Most business owners are unaware of just how high the risk is that they will be victims of fraud. In this case, ignorance does not equal bliss; it can put entire businesses and financial futures at risk.
In May, the WannaCry ransomware cyberattack hit organizations like FedEx and the U.K.’s National Health Service, affecting more than 200,000 computers worldwide, with cyber scammers demanding owners pay $300 or more to retrieve their data.
Ransomware like WannaCry grabs hold when someone unwittingly opens an email attachment or uses a compromised website, allowing a virus to enter. The hard-hitting software allows hackers to lock files or entire computers until a ransom is paid.
It’s bad news for businesses, whose biggest fraud worries used to centre on employee or supplier deception. But today, with online bad guys who are often one cyber step ahead of the good guys, businesses are in complex territory where they need to gain control over both digital and tangible assets.
“Fraud is about people telling you lies for money,” says Greg Draper, the Calgary-based forensics expert at accounting firm MNP. “In the past it was employee-focused, or else vendors. Now, with the Internet, it allows criminals around the world to reach you. Their full-time job is to find ways to make businesses part with their money. We know that about 50 per cent of businesses in a year are victims of fraud. Some may not know it, but they’re all vulnerable.”
Man in the Middle
At casual gatherings, Bruce Hallsor heard about an online fraud, dubbed “man-in-the-middle,” making the rounds in Victoria and beyond. It’s when a fraudster somehow infiltrates an email dialogue and impersonates both parties, so that the service provider (lawyer, accountant, supplier, etc.) and the client each believe they are still writing to the other.
“I didn’t think much of it,” recalls Hallsor, managing partner at Crease Harman LLP. “Law firms have good security. We’re dealing with trust money.”
But on February 1, Hallsor opened his work emails and saw a message where he had asked his accounts-payable department to deposit $97,600 into a U.K. account.
“Supposedly, it was a deal I was working on,” he says. Perplexed because he didn’t recall the deal, he walked over to his accounts-payable employee and discussed the unanticipated request. As it turns out, his employee wasn’t aware of the deal either.
Red flags went up, and Hallsor and his employee began scrutinizing the emails. Somehow fraudsters had got into the email chain and used an email address that transposed two letters in Hallsor’s legitimate email address.
“It was very hard to notice,” he says. Deciding to play cat and mouse with the fraudster, Hallsor and a sharp-eyed staff member spent the day attempting to snag the crook, trying to make him or her believe the money was on its way. All the while they kept working to find out who was behind the scam. When it was apparent the money wouldn’t arrive, the fraudster broke contact. Hallsor reported the thwarted crime to the Victoria Police Department (VicPD).
“But there was no great expectation that they’d find them,” he says.
Detective Sgt. Derek Tolmie contacted U.K. police, but they didn’t act on the case, either because the crime was prevented or because of the sheer number of such complaints. “I am incredibly frustrated,” he admits. If a crook is smashing the door to rob a house, police will be there to help. But if a criminal is breaking into an online system to steal, don’t count on cop control. “You have to take steps to protect yourself,” he says.
In Hallsor’s office, where a financial mistake can destroy a valuable reputation, the law firm uses much documentation to support email requests, employs face-to-face contact to verify online messages and double-checks all requests for money disbursements.
“If you rely entirely on email, you’re vulnerable,” Hallsor stresses. Over many years of practice, he knows that having well-trained staff who know not to open random emails or play around on social media is paramount. Also crucial is that for the last 20 years his firm has used the same IT professional to keep the company’s firewalls and software up to date and secured.
As Tolmie knows, not all businesses are as aware. In one file, $1 million was stolen by an online fraudster after a Victoria lawyer and his client both thought they were communicating with one another when, in fact, they were messaging the double-dealer. Legitimate emails about a real-estate transaction between the lawyer and the daughter of an elderly client were accessed. Soon the lawyer got frustrated with the client’s odd requests, which were actually made by the fraudster. The lawyer chalked it up to the client being old and perhaps confused.
“Never in his wildest dreams did he believe he was being defrauded,” Tolmie says. But the $1 million vanished after deposits in Asia, then Europe.
Another local case involved the purchase of a large piece of equipment for a business. The scammers infiltrated email correspondence (via the one-character difference in email addresses) between the purchasing manager and supplier, asking the manager to send $25,000 to Florida instead of the expected address in Canada. What was interesting, Tolmie says, is that the Canadian supplier had earlier been scammed by a woman, apparently in Russia.
“What we’re seeing are victims dragged into two different frauds, man-in-the-middle and romance scams,” Tolmie says.
The crooks, who can be anywhere in the world, are trolling 24-7, sometimes using spyware that gives them full access to a company’s computers to learn its business dealings, sometimes doing lots of online research.
“They knew a lot about Hallsor,” Tolmie says. When they strike, there’s a sense of urgency as the fraudsters tell the victim they have to act fast, often leading to careless activity.
“Slow right down. Do your due diligence,” Tolmie advises.
Targeting Small Business
Also on VicPD’s radar are counterfeit cheques, often intercepted in the mail or else reproduced. Thanks to laser printers, the fake cheques are very convincing, Draper adds.
Rosanne Walters became a chartered accountant in 1983, and by 1989 she was a forensic auditor working in Los Angeles, where she later ferreted out fraud in the movie industry. Today she’s a partner at BDO Canada LLP in Vancouver, where forensic investigations are one of her several specialties.
“We used to worry about equipment disappearing out the back door, but with so much more electronic data we’re moving from internal theft to cyber crime,” Walters says.
She’s learned hackers love to target smaller businesses that can’t afford dedicated IT staff and instead cobble together a system. Often firewalls and updates are neglected, or employees are lax when it comes to passwords, using stupidly simple ones. And when that random attachment or email arrives at the office promising a cruise, and someone clicks on it? Presto, malware or ransomware blazes in. Tipoffs are emails that contain grammatical or spelling errors.
At Walters’ office, staff put a code word in each email so other staff know it’s legitimate.
“And our company flags every external email in red,” she adds. Her company also doesn’t allow staff to send company emails to their personal addresses. Another tip? Encrypt company data, because when an employee turns on the computer and is greeted by a black screen, it can be too late to retrieve data.
“Hackers can install keystroke monitors and sit and watch and see who is who,” says Walters. She also recommends employers not allow staff to use memory sticks at work, relating the story of a woman who, when she didn’t get a bonus she thought she deserved, downloaded company information and sold it to a competitor.
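The two email tricks described above (a sender address with two letters transposed, or one character off, and the practice of flagging every external email) can be turned into a simple inbound-mail check. This is an added example, not code from the article or from any firm it quotes; the contact list, domain and addresses are constructed placeholders.

```python
# Added example: flag lookalike and external senders before a staff member acts
# on a payment request. Not from the article; all addresses below are constructed.

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insert, delete, substitution or
    swap of two adjacent characters each cost 1, so a transposed pair of
    letters counts as a single edit rather than two."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def classify_sender(sender: str, known_contacts: list[str], own_domain: str) -> str:
    """Return 'known', 'lookalike', 'internal' or 'external' for one sender.
    A near-miss (distance <= 1) against a trusted address, or against the
    firm's own domain, is the pattern the article's victims were hit with."""
    s = sender.strip().lower()
    known = [c.strip().lower() for c in known_contacts]
    if s in known:
        return "known"
    if any(damerau_levenshtein(s, c) <= 1 for c in known):
        return "lookalike"
    domain = s.rsplit("@", 1)[-1]
    if domain == own_domain.lower():
        return "internal"
    if damerau_levenshtein(domain, own_domain.lower()) <= 1:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample data: a law firm's own domain and two trusted contacts.
    contacts = ["partner@example-law.com", "supplier@example-widgets.ca"]
    for addr in ["patrner@example-law.com",      # two letters transposed
                 "supplier@example-widgets.co",  # one character dropped
                 "clerk@example-1aw.com",        # lookalike of the firm's domain
                 "newsletter@example-cruises.net"]:
        print(f"{addr:32} -> {classify_sender(addr, contacts, 'example-law.com')}")
```

Anything returned as "lookalike" should be held for the face-to-face or phone verification the article describes rather than acted on from the inbox.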
How Vulnerable is your Business?
The February 2017 MNP Business Fraud Survey of 1,000 Canadian small business owners and 100 executives at companies with 100-plus employees unearthed a gap between the belief that fraud is being managed and what’s actually occurring, Draper says.
While 67 per cent of those surveyed say they have policies/procedures to deter, detect and deal with online and physical fraud, one third admit they believe their business was exposed to fraud but they don’t know for certain. Also troubling is that businesses may discover fraud but not make it publicly known, afraid of the damage to their reputations.
“There’s a risk for all businesses, but there’s an attitude that it can’t happen to us. The disconnect is quite startling,” Draper says.
When it comes to internal fraud, most often it’s committed by employees dealing with financial pressure, be it from an addiction (gambling, drugs, shopping), a divorce, a sick family member or an expensive lifestyle (big mortgage, luxury vehicle). They then rationalize their fraud by telling themselves they deserve the proceeds or that they’re not being paid enough, Draper says.
“I tell business owners all the time: open your bank statements. They’ll check their stock portfolios every day, but they don’t take the time to look at their banking documents. Part of it is, you don’t expect someone you hire to steal from you,” he says.
Walters tells of two realtors, married to one another, who let a bookkeeper handle their finances. The bookkeeper skimmed off substantial funds, and they didn’t notice until much later. Small businesses are susceptible, Walters says, because they often have one person in charge of the books who can easily manipulate accounts, going so far as to set up fake suppliers, writing cheques to them and pocketing the money.
Making headlines recently in Victoria was the $120,000 stolen over six years from MLA Rob Fleming’s office by his assistant, Marni Offman. Walters recently completed an investigation where an employee stole $180,000 over 18 months. Other internal frauds include kickbacks where an employee and supplier make a deal and the supplier gives the employee half of the money paid for a service or product, often at inflated prices. There’s also expense-account abuse, inventory theft and cash skimming.
Walters recalls a client who paid $50,000 for a coffee-shop franchise with the promise she’d earn $100,000 a year. After a year, she’d made no money. The problem was, she’d predictably arrive at the shop each day at 11 a.m. But during the pre-11 hours, staff would sell coffee for cash and pocket the money, and give away food to friends. Many of the workers were young women, often with children, working two jobs, who rationalized the theft, saying they needed money and believed the owner could afford it. Once the owner installed video surveillance, her business was soon profitable.
“People change their behaviour when being watched,” Walters says.
Also useful is having a whistle-blower hotline where someone can confidentially report fraud and not fear reprisals. Proper employee screening, including criminal-record checks, is also vital. One of Walters’ colleagues who screens resumés found that seven out of 10 of them contain falsehoods.
Job rotations and mandatory vacations are important because if someone is committing internal fraud, they don’t like someone stepping into their position where the fraud could be discovered, or they hate to be away from their motherlode, Walters says.
Employee support programs are valuable because they can assist with personal problems or addictions, both of which can lead to fraud. Fraud-awareness training is also useful. And consider having insurance against dishonesty, known as a fidelity bond. It insures a business for losses caused by dishonest acts done by employees, Walters says.
The man who thwarted a fraud has the last bit of advice. “If you’re paying attention, it’s hard to fall victim,” Hallsor says. “Stay vigilant.”
How does your business measure up for fraud prevention? Check out the Cybersecurity Checklist.
• Are your passwords hard to guess, changed regularly, not set to defaults, and securely stored?
• Do you have a disaster-recovery plan or business-continuity plan, including cyber-fraud insurance, to recover all data?
• Is access limited based on user need and are mobile devices fully secured?
• Do you know who has access to all computer systems — and is computer access removed immediately when employees/contractors/volunteers exit the company?
• Is a regular process followed to identify software failings and apply updates, and are dedicated, trained staff, which could include third-party professionals, used to monitor/service the network?
• Is your data stored with a cloud service (which can be as secure as storing it locally)?
• Is your most valuable or sensitive data encrypted, are daily backups done, and is public WiFi not used for financial transactions?
• Do staff get regular security training to be aware of threats such as phishing or phony callers seeking information?
Read more business fraud-fighting tips from BDO Canada.