The Fraud Triangle:
Businesses get Burned by the Man-in-the-Middle


By: Dorothy Riggs, CFE



By: Dorothy Riggs, CFE

The fraud triangle involves three major components; pressure, opportunity and rationalization. Mixed together, these ingredients explode causing significant losses for businesses of all classifications. Recent reports indicate that a typical organization loses 5% of annual revenues to fraud.  


The Incendiary Mix of Fraud Triangle Ingredients
  • Pressure is felt by potential fraudsters.  It may stem from financial, health, blackmail, psychological, lifestyle dependency or other issues that are of monumental importance to the affected individual.  He or she looks for some way to relieve the pressure by eliminating the immediate issue, if only temporarily, until they can find a more permanent fix.
  • Opportunity is present when the fraudster identifies and takes advantage of circumstances in order to illegally and deceitfully obtain personal gain.  For example, a bookkeeper may supplement his or her income by issuing checks to a fictitious vendor.  Or, a legitimate vendor may collude with a company manager to receive undue payment for fraudulent invoices.
  • Rationalization is used to placate the offender’s feelings of guilt or criminality.  He or she thinks what they did isn’t so bad because the company has an overflow of money and it’s not like anyone was really hurt.  An employee may also think illegally obtained funds and resources are owed to them because they feel undervalued and underpaid.  Many times the individual considers the theft a loan because they fully intend to repay what they stole.
Who’s likely to get caught in the middle of the fraud triangle?
Internal Perpetrators
Companies are often shocked when they discover the identity of fraud culprits.  As mentioned in the details about fraud triangle ingredients, in many cases the wrongdoer is an internal team member.  You may assume that someone who is established within the company, trusted by company executives and knowledgeable about company operations to be the least likely to commit fraud.  But, you would be mistaken.  Statistics from 2015  report that $50,000,000,000 is stolen annually by employees of U.S. businesses.   The following graph obtained from ACFE (Association of Certified Fraud Examiners) provides a breakdown of the most recent employee fraud statistics.
http://www.acfe.com/rttn2016/images/perp-us.jpg
Types of internal fraud include, but are not limited to:  Skimming, expense reimbursements, check tampering, billing, corruption, payroll, register disbursements, misuse of resources, larceny and financial statement.  
External Perpetrators
Not only does fraud occur at the hands of internal miscreants, businesses must also beware of those lurking on the outside.  They too look for opportunities to alleviate personal pressure. Ergo, circumstances frequently lead them to commit fraud against businesses.  In a previously discussed fraud triangle scenario the vendor who submitted fraudulent invoices would be considered an external perpetrator.  Other types of fraud committed by outsiders include, but are by no means restricted to:  check fraud, executive impersonations,  data breaches, IP (Intellectual Property) theft and account hacks/takeovers. For instance, executive email account hacks continue to be a widely used tactic by external fraudsters. Due to email account manipulation, I’ve personally investigated wire fraud cases with losses exceeding $250,000.00 for a single event. On August 12, 2016 Leoni , one of the world's largest cable manufactures announced that they had been victimized by a single cyber fraud event which cost them 44 million dollars.
Steps Businesses and Organizations can Take to Mitigate Fraud Burns
All organizations have inherent risks. That's just one of the casualties of doing business.  However responsible operations have a duty to detect and extinguish fraud when possible by being aware of pressures and how they relate to the company's overall fraud risk, by applying strong internal controls and by promoting a culture of upstanding ethical behavior throughout the organization.


  • Implement separation of duties for employees.
  • Implement dual controls or a solid checks-and-balance system.
  • Require employees to take vacation.
  • Conduct thorough audits periodically.
  • Set up a fraud hotline or at least instill an open-door culture so employees feel comfortable addressing issues or concerns.
  • Make sure that proper controls are in place by limiting authorizations and access based on necessary employment  responsibilities.
  • Implement and publicize policies & procedures regarding fraud detection and disciplinary measures
  • Monitor employees for discrepant behavior or lifestyle, which is often the first red flag that something is awry.
  • Be mindful of the information provided on websites, brochures, social media and etc.  Proprietary data is often obtained from these sources and is used to commit fraud.
  • Consistently use fraud monitoring, detection and analytic software.
  • Employ or become familiar with reputable IT professionals.
  • If possible, use a post office box, which is more secure than a free standing mailbox.  If not a post office box, develop a secure procedure for outgoing and incoming mail.
  • Educate employees about securing confidential company data and workstations.
  • Implement specific procedures regarding responding to executive email requests to disburse funds.  Some type of authentication and confirmation process should be included.
  • Make sure team members use secure passwords, change them periodically and do not share them internally or externally.
  • Immediately change default passwords for product software used within the company.
  • Limit vendor access credentials to company systems as much as possible.
  • Take advantage of fraud protection banking products such as:  Positive Pay, ACH Monitor, Paperless Statements, Account Alerts and etc .



Dorothy Riggs assumes sole copyright of articles authored by her that are published on FraudSense.blogspot.com . Her permission is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to: FraudSense1@gmailcom. 

Comments

  1. Very insightful article. Well done and thanks for sharing!

    ReplyDelete

Post a Comment

Popular posts from this blog

How to tell if your identity has been stolen

Things You Should Know About the Equifax Data Breach