The Hidden Heist

Smaller businesses are more at-risk for fraud — here’s how to protect yourself

Back Longreads Oct 31, 2017 By Steven Yoder

If federal authorities are right, the scheme was simple. El Dorado Hills resident Jeffrey Davis was national sales manager for Nature’s Path Foods, a Vancouver-based organic food company. Glen Martinka co-owned a food brokerage and distribution service based in Phoenix that marketed and sold Nature’s Path products.

Davis could authorize Nature’s Path purchases of at least $3,500. Prosecutors allege that between December 2008 and April 2012, Davis used that power to work with Martinka to create fake invoices, charging the company for non-existent services. Davis submitted those for reimbursement, and he and Martinka then split the proceeds, the feds say. Over three and a half years, the pair allegedly stole about $219,000. (Nature’s Path didn’t respond to a request for comment.)

Cashiers create fake transactions. An attorney diverts money from nonprofits whose accounts he managed. A credit union staffer falsifies bank documents. These are a few of at least nine cases of proven or alleged embezzlement in the region since 2013. “With fraud, there’s always something new and different. You never see it all — they just keep coming,” says forensic accountant Annette Stalker of Stalker Forensics in Granite Bay.

Most local cases involved mid-sized companies, banks or charities. Each year, small and mid-sized organizations, including small businesses, lose the most to employee theft. A study released in August by international insurer Hiscox reported that the median employee theft case cost companies an average of $1.13 million in 2016, and that 55 percent of cases involved companies with fewer than a hundred employees. And while no one keeps national data on employee embezzlement, a 2016 survey of fraud examiners estimated that it costs businesses and other organizations a full 5 percent of revenue each year.

A sense of autonomy is often what keeps staff happy in small businesses. But every virtue has its vice and when it comes to money, independence is cousin to temptation.  

Small firms have fewer employees, but they lose the most in these schemes. The fraud examiners’ survey found that the median loss at organizations with fewer than 100 employees in 2016 was $150,000, while losses at those with 1,000-10,000 employees were only $100,000.

But most companies don’t get interested in better controls until they’ve been hit, says Stalker. Small and mid-sized companies are behind for obvious reasons — they think they don’t have enough staff to segregate duties, and they’re more likely to employ family members and long-term employees, so relax what controls they do have. That’s why those who investigate swindles say small-business owners can make inexpensive business-process changes to avoid being the next target.

You Think You Know Someone

A common theme runs through many cases of employee theft: The perpetrator is a longtime, trusted employee, so oversight has been relaxed. “It’s sort of like, ‘Hey, we know him. He’s been around a long time. It’s OK that he’s not following the exact rules,’” says John Barrett, director of EisnerAmper’s forensic, litigation and valuation services group in Sacramento. Owners who don’t understand the work of their specialist employees are especially likely to fall prey.

Barrett worked on a case like that not long ago. A company hired its first-ever IT director to update the firm’s software and equipment. The owners saw immediate benefits. Over time, they gave him ever-more responsibility and independence. Finally, they put him in charge of his own budget, and he reviewed and approved vendors and related deliveries.

Related: Lock the Business Cookie Jar

His supervisors didn’t know that he had family members and friends who worked in IT. So, he started ordering fictitious or wildly price-inflated parts and services. He’d send $10,000 to his brother’s company for computers that never arrived, and the brother would pocket $3,000 and send him $7,000, says Barrett. The owners didn’t understand enough about tech to know that the spiraling spending indicated a problem.
The director was caught only when the company brought in a second tech staffer, who asked a board member why the IT equipment budget was so large. When the company landed some government contracts, the board member took his questions to the government’s auditors, who uncovered the slow-moving heist.

Whiteout, Tape and a Knife

Companies targeted often have something else in common: The owners don’t look at financial statements. That played a role in one of Stalker’s recent cases involving an area mortgage broker.  
A longtime staffer shared a small office with the company’s main bookkeeper. They became friends, and the officemate learned where the bookkeeper kept her login passwords.

