In this episode, we take a look at the common types of fraud, what businesses should be vigilant of, and how can they protect themselves?
Host
Guy Ruddle
Guests
- Tristan Yelland, Partner, Forensic and Investigations, Grant Thornton
- Will Christopher, Partner, Kinsgsley Napley
Producer
Natalie Chisholm
Transcript
Guy Ruddle: Hello, and welcome back. Today we're looking at fraud. It's the largest reported crime in England and Wales according to the government, and they recently issued a three-year plan to bring the number of incidents down. In that plan, some of the onus is on businesses, not least because failure to prevent fraud is now a criminal offense. So what do companies need to be vigilant of? What methods are fraudsters using to target organisations? And how can businesses spot them?
[Teaser audio] Will Christopher: The problem for years has been there have been insufficient prosecutions brought, and so that has meant that this is a really risk-light crime to commit, which is why there's so much of it.
[Teaser audio] Tristan Yelland: We're seeing a real uptick in those sorts of AI-enabled, technology-enabled scams certainly in, in our client base.
GR: I'm Guy Ruddle, sitting in for Philippa, who's been laid low by a bug, and joining me today are two experts in the field with many cases worth of experience between them. Tristan Yelland is a partner in the Forensic and Investigations team at Grant Thornton. He specialises in dealing with fraud, misappropriation of assets, false accounting, and corruption. Will Christopher is a partner at the law firm Kingsley Napley, specialising in dispute resolution. He's an expert in civil fraud litigation, internal fraud investigations and fraud-related insolvency. So welcome both of you. Thank you very much for coming into our studio and being here.
TY: Thank you for having us.
WC: Good morning.
GR: So the government is obviously worried about fraud and with good reason. Fraud costs the economy £14.5 billion, just about, in the latest figures. It's the most, as I say, recorded crime in the UK. Will, has the situation been getting worse in your experience?
WC: I think definitely, yes. I mean, the amount of inquiries we get about frauds is definitely on the rise, and we have been seeing bigger and bigger frauds happening over the last few years.
GR: So it's not just the number of them, it's the size of them as well?
WC: Absolutely.
GR: Tristan, does what Will's saying chime with you? And is it just that there is more of it around, or are people getting better at seeing it?
TY: Yeah, I suppose there are two parts to that question. The answer to both is yes. I think there is more fraud around, and that definitely chimes with what we're seeing in terms of the inquiries to our firm. But as you say, I think people are becoming more aware of fraud generally, and that means that people are becoming better at spotting it. And as people become better at spotting it, that means that naturally they pick up on it more. So that means that people are reporting it more. So perhaps there might have been a lot more fraud previously, but people just weren't aware of it. But because people are becoming so much more aware of it because it is such a big issue, people are, say, spotting it more and things like technology are helping with that, and that means that it is becoming more and more of an issue.
GR: So in a way, that's a good thing?
TY: Oh, yeah. Absolutely it is a good thing. But effectively it's just highlighting what perhaps has been a bit more hidden in the past. But it's a good thing that we are becoming aware of it, but it is still very much an issue and those numbers that you quoted very much reflect that.
GR: Are there particular types of fraud that are the most common or that are becoming more and more prevalent?
WC: Yes. We see a lot of the same frauds that we saw previously repackaged or evolving to meet the law enforcement's attack on them. So for instance, authorized push payment fraud, where you are deceived into transferring money to somebody who you shouldn't have done. Since banks had to check the beneficiary name on domestic transfers, that has largely fallen away. But now the fraudsters are targeting international transfers because you don't have the same controls that the banks are required to check the beneficiary names. So you can say " I'm a supplier, our bank details have changed," and make the payment to the same company, but it's not to the company, it's to the fraudster's account. So that's one way that APP fraud has evolved. Advance fee fraud, that's also evolved. The classic 419 fraud where you had a Nigerian prince with millions in a bank account, but you had to make some payments to release it. That's changed now. It's because people are aware of that. And so I had a client who was wanting to borrow a very large sum of money for his business, and he was put in contact with fraudsters, and they said, "Yes, we can lend you this money, but before you get it, you've got to pay an insurance premium, which will sit on an escrow account." And of course, that was for £2.5 Million pounds.
GR: Wow.
WC: That went into what was supposed to be the escrow account and promptly disappeared, and we've been looking for it ever since.
GR: You think about that sort of fraud, with the Nigerian prince type thing , as something that individuals get caught by. Not, I would've thought, big corporates or sophisticated organisations.
