By Paul K. Graser, CFE
Sr. Investigative Specialist
Edward Jones
St. Louis, Missouri
Although fraud does not discriminate, it has a heavier impact on smaller businesses (companies with fewer than 100 employees). Larger businesses have the luxury of implementing more complex procedures and audit controls. They may even set up a fraud hotline for employees to report any internal issues.
An Association of Certified Fraud Examiners (ACFE) study in 2018 concluded that 30 percent of fraud cases occurred in small businesses, and 60 percent of those did not recover their losses. Those losses were in addition to the regular things that can affect productivity and profits, such as employee morale, brand image, reputation and unforeseen issues like global pandemics. Fraud in small businesses can have a more damaging effect because of smaller scales and profit margins.
Clickbait + Email Compromise
One scam that goes for big money is called the "business email compromise." This occurs when an employee's email account has been compromised. This scheme is the next evolution of the poorly written phishing emails requesting money for unknown third parties. In this more complex scenario, the hacker will break into a system or network with clickbait. Clickbait involves someone in the company clicking on a link that downloads malware or spyware, which then runs unnoticed in the background. The hacker will monitor the sent and received messages and note which individuals in the company are decision-makers. From there, the hacker will work out what he or she can potentially exploit. With access to calendars, previous emails and invoices, the scammer will take notice of how directives are given and the typical chain of command.
One EASA service center owner shared a story of when he was on a business trip at a sales convention, and his controller received an email that appeared to be from him requesting a $30,000 wire transfer to purchase equipment. The message was sent from the owner's email address and had the wiring instructions on an attached document. The controller obliged and had the bank wire the funds.
When the owner came back from the trip the next day, he inquired whether the wire had been sent because the intended recipient had not received it. The controller showed the owner the confirmation. However, the owner also noticed the wiring instructions were different from what he had sent. After further investigation, they determined a hacker had changed the wiring instructions in the attachment but left the wording and the dollar amount in the email the same to make the change less noticeable.
An attempt to recall the wire was not successful. When the owner went back to the supplier's email, he found the original wiring instructions were different from the ones the controller received. Going forward, this business has implemented a rule to call the originator of any wiring instructions sent via email and confirm they match the ones received.
Trust But Verify
Another EASA member shared that an assistant made a sale while the owner was on vacation. It was an incoming call from a desperate individual looking for a specific part. He was allegedly fed up with the turnaround time from a competing company and looking to try this member's services. The part needed cost almost $4,000, and the member's company happened to have one available. The caller provided a shipping address and a credit card number. The assistant even went a step further and contacted the company name provided and asked if the person who placed the order was employed there, which he was. The assistant then pushed the order through to be shipped immediately and emailed the good news to the EASA member.
A couple of days later, the credit card authorization request was submitted but came back declined. The EASA member followed up with the purchasing company. When asked to speak to the person who made the purchase, the voice on the other end didn't sound like the person who originally called. Sure enough, the individual advised that he never placed the order and wasn't even the person who had the authority to do so. After getting back into town, the owner did a Google search on the address where the part was delivered. The location turned out to be a vacant warehouse.
This EASA member put the following best practices in place to ensure due diligence on new customer accounts:
- Verify the purchase and figure out if it makes sense for the buyer by asking more questions.
- Confirm the buyer has the authorization to make purchases for the company.
- Make sure payment is received and confirmed from new customers prior to shipping.
- Verify that the customer company is legitimate by checking their website on WHOIS.com.
- Verify shipping addresses for new customers using Google Earth.
- Purchase/sale must be approved by another authorized individual within the company.
Small businesses remain an essential part of our economy and culture. Awareness of typical fraud schemes will increase the chances of catching and preventing fraud losses in the future, enabling a larger profit.