That laid the groundwork for a low-tech, multi-part scheme. The bookkeeper worked part-time and came into the office at noon. So the officemate showed up most mornings at 5 or 6 a.m., before anyone else was in. On those days, she had a priority task: Login to the accounting software as the bookkeeper and write a check to herself, usually for about $1,000. Then in the accounting software, she substituted the owner’s name for hers, as the recipient. That in itself wouldn’t raise suspicion, since the owner often wrote checks to himself. Then she’d get back to work.

Related: I Think My Boss is Stealing From Me

There was a remaining step — the riskiest. She’d always volunteer to collect the mail, meaning she’d be the first to get her hands on the bank statement. That was crucial because it showed copies of her self-dealing checks.
Statement in hand it was back to her office, where she kept a folder with an X-ACTO knife, whiteout and tape. On the damning checks, she’d surgically remove her name and implant the owner’s. Next, she went to the copy machine to remove the traces of her doctoring. It helped that the owner never checked the statements.

Fast-forward three years and more than $200,000 later. One month, the employee got behind on her name-transplant duties. Unfortunately for her, it was tax time, and an outside accountant in the office asked for the latest statement. It wasn’t in the files because it was on the employee’s desk waiting to be doctored.
The owner called the bank, which helpfully faxed over the missing statement. The wayward staffer tried but failed to intercept the fax, and it was soon in the hands of the owner and tax accountant. “What’s this?” the owner asked the employee when he read the checks.
She had no answer, and he fired her on the spot.
(Real names omitted per Barrett and Stalker’s CPA professional code of conduct, including a duty to maintain client confidentiality.)

How Not to Be a Victim

Small companies assume they can’t afford expensive control measures to stop cases like these. The fraud examiners survey found bigger companies far more likely to have sound anti-fraud controls like external audits, fraud hotlines and fraud training — all of which detect and stop theft faster and so cut the losses if it does happen, according to the report.
In fact, small firms can afford prevention, says Stalker. In 2010, she and Conrad Davis, a partner at accounting firm Crowe Horwath, wrote a white paper on inexpensive steps that small- and medium-sized organizations can take.

For example, business owners should check bank statements before bookkeepers do. They should look at all canceled checks to make sure the payees are legitimate and that signatures and endorsements are authentic.
Owners also should limit financial authority, say Stalker and Davis. That means establishing dual check-signing responsibility for amounts over a certain level and having those who deposit checks return the deposit receipts to someone else, who compares the amount against the bank statement. That also means having a separate person check company orders when they arrive — in the case of the IT director, someone else should have signed off on delivery to ensure that if 10 computers were ordered, 10 were delivered, Barrett says.

Fraud tip lines are essential too. Companies should contract with one since they’re the most common way that theft is detected, according to the fraud survey.

And Stalker and Davis advise owners to do background checks on all hires who will handle money. Once they’re onboarded, owners should be alert to lifestyle changes that indicate someone living beyond their means.
James McCurley, a director and forensic accountant in the Sacramento office of Denver-based  RGL Forensics, says companies should meet with an outside accountant every six months. You might pay for a couple of hours of an accountant’s time, but that’s well worth the price, he says.
Companies also often set an upper-dollar limit on transactions that don’t get the normal scrutiny. That’s acceptable, says Stalker, if you ensure there are too few of them for an embezzler to do lasting damage.  If you have only 10 transactions a year of less than $200, you could decide those aren’t worth tracking. But 50 in a year might be a different story.
McCurley adds a public relations proviso to fraud prevention: Make sure your employees see the measures you have in place. Part of their value is to advertise to other employees that someone else is watching the books. Barrett says there’s no reason for employees to be offended that they’re being cross-checked. “You have to be clear in your communication: ‘We’re going to look at what you’re doing closely, and it’s not a personal reflection on you. It’s a safe way to conduct our business,’” he says.
In fact, those who put in good controls are doing their employees a favor by not tempting them. “These are crimes of opportunity,” McCurley says. “Rarely do people join a company intending to rip off the owners.”