Fraud is an intentional act to deprive another of property or money by guile, deception, or other unfair means. Corporate fraud is fraud against a company and can be committed by internal or external parties. Internal fraud is when an employee, manager, or owner commits fraud against their own company such as theft or misuse of company assets. External fraud is committed by third-parties and includes bribery, corruption, hacking, theft and insurance, loans and payment frauds.
It is estimated that organizations globally lose 5 percent of gross revenue to fraud.
A general understanding of human nature and crime may lead us to believe that corporate fraud is committed by employees with bad intentions and a faulty moral compass. However, fraud experts, after analyzing thousands of cases of corporate fraud, have found that other factors are more important in leading an employee to commit fraud.
These factors are illustrated in the Fraud Triangle. The Fraud Triangle consists of Opportunity, Pressure, and Rationalization. To take a simple example – The petty cash draw in Jack’s company is never locked, is not monitored, and is never reconciled. He has an Opportunity. He is low on cash, it is his girlfriend’s birthday and he has not bought a present yet. He has Pressure. A few hundred dollars will not harm the company, nobody will find out, he is underpaid, and overworked and his boss is an idiot. He now has Rationalization and all three boxes are ticked for Jack to become a corporate fraudster, despite being a generally ethical and well-intentioned employee.
How can the Fraud Triangle help us understand the threat of fraud during the Covid-19 pandemic?
Opportunities – while working from home, many companies have had to quickly introduce new work-processes with fewer controls. Pressure – we all know the pressure faced by many during the pandemic due to uncertainties, reduced salaries, family crises and general anxiety levels. Rationalization – while working from home, employees may feel less connected to their employer and colleagues or they may feel dissatisfaction with their employer for measures taken during the pandemic, such as salary reductions or redundancies, making it easier for them to justify committing fraud.
The Association of Fraud Examiners (ACFE) – the world’s largest anti-fraud organization and provider of anti-fraud training and education (and the source of most of the statistics presented in this article) – has observed a significant increase in fraud as a result of Covid-19. Especially in employee embezzlement, cyber fraud, payment fraud and identity theft caused by less oversight due to remote workforces. ACFE members also report challenges to investigating fraud due to travel restrictions and other lack of access to evidence.
While Covid-19 may have created new opportunities and different kinds of fraud, the fundamentals of fraud and how companies can protect themselves from fraud remain the same. The following are some of the key tools available to companies to reduce the risk of being victims of fraud –
- Hotlines – 43 percent of frauds are detected through tips. Organizations with hotlines detect fraud sooner and limit their losses. This illustrates the importance of having a clear reporting mechanism for employees, suppliers, and others to report suspicions of fraud. Most fraudsters are not saving for a rainy day – they tend to live beyond their means and colleagues may pick up on this and report their suspicions. Other red flags of fraud include financial difficulties, unusually close relationships with vendors/customers and addictions.
- Fraud Awareness Training – Employees are more likely to provide tips after they have received training on fraud. They are also less likely to commit fraud if they are aware of the company’s code of conduct and anti-fraud policies and internal controls. Topics will include red flags of fraud, types of fraud, and fraud reporting processes.
- Tone at the Top – Many factors in the Rationalization of a fraud involve poor management. Management and owners must set an example in terms of ethical behaviour and fair treatment of employees and vendors.
- Incident Response Plans – Companies should have a plan in place for how they will respond to fraud or allegations of fraud. This may include identifying external resources that can be called upon to support investigations and legal actions. Once fraud is detected, it is important to collect evidence in a forensically sound manner so it can be used in legal proceedings if necessary. Evidence should also be carefully reviewed before deciding whether legal action can be taken against the fraudsters. Companies often rush to confront a fraudster before sufficient evidence has been gathered to strengthen the company’s position.
- Internal Controls – Most companies will not have the open Petty Cash drawer that helped corrupt poor Jack, but many have comparable vulnerabilities that employees will become aware of over time. Having tighter internal controls including separation of duties, physical safeguards, and surprise audits will reduce the Opportunity factors in the fraud triangle. Many external auditors will also provide internal control review services.
- Fraud Risk Assessments – This involves proactively identifying and mitigating the company’s vulnerabilities to internal and external fraud. It can be done internally or with the support of outside consultants.
- External Audits – External audits of financial statements are also a significant source of fraud discoveries, especially in larger organizations. Identifying potential frauds should be included in the scope of engagement with external auditors.
- Pre-Employment Screening – These include checking of past employment duties, criminal and background checks, educational verification, and reference checks. Organizations should ensure that their employment screening processes comply with data protection laws, with no unauthorized accessing of applicants’ data, and consider the use of a professional screening company.
As the saying goes, prevention is better than cure. Implementing these anti-fraud tools will reduce the risk of your organization becoming a victim of fraud. It will also ensure that, if you do become a victim of fraud, the response will be swift and appropriate, and the damage will be limited.Read More
I have been based in Bangkok now for the past 7 years and, with the push for a digital economy, Thailand 4.0 has meant that the issue of cyber-security has been pushed to the forefront. Each year we continue to see a growth in demand for forensic awareness training and for forensic examinations. However, there is still a general lack of understanding about digital forensics and we continue to see companies making the same mistakes over and over again.