WC: You'd be surprised. So I act for a lot of corporates that have been caught by this, and that was one of them. And you've got Ponzi schemes as well, where corporates will be a part of the victim group.
GR: Will, you were sort of nodding to the idea that corporates can be as caught out as individuals?
TY: Very much so. It's not so much my field of expertise, but certainly in terms of those sorts of scams, particularly in the cyber scams. Our practice has seen a real uptick in those frauds, and they really vary. But we had a client fairly recently, a quite well-known client, where it was one of those advanced AI scams. It was a Teams call, and they thought the Teams call was from their CEO. And they answered the Teams call and the CEO asked them to transfer some monies to facilitate an urgent transaction, which they did because they thought they were speaking to their CEO. It turns out that the CEO's account had been hacked as a result of a phishing scam, and actually they were talking to an AI image of the CEO, and so that individual just processed the transaction because they thought they were talking to their boss. Then it was only many months later when the auditors came in and asked what that transaction was about, and that employee said, "Well, ask my boss." And then the boss had no idea what it was about. It's things like that, where those things can happen. So we're seeing a real uptick in those sorts of AI-enabled, technology-enabled scams certainly in our client base.
WC: I think as well corporates are targets because they have deep pockets often and are paying suppliers for those sorts of fraud, so it's a run-of-the-mill payment according to the company and the people who are processing those payments. You get a few of those and you're in the money.
GR: All those examples are examples of external fraud— the company being targeted from the outside. I'm sure there's not empirical data for this, but how much of the fraud that we're talking about overall is internal? You know, people within the organisation rather than the organisation being attacked from outside?
TY: I'd have to say in the work that I see, the majority is internal. Although it really depends. In terms of the bad actors it kind of depends on the size of the business that we're talking about, and this kind of goes a little bit to your previous question around trends, I suppose. So in terms of, say, smaller to medium-sized businesses or maybe entrepreneurial businesses or owner-managed businesses, what we're seeing increasingly is a pattern of, say, individuals who are higher up the business, maybe a CEO or CFO or something like that, committing fraud against the business. It might be really basic fraud like expense fraud, credit card fraud, or something like that. But we have seen a lot of that in the last year or two, and that's quite a basic fraud in the smaller businesses. Maybe there isn't the control environment in place to detect that sort of fraud. But that's one type of internal bad actor that we're seeing, say, in those smaller businesses. But then in larger businesses, we're not seeing that extractive fraud, where it's money leaving the business. What we tend to see is a lot more financial statement fraud, where financial results are being manipulated in order to achieve a certain outcome, but that outcome benefits individuals within the organisation. Particularly if you think about the economic environment that we're in, where generally things are quite depressed, the economy's struggling, profit margins are suffering, but businesses and shareholders still demand profit. We often see this environment where in order to meet those targets, sometimes businesses will just fudge things.
GR: Like delay a cost or bring forward an incoming payment?
TY: That's exactly right, yeah. It's always, or not always, but it's often at the year-end where it'll be, as you describe, it'll be, " Let's try and push this cost into next year or bring some revenue forward from next year into this year to make our figures look better." Sometimes that's done in collusion with suppliers. So sometimes we'll see email correspondence— we have one at the moment where you can see a very open email correspondence between a client and the suppliers, where they're saying, "If you allow us to invoice this for you now, even though we haven't done the work, we're gonna raise an invoice early and we'll give you a 10% discount." So it's kind of offering an incentive to the customers in order to allow them to bring that revenue forward. But it's fraud. We see that sort of thing quite often.
GR: I mean, I don't wanna give advice to fraudsters, but first rule, don't put anything in writing, I'd have thought. But anyway that's perhaps not what we're here to talk about it precisely. Will, when you talk about this, particularly with the smaller businesses, SMEs or whatever, Tristan was saying they don't often have the same level of controls and things like that. Presumably it's quite a serious thing, it may not seem as serious as it could be. Is it something that can eventually be really existential for the business?
WC: Yes, definitely. I think first of all where you've got these owner-managed businesses, the controls are more slack because those individuals are often the controllers of the business. And so, and so that can lead to them being able to manipulate controls or just bypass controls completely. We often find that if a whistleblower brings us in, for example, that the frauds that they're blowing the whistle on are just the tip of the iceberg. And so you look back over years and years, and you find out that this has been going on for years. So you might know about half a million, and then it turns out to be five or six million that's been defrauded from the company, and that's obviously very impactful. Then there's the public relations side of things, although I think companies are really reluctant to litigate and recover losses because of that PR problem. But I think they should think carefully about the other side of that PR, which is we've got fraud controls, and this is an example of them working, and this is an example of us not letting somebody get away with it, and that's why we're taking this action. T
GR: That example where you go back in time, presumably that can create significant problems for their relationships with other people, with their suppliers, their customers, maybe their banks, or their lenders and all that sort of stuff, because suddenly they appear to have a particular situation, but when you now look back, it's very different.
