Category Archives: False Billing Fraud

The Ideal Employee

It was late on a dark November evening in 2002 when the corporate counsel of the Victoria Paper Corporation contacted our Chapter member Jay Magret, CFE, CIA about a suspected irregularity involving the team of Tim Clark, the world-wide maintenance manager for Victoria’s most complex automated paper manufacturing equipment.

Clark had been hired after a long exhaustive search by one of Victoria’s many employment contractors, Global Image, Inc. Clark was hired to oversee the entire maintenance program at Victoria’s plants worldwide.  Victoria’s management was elated because Clark seemed ideal for the position, seemingly having spent half of his professional life providing automated systems savvy support to major paper companies around the world. He was used to working in foreign locals and had collected an array of impressive skills that enabled him to be appreciated as a through professional. Once hired, Tim requested four additional staff members for his unit, whom he said he personally knew, and contracted for through Global Image. The names and resumes of the four new staff members were subsequently provided by Grayson Employment, another job agency that also specialized in providing labor to the paper industry. Because the four new staff members were already registered in Grayson’s employee database and were explicitly requested by Tim Clark, Victoria and Global Image didn’t feel the need to complete the usual background verifications.

Such a chain of job agencies is common in the labor market: international paper companies, like companies in other industries, manage large projects in disparate, sometimes isolated locales around the globe, and they are stressed by production deadlines. Accordingly, companies find themselves continuously short on the highly specialized people who are qualified to manage and support such projects. Such international companies rely heavily on job agencies to provide contractors already skilled in the business and available to work in remote destinations.

When a business sector is booming, it becomes crowded with personnel interested in exploiting opportunity and, in the resulting complicated labor market, the temptation to cut personnel supply corners in response to tight deadlines often emerges. The result is that, with a plethora of job agencies providing labor, sometimes to a single project, the final employer sometimes doesn’t know with precision what the hourly fee paid to each individual contractor is after it is redistributed along the chain of multiple job agencies.

Under Clark’s direction, his team was charged with the ambitious task of assuring the continuous performance of maintenance activities at Victoria’s paper plants around the world. On paper, Clark’s team worked long hours each week and most weekends, sometimes flying throughout Europe and Asia with little rest. Each hour worked by a member of the maintenance team was certified and signed off on personally by Clark, on behalf of Victoria.

During their year-and-a-half of service, the four individuals hired by Tim Clark claimed to have worked an excessive number of hours, which triggered an internal review by Grayson Employment’s personnel management. During their review, personnel management found that the four employees’ employment files did not include appropriate identification documents. When the agency requested copies of their passports, the four employees immediately submitted their resignations, and soon after Clark did the same. The day after Clark resigned, Grayson contacted Victoria whose corporate counsel, alarmed, contacted our Jay Magret.

Setting to work immediately and working closely with Victoria’s auditors and the corporate counsel, Magret quickly uncovered evidence that Clark had falsified records and documents for three of the individuals on his team. It became apparent to Jay that those individuals were ghost employees; they did not exist. Clark had created fake resumes for three ghost employees, falsified contracts, signed time sheets, and forged the resignation letters. Further analysis showed that the fourth individual did indeed exist, was related to Clark, and had collaborated on the scheme. Clark and his accomplice had to work hard to carry out the duties of four employees.

Jay’s analysis also showed that Omega’s employee interviews were sometimes conducted solely by line managers involved in the hiring process, without the support of the Human Resources Department. The same line managers were then responsible for certifying the time sheets of their employees, including contractors, while their identification documents weren’t systematically collected or retained. Moreover, the contracts and procedures in use didn’t clearly establish or document each step of the selection and job assignment process.

Magret’s final report specified that the fraud was possible, and profitable, because the paper company client paid the wages of each ghost employee through the chain of job agencies and directly into the accounts of the contractors, which were registered in the name of a private company and managed by Clark. By the time Victoria realized the scope of the fraud scenario with Magret’s help, Clark and his associate had already disappeared with more than a million dollars paid to them during their year-and-a-half scheme. The paper company later discovered that even Clark was not who he claimed to be. He had used a fake identity and was untraceable, leaving little to no chance of recovery of the stolen money.

