Segregation of Duties. What is that?

When one person controls multiple phases of accounting transactions (i.e. accounts payable, payroll, accounts receivable, etc.), the opportunity for fraud in the workplace significantly increases.

By involving at least one other person in the transaction, the risk of fraud can be greatly reduced. According to the Association of Certified Fraud Examiners’ Report to the Nation, the presence of anti-fraud controls such as segregation of duties is associated with reduced fraud losses.

Accounting processes are divided into three separate phases:

  1. Authorization (requires an employee to direct another employee to initiate a transaction)
  2. Custody (the actual possession of the asset)
  3. Recording (adjusting accounts to reflect the transaction within the accounting records)

The “ARC” duties should be segregated so that an employee doesn’t have responsibility for more than one phase (authorization, custody and/or recording) within an accounting process.

Resume “Padding”

Resume padding is more common than you might think. So what is it?

Resume padding is presenting false or misleading information about one’s education, work experience, credentials, job skills, or other important personal and/or professional data.

The following statistics come from a national survey conducted by CareerBuilder in 2015 among 2,532 hiring and human resource managers. More than half of employers (56%) have caught a lie on a resume. The most common areas around which job seekers lie are as follows:

Embellished Skill Sets – 62%

Embellished Responsibilities – 54%

Dates of Employment – 39%

Job Titles – 31%

Education – 28%


This should be a point of concern for any company and should motivate you to start background checks on your job applicants. Doing so will not only protect your business from risk, but also save you money.



The Perfect Storm: Lack of Internal Controls & Financial Pressures

According to the Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse, an organization’s lack of internal controls is the number one weakness contributing to fraud; while living beyond one’s means is the number one behavioral red flag of employees engaging in fraudulent activities.

As in many other fraud examinations, a recent fraud loss at an organization resulted from its lack of internal controls and an executive with the financial pressures to take advantage of that lack. The following chart reflects the behavioral red flags displayed by perpetrators according to the ACFE’s 2016 Report to the Nations on Occupational Fraud and Abuse. The executive in this situation displayed the top 5 behavioral red flags.


The organization had been going through financial difficulties, all while the executive was engaging in lavish spending for his/her personal benefit with business funds and making excessive purchases for the organization. The executive was able to conceal the organization’s financial difficulties and the scheme of paying personal expenses with business funds through three things: control over what information was shared with board members, the lack of internal controls regarding job duties, and the organization’s lack of proper policies for documenting business purchases.

This organization lost hundreds of thousands of dollars and it all may have been prevented/detected earlier with some proper internal controls and additional oversight by board members and/or staff.

Take a minute to reflect on your organization. Do you have any weaknesses in your internal controls? Do you have any employees displaying behavioral red flags? If so, address those concerns immediately, before it’s too late!


What’s next? Do I need an audit? Who can help me?

You find yourself in a bad situation – you are concerned that an employee has taken advantage of your organization and mishandled company funds. Now what? Do you need to bring in auditors? What is the difference between an audit and one of those, what do you call it, fraud examinations?

Financial audits are recurring reviews of financial statements. They provide an independent opinion on whether financial statements are presented fairly but are NOT designed to detect fraud. Often they are completed to give a level of comfort to stakeholders.

If you are looking to answer the questions of whether fraud has occurred or is occurring, who might be responsible, and what amount was taken, and to have documentation prepared to move forward, you need a fraud examination. Fraud examinations are nonrecurring examinations of financial records designed to detect fraud and resolve specific allegations, without any opinion on financial statements.



From Wikileaks with Love

In the 1990s, when I first started doing computer forensics and investigating Internet crimes as a police sergeant, it was not unusual to sometimes use my knowledge for slightly evil v. good. I recall a co-worker giving me some good-natured ribbing, and it was only right that I reciprocate. I turned to my computer, typed a few lines into a Russian website, and asked him if he had seen his new webpage. He stated he didn’t have a web page. I told him he did now, and I had him type his full name into the address bar. Immediately an unusual fetish website appeared with his name in the address bar. He learned two lessons. One, it will cost him lunch to have me remove it from the Internet, and two, you do not mess with someone who can put your name on the world-wide web forever, and on a Russian server no less.

It broke up a tedious day of tracing bomb threats, child pornography websites, and a host of other criminal cases involving computer forensics, emails and the Internet.

Upon retirement, I was engaged to review Phishing emails sent to customers of a major bank. I’d trace them around the world to the source, contact the network service provider, and get the web address and webpage shut down. The schemes were always the same: an email purporting to be from a bank would be sent to a victim, informing them they must click on an embedded link to change their password or some catastrophic event would happen to all their accounts and money. While the link appeared to be from the bank, a close inspection always showed it was not. These schemes were traced to Romania, Brazil, Russia, Germany, Spain, and a host of other countries. Typically, they were aided by the Phisher hacking into a server of a middle school, café, or other legitimate business without their knowledge and then using their server for the scheme. I remember one Phisher using Korean school servers exclusively. I named him Kimchi. I could always tell a Kimchi Phishing email. Like most Phishers, he always used the same code and text, just repeating it on a new website after he was shut down on the last one. Kimchi had a habit of urging the customer to “earnestly” change their password. Not a word in common use. The embedded code was always the same except for the redirect to his new phishing webpage. Picture placement, formatting and other code always matched Kimchi’s previous attempts. The embedded code would also show an email address where the Phished information was being redirected.

Whenever I was asked to do presentations on the Internet, the obvious signs of a Phish and how to prevent being a victim, such as checking the originating email address to see if it was different from the bank’s, would be emphasized. Directions not to click on the email hyperlink, but use your own bookmark to go to the bank website, etc. were taught. Simple precautions.

So it was with great interest to me this past year when WikiLeaks started producing emails from a Gmail account that involved major players in the presidential election. It was not a typical “hack” as routinely reported; it was a simple Phishing email. As simple as any that have been around since Internet financial transactions started. Instead of going to a known Gmail website, someone apparently clicked on a link and gave up a user name and password, allowing the Phisher to access the account and download documents and emails. I have seen no information in the email that it contained a Trojan virus or other malware that would indicate a more traditional hacking scenario. There are some clues in the Phishing email that should have led the user to send it to the junk folder.

Initial observation of the email showed some capitalization, punctuation, and grammar errors. As an example, “sign in to your account” instead of using “into”. The email text states that an attempt was made at signing into the user account from a Ukraine Internet Protocol address and a date and time were provided, except the year was missing from the date. The signature salutation “Best” could routinely be used by Gmail, but I’ve only seen it in emails from my friends in the UK. Hovering a mouse over the Click Here icon showed a Bitly tiny URL, not a Google secure link (https).

Many countries have developed sophisticated programs for obtaining information by hacking or Phishing. As an example, numerous computer programmers and engineers in Russia were primarily involved in the industrial military complex until the 1991 fall of the Soviet Union. Suddenly they found themselves out of work as the need for their skills decreased. During the same time period, IT and network security was not a high priority with companies expanding into e-commerce or institutions. Using their skills for evil, not good, became a viable transition. Groups of programmers developed hacking tools and software that were shared on the dark web with others. Sometimes the programs were sold or just provided free for others to use in schemes. Eventually, governments realized the value of having these specialists back on the payroll. Better they work for us, rather than against us.

Eide Bailly LLP’s computer forensics have investigated a significant number of Phishing cases. In some incidents, an employee opened an attachment in a Phishing email which contained a virus that accessed the company network; in others, fake emails from a company executive caused an employee to transfer funds to the suspect’s bank account. In some cases involving client companies and banks, more extensive computer and network forensics were required to ensure/validate that HIPAA information and data of concern to the FDIC was not obtained by the schemes, thus saving the businesses from the expense of customer notifications, credit monitoring fees, and possible fines.

Based on our Phishing investigative experience, we have provided prevention tips to prospects and clients to protect themselves from these schemes. As an example, networks can be configured to lock out certain Internet Protocol addresses or flag certain emails for closer scrutiny. Employees receiving unusual requests to transfer funds should verify the requests by calling the source or emailing using contact information from the company server, not the suspicious email. These measures, together with updating policies relating to Phishing and suspicious emails so that all employees are on alert for the latest schemes, can all help to prevent breaches of the systems and data theft.

The schemes seen today are not much different than those in the 1990’s. Perhaps the software is more sophisticated, the Phishing emails having a more professional look or using a slightly different twist to the scheme, but the preventative measures remain the same.
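The link and sender checks described in this post (compare the originating address with the bank's, and look at where the link really goes rather than what it displays) can be automated before a message reaches a user. The sketch below is an added example, not code from the original post; the trusted-domain set, the short list of shortener hosts and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short illustrative list, not a complete inventory of shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def inspect_email(raw, trusted_domains):
    """Return (item, reasons) pairs for the sender and links that need scrutiny."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if not host_in(sender_domain, trusted_domains):
        findings.append(("From: " + sender_domain, ["sender domain not trusted"]))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, _text in collector.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if host_in(host, SHORTENERS):
            reasons.append("URL shortener hides destination")
        elif not host_in(host, trusted_domains):
            reasons.append("link host not trusted")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message; example.com and example.net are reserved test domains.
SAMPLE = """From: Bank Security <alerts@example.net>
Content-Type: text/html

<a href="http://bit.ly/xxxx">Click Here</a>
<a href="https://www.example.com/login">Bank home</a>
"""
```

Calling `inspect_email(SAMPLE, {"example.com"})` flags the sender and the shortened link and leaves the genuine `https://www.example.com/login` link alone.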

Digging Deeper – How Computer Forensic Investigations can reveal a Treasure Trove of Information

In a previous career, I remember returning from an NICB conference and sitting down at my desk at the St. Paul Police Auto Theft Unit. I was excited to pick up fresh cases and put my new knowledge to work.

One of the first files I picked up was a case in which the auto theft report had more red flags than a Bolshevik convention. It turned out the vehicle had never seen a Minnesota winter. Purchased in Oregon, it immediately went on a container ship to Osaka, Japan. Two weeks after registering it in Minnesota, the suspect filed the auto theft report. Working together with an insurance SIU agent, we traced the vehicle and it was located by Japanese police. Eventually, the suspect was charged. Since the suspect owned an import/export company, I thought it was only fair to also discuss the case with U.S. Customs and tax revenue authorities. He likely is still being audited.

Eventually, my career led me out of the auto theft unit and into our police SIU. I performed computer forensics for a wide variety of cases as part of my duties. It took years for the various units to realize the value of computer forensics in their investigations, which now is something that is taken for granted in law enforcement. Every once in a while, on an auto theft case, an examination would discover forged insurance cards, identifications, vehicle titles, and emails between co-conspirators. Extracting computer evidence is much easier than checking under the hood for EPA stickers and matching seatbelt dates against the vehicle year.

Upon retiring, I was approached by a public accounting firm, Eide Bailly LLP, to do computer forensic examinations for their fraud and forensic accounting unit. They made me an offer to exit retirement that my wife couldn’t refuse. I found the cyber hunt for fraud, embezzlers, hidden assets, co-conspirators, and forged documents was limited only by the engagement hours. The cases, though, can be much more interesting and entertaining. Some case examples include:

  • The soon to be ex-husband who claimed poverty in the divorce proceedings, but revealed in a recovered Skype chat with his girlfriend that he was hiding assets in bank accounts set up in her name and sending loaded pre-paid credit cards to her.
  • The company accountant who was embezzling funds to support his addiction to gentlemen’s clubs and prostitutes. Information recovered from his work computer included hotel reservations, multiple 401(k) loans, and even video files of him with the prostitutes. All ATM deposits using stolen funds and withdrawals came from the same gentlemen’s club location.
  • A manager discussing a loan fraud who stated in an email, “I’m not going to jail over this!”
  • An insurance SIU case where they wanted detailed information from the cash registers’ hard drives. Employees’ names, receipts, and most important to SIU, the last use time/dates on the registers were all obtained using computer forensics.
  • In a non-compete case, finding that the respondent tampered with computer evidence during the discovery process allowed for a client not only to win the case, but also have the court order the respondent to reimburse for all legal costs and expenses because of the spoliation of evidence.
  • Emails, deleted two years prior to a computer forensic examination, show a conspiracy to hide information from a college internal investigative authority. The presence of romantic chat that was found was also documented for corporate counsel. This was done to assist the college (and vicariously the insurance company) in any future litigation should a quid pro quo civil suit result from the supervisor/subordinate romance between two employees.
  • In a voter fraud case, a district attorney had only three weeks before an election to verify if an individual running for public office had committed voter fraud. The suspect’s live-in companion had been deceased for over five years, but her absentee ballots had been mailed in after her death. The district attorney was comfortable having the forensic examination done by retired law enforcement. In less than a week, deleted emails were found in which the suspect admitted the offense to several individuals. The emails identified local witnesses to be interviewed and identified them as grand jury witnesses. The suspect dropped out of the campaign and subsequently pleaded guilty to voter fraud.

Computer forensics pairs well with forensic accountants. Inventories, income, and expenses all can be compared to other data. Typically, audits and accountants only look at the 20 percent of information that is structured, ignoring the 80 percent of the unstructured information. Chat, deleted data, emails, and metadata showing forged documents are all unstructured in nature. A complete fraud investigation should attempt to gather both structured and unstructured information.

Computer forensics is a cyber hunt. It is different than data recovery performed by information technology specialists. In computer forensics, one red flag leads to a second and a third. In many cases, a computer forensic examination can immediately uncover evidence that causes a third party to the litigation to give up the suit or settle.

Phishing Attacks and Your Business – It’s Not Just Nigerian Princes Emailing You Anymore

Phishing scams, or fraudulent emails used to acquire banking and personal information, are getting more sophisticated. General emails blasted to thousands of email addresses by a Nigerian Prince wanting to share $10,000,000 with you are still out there on the web; however, other schemes are hitting closer to businesses.

Spear Phishing is a type of fraudulent email that is directed towards a company and its employees. The scammers take great care in doing their research on the company organization and its employees. Think for a moment. Most companies allow, and in fact encourage, employees to create social media accounts to promote business and branding opportunities. Would a search of LinkedIn or your webpage provide information on your employees, your company, and institutional knowledge of management and operations? This type of information is extremely valuable in a Spear Phishing attack on your company. “Whaling” occurs when the targets of the Phishing attack are employees at the executive level.

Eide Bailly LLP computer forensics have been engaged to trace several of these Spear Phish attacks where hundreds of thousands of dollars have been lost by companies and banks. Here is how some of the more recent schemes are performed.

Typically, someone working in a company’s finance department receives an email that appears to be from a high level executive of the company. The email signature is correct, and the format and font are the same as the company’s. The appropriate logos are also present. The email, usually proclaiming some urgency in paying an overdue invoice, or a need to transfer funds, directs the lower level employee to transfer a fixed amount of money via wire or bank transfer to a routing and account number provided by the Phishing email. The employee, believing the email is legitimate, performs the money transfer and replies back to the email that funds were sent.

The problem is the email never came from the company executive. Close inspection of the email address revealed a single character difference. As an example, becomes The funds are now gone, and the likelihood of a Federal criminal investigation into the theft is minimal unless substantial funds are lost. That is why the Phishing scheme typically deals with amounts of money that would not normally raise concerns to the email recipient in payroll or finance.

Companies should review policies dealing with ordinary, and out of the norm, requests for the wire transfer of funds. Policies should include independent verification with the source of the request, either by company phone line or by initiating an email using the company directory email address. A reply to the original email would only go to the Phishing suspect.
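The single-character difference described above is easy to miss by eye but simple to catch in software by comparing each sender against the company directory. The following is an added example, not code from the original article; the directory entries, the sample addresses (on the reserved example.com domain) and the distance threshold of 2 are assumptions constructed for illustration.

```python
from email.utils import parseaddr

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, directory, max_distance=2):
    """Return ('known', addr), ('lookalike', closest_addr) or ('unknown', None)."""
    addr = parseaddr(from_header)[1].lower()
    known = sorted({d.lower() for d in directory})
    if addr in known:
        return ("known", addr)
    # A near miss against a real directory address is more suspicious than a
    # stranger: it suggests someone is imitating that specific person.
    closest = min(known, key=lambda d: edit_distance(addr, d), default=None)
    if closest is not None and edit_distance(addr, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

# Constructed directory and senders (hypothetical names on a reserved domain).
DIRECTORY = ["jane.doe@example.com", "cfo@example.com"]
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",   # genuine
    "Jane Doe <jane.doe@examp1e.com>",   # digit 1 substituted for letter l
    "Jane Doe <jane.doe@exmaple.com>",   # two letters transposed
    "Vendor <vendor@example.org>",       # unrelated external sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify_sender(header, DIRECTORY))
```

A "lookalike" result is the case to hold for the independent verification the policy calls for, since the display name, signature and logos can all be copied exactly.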