Electronic data is fragile, if there is any chance it may be used as evidence in legal proceedings, then it must be handled in a certain way so it is possible to demonstrate to the court that the integrity and authenticity of the evidence has been maintained. If mishandled, then the evidence may be called into question when presented at court.
The majority of our investigations involve the theft of company data by rogue employees. Management will naturally turn to their IT staff to begin an investigation and collect potential evidence. However, consider the following points:
- Usually the IT staff have not been trained in how to conduct a methodical investigation
- They are often unaware of the need to maintain a complete chain of custody from the collection of data stage through to producing a report
- They are unaware of all the potential sources of evidence
- They lack the specialist tools required to conduct a forensic investigation
- They lack experience in correctly interpreting the findings of the investigation
- They lack experience in preparing evidence and professional reports for court
- They are inexperienced at presenting digital evidence at court as an expert witness
Companies often assume that as long as the person conducting the investigation holds some type of IT qualification then this will be sufficient. Digital forensics is a highly specialized field and, as demonstrated by the points above, requires a forensic investigator with the qualifications and experience to conduct the forensic investigation.
Another important issue to consider is the experience of your legal team. Do they have experience of dealing with cyber-crime cases and do they have the technical understanding of digital evidence? Due to the potential complexity of cyber-crime cases the legal team will often have to work closely with the forensic investigator to ensure the best possible outcome in any legal proceedings.
Without doubt the number of legal cases using electronic evidence will continue to grow. Also, as the number of forensic specialists in Thailand increases, we can expect to see electronic evidence that has not been handled correctly being more robustly challenged in the courts. If you are involved in legal proceedings where the other side is presenting digital evidence, you should consider hiring your own forensic expert to examine the validity of their evidence. In order to give yourself the best chance of success in any legal proceedings, make sure you use suitably trained forensic investigators and lawyers with the experience of dealing with electronic evidence.
My colleague Andrew was keen to get my perspective as a lawyer. Here it is.
As a young criminal defense lawyer a senior colleague advised me that the only way to succeed, whether you are prosecuting or defending, is to put all your energy into preparing your case for trial and most importantly, to “know and understand the subject matter”. Back then it was reasonably straight forward to understand the subject matter of the criminal charges before you. Today it’s a very different story indeed.
Technology has developed at an exponential rate in the last decade or so and has given rise to a far more sophisticated medium for the dishonest perpetrator to cause damage to the unsuspecting victim, be that an employer, a business, a bank, the Authorities or even another individual.
The motive of the crime can be to damage the reputation of the victim, unlawfully obtain the victim’s confidential information or fraudulently acquire cash or other assets belonging to the victim.
As a lawyer prosecuting or defending such a case the task of knowing and understanding the subject matter of your cybercrime case is an extremely difficult one. After all you are a lawyer and not a trained scientist. This is where you need to work alongside an expert with digital forensics training and experience.
As Andrew mentions above, lawyers and other prosecuting Authorities will often rely on persons who have some level of IT training to try and make sense of the data. This is where mistakes can occur.
As lawyers we have a duty to our clients to get it right from the outset. There is no point in taking a case to trial with little prospect of success because you cannot properly explain highly technical evidence to a judge in such a way as to convince him of the perpetrators guilt, beyond reasonable doubt. Equally, the accused has a right to a fair trial and that means we have to be able to challenge technical evidence which clearly does not support the charges faced by the accused.
Our specialist cybercrime lawyers have handled many cases involving ‘cybercrime evidence’. The major advantage our team of lawyers have over many other advocates is instant access to our in-house computer forensics team. They are on hand to help us understand the subject matter of these cases, deliver expert reports, assist with our examination in chief, cross examination and give testimony to assist the court to make sense of complicated evidence. All of this is key to a successful prosecution or defence.
About the Authors:
Mr. Andrew Smith (Andy) – Director of Computer Forensics Services at Orion Forensics Thailand
Andrew has 17 years’ experience in the field of digital forensics. Andrew was a UK police officer for 9 years of which the last 4 years was spent working within the police computer crime unit where he received extensive forensic training. His role included the acquisition of electronic data, analysis and the presentation of evidence in the UK courts as an expert witness.
Andrew has now been based in Bangkok for over 7 years and is the Director of Computer Forensics Services for a commercial investigation company called Orion Investigations. His role is to oversee all forensic investigations, business development, promote awareness of cyber security and present evidence as an expert witness in Thai courts. He has regularly appeared as a guest speaker for various business chambers and organizations. Andrew has developed a range of forensic training courses for the local Thai market. Andrew has also developed a number of free forensic tools which are now used in forensics labs all around the world.
Email: firstname.lastname@example.orgRead More