As Construction Booms, So Does Fraud
Wherever financial information and funds flow, there is the potential for losses caused by cyberattacks, fraud, and embezzlement. With the construction industry closing in on a decade of strong performance, all levels of employees should be aware of these threats and the costs of recovery (in both time and expense).
As auditors, we study and understand the most common attacks against construction companies. The damage can be staggering. Often, five- to six-digit losses shock a company into action. Some companies have lost seven-figure or larger sums – never to be recovered. While victims sometimes recover a portion of funds through legal prosecution and insurance, they are rarely made whole. According to the “2018 Report to the Nations” from the Association of Certified Fraud Examiners (ACFE), only about 15% of frauds reported in the survey resulted in a full recovery. The larger the losses, the less likely it gets.
Proper internal controls and segregation of duties act as self-implemented “insurance programs” that could prevent attacks and save your company time and money. The first step is awareness. Below are five schemes to watch for, along with prevention strategies:
- Cyberattacks – One common attack is called spear phishing. The attacker sends an email, ostensibly from someone familiar, with a seemingly reasonable request. Examples include the CFO requesting a wire transfer, a vendor requesting a change to the deposit account number, or an executive requesting copies of W2s for an IRS audit. But responding could be catastrophic – the money or information ends up in the scammer’s account, usually unrecoverable. Ransomware is another attack: The attacker holds sensitive data for ransom until the company pays.How to prevent – Employees should be extra diligent when receiving unusual requests for sensitive information, as in the examples above. Verify the email address is legitimate. Phishing schemes often add or alter a single letter in the address, such as changing “m” to “n,” or change the address format. If the request is out of the ordinary, call the person directly. Spending a few minutes to verify a request is far better than losing tens of thousands of dollars.
- Fictitious vendors – One of the most common and expensive fraud schemes in construction involves fictitious vendors, such as materials suppliers. Inadequate internal controls or lack of appropriate controls let the fraudster input these vendors into the accounting software. Often this scheme is perpetrated on the most profitable jobs, so no one scrutinizes the details. Once these vendors are in the system, the schemes can be nearly undetectable, causing exponential losses. On time and materials jobs, losses affect not only the construction company but also the owner.How to prevent – Start with proper segregation of duties. Contractors should have different personnel who add, verify, and approve new vendors. Verifying that the vendor is incorporated isn’t enough: Many fictitious or shell businesses do legally exist. Consider also verifying the vendor website, calling listed contacts, and searching the address on Google Maps. Existing vendor listings should be reviewed at least annually. Look for similar names (ABC Company, Inc. versus ABC Company, LLC), unused vendors, and vendors used by only one or two employees. Investigate and verify anyone flagged, then purge or disable as necessary.
- Reimbursement fraud – Company credit cards and employee expense reimbursements are prime tools for abuse. Employees could buy personal items along with business expenses, buy gift cards from a legitimate vendor, or request cash back with a legitimate purchase. Many websites exist solely to create fraudulent invoices and receipts.How to mitigate – Companies can request transactional data from their bank or credit card provider and compare to reimbursement records. Request “level 3 data,” which has transaction details that are not included on monthly statements. If available, data analysis software can flag anomalies within high-volume data sets.
- Payroll fraud – One problem prevalent in larger companies – especially in construction, where the workforce fluctuates – is fictitious employees on the payroll. Another issue is payroll manipulation, a scheme where multiple checks go to the same employee in a pay period. A newer trend: An employee alters a legitimate check and deposits it electronically via mobile device, then deposits the original check in person, causing duplicate payment.How to prevent – Best practices include proper segregation of duties for those involved in employee setup and payroll, as well as annual review of payroll registers, employee listings, and pay rate changes. Companies can further incorporate data analysis to detect duplicate bank account numbers and verify that the annual payroll by employee matches the wage listing. One low-tech method: Require each employee to receive their check in person for one random payroll period.
- Document manipulation – Criminals today have sophisticated tools. Electronic statements can be altered well enough to fool even a specialist. Or outsiders can obtain a company check from a legitimate purchase, then copy and alter it to steal funds.How to prevent – Employees must be skeptical. If something seems off (for example, the rows of the bank statement do not quite line up), they should double-check electronic copies of statements against hard copies straight from the source. Also, systems such as positive pay can help prevent check copying and theft of funds.
The best strategies to minimize the risk of fraud are to ensure proper internal controls and segregation of duties, train employees to be diligent, and demonstrate an ethical tone at the top. Most important, every employee should be skeptical and report anything suspicious. An anonymous hotline (or a drop box at the office) is one of the quickest, easiest, and most effective tools available. According to the ACFE “2018 Report to the Nations,” 40% of detected cases of occupational fraud were discovered through a tip.
Education is the best prevention, so familiarize yourself with these common schemes and talk to other construction company executives and your professional advisors. If you have been a victim of fraud or are uneasy about your internal controls, schedule a fraud risk assessment. Remember: Prevention costs far less than the time, effort, and monetary losses of dealing with a fraudulent attack. Contact your KSM construction advisor for help quantifying, detecting, and mitigating these threats.
Keeping you updated on COVID-19 and its impact on businesses and individuals.