A truck delivers a dozen pallets of computer monitors to a law firm. An account manager in an architectural firm receives an email from the executive vice president, asking her to update personal information as part of an enterprise initiative. A remote employee works from his home surrounded by three laptops. These might be common business occurrences, but corporate fraud could be hiding in each.
The truck could be delivering monitors that don’t meet an actual business need, but were ordered on a phony invoice that was approved without verifying the vendor or the purchase order. The important email could be a phishing scheme that looks like branded and secured internal correspondence. That remote employee could be working multiple “full-time” jobs simultaneously, by logging billable hours to all of the clients at once. Business fraud is common on a global scale, and the professional services industry has widespread vulnerabilities.
What motivates fraud? Follow the money. “There's increased pressure to meet sales goals and revenue goals,” said Anne Layne, Grant Thornton Risk Manager. “Any time there’s increased pressure to meet goals, you're going to run into people trying to commit fraud.”
In Layne’s experience, there are two areas where fraud is prevalent: business email compromise (BEC) and procurement fraud.
Business email compromise (BEC) fraud
BEC schemes use misleading emails that try to acquire data or deceive readers into taking action. For instance, they might appear to be from a vendor, requesting a change to their remittance account or address, or submitting an invoice for payment that goes to the scammer's account. On the consumer side, they could be sent to a customer, posing as the law firm and requesting payment for an invoice that goes to the scammer's account. Sometimes they simply try to acquire personal data and vital corporate information, like account data or social security numbers. With this data, the perpetrators can engage in identity theft and firm misrepresentation on a grand scale, and the result can cost a firm millions of dollars.
A Federal Bureau of Investigation alert reported more than 241,000 BEC incidents in financial institutions over the prior five years, resulting in a loss of more than $43.3 billion. All it takes to open a digital gate into the wider corporate IT infrastructure is a single employee clicking a link or following misleading instructions in a corrupt email. The ramifications can be significant.
Julia Cobb, Grant Thornton Risk Experienced Manager, noted that BEC “schemes can lead to financial loss, data loss and harm to your public and industry reputation — you might have consumers who associate your name with a scam.” BEC is on the rise, as the post-pandemic world has more remote employees and growing platforms for bad actors to exploit. More doorways lead to more opportunities.
There’s also a growing volume of procurement fraud in professional services. Procurement fraud is the practice of gaining an unfair advantage through dishonest or fraudulent means to procure contracts and services, whether it’s on the awarding or winning side. This can happen in collusion between buyers and vendors, deceptive invoicing from suppliers or “bait and switch” order fulfillment.
Fred Kohm, Grant Thornton Forensic Advisory Services Partner, noted that one example of procurement fraud is bid rigging, where “employees set up companies and go through the exercise of self-dealing services to their employer, or set up vendors to provide services to their employers — so it all looks fine.” Bid rigging usually involves complicity between a dishonest employee and a willing accomplice vendor, to cover the tracks of the fraudulent billing and order fulfillment. Procurement fraud has become especially prevalent in the deluge of government contracts related to pandemic recovery.
Another style of procurement fraud in professional services is false billing, with false bills often generated by remote workers. Without direct supervision, a growing number of professionals are recording phantom hours that are billed to client work. These workers are logging billable hours to multiple accounts while doing little or no work. Some individuals might even be juggling multiple jobs or gig jobs to increase their income while ultimately cheating their employers and clients.
The frequency and levels of fraud can seem overwhelming, but there are strategies to effectively combat and prevent ongoing deception.
How to fight fraud
Employee awareness can go a long way toward fighting BEC fraud. Employees should:
- Scrutinize emails, always checking for red flags like grammatical errors, changes in fonts or unrecognized domains.
- Slow down and don’t fall victim to a false sense of urgency in emails, or cut corners on security.
- Confirm security by forwarding suspicious emails to a central IT resource for review, or contact the sender by phone.
- Implement and use email filtering technology to block potentially suspicious emails, or to flag key words.
- Take and follow training to identify suspicious signs or activity, and report them.
Accountability is another big factor in fighting fraud. It’s important to have checks and balances where each participant must report work, to make it hard for fraud to lurk in the shadows. For instance, firms can require all workers to provide explanations for their billable hours. “Write a little narrative of what you worked on,” said Jack Rich. “Instead of just billing it to a code, provide the client with an explanation of what you are doing on that code.” When employees know they have to justify their actions, the temptation to “invent” billable hours declines.
Compliance programs and careful monitoring that emphasize accountability are also a strong fraud deterrent. Kohm said, “In a firm utilizing best practices, quality reviews and monitoring takes place within workflow tools and software. Professionals get alerts when things aren't exactly the way they should be, or in compliance.” When done right, such compliance programs can feel like a team effort rather than feeling intrusive.
Software solutions can also move the procurement process to automated approval workflows. This way, spending controls and contract management can be highly regulated with limits and restrictions that make it hard to hide falsified activity. More robust solutions include machine learning and artificial intelligence components that look for anomalies, discrepancies and commonalities throughout the process and raise red flags. Change orders and price fluctuations are common culprits.
Digital solutions help in the fight against BEC, too. Vendor management programs eliminate the need to verify email-requested changes, by creating a self-service portal for vendors to manage their own information. Email monitoring programs can reduce the risk of compromised emails even getting through, by looking for links, attachments, phony URLs and other red flags that cause havoc in firms.
The role of culture
However, it is still important to educate all employees to be vigilant in spotting problem emails. Training programs and accessible ways to report suspicious emails go a long way toward reducing this everyday fraud.
In some ways, fighting fraud can be as straightforward as paying attention. “If people think you are paying attention, they are less likely to do any of these things,” said Layne. “Even if you are far away geographically, engage with employees and know what is going on.” That means you also need to know your employees and vendors well, to help identify any changes in behavior or activities that might signal fraud.
The best prevention is to build a culture that discourages fraudulent activities. Employees who are paid fairly, and who respect and value their fellow workers, are less apt to look for ways to deceive their employers. A positive and productive culture drives a shared commitment to stop fraud early or even prevent it.
Corporate fraud can lurk in any email, delivery, invoice or timesheet. Everyday incidents can open the door to lost revenue, data and personal information. However, professional services firms have many options to fight fraud with comprehensive prevention programs and processes, employee awareness and a firm culture where fraud has no place.