TY: It's funny, to echo what Will says, sometimes what initially seems to be a small fraud at the outset can have such big implications. So we had a case a few years ago where, like I was talking about a few moments ago, it was a small or relatively small business, and we found that the CFO was committing fraud. Initially it looked like she was committing expense fraud, credit card fraud, et cetera. But when we explored further, we found that in addition to that, she'd also been manipulating the financial figures, and the reason she'd been doing that was because she had a performance related bonus. So she wanted to hit her target to get the bonus, and that was fine. We found that. But then related to that, we realised that the company also had a loan with banking covenants. So if you unwound the fraudulent reporting, we then realised that actually the company had breached its banking covenants for the previous six quarters, and then that had to be reported to the bank. So the bank now was told that, actually, this company that you've loaned to has missed its banking covenants for the last six quarters. So that really put the company in a difficult position because potentially the bank could have pulled its funding, and that would've been a really existential crisis for that business. So you can see how that sort of small initial fraud, the credit card fraud, became a really big problem for that business. In the end, the business got through it and it's going today, but you can see how it became a big problem. The other thing that I would say as well, in terms of thinking about your third parties, is the auditors. Hopefully, as this is an ICAEW podcast, that'll be of real relevance to the audience. But people don't consider, or businesses often don't consider, that they have to tell their auditors when there's been a fraud. And one of the concepts of an audit is that they rely on the integrity of management. So if, say, a financial director or a CFO has committed fraud, and the auditors have relied on that individual for a lot of audit information, that undermines a lot of the audit information they've got. What that therefore means is that the audit goes from being a clean audit to potentially being a qualified or disclaimed audit opinion. That will then be in the public domain. Those accounts will be on Companies House and accessible to everyone. And again, that can also put the company in a very difficult position with third parties lenders, and things like that. So there can be really severe consequences for a fraud.
GR: So are we saying that we think overall that companies, maybe particularly smaller companies, don't take the threat of fraud seriously enough?
WC: I think the answer to that is yes, they're not taking the threat of fraud seriously enough because you've got to balance putting in place policies and procedures to prevent fraud and the cost of that with the benefit of it, and it's very difficult to see the benefit of it unless you've been the victim. And so you find that the companies that have been a victim of fraud, they might not want to litigate, but they certainly want to tighten up their policies and procedures to prevent it happening again. But without having been a victim, I think you're absolutely right. There is a real danger that companies don't take this seriously enough.
GR: Especially as Tristan says, at a time when the economy is hard, plenty of businesses are having to work extra hard and pedal particularly faster to make a buck, so to speak. It's an easy thing for it to slip by the wayside a bit.
TY: Yeah, exactly. Ultimately, we see companies / shareholders are interested in the bottom line, and investing in things like fraud prevention is not necessarily front of mind always. As Will says, it's often once the horse has bolted that companies become really interested in investing in those sorts of anti-fraud measures.
GR: Slamming the stable door, to use the horse bolting analogy, is it more expensive to slam the stable door after it's gone than to have the door shut in the first place?
WC: Yes. Litigation is horribly expensive and really uncertain, and it takes up management time. And as I said before, there's a potential PR risk of having to deal with the fact you've been defrauded. So yeah, it's absolutely more expensive to deal with it, deal with the fraud that's happened than prevent it from happening. But just to pick up on what Tristan was saying, I think that where there was criminal liability attached to prevention policies and procedures for the Bribery Act, companies sat up and took notice and spent money on it because they risked their directors going to prison in the event that they didn't. The new offense of failure to prevent fraud may well have the same effect, and that's to prevent the company being used to commit fraud. But I think the same policies and procedures are likely to also have the knock-on effect that they will prevent internal frauds and frauds being perpetrated on the company as well.
GR: What's the role of technology? I mean, the obvious question is, one imagines it's making fraud easier, but is it also making it easier to detect fraud?