In response to management’s request that he proactively suggest controls to strengthen Victoria’s anti-fraud program, Magret suggested, as a matter of normal practice, that:

–Companies should perform time assessments to ensure they know how long a job will take to complete.

–Strict procedures should be in place during the hiring process, especially regarding segregation of duties. Human resources should always be involved in the process and responsible for checking identification documents with the physical person.

–The company should limit the opportunity for line managers to recommend hiring people they know. In some cases, it is unavoidable, so managers should always try to guarantee a higher level of segregation, especially in the authorization of time sheets.

–When using a job agency, the company should be sure that the relationship with contractors will be directly between the company itself and the agency. By doing this, the company will save money and be more assured about the contracted personnel.

— Client inhouse auditors of the personnel function should perform a periodic analysis of office records by selecting a sample of employees and verifying their effective presence in the office or on the job site, making sure appropriate identification is included in their records.
–Excessive hours claimed is as a red flag, especially when it is common among off-site employees. Establishing key performance indicators for each department or business process can serve as a reference for red flag comparisons.

–A wide-ranging and fragmented work environment can make the ghost employee phenomenon possible. A strong internal control framework and strictly enforced personnel policies are the only ways to prevent and discourage this type of fraud scheme.

Offered & Bid

Our Chapter was contacted last week by an apparent victim of an on-line auction fraud scheme called shilling.  Our victim bought an item on the auction and subsequently received independent verification that the seller had multiple ID’s which he used to artificially increase the high bid on the item ultimately purchased by our victim.  On-line consumer auctions have been a ubiquitous feature of the on-line landscape for the last two decades and, according the ACFE, the number of scams involving them is ever increasing.

The Internet allows con artists to trade in an environment of anonymity, which makes fraud easier to perpetrate. So every buyer of items from online auctions not only has to worry about the item being in good condition and every seller has to be concerned about being paid, they must both also worry about whether the other party to the transaction is even legitimate.   Common internet auction fraud complaints include products that never arrive, arrive damaged, or are valued less than originally promised. Many complaints also stem from sellers who deliver the product but never receive payment. Almost all auction sites have responded over the years by  instituting policies to prevent these types of fraud and have suspended people who break the rules. eBay, for example, has implemented buyer protection and fraudulent website protection programs, as well as several other safeguards to prevent fraudsters from abusing their auction services but the abuses just seem to go on and on.

What apparently happened to our victim is called shilling.  Shilling occurs when sellers arrange to have fictitious bids placed on their item to drive up the price. This is accomplished either by their own use of multiple user IDs (as our victim suspects of her seller) or by having other partners in crime artificially increase the high bid on their item; typically, these individuals are friends or family members of the seller. If the shiller sees a legitimately high bid that does not measure up to his or her expectations, s/he might burst in to give it a boost by raising the bid. This auction activity is one of the worst auction offenses and is cause for immediate and indefinite site suspension for any seller caught in its performance by any legitimate auction.

A related ploy that also raises lots of complaints is called sniping.  Sniping is a bid manipulation process in which an unscrupulous bidder bids during the last few seconds of an auction to gain the high bid just as the time runs out, thus negating the ability of another bidder to answer with a still higher bid. Most bidders who successfully engage in this practice do so with the aid of sniping technology. In general, sniping is legal; however, most online auctions sites have instituted no-sniping policies, as the practice is devious and may harm legitimate, honest bidders.

Then there’s bid shielding.  Bid shielding is a scam in which a group of dishonest bidders target an item and inflate the high bid value to discourage other real bidders. At the last moment, the highest bidder or other bidders will retract their bids, thereby shielding the lower bidder and allowing him to run away with the item at a desirable, and deceitful, price.

