It’s one of the worst experiences an entrepreneur can imagine – having your business ripped off through fraud. Thousands of small business owners every year wake up to this nightmare, finding they’ve lost thousands of dollars, private business data and potentially even the company itself.
But instead of protecting themselves from a potentially damaging situation, most business owners are ignoring the warning signs of fraud and are setting themselves up for disaster.
By implementing some simple processes – and some clever technology – business owners can greatly reduce their exposure.
Fraud is a massive problem within Australian businesses. A recent KPMG survey found there were 81 major cases of fraud heard before Australian courts in the second half of 2009, up from 69 during the first half of the year.
These cases have even given us a profile of the average Australian corporate fraudster – he is a 38-year-old male, has been employed within the victim organisation for at least six years and typically steals cash to the value of $262,000.
Gary Gill, head of forensic at KPMG, says businesses often don’t think about who is the most likely culprit – not a newcomer, but a long-time employee.
“Quite often there is a gambling addiction behind a fraud case, or other addictions such as alcohol or drugs. Usually there is an underlying cause, it doesn’t just necessarily happen out of thin air.”
But businesses aren’t paying attention, according to Grant Thornton’s national head of private businesses services, Tony Markwell.
“I think a lot of employers underestimate how often fraud is occurring, how vulnerable they are, and I think it’s fair to say that a lot of businesses haven’t kept up-to-date with new technology and how easy it is now to be defrauded.”
“We’ve had a lot of clients in this situation, and they’ve been hit hard in ways that could have been avoided relatively simply if they had put some easy processes into place.”
Their message is simple: your business is vulnerable to attack, and you need to do something about it.
Types of fraud to watch for
Many businesses only look for the obvious when it comes to fraud, but Peter Vitale from CCI Lawyers warns the means by which an employee can gain an advantage dishonestly from their employers is limited “only by human imagination”.
“Another tactic might be for people who are paid commission to falsely report the date of a sale, which might push a transaction into a new period which would give additional commission entitlements. There are all sorts of things, simple and complex, that employees can do.”
Vitale says credit card usage, logs of personal use of motor vehicles, fuel cards and claims for allowances can all be abused. Gill also says many types of fraud occur in the procurement and payroll areas, and that it’s typical for employees handling these areas to be the ones involved in the fraud as they have large amounts of control.
“Usually a control weakness occurs in the payroll system, where a person has access to controls which they really don’t need to do their job. Sometimes they set up false supply chains and end up putting their address as a supply address and gain funds.”
Bronwyn Maynard, senior associate and team leader at Harmers Workplace Lawyers, says she has been witness to a number of employee fraud cases, including “misappropriation of funds, stealing of employer goods, fraudulent expense claims and incorrect time sheets”.
One of the most high profile instances of employee fraud occurred last year at retail chain Clive Peeters, when an employee allegedly stole millions from the company by falsifying payroll accounts and diverting funds to her own account.
She purchased two vehicles and a number of properties across the country, and her activity went undiscovered for months.
While Clive Peeters was lucky in that it could sell off the assets and actually recoup the majority of its losses, it still highlights how a business can be undone by the actions of one rogue employee.
The top 10 ways to spy on your staff
One of the most obvious security strategies is to go all out by completely spying on your staff. This can include anything from monitoring online activities to activating security checks for every single process of employee activity.
Employers are also likely to minimise the risk of fraud by having video surveillance systems put in place. But Vitale warns that while a number of businesses have successfully applied monitoring practices to their own workplaces, there are a number of factors to consider.
“Obviously you’ve got surveillance data legislation that applies in each state, and that differs for employers across the country. In New South Wales, for instance, you have to get an order from a magistrate before you can engage in certain types of surveillance, while in Victoria it isn’t so difficult.”
“The critical thing that employers need to remember is that where they do suspect fraud, there needs to be a legal standard reached, otherwise that could really put the employer in trouble. Clear evidence is needed, such as emails, logs, video footage, it could even be electronic diaries and so on. But these need to be obtained legally.”
If you’re prepared to do everything by the book, there are a number of ways businesses can watch what’s happening. Here are 10 of the top ways you can spy on your staff.
Visual surveillance is one of the most popular methods used by employers. But beware: while cameras are effective, they can also create legal difficulties. Maynard warns employers that legislation differs from state to state regarding what can be done to monitor staff and offices.
“Employers can utilise video security systems in their workplace. However, it is important for employers to be aware of any legislation in their state that imposes obligations on their use of such security systems.”
“In New South Wales, for example, the primary piece of legislation dealing with surveillance by employers is the Workplace Surveillance Act.”
She says the act makes it unlawful for an employer to undertake surveillance without providing at least 14 days prior written notice that the surveillance will be carried out. Employers must specify the type of surveillance, how it will be carried out, when it will commence and whether it will be continuous or periodic.
But once you’ve got the legalities out of the way, there are some nifty gadgets available for the purposes of spying. Josh Pennycott from surveillance equipment retailer Eye Spy says his business sells a type of camera which actually combines visual camerawork with POS details.
“So you’ll have the camera image of someone at a cash register, with the customer opposite them, and then imposed on that image you’ll see details like how much the transaction was worth, the change to be given, what was purchased, and so on.”
