Crooks in Charge

They forgot one simple step—filing a change-of-address request—and as a result their addresses changed in ways they never intended.

For two years the high-flying CEO and his accomplice, the vice president of human resources, lived large, traveling the world, staying at the finest hotels.

Newly hired to run a New England-based company whose products sold in 4,000 retail stores in the United States and abroad, he hit the ground running and quickly reinvigorated the business. He was great in meetings, great with customers. As new orders rolled in, he pushed for a global expansion plan.

Meanwhile, the VP of HR had his back, taking care of his expense accounts, keeping the wolves (and the bean counters) at bay. If you needed to see him, you had to go through her. He rewarded her by giving her more power, placing her in charge of payroll and expense accounting functions. She rewarded herself by indulging in vacation homes, snowmobiles, boats, four-wheel vehicles and computers.

A road warrior, he traveled as much as 80% of the time. He could be in Singapore one day, London the next and Los Angeles the next, almost always staying at a Ritz-Carlton or Four Seasons. He wined and dined lavishly and treated colleagues to expensive dinners and top-shelf wine. He gifted generously, rewarding junior employees with golf clubs, Rolex watches and expensive electronics. He spent tens of thousands of dollars on Harley-Davidsons, drove a precision sports car and occasionally chartered a helicopter for private travel.

He didn’t lack companionship. Often, when his wife did not accompany him on a business trip, he would rendezvous with any number of secret girlfriends he had cultivated across the globe. Or he’d hire call girls. He showered the women in his life with expensive jewelry and on at least one occasion paid for a mistress to have her breasts enlarged and then kept a photo of her with a diamond pendant—also a gift from him—snuggled in her new cleavage.

But an oversight involving a change-of-address form would be his undoing. It turns out the CEO’s high-flying lifestyle was financed with a stolen company credit card that only the VP of human resources knew about.

“It’s a crazy story of greed,” says Christopher Giovino, the partner-in-charge of Dempsey Partners’ Forensic Analysis practice, which investigated the depth of the scam once it was discovered. “It was so simple and so easy to do, and they got away with it for quite a while. And they would have gotten away with it if it wasn’t for her just forgetting to call American Express to redirect the mail.”

The end of this scheme came when the company began losing money and the board of directors called for staff cuts.

“The company started to bleed money because of their spending,” Giovino says. “They didn’t know why because the business wasn’t bad, but they seemed to be losing millions of dollars. The board and senior management decided the only way to stop the bleeding was to downsize and cut staff.”

In a Shakespearean plot twist, it turns out that one of the people they decided to cut was the vice president of human resources.

“They didn’t know about the illicit relationship,” Giovino says. “He had to fire her.”

That’s when the scam unraveled. Within days, the change of address would come into play when a clerk in human resources opened a notice from American Express about the credit card no one was supposed to know about. She took the mysterious statement to her supervisor, who forwarded it farther up the corporate chain until finally a senior director confronted the CEO about the account. He admitted his guilt and resigned.

“Within a day, the board of directors and their lawyers decided that they wanted to hire a forensic accounting firm to go in and investigate,” Giovino says. “They didn’t know who was involved. They didn’t know if there were co-conspirators. They didn’t know the quantum of the loss. They didn’t know it happened.

“We interviewed everybody from the top down. We talked to girlfriends of his. We started to uncover the depth of his sexual promiscuity. Not that anybody cares about that morally but because it affected the company and its spending.

“We started to interview people who gave us little tiny nuggets of rumor and innuendo, and that, coupled with his emails and some phone records, led us to find other people who were involved with him. We found a number of employees who were unwitting dupes, people who they befriended or paid off to help them live their lives, never letting these people know that they were stealing from the company.”

Giovino called on his expertise gained from 27 years with the U.S. Drug Enforcement Administration, where he rose to become the associate special agent in charge of the New York office and chief of the Organized Crime Drug Enforcement Strike Force.

“We had a staff of accountants going through all of the records we could find,” he says. “All of the credit card statements for the companies overseas, for the companies in the U.S., and then we got Amex to send us a full set of statements for the credit card that we never knew existed. We started hearing stories about other former employees who were fired yet received Rolex watches going out the door or large bonus checks or severance checks that weren’t approved by anyone in the company. The stories were mind-boggling.

“We went in there and turned the place upside down. As you can imagine, there was a great deal of anxiety in that building. Good people, great employees who had questioned them throughout the years and were always browbeaten for it felt a little vindicated but angry. They felt angry because we had to interview them thinking that they were potential co-conspirators. The morale in a company when something like this happens gets destroyed. There’s a secondary and tertiary victim here that go way beyond the theft of the money and the damage to the company because the people who are there, the good people, are thinking you are looking at them and thinking they were complicit.”