In the relentless drive for more customers, some sellers resort to bid siphoning which occurs when fraudulent sellers lure bidders off legitimate sites by offering to sell the “same” item at a lower price. They intend to trick consumers into sending money without delivering the item. By going off-site, buyers lose any protections the original site may provide, such as insurance, feedback forms, or guarantees.  This practice is often accompanied by sellers embellishing or distorting the descriptions of their wares. Borrowed images, ambiguous descriptions, and falsified facts are some of the tactics a seller will utilize in misleading a buyer with the end of guiding her to participation in a siphoning scheme.

The second chance scammer offers losing bidders of a closed auction a second chance to purchase the item that they lost in the auction. As with siphoning victims, second chance buyers lose any protections the original site may provide once they go off-site.

One of the most common complaints associated with on-line auctions is price manipulation.  To avoid price manipulation, consumers need to understand the auction format before bidding. Sellers may set up the auction with questionable bidding rules that leave the winning buyer in an adverse situation. For example, say you are a winner in an auction. You bid $50, but the lowest successful bid is only $45. The seller congratulates you on your win, and requests your high bid of $50 plus postage.  As another example, let’s say the highest bidder retracts his bid or the seller cancels it, which leaves you the highest bidder. The seller then wants you to pay the maximum bid amount, citing that the previous high bidder had outbid you. Finally, let’s say you win a straight auction with a high bid of $85. The seller contacts you and instructs you to send your high bid, plus shipping, packaging, listing fee costs, and numerous other charges.

Our last example relates to the practice of fee stacking which refers to the addition of hidden charges to the total amount due from the winning bidder after the auction has concluded. Shipping and handling fees can vary greatly; therefore, the buyer should inquire before bidding to avoid unexpected costs. Typically, postage and handling fees are charged at a flat rate. However, some scheming sellers add separate charges for postage, packaging, handling, and shipping, and often devise other fees to tack on as well, leaving the buyer with a much higher purchase price than anticipated.

Then there’s the flat failure to ship the purchased merchandise.  This is the one type of on-line auction fraud that most people have heard of even if they don’t themselves participate in on-line auctions and involves a seller receiving payment for the item sold, but not shipping the merchandise. If the merchandise does not arrive, the buyer should contact the seller for the item or request a refund, hopefully having kept a receipt of payment for the purchase. If the purchaser made the purchase with a credit card, s/he can contact the credit card company to deny the charges. If the buyer gets nowhere with the seller, the buyer should contact the U.S. Postal Inspection Service, as the failure to ship constitutes mail fraud.

On the other hand fraudulent buyer claims of lost or damaged items are also considered mail fraud. Some buyers falsely claim the item arrived damaged or did not arrive at all, and thus refuse payment. Sellers should insure the item during shipping and send it via certified mail, which requires a signature verifying receipt.

A related buyer scam is switch and return.  Let’s say you have successfully auctioned a vintage item. You, the seller, package it with care and ship it to the anxious buyer. But when the buyer receives it, he is not satisfied. You offer a refund. However, when the buyer returns the item, you get back an item that does not resemble the high-quality item that you shipped. The buyer has switched the high-quality item with a low-quality item and returned it to you. The buyer ends up with both the item and the refund.

The on-line market is awash in fakes. The seller “thinks” it is an original; but the buyer should think again. With the use of readily attainable computer graphics and imaging technology, a reproduction can be made to look almost identical to an original. Many fraudsters take full advantage of these capabilities to dupe unsuspecting or uninformed buyers into purchasing worthless items for high prices.

If you are a fraud examiner working with clients involved in the on-line auction market or a buyer or seller in those markets …

— Become familiar with the chosen auction site;
— Understand as much as possible about how internet auctions work, what the site obligations are toward a buyer or seller, and what the buyer’s or seller’s obligations are before bidding or selling;
— Find out what protections the auction site offers buyers;
— Try to determine the relative value of an item before bidding;
— Find out all you can about the seller, especially if the only information you have is an e-mail address.  If the seller is a business, check with the Better Business Bureau where the seller/buyer is located;
— Examine the feedback on the seller and use common sense. If a seller has a history of negative feedback, then do not deal with that seller;
— Consider whether the item comes with a warranty, and whether follow-up service is available if it is needed;
— Do not allow the seller or buyer to convince you to ignore the rules of a legitimate internet auction.


