October is National Cyber Security Awareness Month, but you knew that already…


Did you know that October is National Cyber Security Awareness Month (NCSAM)? Ok, you probably did not. It isn’t exactly the type of event that hits the front page of most newspapers and websites, but it should.

The FBI’s Robert Mueller recently stated that “cyber security may well become our highest priority in the years to come.” In my opinion, that time is fast approaching. If you follow the news regarding Cyber Security as I do, you may agree that we are already under a sustained attack that has the potential to cut the country’s economy off at the “knees”.

As we all know, it is not just corporations that are the victims. US consumers are targeted by organized crime groups from around the globe. In fact, this is not just a US problem, it is a global epidemic.

It is easy to dismiss NCSAM as a silly event that means nothing. And that is EXACTLY why you should pay attention. As long as consumers are victimized, there will be an incentive for fraudsters to invest the time and money to launch their attacks. So, with that in mind, please take the time to review the FBI’s recommendations below:

  • Set strong passwords, and don’t share them with anyone.
  • Keep a clean machine—your operating system, browser, and other critical software are optimized by installing regular updates.
  • Maintain an open dialogue with your family, friends, and community about Internet safety.
  • Limit the amount of personal information you post online, and use privacy settings to avoid sharing information widely.
  • Be cautious about what you receive or read online—if it sounds too good to be true, it probably is.

If you want more information on NCSAM, the FBI’s press release contains links to a number of helpful resources. I hate to state the obvious, but if you don’t take the time to improve your awareness of the cyber security threat facing the nation, no one will do it for you.

Need a writer that understands fraud? When you hire me to write an article, blog post, newsletter or white paper you get an accomplished writer that is also an expert in fraud.

paul@mccormackwrites.com


If you want to learn more about the “art” of interviewing fraud suspects, here is an interview that I gave on the subject. Let me know what you think…

CPE Link Blog

An interview with Paul McCormack, fraud investigator and educator…

How many fraud suspects have you interviewed in the course of your career as a certified fraud examiner?

After the first hundred, I actually stopped counting, but I’ve easily interviewed more than 500 people while investigating employee and third party fraud.

How is interviewing a fraud suspect different from the interrogations we see dramatized on TV?

The goals are very different. On TV, the actor-detective wants to force a confession. It makes for entertaining television. The goal of the interview in a private company is to encourage the employee to share information. Threatening him or her, with termination or legal action, isn’t appropriate or effective. In fact, there are legal risks to it. Tactics that may be appropriate for law enforcement can get you in trouble if you employ them as an interviewer in a corporation.

What qualities make a…


Dishonor among thieves

If you believe Diana L. Farmer-Forston, life has been a struggle since her early childhood. But in many respects, her struggles are just beginning. Diana was recently sentenced to two years in prison for embezzling $567,000 from her employer, Bennett and Zydron, a Virginia Beach law firm. In an interesting twist, Diana ended up being scammed out of $300,000 of the fraud proceeds when she agreed to lend a co-worker money to cover expenses associated with their cancer treatment. Allegedly, Diana made her coworker sign a promissory note with a monthly interest rate of 4.5%. Thankfully, the coworker is cancer free. In fact, they never had cancer in the first place.

Hired by the law firm in 2005, Diana didn’t launch her fraud career until 2007. What happened between 2005 and 2007? Did Diana’s struggles from her childhood come back to haunt her? We do know from court filings that her husband of 25 years announced in 1999 that he had decided to undergo a sex change operation. Their marriage ended shortly thereafter. That revelation surely had an impact on Diana, but did it force her to commit fraud seven years later?

Here’s a hint: In many cases, you’ll never figure out exactly what drove an employee to commit fraud.

In Diana’s case, it would likely require extensive therapy to truly uncover the root cause. Diana’s attorney claims that she has struggled with depression and other undisclosed mental health issues since her childhood. He also states that Diana was around physical, sexual and emotional abuse while growing up. She has apparently had a very difficult journey to date, but her struggles started long before she joined the law firm.

As an employer, you have to focus on what you can control. Certainly, before hiring a new employee, perform background checks, conduct a rigorous interview process and call references. Whether the employee experienced abuse, as Diana apparently did, is legally, ethically and morally out of scope during the interview process. Remember, you can’t control what has already happened…

You can control what happens once the employee sets foot in the office. Once they join the organization, make sure that you don’t send messages that help the new employee rationalize that committing fraud is “ok”. Fraud prevention essentially begins during the interview process and continues throughout the employee’s tenure. Assuming that you have not hired an employee that is already an accomplished fraudster, your company has ample opportunity to prevent fraud from happening. I’ll detail many of the tactics you can use to build a culture that prevents fraud in my next post. This post hopefully lays the groundwork.

Bottom line: You can prevent fraud if you focus on what you can directly control. The employee already has ‘baggage’ that they bring to the table. You can’t control how much, or what it contains. You can control how your organization is positioned to prevent and detect fraud. There are no “fool-proof” approaches, but you have far more power than you realize.

Learn more about Diana’s case here



5 reasons why companies struggle to combat fraud

Companies lose billions every year. Some are shocked that it happened to them. Others have a line item in their financial plan. (Yes, you read that correctly. They plan to lose money to fraud.) Far too many companies are forced to close their doors because of it…

So, why is it so hard for companies to combat fraud? Here are five reasons that I have uncovered during my career:

  1. “You work here as well?” – Fraud professionals often talk about their frustration with “silos” that result when departments involved with preventing and detecting fraud don’t talk to each other. In fact, a significant portion of my career has been spent helping break down the silos within organizations. The fraudster – both employee and third-party – is able to exploit the lack of communication between departments for their own benefit. Large companies are particularly guilty. It is not unusual for two or more departments to be actively investigating the same employee! No one has the complete picture of the fraud, yet each department continues to investigate the situation independently while the losses mount.
  2. “I don’t want to think about it” – Fraud can be overwhelming, especially for senior executives with an already heavy workload. It is easier not to think about what fraud may be doing to the company’s bottom line. Unfortunately, ignoring the problem will never solve it. In fact, when losses do result (yes, fraud happens) they are often gigantic.
  3. “We don’t have the money” – This reason is certainly understandable, especially when you consider the dire state of the global economy. It is probably the biggest hurdle that our firm has to overcome when talking with companies of all sizes. Unless the company has experienced a significant fraud within the last 12 months, there is resistance to any investment in fraud prevention or detection services. Until the company sees a spike in fraudulent activity, why should they worry? Well, unfortunately, you can’t pick a date and time when fraud will happen. It has an uncanny knack of taking place when you can least afford it. The costs to fix the problem are normally far higher than the prevention that was needed in the first place.
  4. “Bring it. We’ve got it covered” – From time to time, I run across an exceptionally high performing fraud department. They have the right mix of people, processes and technology to fight fraud. The company’s executives support their efforts and they routinely hire the “best of the best” to join their organization. They have fraud – internal and external – under control. Well, almost. What worked last month, or last year, will not automatically work today. Combating fraud requires a “continuous improvement mindset”. Fraud evolves, so too must the fraud department. Complacency can eventually destroy even the best fraud department. The latest fraud intelligence can literally make the difference between success and failure. Trust me; I’ve seen it happen on more than one occasion.
  5. “They were just that good” – I have interviewed 100’s of people who have committed fraud. Many of the schemes that they perpetrated required tremendous vision, drive and determination to execute. Some of the most intelligent individuals that I have met were in fact accomplished fraudsters. The really smart fraudsters are often never caught. Every fraud investigator can cite at least one or two situations where the fraudster got away with it. Some fraudsters are just that good. If they don’t make a mistake, you have almost no chance of catching them.

This list is certainly not all inclusive. I’d love to hear from others as to why fraud is so difficult for companies to fight. Also, if you disagree with any of my observations, feel free to say so!



Wow! Now THAT’s impressive!

What a fantastic response! I have been overwhelmed with a long list of blogs to review! I love what I have read so far. I’ve also personally learned a great deal of helpful information to boot! To make sure that I fully review each submission, I’ll announce the Fraud Happens blog of the week tomorrow (Tuesday).

Clearly, there are a number of talented fraud, security, and compliance bloggers out there! Keep ’em coming!


“There’s Gold in Them Thar Hills”


The lawsuit involving Hooters and Twin Peaks has already triggered a wave of clever, and not so clever, headlines, but it is really no laughing matter. (With this post, I suppose that I just added a headline to the list. You be the judge as to which category it falls into.)

The dispute involves Joe Hummel, the former EVP of operations at Hooters. Hooters alleges that as he was leaving the company, Hummel stole over 500 pages of sensitive business information and trade secrets.

He is now employed with La Cima restaurants. Unfortunately for Hooters, La Cima is in the process of launching the Twin Peaks restaurant chain (any guesses what the new chain will “feature”?). Before joining La Cima, Hummel allegedly downloaded Hooters’ marketing plans, contract agreements, recruiting tools, and sales figures – some or all of which are likely trade secrets – and then emailed them to himself using his personal email account. If this is true, how could it have been prevented? I regularly help companies prevent IP theft, and I can tell you that there is no easy fix. Instead, it requires a multi-pronged approach using the right mix of people, processes, and technology.

What is a trade secret anyway? The short answer is whatever you say it is! The more detailed answer is that a trade secret must be secret (not widely known), be of value because it is not widely known, and be treated as a secret at all times. In this case, it is not entirely clear if all of the information that Hummel allegedly took would meet the definition, but at face value, certain elements would appear to fit the bill. I would strongly suspect that Hooters’ marketing plans were not widely available within the company or the industry as a whole. Would the marketing plan be of value because it is not widely available? Ultimately, that is for the courts to decide.

Asking the courts to pursue employees that steal trade secrets is certainly within your company’s rights, but I would liken it to putting toothpaste back in the tube once squeezed. It is time consuming and potentially very messy, and the end result may not justify the effort.

Does your company have any trade secrets? (Hint: the vast majority do.) What have you done to protect them? Could an outgoing executive steal your company’s trade secrets? Would you even know?

If the answer to any of the questions above causes concern or leaves you wondering about how well protected your trade secrets may be, we can help. Just don’t wait until a theft occurs. By that time, the toothpaste is out of the tube…

Hooters is not alone in dealing with this type of situation. Given the glamorous nature of their business, they are unlucky enough to attract media attention when things go wrong. That said, could your company be next?


Is nothing sacred?

I guess not. Eleanor Zapanta allegedly stole $712,000 from the Center for Spiritual Living by, wait for it…writing 250 unauthorized checks.

If your organization uses checks in any way, shape, or form, be very, very careful. Zapanta’s fraud allegedly took place over six years. The church only has an annual budget of $1.2 million. Assuming that the money was stolen at the same rate each year, that’s just under $120,000 per year, or 10% of the annual budget, lost to fraud. Normally, a check fraud starts small and grows until it is discovered, but you get the point – the church lost a huge percentage of its budget from just one fraud scheme.

Given the information shared in the original news story, let’s see what we can learn or infer:

1. Church business managers should never be left to their own devices. Someone in the organization needs to review their work on a regular basis. Fraud thrives on secrecy, lack of oversight, and misplaced trust.

2. Check stock must be locked in a file cabinet or safe when not in use, and it should only be accessible when two individuals are present. I know – it feels like overkill, but consider the losses associated with just the check frauds that I have discussed on this blog. I have many, many more check frauds stored and analyzed in our global case studies database. Check fraud can easily cost well over $500,000, and it is almost 100% avoidable.

3. Don’t rely on your bank to stop embezzlement. Most banks do quite well at detecting and preventing check fraud perpetrated by third parties. Embezzlement, or fraud committed by an insider with access to checks, however, is a different matter. How exactly should a bank uncover an embezzlement if the checks are signed by an authorized signatory?

4. Reconcile your organization’s bank statements on a daily basis. As part of that reconciliation process, ensure that checks issued have the appropriate supporting documentation such as invoices, purchase orders, etc. Checks should also have two signatures when appropriate and pertain to business-related expenses. Checks made out to individuals or payees that appear unfamiliar should receive additional scrutiny.
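The checks described in point 4, written out as a short Python routine. This is an added example, not part of the original post: the record layout, the dual-signature threshold, the approved-payee list and every sample row are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for this illustration; the post gives no figures.
DUAL_SIGNATURE_THRESHOLD = Decimal("1000.00")
APPROVED_PAYEES = {"City Utilities", "Harbor Office Supply", "Grace Catering"}

@dataclass(frozen=True)
class IssuedCheck:
    """One row of the organization's own check register."""
    number: int
    payee: str
    amount: Decimal
    support_ref: str   # invoice or purchase-order reference, "" if none on file
    signers: tuple     # roles of the people who signed

@dataclass(frozen=True)
class ClearedCheck:
    """One check as it appears on the bank statement."""
    number: int
    payee: str
    amount: Decimal

def reconcile(register, statement):
    """Return [(check_number, [findings])] for cleared checks that need review."""
    issued = {c.number: c for c in register}
    results = []
    for cleared in statement:
        flags = []
        rec = issued.get(cleared.number)
        if rec is None:
            # The bank paid a check the organization has no record of issuing.
            flags.append("not in check register")
        else:
            if rec.amount != cleared.amount:
                flags.append("amount differs from register")
            if rec.payee != cleared.payee:
                flags.append("payee differs from register")
            if not rec.support_ref:
                flags.append("no supporting documentation")
            if (cleared.amount >= DUAL_SIGNATURE_THRESHOLD
                    and len(set(rec.signers)) < 2):
                flags.append("second signature missing")
        if cleared.payee not in APPROVED_PAYEES:
            flags.append("unfamiliar payee")
        if flags:
            results.append((cleared.number, flags))
    return results

# Constructed sample data (not taken from any real case).
D = Decimal
REGISTER = [
    IssuedCheck(1001, "City Utilities", D("412.80"), "INV-2231", ("business manager",)),
    IssuedCheck(1002, "Harbor Office Supply", D("1850.00"), "PO-0417",
                ("business manager", "treasurer")),
    IssuedCheck(1003, "Grace Catering", D("2400.00"), "", ("business manager",)),
    IssuedCheck(1004, "J. Smith", D("950.00"), "INV-2290", ("business manager",)),
]
STATEMENT = [
    ClearedCheck(1001, "City Utilities", D("412.80")),
    ClearedCheck(1002, "Harbor Office Supply", D("1950.00")),
    ClearedCheck(1003, "Grace Catering", D("2400.00")),
    ClearedCheck(1004, "J. Smith", D("950.00")),
    ClearedCheck(1005, "J. Smith", D("3000.00")),
]

if __name__ == "__main__":
    for number, flags in reconcile(REGISTER, STATEMENT):
        print(f"check {number}: {'; '.join(flags)}")
```

The output is a review queue for a second person, in line with point 1, rather than a verdict on any individual check.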

There are additional lessons learned, but that’s enough to start the ball rolling. What additional measures would you recommend?


“I’m as mad as hell, and I’m not going to take this anymore!”

Regular readers of this blog will know that many of the fraud losses I discuss here are largely avoidable. Well, my business partner and I have decided to do something about it. Today, we launched Consult-OnLine, an online platform that provides fraud and intellectual property theft prevention services for small- & medium-sized companies.

Why now, and why online?

Quite simply, the number of fraud cases involving small- and medium-sized companies is staggering. SMEs need help, and they need it fast. They are often overlooked by traditional consulting firms as too small to purchase services – or worse, the companies suffer in silence and do their best to muddle through without the assistance of a fraud expert. The most common reason for not engaging a fraud consultant is cost. Small companies can’t afford to pay the hourly rates and expenses that traditional firms charge. They are also genuinely concerned that once a fraud consultant enters their office, they will have a hard time convincing them to leave.

Believe it or not, other firms have offered professional services online before. One in particular was phenomenally successful, but for a number of reasons they shut the site down. We strongly believe that professional services can be delivered online. In fact, we built an innovative platform to do exactly that.

In addition, over the last three months, we have developed a proprietary database that contains analysis of fraud cases from the news. There are so many lessons to be learned from fraud at other companies. We thought it made sense to build a database that companies could access and use to learn how to avoid a similar fraud at their company. I have over 16 years of fraud experience, yet even I am amazed at the number of six- and seven-figure fraud cases that we have gathered from around the world. We are absolutely convinced that the database will “open eyes” and help companies dramatically reduce their fraud risk.

So, I am mad that small- and medium-sized companies’ coffers are being raided by fraudsters with impunity. AND my firm is prepared to do something about it.


You’ll never understand fraud in my industry

“It is way too complicated for anyone outside the industry to understand. Fraud in our industry is just… well… complicated!”

– Senior Executive at XYZ company

I won’t disclose the name of the company, but the preceding statement was made by a Vice President of Internal Audit during a discussion about fraud within his company. I failed to convince the VP that the 80/20 rule applied. I believed, and still do, that 80% of the fraud schemes they experienced could be found in other industries, with the remaining 20% being industry specific. He believed the exact opposite, that 20% were common to other companies and that 80% were industry specific. I lost the argument (it was really a friendly exchange).

What I didn’t have available at the time was access to a database of previous fraud cases from within his industry. I do now. We have created a proprietary database that includes hundreds, soon to be thousands, of fraud cases from around the world. Here is an example of just one case in the database involving healthcare.

Ronald A. McFarland of Pennsylvania received a 37-month sentence for his role in embezzling $2.46 million from Rosewood and Oaktree Cancer Care. McFarland was the president of Verimed, a third-party billing company. Rosewood and Oaktree engaged Verimed to bill for outpatient radiation treatment programs for cancer patients. So how did McFarland commit fraud? Very, very complicated (I jest). He billed for services, then kept the money he received. He then made fraudulent accounting entries to cover his tracks.

Could this type of fraud happen in your industry? Sure it could! The healthcare industry uses third-party billing companies a great deal due to the complexity and length of time it takes to collect from insurance plans. But you don’t have to be in healthcare to experience a loss of this type. If your company relies on a third party to bill and/or collect amounts due your company, the potential is there.

I do agree that fraud within certain industry segments is exceptionally complicated, hence my earlier statement that 20% of fraud is specific to an industry. But when you remove the industry and truly analyze the fraud modus operandi, the other 80% starts to come into focus. Regardless of industry, fraudsters want your money in whatever form they can take it (cash preferably!).

If I have learned anything from my career in fraud, it is that history repeats itself again, and again, and again. Certainly, fraud schemes that are specific to your industry must be understood to prevent losses. However, don’t believe your “own press.” Fraud within your industry is not so unique that you can’t learn from other industries. You’d be amazed at the similarities across industries. Trust me.

So next time someone says fraud is so complicated in their industry that you’ll never understand it, take the time to politely challenge their statement. You may have much more in common than you both realize!