Usually spyware is referred to as a threat, but you can make it work for you instead of against you. There are a variety of programs that can be installed on computers designed to monitor exactly what people are doing, even in real-time. Other programs such as key-loggers record every keystroke, while firewalls can even inspect emails for any sign of suspicious activity.
Pennycott says his business sells a small USB stick that can covertly monitor a user’s computer without them knowing about it.
“The USB stick is small, you can just put it into a computer, and within 60 seconds it downloads a program onto your desktop and then I can remotely view your desktop at a different computer without you knowing.”
Again, employers need to be aware of the legalities of using such equipment before doing so.
Gill says some employees have used company cars to defraud employers, tampering with logbooks and so on. Having a GPS unit on company cars can ensure you know exactly where they are at all times, and how far they have actually travelled. If there is a discrepancy in the logbooks, you know where to check.
Some Australian companies such as Quicktrack, Smarttrack and GPS Fleet Solutions provide services to locate your cars at all times.
Internet banking safeguards
Most businesses would be operating their payrolls and other banking needs online, with perhaps just one employee operating the procedure. But Gill says this is a recipe for disaster, and says electronic detection mechanisms can be put in place to ensure you know who accessed these programs and when.
“There are all sorts of software solutions available whereby you can run programs to determine who is accessing these banking programs, what is being done and so on. The key here is just knowing what programs to use and letting people know they will be put in place.”
Every single website your employees visit can be monitored and logged, along with every download they make. Browsing software usually tags this information by default, but employers can add to that by making regular inspections and records of sites being visited.
But Vitale says employees must be told what’s going on before surveillance commences.
“There is some debate going on right now as to the specifics of how that can be done, but it’s always wise to indicate to employees that emails and internet usage will be monitored. The reason for this is just being sure to give out full disclosure.”
“Also remember that relying on information you gather through these means can be problematic if employees aren’t on notice about it. It’s always better to make these disclosures, and then stop anyone from doing anything silly. If anyone does anything, well then, they probably deserve what they get.”
Not only can employers check out what websites users are visiting, other records can be made available. Emails, chat transcripts, logs showing access to certain data systems and detailed call lists are all available for scrutiny.
But once again, Maynard says surveillance legislation applies here. For instance, in New South Wales the surveillance act requires employers to comply with notification requirements before any surveillance is undertaken – including monitoring of emails.
“Further, the employer must have a computer surveillance policy in place, of which employees must be notified in advance.”
Pennycott says phone logs can even be recorded using bugs and similar technology, but that this is becoming less frequent as more businesses move to mobiles.
You can keep tabs on employees by having them use keycards to enter and exit buildings and access certain areas, which allows log-keeping of who accessed what and when. Not only does this make sure only employees with the proper authority are accessing important areas, if something goes wrong, you know who to blame.
Sounds simple, but many employers don’t even bother with setting up a public computer system. If you want to watch what your employees are doing, then make sure you set them up with computer systems which only allow them to save files in certain folders. Then, you can watch what they are doing in your own time and monitor any suspicious activity.
Most electronic systems on computers, and other systems such as electronically-monitored doors, cars and GPS systems, can be set up with notification systems. If someone gains access, a report is logged and you can see who was tampering with what, and at what time.
One of the more shocking suggestions is to employ random bag searches. Vitale says businesses are legally permitted to do this but caution must be taken to ensure solid notifications are given beforehand and notices are put up in an office in plain sight.
Typically the view is that you can’t search someone’s bag or locker without permission, but there are companies which have successfully implemented such programs by putting up signs saying “you may be subject to a random bag search”.
Other fraud prevention methods
Of course, spying on your staff isn’t the only solution. Before employers start locking office doors from the outside, these experts suggest there are a number of different ways to prevent fraud that cost little time or effort.
Gill says employers should set up a reporting system through which whistle-blowers can report suspicious activity, in order to prevent activity as it begins.
“The key measure to have in place here is a mechanism to report suspicion of fraud, or concerns they might have. Whenever something happens with regards to fraud, someone else usually knows but doesn’t report it because there is no mechanism to do so.”
“Organisations I know of are putting in place hotlines where employees can report these matters, so at least the company is aware of things that might be happening.”
Markwell says employers need to have a hands-on approach to their business, and regularly review accounts, logs and financial data. Additionally, he says employers must spread control of critical systems, such as payroll, over a number of different employees.
ACCC deputy chairman Michael Schaper says small businesses are often more likely to fall victim to scams due to the limited time and staff involved. He recommends keeping savvy with regards to account keeping and echoes the call for a spread of control among employees.
“Businesses need to be more professional in their record keeping and accounts, because there are still lots of people who are operating in the equivalent of a shoebox. There are really simple ways to keep up-to-date on this stuff. Additionally, make sure just one or two people are in charge of paying accounts.”
Markwell says a “culture of control” needs to be implemented. Employees must get used to working in an environment where everything they touch can be logged.
“You need to be up front about it in front of your staff. You need to emphasise the wider range of controls being put on the company rather than just looking at the one role which may be being watched.”
Gill says while the implementation of such measures depends on the culture of each organisation, he recommends employers simply be honest about what they are doing.
“You will get pushback where there is a concern about what you are doing. But just be honest, explain that fraud is a fact of life, that it often happens internally and you are putting in place many detection methods so you can prevent it from occurring which would not only hurt profits, but also the possibility of salaries being paid out.”