Plum Street Dialogue #4 – Some Fraud Schemes Involving Cash

patio-set-5Over the years I’ve been involved in on-going discussions with any number of practicing certified fraud examiners, many of whom have provided me with excellent insights on every aspect of the profession.   Using the notes I’m constantly taking, I thought it might be fun (and instructive) to cast some of their thoughts on actual practice in the form of a series of fictitious dialogues on everything fraud examination.  This third is a discussion on the topic of financial fraud; the dialogue is between three composite fraud examiners, Glenn, Alex and Terrie.  Our three friends meet, as before, after work, in the garden behind Glenn’s house on Plum Street in the Fan District of Richmond, Virginia.

[As we join our friends in the shade of Glenn’s patio, Terrie is talking about one of her recent cases specifically as well as cash fraud schemes in general … she’s saying that there are numerous schemes that employees use to defraud organizations. The schemes generally involve cash, accounts receivable, inventory, purchasing, investments and fixed assets, as well as the manipulation of payroll and personal expenses.]

Terrie:  Cash defalcations, like the case I’m currently working on, are probably the most common of all employee embezzlement schemes. Since most companies keep relatively good control over cash, the schemes are frequent but rarely material.  A little more complex scheme involves kiting. Kiting is the process where two or more banks are used to create artificial deposits. Checks written on one bank are deposited in the other and then cash is removed from the second bank. In order to keep the checks from being returned, the fraudster writes new checks periodically. All kiting schemes require banks to pay on unfunded deposits.

Alex: In your experience, Terrie, what’s the best way to go about detecting cash frauds?

Terrie: I use several basic techniques to detect cash frauds. Classically, they include bank reconciliations, cut-off bank statements, surprise cash counts, investigation of customer complaints, journal entry review, and the review of historical sales and cost trends.

Alex: I just finished working a case involving accounts receivable.

Glenn: What do accounts receivable schemes look like?

Alex: There are about four that I’m aware of: lapping, fictitious receivables, diversion of payments on old written-off accounts, and borrowing against the receivables.

Glenn: Define lapping …

Alex: The term is used to describe a method of concealing a defalcation where cash received from a customer is misappropriated by the employee, and at a later date cash received from another customer is credited to the first customer’s account. The second customer’s account is credited still later by cash received by a third customer, and so on. These lapping schemes are usually detected when the scheme becomes too difficult to conceal, when an employee makes a mistake by not crediting the right account, or the customer subsequently complains (which they almost always do). Old or written-off accounts receivable are almost always vulnerable to theft by cashier and accounts receivable employees. Because few controls exist on written-off accounts receivable, subsequent payments can sometimes be diverted. That’s exactly what happened in the case I just finished.

Fictitious accounts receivable are also a common way businesses attempt to artificially inflate their assets and income. They are also sometimes furnish motive for salesmen and others to meet quotas and receive commissions.

Glenn:  According to the speaker at one of our Richmond Chapter’s recent training events, employees will even use the company’s accounts receivable as collateral for their own personal loans.

Alex:  Just as there are four basic schemes, there are four basic detection methods for accounts receivable frauds. They include matching deposit dates, customer confirmations, accounting cut-off analysis, and trend analysis on written-off accounts. Account receivables frauds can be prevented through the adequate segregation of duties. The collection of cash, posting of accounts receivable, and the writing off of old uncollectible accounts receivable should all be done by different personnel if possible. Also, some customer receipts can be made to a lock box rather than to the company’s normal mailing address. This allows the customer to make payments directly to the bank and therefore eliminate time delays.

Terrie:  Don’t forget inventories …because so many companies carry large inventories, these assets are particularly susceptible to abuse. The most frequent inventory scheme concerns the theft or appropriation of the company’s items. The theft of scrap sales proceeds is also pretty common. Because the amounts are generally insignificant to the company, scrap sales are usually not well controlled and good inventories aren’t kept.  In some instances, since inventory accounts are not generally reconciled until the end of the year, embezzlements can be charged to these accounts.