Dempsey Partners was able to identify at least $1 million in recoverable assets and turned its findings over to the state’s district attorney and the FBI, which immediately froze those assets. The two perpetrators both pleaded guilty to embezzlement in 2012 and were sentenced to more than four years in prison, plus restitution.

Not Uncommon

According to the Association of Certified Fraud Examiners, occupational fraud is believed to cost business an average of 5% of its annual revenue, or $754 billion, in the United States alone, based on 2011 figures.

“I guess I’m numb to it by now,” says Chris Marquet, who leads Marquet International, an independent investigative, litigation support and security consulting firm with offices in New York and Boston. “One of the things I’m staggered by is the sheer numbers. We chronicled last year 400-some cases of more than $100,000 in embezzlement from U.S. companies. That’s more than one case every single day. Holy mackerel, it’s just massive.”

In its 2012 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners says most occupational fraud falls under one of three categories, although some cases overlap:

• Asset Misappropriation Schemes, in which an employee steals or misuses the organization’s resources (e.g., theft of company cash, false billing schemes or inflated expense reports). This was cited in 86.7% of all employee fraud cases reported to the association in 2010 and 2011. Respondents reported a median loss of $1 million.
• Corruption Schemes, in which an employee misuses his or her influence in a business transaction to gain a direct or indirect benefit (e.g., schemes involving bribery or conflicts of interest). Some 33.4% of the cases in the report fall into this category, with a median loss of $250,000.
• Financial Statement Fraud Schemes, in which an employee intentionally causes a misstatement or omission of material information in the organization’s financial reports (e.g., recording fictitious revenues, understating reported expenses or artificially inflating reported assets). This was cited in just 7.6% of the cases, with a median loss of $120,000.

The report says fraudsters most often hit small businesses, defined as those with fewer than 100 employees, with nearly 31% of the cases detailed in the report targeting a small business. The median loss for these small businesses was $147,000. Small businesses also appear to be the most vulnerable to fraud. They frequently have fewer and less effective anti-fraud programs in place than larger companies, and many small businesses do not buy insurance that can protect against employee crime.

Businesses employing 1,000 to 9,999 employers were the second favorite target, making up 28% of the fraud cases in the report. The median loss for these businesses was $100,000.

The highest median loss—$150,000—occurred in businesses employing 100 to 999 employees.

The Role of Insurance

Fraud experts estimate that up to half of all fraud losses are never recovered. That’s where insurance comes in. Andy MacLeod, senior vice president in the Management Liability Division of Arthur J. Gallagher Risk Management Services, calls employee crime insurance a low-frequency, high-loss line.

“I would say that with your larger commercial companies it would be a very, very high percentage that carry the insurance,” MacLeod says. “Small operations may not be as likely to carry it. On average I’m dealing with three or four claims a year. When the underwriters are setting their premium rating plans, they’re usually thinking their policyholders may experience a claim every six to eight years.”

Maria Treglia, senior vice president, chief sales officer of Program Brokerage Corp., Hub’s wholesale unit in New York, says most carriers distinguish between financial institutions and commercial entities in their policies because financial institutions have a higher potential for bigger losses.

“There are two types of policies out there that you could buy,” she says. “There’s crime insurance, which is a true employee theft policy. You could have a rogue employee doing things that are borderline criminal but maybe are more negligent than criminal. It’s hard to prove if they are negligent or intentionally done. If it’s more along the lines of a screw-up rather than an intentional act, there’s errors and omission insurance that can protect your business.”

Greg Bangs, Chubb’s worldwide product manager for crime, kidnap/ransom and extortion, says his employer offers its commercial customers 10 insurance clauses in an attempt to tailor its coverage. Besides covering employee theft and dishonesty, some of Chubb’s clauses cover the following:

• Premises Coverage And In-Transit Coverage. Protection against physical theft by a third party. For example, someone breaking into a safe, or someone coming into a robbery situation and stealing something. It also covers things like loss due to fire. If the insured has money or securities on premises and they burn in a fire, for example, that’s actually covered under a crime insurance policy.
• Forgery Coverage. Today’s scanning technology makes it easy to make reproductions. Someone who got hold of one of the insured’s checks or promissory documents could forge it, causing the insured to have a forgery loss.
• Computer Fraud Protection. “This is actually a case that we saw in the market,” Bangs said. “Some fraudsters had managed to hack into an insured inventory control system and directed product to be shipped to a certain warehouse that the fraudsters had rented for the weekend, and then the fraudsters came into the warehouse and took it all away by Monday morning.”

