that sells supplies to the manufacturer — a fact she hasn’t disclosed to her employer. And, in fact, Veronica has personally profited from her business’s lucrative long-term contract with her employer.

What makes this scenario a conflict of interest isn’t so much that Veronica has profited from her position, but that her employer is ignorant of the relationship. When employers are informed about their employees’ outside business interests, they can act to exclude employees, vendors or customers from participation in transactions where there might be a conflict of interest. Or they can allow parties to continue participating in a transaction — even if it runs contrary to ethical best practices. But it’s the employer’s, not the employee’s, decision to make.

Prevention is the best policy 

Sometimes employees simply neglect to inform their employers about possible conflicts of interest. In other cases, they go to great lengths to hide conflicts. Perhaps they’re afraid a conflict will jeopardize their jobs or get them into legal trouble.

Prevention is the best policy here. Develop conflict-of-interest policies and communicate them to all employees. Provide specific examples of conflicts and spell out exactly why you consider the activities depicted to be deceptive, unethical and possibly illegal. Don’t forget to state the consequences of nondisclosure of conflicts, such as immediate termination.

Providing personal information

You might also require employees to complete an annual disclosure statement on which they list the names and addresses of their family members, their family’s employers and business interests, and whether the employees have an interest in those entities (or any others). To help ensure accurate statements, provide employees with a hotline to call if they have questions about your policy, aren’t sure how it relates to their circumstances or want to report someone else with an apparent conflict.

Also protect your business from conflicted vendors and customers. Before entering into a new agreement, compare the names and addresses on your employee disclosure statements with ownership information provided by prospective business partners.

Not necessarily fraud

Conflicts of interest aren’t necessarily fraud. But if you don’t know how an employee is personally profiting off your company, it could suffer serious consequences, including financial losses. Contact us for help reducing this risk. 


How fraud perpetrators target military personnel and veterans

According to the Federal Trade Commission, veterans lost approximately $60 million to fraud in 2020. Active-duty military personnel and their spouses and dependents also suffered big financial losses to fraud last year. In fact, in 2020, military consumers lost more than the general public to fraud — a median $600 compared to $311 for nonmilitary consumers. Here’s what you and military friends and family need to know.

Beware of imposters

The greatest fraud threat to this group is “imposter” fraud. In this scheme, a criminal calls, emails or texts potential victims and pretends to be working for the Department of Veterans Affairs (VA) or another government agency. Perpetrators may claim they need personal information, such as Social Security or bank account numbers, to authorize the release of benefits. Instead, they use that data to commit identity theft.

In a variation of this scam, perpetrators pose as financial advisors who convince vets to exchange their pensions for up-front cash payouts. In most cases, the payouts are worth less than the pensions. Or fraudulent advisors may tout special benefits programs that can only be accessed by paying a fee. After paying, the fraud targets learn the programs don’t exist.

Unfortunately, many other types of fraud focus on vets and active-duty members — including fake job recruiting, loan, tax and charity schemes. One particularly vicious scam targets family members of deployed military personnel. Criminals claim the military member has been injured or is stranded and that the family must wire money. 

Foil fraud 

If you receive a communication from someone claiming to be a government official, offer to contact him or her at the agency’s official phone number. Don’t provide any information about yourself until you’ve independently confirmed the person’s identity.

In addition:

  • Never give anyone Social Security, bank account or credit card numbers over the phone or in response to an electronic communication. Legitimate representatives from, for example, the VA, IRS or state unemployment agencies, won’t ask for them.
  • Don’t click on links or download attachments contained in unexpected emails or text messages. Reach sites by typing their URLs directly into your browser or by using a bookmark you saved earlier.
  • Regularly monitor your credit reports for unusual activity and investigate sudden drops in your credit score.
  • Be wary of anyone claiming you must “act fast” to respond to an offer. Take time to confirm that individuals, programs and products are legitimate before handing over any money. Along the same lines, only work with financial advisors you know and trust. 

Sidestep risks

Military personnel, veterans and their families face a myriad of fraud risks. Be skeptical when reviewing claims, offers or information requests that aren’t delivered through official channels. Contact us with questions.