TY: In terms of the perpetration of fraud it's making fraud easier in a number of ways. There's the cyber side, which s- it's not really my field of expertise. Our digital forensics team deals with that. But as I mentioned earlier we're seeing a real uptick in that side of it. But also just the amount of technology that businesses these days deal with, particularly large businesses, I think it does make it easier to for fraudsters to commit fraud if they want to. But then because there's just so much data, which means that you can just kind of mask things easier, and with people working remotely and things like that, and people not being in the office, it just helps that ability to create fraud or perpetrate fraud. But in terms of detection, I have to say that some of the technology that's around these days, and certainly the technology that we use, is really incredible at helping to detect fraud. We can detect patterns in transactions which previously would've taken hours, days, weeks, months to go and analyse transactions. And some of the tools that they can sort of analyse millions of transactions and spot the unusual ones. But it's an ongoing battle because, in the way that you might get an unusual posting at the end of every month to say, like we were saying earlier, you might get revenue deliberately brought forward. Unfortunately, if that becomes a regular monthly thing, then the software might say, "Well, because it's a regular monthly thing, it's therefore not unusual, therefore I'm not detecting it as fraud." So it's an ongoing battle. But no, certainly the technology, it's helped fraudsters, but it's also helping us on the fraud prevention and detection side.
GR: The other tech thing that we haven't really talked about yet is cryptocurrency and all that stuff. I mean, there's so much to it. That's probably a whole episode's worth to be done. But in a nutshell, if possible, where are we with that and fraud?
WC: (Laughing) That is a...
GR: Sorry, that's a hospital pass!
WC: It's a big question. But I think you can break it down into two main categories. One is frauds actually involving cryptocurrency, where they have been stolen because a wallet has been hacked or something has happened like that, and you're trying to trace crypto into wallets. So that's one aspect, and that is definitely on the rise, and the English courts have been very good at adapting their orders, so you can get orders against persons unknown. There's been some very interesting judgments where a foreign exchange has been ordered to liquidate funds and send the money to the court, or liquidate crypto and send the money to the court. So that's where it actually involves crypto. But because crypto's such a big buzzword and people are making so much money apparently from it, it's also the most popular vehicle, I think, for investment frauds, where people say, "Oh, invest in this crypto," and you invest in it and you can see your funds going up and up, and it's all just a complete fiction, and you only find out when you try and withdraw your funds at the end of it, and then the fraud is to try and tack on an advance fee fraud at the end of it and say, "You've gotta pay some tax before we'll give you your your money." So you pay that, and you don't see that either.
GR: It's quite scary, this whole thing. If you're listening to this, then you could feel that it's all a, you know, a terrible situation and everything. But we have got this sort of fraud, three-year fraud prevention plan from the government. You've had a look at it, Will. What'd you think of it?
WC: I think it's a really good thing that the government is putting this front and center because the problem for years has been, and it's recognised in the report, there have been insufficient prosecutions brought, and so that has meant that this is a really risk-light crime to commit, which is why there's so much of it. I think that they've identified the risks pretty well. It certainly accords with what we're seeing, in particular in relation to the sort of industrial nature of fraud, particularly coming out of Southeast Asia and Africa. That's very interesting. And I think that there's some good thinking there about how they're going to actually attack this strategy. Some of it I thought was a bit vague, and I think the proof is gonna be in the pudding and how this is implemented. But there was also quite an interesting section at the end where there was a governance and accountability section, and it's like who is gonna be accountable for delivering this? I think that's really important because in the same way that in a corporate, unless there is somebody who is responsible for the company's fraud losses, it's not gonna be a priority. So I hope that this means that there are people who are responsible for delivering this, and so it might happen. You get some good stuff in there. It's a good start, but let's see what happens with implementation.
TY: Do you wanna add to that, Tristan? Yeah, I mean, I just echo what Will says, really. I think I say that the fact that it is front and center is fantastic. Obviously, I would say that because I'm a fraud partner. But I think it is gonna be about implementation and making sure that it really has teeth. It was interesting because I was at a conference last week, and that conference was attended by a number of GCs from corporates and a number of lawyers like Will and lawyers who act in Will's field. I think one of the speakers was the new interim director of the Serious Fraud Office, he took questions, and some of the questions to the interim director was, "Are you going to effectively be given powers to go after corporates in a really meaningful way?" Because the lawyers were saying that the first question that their clients ask them, their corporate clients, is, "What is the regulatory regime at the moment?" I.e. Does it have teeth? Because if it doesn't have teeth, then there's less for me to worry about, and therefore there's less reason for me to pay attention to investing in anti-fraud measures because I don't really need to worry about it. And so I think that really goes to Will's point around what is implementation of this going to be?
GR: I'm quite conscious that so far we've talked about all the problems, but we haven't talked so much about what companies can or perhaps should be doing about it to prevent it. And maybe we could start coming at it from sideways slightly, Tristan. When you're investigating, when you're looking at fraud, what are you looking for? And I ask that so that companies can understand what they're looking for as well.
