This week is International Fraud Awareness Week, so we have taken the opportunity to think about how our clients, and we ourselves, may be affected by fraud. There are certainly plenty of cases of fraud to read about in the news; most recently I was surprised to learn of fraudulent money ($17m!) being raised for an apparent Netflix movie, which turned out to be a scam. There are many stories relating to the consequences of fraud, where people and businesses have sadly fallen victim, but there seems to be insufficient guidance on how to protect ourselves and our businesses. Apparently, in the UK, there is a financial fraud every 17 seconds; I find this statistic pretty alarming!
Some clients acknowledge the threat and ask us for advice on how to protect their business from fraud, whilst other clients tell us “it wouldn’t happen to us.” Unfortunately, the risk of fraud is constantly increasing and inevitably, every business needs to think about it and take actions to protect themselves. Interestingly, the most common type of fraud is internal, so having a strong internal control environment and open culture simply isn’t enough. As an auditor, I regularly think about how my clients can guard against internal fraud, but more recently, we’ve had to broaden our recommendations on how they can protect themselves from external fraud as well. This is, of course, much more of a challenge for us all, given how advanced the scams can be. I have picked out some of the key ways to help minimise fraud risk to organisations and individuals and have summarised my thoughts below.
Challenge and question
Management should regularly review reports and financial information, and question anything that looks unusual, or not how they might be expecting it to look. This includes challenging good news – I know myself that if something hadn’t gone as well as I’d hoped, I would ask more questions than if something had gone better than I had expected it to. Businesses should analyse their performance and margins against competitors and ask some questions if these seem to be doing better than everyone else. Patisserie Valerie clearly did not do this, as their margins were significantly better than those of their competitors. Had this question been asked, there may have been a different outcome.
Be careful with emails
It is common for frauds to happen over email; this could involve identity theft, or interception of the email itself or its attachments. Emails could also include links containing viruses.
A fairly common fraud is where a company receives a change of bank details over email from their “supplier.” If the email is not from the supplier, funds will be paid and likely lost. This may only become clear when the real supplier chases for payment. This obviously has a financial impact on the business, but there is also a significant administrative burden in sorting it out after the event. This can be avoided by picking up the phone to your regular supplier contact (using the phone number from your system or database rather than the number in the email), confirming that the email is genuine, and double checking all the details.
Apply extra caution when invoices are sent by email. Some fraudulent invoices will be perfect copies of what you would normally see. Ensure you have a process in place to think twice, or double check when paying invoices received by email.
In summary, never rely on an email alone. The sender may not be who you think it is, or the email may have been intercepted. Always make that phone call for some extra reassurance. It is equally important not to click on links contained within emails, especially from email addresses you do not recognise.
As mentioned, frauds seem to be becoming more and more advanced, and it is important that staff are kept up to date with what they can do to protect themselves, both as individuals and as employees. There is little value in delivering training that may be forgotten about after a few weeks, so it must be regularly refreshed. Staff should be trained, and there should be controls in place to ensure they are following the checking process each and every time they receive an email, for example. It only takes one mistake for there to be some negative consequences. Staff should also have guidance on social media and sharing business information. There also needs to be general awareness in the workplace; clear policies and procedures are a good place to start.
Some companies send test fraudulent emails to see how staff react; the emails will likely include some of the “red flags” that staff should be looking out for, to see if they pick them up. The red flags can include incorrect spelling and poor presentation, or the sender address looking unusual (I have seen some that seem to be made up of random letters and numbers, rather than the format of ‘someone’s name @ the company they work for’), or urgency in the email to act straight away. Test emails seem to work well and can be a valuable training exercise. If it makes someone ask that extra question, it is probably worth doing.
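The checks described above (the call-back before acting on a change of bank details, and the red flags staff are asked to look for) can be sketched as a simple triage step. This is an added Python example, not part of the original article; the supplier record, phone number, keyword lists and sample emails are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier master data: the domain and phone number already on file.
SUPPLIERS = {"acme-supplies.example": "+44 20 7946 0000"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|straight away|asap|without delay)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|change[ds]?|updated?)\b.{0,40}\b(bank|account|sort code|iban)\b", re.I | re.S)

def looks_random(local_part):
    """Heuristic for 'random letters and numbers': several digits, few vowels."""
    letters = [c for c in local_part.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in local_part)
    vowels = sum(c in "aeiou" for c in letters)
    return digits >= 3 and (not letters or vowels / len(letters) < 0.25)

def triage(raw_email):
    """Return the red flags found and whether a call-back is needed before paying."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # assumes a plain-text body
    flags = []
    if domain not in SUPPLIERS:
        flags.append("sender domain not on file")
    if looks_random(local):
        flags.append("random-looking sender address")
    if URGENCY.search(text):
        flags.append("urgency")
    if BANK_CHANGE.search(text):
        flags.append("bank details change")
    # A bank-details change is never actioned from the email alone, even when
    # the sender looks right: the message may have been intercepted.
    return {"flags": flags, "callback_required": bool(flags),
            "call": SUPPLIERS.get(domain, "look up the supplier's number on file")}

# Constructed sample emails (not real messages).
SPOOFED = ("From: Acme Supplies <x7k2q9zt4@acme-supplies-payments.example>\n"
           "Subject: URGENT: updated bank details\n\nPlease pay the invoice to our new account.\n")
INTERCEPTED = ("From: Jo Smith <jo.smith@acme-supplies.example>\n"
               "Subject: Bank details\n\nOur details have changed, please use the new account from now on.\n")
ROUTINE = ("From: Jo Smith <jo.smith@acme-supplies.example>\n"
           "Subject: Invoice 1042\n\nPlease find attached our invoice for October. Payment terms as usual.\n")
```

The `INTERCEPTED` sample comes from the supplier's usual address and shows no other red flag, yet still requires a call to the number on file, never a number taken from the email.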
So, if you’re concerned about fraud but are unsure where to begin, we would recommend that a good place to start is by asking that extra question. Whether that extra question is challenging a result, picking up the phone to a supplier to check that an email is genuinely from them, or checking a link before clicking, it may be just what is needed to avoid some of the consequences of being a victim of fraud.
If you would like further advice on how to protect your business from fraud, please do not hesitate to get in touch with our team.