In Georgia, one Mohawk Industries employee allegedly scammed the company out of $766,000. In New York, a worker at Chevron Phillips Chemical Co. pled guilty to stealing $1.8 million from the firm. And in New Mexico, two Santa Fe government employees were placed on leave following a report that fraud is running rampant in their department.
And that’s just in the last month.
Internal fraud is, unfortunately, an all-too-common problem for businesses and government entities, especially with regards to misuse of p-cards. Dan Zitting, Chief Product Officer at auditing company ACL, highlighted one recent case that was particularly unsettling: a government employee in Gainesville, Florida, who stole $93,000 from the city through fraudulent purchase card (p-card) use, using some of those funds for plastic surgery.
“That certainly doesn’t reflect well on how a local- or state-level government is managing taxpayer dollars,” Zitting said in a recent interview with PYMNTS.
P-card fraud is a common problem across businesses and government entities large and small, he added, whether the headlines capture these cases or not.
“Because of the openness of government data, we tend to find problems in business-to-government payments more often,” he said. “At the state- and local-government level, it makes headlines, but we see cases every day of our customers having been involved in identifying money flowing out to all kinds of crazy things on purchase cards.”
It’s a scary thought for any organization to consider that one of its biggest security threats may be coming from within. But failing to acknowledge that threat, said Zitting, is a recipe for disaster when it comes to cybercrime.
“If you look at the news and what’s at the top of mind in board rooms, cybersecurity has certainly been leading the way,” the executive said. “But I think we spend so much time and focus on cybersecurity that sometimes fraud takes a back seat, and I don’t think fraud threats are any less. It’s a different sort of threat; there’s nothing quite like a big fraud to put a company in the news and really damage their reputation.”
Internal p-card fraud doesn’t discriminate against small and large companies either, he said. For large enterprises, there is often a “it won’t happen here” mentality, he said.
“The reality is, if a company gets big enough, it most certainly is happening,” Zitting added.
Small businesses (SMBs) have that mentality, too, especially with employers operating with the feeling that they and their small group of employees is sort of like a family.
“They think, ‘We’re a family in this business. Fraud doesn’t happen here,’” he explained.
Companies may have faith in the integrity of their employees and company culture, but failing to acknowledge how widespread this problem is means workers can gradually feel emboldened with any fraudulent activity.
According to ACL’s Dan Zitting, internal fraud typically starts small, say, with an employee filling both the company and the personal car up with a company p-card. Eventually, though, workers that get away with little purchases here and there quickly begin to feel more confident in their ability to get away with larger purchases.
“It’s a snowball effect,’ he said. “They build up a rationalization that justifies their actions, and this snowballs unless something happens to reverse the course. They roll downhill, so to speak.”
In corporate payments, the migration away from paper — especially paper checks — is a common tactic to safeguard transactions. Indeed, research from the 2016 Association of Financial Professionals Payments Fraud Survey found checks are the highest-targeted payment method for fraudsters, making the payment rail one of the riskiest for the enterprise.
But the migration away from paper and toward electronic payments like cards does little, if anything, to combat cybercrime from the inside.
“It’s about the last mile,” said Zitting, adding that while electronic payments can arm SMBs and corporates alike with the transaction data necessary to identify and prevent fraud, it’s useless unless a company actually does something with that data.
“It’s taking the last step — the data alone isn’t any good unless there is some monitoring of it,” he continued. “Having data and not looking at it is similar to saying, ‘We have a p-card policy around what you’re allowed and not allowed to use it for, and we consider that policy alone as the control. Because we have that policy, bad things won’t happen.’ That’s just not the reality. Companies need to take the last step to run all of their transactions through analysis, to identify any fraud indications or suspicious patterns, and actually follow up.”