Home Month and Year December 2022 Where did all the money go?

Where did all the money go?

Experts say businesses susceptible to growing number of internal fraud, external scams Section: Risk management and insurance


Sarah Hawco is used to working with people on their worst days.

The co-founder of Hawco Peters and her Calgary-based team specialize in forensic accounting and dispute resolution services, often being called in when there’s suspicion that something’s gone wrong within a business.

“It’s, unfortunately, usually tied back to a trusted individual stealing from a company. It could be paying an employee who doesn’t exist or a misappropriation of some sort. Quite often, the question is, ‘where did the money go?’” says Hawco, a certified fraud examiner.

And as times have gotten leaner, especially during the recent pandemic, these types of economic crimes have become even more visible – and damaging.

“What happens in hard times is poor behaviour rises to the surface. That’s when it becomes apparent there’s been some sort of fraud or misappropriation,” says Hawco, noting she’s seen the theft of everything from wine to copper wire. “When times are booming, it’s easy to miss it.”

Just last year, a former principal at Altadore school pleaded guilty to a charge of forgery in relation to a multi-year scheme that diverted $200,000 from the Calgary Board of Education to a personal bank account he shared with his wife.

Meanwhile, a Lethbridge woman is scheduled to stand trial next year after being charged of falsifying records while as an employee of the University of Lethbridge to conceal the disappearance of more than $500,000.

Hawco notes it’s not always larger companies that are at risk, either.

“Bigger companies have bigger staff, which often means a better segregation of duties. So it can happen at a dental practice,” she says.

David Elzinga, managing director at Froese Forensic Partners, says he’s seen anything from kickbacks and secret commissions to false invoicing and asset misappropriation.

“The misappropriation is usually in the form of getting money out of an organization through some sort of fraudulent means,” says Elzinga, a certified fraud examiner who specializes in investigative and forensic accounting.

Prior to joining Froese earlier this year, Elzinga was manager of investigations in the enforcement division of the Alberta Securities Commission where he was responsible for the conduct of major investigations focused on regulatory fraud and breaches of other Alberta securities law.

It’s not just the threat of internal fraud that business owners need to be aware of. Elzinga notes the digitalization of just about everything is leading to an increase in the size, scope and sophistication of scams from external sources.

In fact, a 2021 Cyberthreat Defense Report by CyberEdge Group found 85.7 of Canadian companies experienced at least one form of cyber attack within a 12-month period – a 7.7 per cent rise in attacks compared to the year before.

“I think the pandemic has had some impact on the increase in cyber fraud,” says Elzinga. “Things like phishing emails, malware – that type of stuff has become more common in conjunction with more people working remotely.”

Competition Bureau Canada has identified approximately half a dozen of the most common scams that are currently impacting Canadian businesses. Grants and loan scams, for example, focus on providing businesses with for-fee “special access” to what ends up being non-existent government funded programs.

Directory scams are based on an “assumed sale” technique wherein a seemingly legitimate business directory supplier calls to confirm details about a business, followed a few weeks later by an invoice for online advertising that was never agreed upon.

Meanwhile, office supply scams use generic sounding supplier names to send legitimate-looking invoices, while the CEO scam is a type of highly targeted social engineering attack where scammers impersonate top-tier executives and then instruct their lower-ranking workers to disclose sensitive business information or pay fake invoices.

That’s in addition to a proliferation of some of the cyber scams Elzinga mentioned, such as spear phishing, whaling, vishing and smishing in which fraudsters try to trick employees into giving up sensitive business information.

A 2021 survey by Leger commissioned by Payments Canada found that around one in five Canadian businesses reported experiencing payment fraud. The two most common types were someone contacting the business pretending to be someone else and requesting money and credit card payment fraud.

“Historically, the risks to a business have primarily been internal, but things have changed,” says Elzinga. “There seems to be a shift going on.

“That said, every organization is subject to fraud risks. You can’t eliminate it. It’s the organizations that don’t think they’re at risk that are most likely to suffer.”

Randy Popik, a partner with Kingston Ross Pasnak, says one of the most common types of scams he’s seeing lately is ransomware. This form of malware involves hackers accessing an organization’s most important informational or vital systems and encrypting it until a ransom is paid.

“Some organizations have had their financial assets or intellectual property seized until they paid a bounty to get access back to their information. These are very sophisticated organizations,” says Popik, a certified forensic examiner who focuses on financial litigation support that’s largely comprised of fraud forensic work.

According to a 2022 TELUS Canadian Ransomware Study, 83 per cent of Canadian businesses reported attempted ransomware attacks and 67 per cent have experienced one.

The average ransom paid by Canadian organizations was $140,000. However, separate studies have estimated that the average cost of a data breach, a compromise that includes but is not limited to ransomware, is $6.35 million. That can include factors such as downtime, recovery of information and infrastructure rebuilding.

When it comes to combating fraud, particularly internal, Popik says businesses need to get familiar with the fraud triangle of pressure, opportunity and rationalization – a framework often used to explain the reason behind an individual’s decision to commit fraud.

“What an organization must do is break one of those components within the fraud triangle to reduce risk,” says Popik.

Rationalization refers to an individual justifying the fraud. It could be, for example, that the individual was treated wrong or that others are doing it, too – so there’s no harm in doing so.

“It could be everything from stealing office supplies to tools. Organizations need to get away from this nonsense that these are victimless crimes. They’re not. There’s always a victim,” says Popik.

Pressure, or incentive, is someone’s mindset toward committing fraud. It could be a personal incentive – for example, to fund a gambling addition, substance abuse or pay household bills. Or it could be societal pressures, such as meeting investor expectations.

Companies can mitigate pressure by providing employee assistance programs or setting realistic goals for compensation.

Lastly, opportunity often refers to weak internal controls or policies that open the door to fraudulent activity such as inflating sales numbers, false invoicing or even selling proprietary company information to competitors. This could be related to a lack of supervision, poor documentation of processes or inadequate accounting policies.

Popik urges companies mitigate opportunity for fraud by focusing on strengthening internal control such as better asset management or strengthening cybersecurity protocols to take opportunity away from external scammers.

To the opportunity side of the fraud triangle, Hawco also suggests actions such as segregating duties, reviewing payrolls and even something as simple as checking the balance sheets regularly.

“One of the simplest things I advise companies to do is check the bank statement once a week to make sure everything makes sense,” she says. “A lot of business owners just assume the administration is being taken care of. They need to be interested.”