Alex: And how do you detect it? …

Terrie: Most inventory fraud is detected through missing financial documentation, physical inventory counts, or analytical review. If the company’s cost of sales has risen significantly from one period to the next, this could either be because of legitimate reasons or because embezzlements in significant amounts are being charged to the inventory accounts.

Glenn: And purchasing! …

Terrie: Right.  Don’t ever forget purchasing!

Glenn:  The purchasing function of a business is particularly vulnerable to employee abuses. Typical schemes involve fictitious invoices, over-billing, checks payable to employees, and conflicts of interest. Purchasing fraud doesn’t necessarily require collusion with another employee or an outsider, although it often occurs.  I recall a case where a vendor opened up a credit card account for the personal use of a client company’s purchasing officer.

Alex:  That’s a good one and, I would imagine, hard to detect.  Fictitious invoices are one of the most common red flags of employee fraud. They normally involve purchases for goods or services not delivered or rendered. An over-billing scheme is a method where the fraudster submits an artificially inflated invoice to her company for payment. The amount of the overpayment is then diverted or paid to the employee or an accomplice. In a few instances, employees simply make out checks to themselves, deposit the checks in their personal bank accounts, and then destroy them when they are returned in the company’s bank statement. Purchasing or accounts payable employees can also have duplicate payments issued for the same item. Conflicts of interest in purchasing occur when an employee, manager, or executive has an undisclosed interest in a business that supplies goods or services to his employer.

Glenn:  So, the bottom line, how are purchasing schemes generally detected in your experience?

Alex: By analytical review in some instances.  Going over the various general ledger accounts might reveal unusual or unexpected items.  The fraud examiner can also use the computer to facilitate analytical review of timing of bids, patterns of bids, amount of work, patterns of new vendors, and similar trends.

Terrie:  Duplicate addresses in the vendor file. And also addresses that look like addresses that match, like they are different companies, but they end up going to the same P.O. Box. That’s definitely one to look for. And going to a drop box. You know how you get situations where the address is let’s say 100 Warren Street, Suite 150. Well, that’s a drop box for post office box 150. You have to look for things like that. Vendors with post office boxes. You know you can have a post office box and have a check come to you. You should always have a street address. You should know for sure that’s a real street address or real company or just take the time to look it up.

[A pizza delivery man bearing two large boxes and an invoice appears at the edge of the patio and clears his voice…]

Glenn: Well, I see that dinner has arrived and we’ve only touched the surface … we can continue this discussion, if you want,  the next time we choose to meet.

Terrie:  Sounds like a plan!

Before You Pay that Invoice!

HandOnMouseDuring our April 2015 training event, ‘Using Analytics to Detect Fraud’, our speaker, Bethmara Kessler, gave a fascinating, real life example from her own practice of how detailed analytic analysis could be especially helpful in addressing false billing frauds.  In addition, she explained at length just how this type of fraud works. In a false billing scheme, an employee or outside party creates false vouchers or submits false invoices to a target organizational payer. These documents cause the payer to issue payments for goods or services that are either completely fictitious or overstated in price. The perpetrator then collects the fraudulent payments/checks and converts them for personal use. Another type of billing fraud involves buying personal goods or services with company money.

A false billing fraud affects the purchasing cycle, causing the company to pay for nonexistent or non-essential goods or services. Most false billing frauds involve a service, since it is easier to conceal a service that is never performed than to conceal goods never received. As Bethmara’s example demonstrated, the most common billing scheme is setting up one or more bogus vendors.   There are several ways to do this. The most common is to create a fictitious vendor (often called a shell company), open a bank account in the shell company’s name, and bill the victimized company. The perpetrator then creates an invoice and sends it to his employer. Invoices can be professionally produced via computer and desktop publishing software, typewritten, or even prepared manually. Often, the most difficult aspect of a fraudulent billing scheme is getting the false invoice approved and paid. In many instances of billing fraud, the person perpetrating the fraud is also the person in the company who is authorized to approve invoices for payment. Another popular means of getting invoice approval is to submit invoices to an inattentive, trusting, or “rubber-stamp” manager. Furthermore, perpetrators often create false supporting documents to facilitate approvals and payments, e.g., voucher packages.

