An increase in workplace fraud

February 2021  |  SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine

February 2021 Issue

In 2019, 929 UK companies were involved in money laundering in England and Wales, and it is estimated that fraud costs individuals and businesses in the UK £130bn a year.

At the start of the pandemic and the first lockdown, the warnings to businesses were clear – fraud and bribery will escalate, and you need to keep tabs on staff and your internal processes. This was predicted on the probability of skeleton staff being kept on with their colleagues being furloughed. Corners were likely to be cut, and staff were to have less oversight. We then had the enforcement of mass home working to contend with.

Many businesses were not equipped to handle large numbers of staff working remotely, leading to another layer of possible weakness in protocols. Who changes their WiFi code from the default setting at home? How many businesses use a VPN connection or two-factor authentication? Who can concentrate on checking the validity of an urgent email while teaching the times tables? This may make some people smile but are real examples of what many home workers have experienced in 2020, and will continue to experience in 2021.

Fraud presents a challenging problem to handle and businesses often lack the most simplistic measures to protect against it. The recent, impromptu move to remote working has exposed this even more, calling for stricter cyber security in a bid to promote protective working practices. The National Crime Agency (NCA) reported that the internet plays a role in at least 54 percent of all fraud. Beyond this, it is reported that 85 percent of fraud is cyber enabled, strengthening the argument for increased cyber security. With employees relying more heavily on home broadband providers rather than corporate internet services, server protection and device encryption are increasingly important, especially as data equates to financial power.

Recently there have been many examples of cases involving email interception. One involved the intercepting of emails between a solicitor and their client in relation to a conveyancing transaction. In a scenario that has affected thousands of people in recent times, emails were intercepted and the false bank details in PDF attachments were inserted in an attempt to divert monies for the transaction.

This highlights the importance of the ‘call to confirm’ process implemented by businesses to ensure that the bank details they hold are correct for the company they are attempting to pay. While common practice in the corporate setting, this may not be as commonplace when dealing with individuals on a personal transaction. Nevertheless, it is a practice that corporate entities should insist upon in addition to other protective measures, such as password-protected PDFs.

However, another case shows that corporates are just as fallible. This also involved email hack and interception, most likely due to a weak password. An experienced employee, working from home, was encouraged to pay an invoice which was sent from what was, on the face of it, a genuine client. This case demonstrates the increasing need for protective measures, such as two-factor authentication, identification checks and strong passwords.

As expected, the sheer volume of attempts to hack into systems and then socially engineer a payment have escalated to an unprecedented level.

While the warning signs of fraud may be glaringly obvious to the trained eye, they may not be so obvious to those with little or no exposure to fraud. Therein lies the importance of employee training; while policies and procedures may be in place, employees need to maintain a true understanding of what they mean and what the warning signs are. Without this, effective implementation and therefore protection against fraud becomes strained.

Employee dishonesty is one of the biggest battles faced by businesses. In 2019-2020, corporate employee fraud resulted in a loss of £277m. A recent case concerned potential fraudulent activity by a financial director who allegedly raised false invoices when providing supporting evidence for a banking facility. This activity was only uncovered after the employee had left the business. Again, the individual was working from home and had a senior role in the business.

Without even discussing directors’ duties, responsibilities and liabilities, this conduct demonstrates the risk of exposure resulting from trust placed among employees. The increasing difficulty here is that there is no protection against an employee who is intentionally complicit in fraudulent activity. Legislation and training are simply not enough to protect businesses against those who are willing to engage in fraud. However, suitable oversight and relevant checks and balances might be.

Businesses operating in regulated sectors including (but not limited to) credit institutions, financial institutions and high value dealers are subject to stringent obligations under the Proceeds of Crime Act 2002 (POCA). This includes a requirement to submit a suspicious activity report (SAR) to the NCA where there is knowledge or suspicion of money laundering activity or criminal property. A SAR can (but may not always) result in a permissible defence against the risk of committing an offence under POCA. However, if the activity is historic it presents a dilemma for the business.

In some cases, a SAR may result in the suspension of relevant bank accounts concerned, thus bringing the business to an untimely halt.

Whilst POCA highlights the importance of employee training and robust policies and procedures to protect against money laundering, it is impossible to cover every eventuality. The legislation protecting against economic crime is designed to raise awareness of and encourage good working practices against economic crime.

We have recently seen the introduction of ‘confirmation of payee’ – a name-checking service implemented by banks to warn customers when a payee’s name does not match the account number provided. This increases vigilance among users, but it does not prevent users from continuing with a transaction and may still result in fraud. For example, if a finance manager is presented with what appears to be a legitimate invoice and processes the payment using what they believe is the trading name of the company, they are likely to be inclined to ignore the confirmation of payee prompt and continue with the transaction. In such a case, the bank is unlikely to offer any protection.

While this brings into question the effectiveness of the protective measures in place, it also highlights the earlier point that legislation and protective measures are simply not enough to prevent against economic crime. Training and vigilance will be the ultimate protectors against economic crime, and with increasingly sophisticated crimes, this process must be ongoing and mandatory for most, if not all, employees.

Without the effective checks in place against economic crime, fraud in the workplace will continue to rise. Employers must make it difficult for employees to process financial transactions. By requiring the authorisation of transactions, employees will be accountable for the transaction they approve or seek approval of, with the fear of accountability closing the window of opportunity.

 

John Hartley is a partner and Inayah Noormahomed is a trainee solicitor at Shoosmiths. Mr Hartley can be contacted on +44 (0)20 7282 4068 or by email: john.hartley@shoosmiths.co.uk. Ms Noormahomed can be contacted on +44 (0)3700 864 057 or by email: inayah.noormahomed@shoosmiths.co.uk.

© Financier Worldwide

BY

John Hartley and Inayah Noormahomed

Shoosmiths

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.