TY: There's probably two different categories broadly of things that I'm looking for. So the first category would be transactional things. So as we've mentioned, unusual transactions at the year-end are always things that are gonna interest me as a fraud investigator. So, journals that are pushing expenses through to next year or pulling revenue forward into the current year. Any journals around judgmental balances, so accruals, provisions. Basically anything which appears to suddenly improve financial performance right at the year-end is gonna be a red flag for me. Also, any journals or transactions where a sort of management override of controls appears to happen, again, particularly at the year-end, is gonna be something which particularly interests me. So that's on the transactional side. And then the second category would be behavioral things. So something that I see in almost all the fraud cases that I investigate is that the business which has been the victim of the fraud has a culture which is not great, maybe call it a toxic culture, where, for example, there is so much pressure to achieve results that people are forced into this situation where they end up perhaps committing fraud. We had one case, it was a really bad example where people were effectively told that if they did not achieve a certain set of results by the end of a particular period, they would be forced to stand up against the wall and have darts thrown into them.
GR: What?
TY: Yeah, exactly. It's pretty extreme.
GR: Really?
TY: Yeah, absolutely. I mean, I don't know if it was a joke or what, but that's what the email said. And if that's the environment that you're operating in, you're going to do whatever you can to make sure you hit the figures, presumably because you don't want darts thrown into you. So where you have that sort of toxic culture, you often see that fraud follows. So that's the second thing that I'm looking for, is there that toxic culture around?
GR: Is that something that rings a bell with you, Will?
WC: Definitely. But I think it's important for businesses when they're thinking about fraud prevention to have a think about what their risks of fraud are, because different businesses will have different fraud risks. So you have a look at those, and then you can design and think about procedures and policies to prevent those risks. It's not rocket science. Companies can do it by themselves if they sit down and have a think about it and have a response plan. Have a plan for what happens if it goes wrong and despite all these policies and procedures, you fall victim to fraud, because those initial hours are so important because you can get very effective without notice orders from the court, but they're most effective if you act quickly before the money's disappeared and before your protagonists have got wind of the fact that you're onto them. If you're running around wondering: which lawyers to use, how do you conduct an investigation, do you need IT forensics? All of these sorts of things you can think about, and you can make sure you've got it so you know who to call.
GR: We've already said that, say you're running a business which is employing, I don't know, 80 people or whatever, so you're not a particularly big business. You're under pressure already. You're probably not doing enough of the fraud prevention stuff already, let alone having a plan for if it does happen. I mean, that's just another step you've got to go to.
WC: It's not very difficult. It really isn't very difficult to do. You've got to sit down for ten minutes and think, "Okay, do I have a lawyer who's an expert in this that I can call? Will I call my auditors or my accountants or do I need another firm of accountants to help me with this? If I've got the right firm of lawyers, they might be able to help with all of this." It's not difficult. It just requires a little bit of planning and thought, and it will be really helpful. And you invoke Sod's Law as well. If you've done the planning, it probably won't happen to you.
GR: Well, that all does make sense, and I like the idea of Sod's Law being your top protection. But are there any other things, sort of top thoughts for companies that you would say, if you're really gonna think of one more thing, what would it be?
WC: Train your staff to recognise these red flags, to recognise phishing attacks, to recognise signs of fraud. There's always the human element.
TY: Yeah I think that's absolutely right. I think the other thing is, if the worst does happen and if, unfortunately, your company is a victim of fraud, act early and inform the right stakeholders. So as Will alluded to a moment ago, it's bring in the right sets of lawyers and bring them in early so that you can protect yourself. If you need independent accountants, bring them in. Inform your auditors as well, because the auditors need to know so that they can then plan their audit accordingly. So often what we see when a company is a victim of fraud is sometimes they'll try to sit on it or maybe even hide it, and then at the last minute, they'll tell their auditors just before the accounts are being signed, and then suddenly the accounts can't be signed. There's a huge delay, there's cost overruns because things need to be reperformed. But tell your stakeholders early so that you can manage the process.
GR: Thank you both very much for that.
WC: Thank you.
TY: Thank you.
GR: If you have any thoughts you'd like to share about today's episode or the podcast in general, you can do that now via our contact email, which is podcasts@icaew.com. And now you've listened to this episode, please do remember to log it as CPD on the ICAEW website. That's a job for every time you listen to an episode, but you'll be relieved to hear it's a quick and easy one. Thank you very much for being with us.