This article is part of our collection on Cyber Security
Fraud costs UK business £190m a year. More startlingly, about 40% of that figure is stolen by staff. Here’s what you need to know about the threat within.
Last updated: 21 Jul 2020 5 min read
From pocketing a few sticky notes and being a little creative with expense claims to making out personal cheques, inflating commission and diverting assets, unscrupulous staff have plenty of ways to cheat their employers.
Roy Morgan, certified fraud examiner at legal training consultancy Kaplan Altior, says: “Fraud is challenging enough when the threat is external, but it’s even more difficult when that threat comes from previously trusted people in your organisation.”
The potential impact of employee dishonesty is devastating. Data from Action Fraud shows that British businesses reported £88m of insider deception in 2017/18 – double the previous year – with the average loss rising to £62,000. Such sums can cripple your business, and one rogue staff member’s dishonesty can finish it off altogether.
The cases that hit the headlines tend to involve huge sums or large companies, but businesses of all sizes are vulnerable, according to David Kearns, MD of Expert Investigations, a specialist employee fraud consultancy. “This is particularly true in the SME sector, where internal controls are far from robust,” he says. “In fact, fraudsters will often claim they committed the crime because the lack of safeguards gave them the chance.”
The belief that you have a long-standing, loyal workforce is also no grounds for complacency. Employee fraud is thought most likely to happen when the opportunity (for instance, having unsupervised access to the company chequebook) presents itself to an individual; when there is a pressure or incentive to steal, such as being in financial trouble; and when that employee has a rationality for their actions, such as a grievance about the way their company treats or pays them.
This three-step theory, known as the ‘fraud triangle’ and coined by US criminologist Donald Cressey, may explain recent discomfiting research showing two-thirds of all employee fraud is committed by workers with at least five years’ service – and one in five crooks have worked there for over a decade.
“The most serious and damaging employee frauds are often committed by longstanding senior employees,” says Emma Ahmed, professional support lawyer at Liverpool-based solicitor Hill Dickinson. “Such people have built up a level of trust, which they then abuse, treating the company’s cash as their own.”
This is one of the most common instances of employee deception. In 2013, Dennis Harold from Dagenham, Essex, swindled recruitment firm Devonshire Appointments out of £2.9m by inventing temporary staff and paying wages into more than 20 bank accounts with false company names. The then 60-year-old pleaded guilty to fraud by abuse of position and was jailed for four years.
A fifth of workers believe it’s OK to fiddle their expenses, according to research by the Association of Certified Fraud Examiners – with much of the justification being that “everybody does it”. Whether it’s a relatively minor exaggeration of mileage claims, or submitting fake invoices that appear to cover an employee’s company spending, expenses fraud is thought to cost businesses worldwide an average of £30,000 a year.
This can cover anything from falsifying CVs or references to calling in sick while working elsewhere. Britain’s Energy Coast took on trust new finance director James Cox’s CV and references – only for him to defraud the utility firm of £40,000. Investigations discovered that not only were his documents all fake but that he’d been jailed for fraud before – twice.
One of the most common employee crimes is falsifying documents to dishonestly purchase items or services from favoured, or even fictitious, contacts. NHS manager Mark Evill was one of three men jailed in November for defrauding a Welsh health board of £700,000 by awarding contracts to a fictional construction firm. They were caught out after naming “staff” after members of U2 and writing emails and invoices from Paul Hewson and David Evans – the real names of the band’s singer, Bono, and guitarist, The Edge.
Unsurprisingly, this is the fastest-growing modus operandi of the fraudulent employee. The number of court cases relating to theft of confidential company data rose by 25% last year, according to data law specialist EMW, and its prevalence is increasing. Risks to businesses include theft of customer and staff information, client databases or, in technology and finance, algorithms. One of many recent high-profile cases involved a BUPA employee stealing more than 500,000 customer records and attempting to sell them on the dark web.
“Companies are especially vulnerable to this type of employee fraud,” says Morgan. “Not only is technology advancing at such a fast rate that it’s a challenge to keep your business secure, but the General Data Protection Regulation (GDPR) means any company suffering a data breach could face a fine of millions of pounds.” Indeed, BUPA was fortunate to be fined just £175,000 in September 2018 because the breach occurred between January and March 2017. Had it happened when GDPR came into force in May 2018, the fine could have been as much as £17m.
“Managers need to be realistic about employee dishonesty,” says Kearns. “You want to believe everyone is honest, especially if they’ve worked for you for a long time. But employee fraud costs you money, damages your reputation and, if you don’t address it, disheartens and discourages those of your staff who are honest. Companies need to understand the risks of employee fraud and how to monitor and tackle it.”