A perpetrator can also use a shell company to perpetrate a pass-through billing scheme: the perpetrator places orders for goods with his shell company, has his shell company order the goods from a legitimate supplier at market prices, and then sells those goods to his employer at inflated prices. The fraud lies in the fact that the victimized company is buying the goods it needs from an unauthorized vendor at inflated prices. The perpetrator “profits” from the inflated prices gained while acting as an unauthorized “middle man” in a necessary company transaction.

Rather than utilizing shell companies to over-bill, some employees generate false disbursements through invoices of non-accomplice vendors. In what is called a pay and return scheme, the perpetrator makes an error in a vendor payment to facilitate the theft. One way to do that is to overpay or double-up on payments, request a check from the vendor for the excess, and steal the check when it arrives. Another scenario is to pay the wrong vendor by placing vendor checks in the wrong envelopes, then calling the vendors to explain the mistake and requesting the return of the checks. When the checks return, they are stolen. The support documents are sent through the accounts payable system a second time; and these checks are sent to the proper vendors.

Another scheme involves purchasing personal items with company money. One popular way to do this is to make a personal purchase, then run the unauthorized invoice through the accounts payable system. If the perpetrator is not in a position to approve the purchase, s/he may have to create a false purchase order to make the transaction appear legitimate or alter an existing purchase order and have an accomplice in receiving remove the excess merchandise.

Another way to purchase personal items with company money is to have the company order merchandise, then intercept the goods when they are delivered. To avoid having the merchandise delivered to the company, the perpetrator often will have it diverted to his home or some other address, such as a spouse’s business address. A third way to purchase personal items with company money is to make personal purchases on company credit cards. No matter which of the approaches is used, the perpetrator will either keep the purchases for personal use or turn the purchase into cash (or a credit card refund) by returning the merchandise.

Bethmara pointed out that, in some ways, it’s easier to conceal a billing fraud than other frauds – but in other ways, it’s harder. It’s easier in that the perpetrator does not have to remove cash or inventory from company premises; instead, the company mails her a check. It’s more difficult in that, when the perpetrator creates a bogus vendor or shell company, he has to come up with a name, mailing address (often the fraudster’s home address or a postal box), and phone number (often a home phone number); open a bank account in the shell company’s name (usually requiring him to file or forge articles of incorporation) or in his own name; deposit and withdraw money; and create and send vendor invoices. Any of these can lead back to the perpetrator, making it easier to find him once the fraud is detected and the shell company identified.

Depending on the scheme and organizational controls in place, the perpetrator may have to falsify or alter a purchase requisition, purchase order, receiving report, or vendor invoice, or fool or force the authorizing person to approve or forge an authorization. Perpetrators involved in a pay and return fraud usually have to intercept any checks that are returned.

Finally, Bethmara presented a number of red flags usually present when a false billing fraud is taking place, including:

  • An unexplained increase in services performed (services that were paid for, but never performed);
  • Payments to unapproved vendors;
  • Invoices approved without supporting documents;
  • Falsified or altered voucher documents; for example, altering a purchase order after its approval;
  • Inflated prices on purchases or orders of unnecessary goods and services;
  • Payments to an entity controlled by an employee;
  • Multiple payments on the same invoice or over payments on an invoice;
  • Personal purchases with company credit cards or charge accounts;
  • Excessive returns to vendors, or full payment not received for items returned;
  • A vendor with a post office box address.

On July 23, 2015 our Chapter will be hosting a one-day ACFE seminar entitled, ‘Fraud Prevention’.  Our speaker, Chis Rosetti, will be presenting a host of effective measures anti-fraud practitioners and client management can take to prevent the false billing and other common frauds so eloquently described by Bethmara Kessler and Jerry Sacks at our recent prior events (8 high quality CPE for just $150.00). Hope you can join us!