Minimise Business Fraud
In today’s business world of increasing activity being online, the reality is that business owners must take precautions to minimise business fraud or embezzlement in the world of today’s technology.
Any business that uses social media, email and online applications should be aware of the risks of doing business online and taking measures to protect against fraud.
According to the Australian Competition and Consumer Commission (ACCC) Targeting Scams report for 2017, small business with fewer than 20 staff are most likely to be targeted by scammers, with an average of $11,000 being lost. Between 2016 and 2017, there was an increase of 23% in the number of reported scams. Most common scams were false billing, employment and investment scams.
Each business will be slightly different in its areas of greatest exposure, but there are some common areas of vulnerability that you can assess.
Fraud Targets
- Sales—invoices can be altered to show fraudulent bank details; customers pay into the incorrect (non-business) account. Customer refunds can be paid into a sham account instead of the customer’s account.
- Purchases—purchase orders can be fabricated and goods delivered to a non-business address; meanwhile the business pays for the goods; bills can be altered with ‘extra’ amounts added; the bill is then paid to two accounts, with the correct amount going to the supplier and the ‘extra’ amount going to the fraudulent account. GST may also be an issue with bills, as some suppliers knowingly charge 10% GST on bills without being registered.
- Cash—there is no problem with a business handling a lot of cash so long as it is controlled and reported correctly. We’ll go into the best practices for handling cash in a future blog. This is commonly a massive problem for business owners who do not implement good control practices and instead simply trust people to ‘do the right thing’. Cash is often too much of a temptation. Good practices make it easy to track the cash in and out of the business.
- Stock—another common area of fraud, it can be easy to manipulate stock delivered, sold or damaged. I know of a case where an employee hired a warehouse, had hundreds of thousands of dollars worth of goods delivered there and she made millions over the course of several years. Meanwhile her employer never suspected her and paid for all the goods. It was eventually discovered by an external bookkeeper who came in to assist the business.
- Payroll—fabricated expense claims, timesheet fraud, ghost employees receiving wages or pretend travel to pretend events can happen.
Fortunately, there are many simple practices that will assist you to minimise the risk of being defrauded by anonymous hackers or by people you know.
Xero has an excellent system of security and data audit tools, allowing the account owner to see who has logged in at what times, what kind of activity users have been doing, how many and exactly what type of alterations have been made to a transaction and more. Not all software shows this detail—for example, some allow any number of edits to be made to an invoice with no history of who made the changes or what the changes were, which makes it very easy to commit fraud.
Simple Steps You Can Take
- If you don’t already do current period proactive bookkeeping, and instead do historical catch up bookkeeping, change your systems now. It is much more difficult to get away with any strange transactions, mysterious payment, altered invoices etc when the bookkeeping is done regularly and immediately. It is however much easier to get away with things when there is a big time lag between an invoice being altered and it being reconciled in the accounts. The longer you leave your accounts, the harder it is to know if something was a genuine mistake or deliberate fraud.
- Implement clear business policies for external payments. For example, you may have a transaction limit placed on debit cards, or you may require two signatures for all payments over a certain amount.
- Make sure you know who has access to what parts of your accounts, point of sales and other business systems.
- Make sure all staff have a unique login. Never allow logins to be shared. Also insist on two-factor authentication where your software allows it. (For Digital Service Providers that interact with the ATO this will soon be mandatory).
- Educate staff on how you want unsolicited phone calls that insist on verifying their identity handled. Similarly, educate staff on how to look for deceptive emails that may be impersonating someone within the business.
- Use technology to your advantage. Okay, it is because of technology that we have a higher risk of fraud, but developers have to constantly stay ahead of the security risks in order to comply with the Australian Privacy Act 1988. Good technology will assist you to stay secure.
Technology Tips for Security
- Get a password protector now! These excellent solutions have been around for years yet still many people do not trust them or don’t know about them. It should be a recognised and encrypted password protector and yes you should pay for the service. Don’t use a free one that can easily be hacked.
- Get two factor authentication (2FA) on every application you use that offers it. Google Suite, Dropbox, Xero, Outlook, Facebook, LinkedIn, Twitter, WordPress and many other popular online apps offer 2FA. If your bank doesn’t already offer it, consider changing banks (at least for your business) to one that does offer this level of security.
- Backup of your computer and online apps should be a regular event, preferably set up to be automatic, but even if you do it manually, at least do it.
- Use a secure and authenticated digital signature provider. Again, don’t use the free options, as they may be electronic without being authenticated, and therefore easily hacked or duplicated.
- Check new suppliers on the Australian Business Register ABN Lookup. This allows you to check whether a supplier is registered for GST and charging you correctly.
- Pay suppliers by batch payments uploaded to your bank. This is far more secure and accurate than making manual bank payments to suppliers, and also saves time.
- Never email anything that can be used to identify you such as driver’s licence or birth certificate and never email credit card details.
Mistakes Happen!
If you suspect something is amiss in your accounts, don’t jump to conclusions. Investigate first, quietly put your detective hat on and dig into things a little. Innocent mistakes do happen and you don’t want to alienate staff or others by jumping to unfounded conclusions. If mistakes and errors are found these can be fixed and used as education and process improvement for the future.
If you do suspect fraud you will need to get advice, possibly from an outside bookkeeper, your tax agent, or the police.
By implementing these simple steps now, you have an excellent chance of minimising the risk of fraud in your business, and it will be much easier to differentiate between fraud and human errors. This allows you to continue focussing on your business operations and maintaining positive staff relations, without wasting time on managing unexpected security crises. While we can’t control every risk out there, at least you can take responsibility for reducing the likelihood of it happening.