Marquet says no company can make itself immune to occupational fraud, but any effort to reduce its exposure helps.

“At the end of the day, when you look at how these things occur, it’s always a lack of business controls,” Marquet says. “There’s always going to be someone who walks out the door with a computer, or whatever. There’s always an ambient level of fraud going on. If you can prevent, control, limit, reduce the amount of fraud that goes on, that helps them all around. Even squeezing 1% out of that could add a lot of dollars to the bottom line.”

Here’s where insurance brokers can be involved.

“Internal controls are the No. 1 defense against employee fraud,” MacLeod says. “If you don’t have good internal controls, that’s going to be discovered in the application process by the underwriter. And without the good controls, you’re probably not going to get an underwriter who is going to be willing to give you a quote for the insurance.

“One of the things the broker can do is, if they run into a client who is going to have a problem getting insurance because their application shows they’ve got weak internal controls, they can help explain to their client what will give them a better risk profile.”

So what are examples of good internal controls?

“They call it the golden rule of internal control,” says Bangs. “One employee should not be able to complete a transaction from beginning to end. The same person who orders the widgets shouldn’t also be the person who reconciles that in your books and pays the bill. There should be a three-way match: Some individual who is not involved with any of those transactions is tasked with taking the purchasing order record and the invoice record and the payment record and making them match and tie in. It’s a very simple control.”

The Association of Certified Fraud Examiners says more fraud is detected through anonymous tips than anything else. It encourages businesses to create a way for employees to report suspicious activity anonymously. It’s an idea Bangs supports.

“Say I thought my boss was stealing from the shop,” Bangs says. “To report that, I’d have to go to my boss’s boss, and frankly, most people aren’t going to do that. They’re not going to run that risk of putting themselves out there and perhaps being wrong. But if you have that anonymous hotline reporting system in place, statistics show employees are very willing to do that if they don’t have to put themselves out there.”

Check Them Out

Background checks when hiring are also becoming popular.

“You can get a solid basic background check on an individual for $50 to $100,” says Bangs. “We strongly recommend to all our clients that at least on new employees coming in that they get at the very least a background check and sometimes a criminal history. It’s amazing what these background investigations turn up. Sometimes you’ll see people who have stolen from a number of employers, but the employers didn’t prosecute because they didn’t want the publicity. They just kind of swept it under the carpet and pushed the person out the door.”

The high-living CEO mentioned above may have benefitted from such a sweep. In court filings associated with his case, he acknowledged having been charged with misusing funds from a previous employer, charges that were dismissed when he made restitution. A background check might have revealed this information, but the business needs of his new company were so pressing that he was brought on board before the check could be completed. In the interim, he developed the partnership with the HR VP who would become his accomplice and who, ironically, was tasked with reporting the results of his background check to the board of directors. She is believed to have falsified the report.

Other precautions include:

• Rotate responsibilities for finance workers.
• Require employees to take their vacation. Embezzlers often are afraid to take vacation for fear someone will uncover their scheme.
• Conduct audits regularly and also at random.
• Make sure your vendors are vetted and legitimate.
• Engage in Management by Walking Around.

“I’m a big proponent of very simple things like a manager, rather than sitting in his office doing reports all day, walk around the shop more or around the cubicles or the retail space,” Bangs says. “Show yourself. Make employees know that you’re going to be there, that you’re going to sit down across from their desk.”

Treglia uses a different tactic to guard against cyber breaches.

“We’ve actually hired people to try to hack into some of our customers’ data centers ourselves just to see how many firewalls they have,” she says. “It’s always good to have an audit of the systems and firewalls you have in place to see how easy it is to hack in.”

Get Tough

It used to be that companies victimized by fraud dealt with it internally to avoid embarrassing publicity.

“I was in the business for 30 years, and in the old days there was a real reluctance to go public,” Marquet says. “There were a lot of cases that I think just quietly went away. The company would come to some sort of agreement to pay restitution and fire the person quietly and not say anything bad. You didn’t want any negative publicity. More and more today, prosecution does occur, and that’s a good thing.

“I’m a firm believer in prosecuting in these kinds of cases. There are several benefits. One, there’s justice involved. Two, you send a message within the organization. Any stakeholder understands that you’re going to take it seriously and you’re not going to put up with it. We’re going to prosecute people, and it doesn’t matter if it’s a CFO or a bookkeeper, everyone gets the same treatment. You don’t let the CEO walk quietly away and make civil restitution; you want to prosecute these people.”