Culture, COVID and change

Technological advancements and massive COVID-relief packages have opened a world of opportunity for fraudsters in recent years. In the U.S. alone, criminals have stolen billions of dollars in pandemic aid in what some are calling the biggest fraud in a generation. Scammers across the globe are also finding easy pickings among mobile phone and computer users as they learn technological sleights of hand to trick their victims. Yet social media and a rising speak-up culture are changing the dynamics of corruption and fraud in the corporate world, helping to reveal and stamp out wrongdoing at the highest levels.

Members of the Board of Regents sat down with Fraud Magazine at the 33rd Annual ACFE Global Fraud Conference to talk about these topics and more, bringing with them a wealth of experience from the private and public sectors in countries across the globe.

FM: According to ACFE Occupational Fraud 2022: A Report to the Nations, CFEs are catching frauds 33% faster now than they did in 2012, and median losses from frauds have shrunk by 16% over the past 10 years. In what ways have CFEs upped their game over the last 10 years and why?

Mike Ware: I think we find frauds faster because we live in a digital age, and we have advanced our data analytics capabilities even within the government space. We have invested quite a bit in data analytics, and it has done wonders thanks to machine learning and artificial intelligence. It keeps getting better and better at identifying the red flags, connecting them to other red flags and allowing us to know which cases we should work on. We’re much more laser-focused. It’s like we have a scalpel at our disposal now. And I think that’s allowed us to move a lot faster than we would have in prior years.

The other thing is our ability to work across agencies thanks to the Inspector General Independence and Empowerment Act, which among other things requires IGs to notify Congress if agencies deny access to requested information. [See “H.R.2662 – IG Independence and Empowerment Act,” 117th Congress (2021-2022), and “OMB tells agencies to cooperate with IGs overseeing COVID-19 spending,” by Jory Heckman, Federal News Network, Dec. 7, 2021.]

For example, for us at the Small Business Administration [SBA], we conducted a simple crosswalk to the Treasury’s Do Not Pay List, and we were able to identify billions and billions of dollars in fraud. The list contains people who have been convicted or can’t enter government programs anymore, not to mention those people who have passed on. Dead people get a lot of loans nowadays.

Alexandra Sagaro: I definitely agree that working in the digital age has allowed us to pivot as scenarios are developing. We can now quickly identify red flags so we can mitigate fraud ahead of time and catch it. By using digital platforms, for example, we can identify nuances that might require a deeper dive such as a newly created email account by someone who is older and likely to have had an email for quite some time.

FM: I can’t imagine how difficult it was without all this technology. How did you assess for fraud in the past?

Ware: We used to sample 20, 40 or maybe 50 loans out of millions of transactions. Now we can look over the entire portfolio, and that has transformed our oversight and the way we fight fraud.

FM: Of course, fraudsters have access to technology too. How are they using their technological skills to avert detection and commit wrongdoing?

Sagaro: They are helping to create the technology. That’s why government agencies will hire hackers to help them understand how they are infiltrating systems to be able to combat and investigate fraud. Fraudsters are always going to be a step ahead because they’re creatively figuring it out as they go along. They also have darknet platforms that provide a safe space to exchange ideas on how to infiltrate different systems and to develop new schemes. They share information and identify the best targets by having different people focus on individual institutions.

Collins Wanderi: I come from a jurisdiction where technology has now become the main driver of fraud. Just to give you an example, between December last year and March this year, 10,194 Kenyans lost a sum of 1.1 billion Kenyan shillings, which is equivalent to around $10.2 million. This fraud was perpetrated by a company registered at a fictious address in the U.K., owned by Chinese nationals and operated through agents based in Kenya. The fraudsters promised the victims that they would buy cryptocurrency for them using the money-transfer system platform of a major telecommunications company. Because the telco is a major business in the region people trusted it. After stealing funds over a 97-day period, the fraudsters sent an email to their victims, telling them that “I am going to buy beautiful things, and you will not catch me.” The website went down, and the fraudsters disappeared with $10.2 million. (See “Chinese Cryptocurrency Scam Bitstream Circle hits Kenyans,” by Jackson Okoth, The Kenyan Wall Street, March 21, 2022.)

[See sidebar: “How technology is driving fraud in Kenya”.]

FM: How do you protect yourself and combat this sophisticated band of fraudsters?

Sagaro: The collaboration of IT and cyber-threat analysts. We work together to mine for certain data points, figure out how systems are being infiltrated and how the scheme works from beginning to end. It’s that partnership that you constantly must have with people who are subject-matter experts in specific fields. Together we are a much stronger force, as we are leveraging all our expertise on one platform against a set of perpetrators.

Ware: That’s absolutely correct, and that’s the way we did it with the task forces across government when over $5 trillion in COVID-relief money was poured into the economy. None of us individually have the resources to address relief packages of this size. The fraud was so prevalent and so huge that we had to come together with the whole-of-government approach. So, we are working hand in hand with the Secret Service, the FBI, the Department of Justice, IRS and the U.S. Treasury Inspector General for Tax Administration, for example. (See “Running a marathon at a sprinter’s pace,” by Paul Kilby, Fraud Magazine, May/June 2021.)

Wanderi: Recently the Kenyan government has created the Directorate of Criminal Investigation Forensics Lab, which is doing some joint training with the FBI and the Serious Fraud Office in the U.K. to create capacity to get these fraudsters. There is also the Information Communication and Technology Authority and Office of the Data Protection Commissioner, whose job is to simply create standardization of what is required, in terms of data, the privacy of data, what information a telco requires from subscribers and in what circumstances that telco passes that information to any other organization.

Safaricom is the largest telco in Kenya, and it has got to a point where the government itself is unable to operate without the telco because it carries the bulk of the digital payments. It is so big that some people are now agitating for its breakup. You can see the inherent fraud risks. You just need to register once with them. Somebody gets your information, sells it to a fraudster who gets into your bank account, and then takes your money through the mobile transfer system.

FM: Are there tougher rules being enacted to prevent this easy exchange of information?

Wanderi: Yes, the government has changed the way it enacts rules for detecting fraud. Instead of using statutes, i.e. acts of parliament, ministers have been given the direct power to make regulations. Regulations are easy to make or change. You can also engage the stakeholders in the business more easily when promulgating regulations.

FM: According to the Report to the Nations, more perpetrators are in roles with higher levels of authority, 62% in 2020 versus 56% in 2012. Why do think this is, and is this a growing problem?

Wendy Evans: I think there is some psychology involved here. These are people with great authority and trust bestowed on them, and subordinated employees may feel intimidated to speak up. After the pandemic there was a lot of pressure on these higher-level executives, and it is worse today with supply-chain issues. So much is going on, and executives are under pressure to perform, and this may be one reason why you are seeing people in higher positions commit more fraud.

At the same time, employees are just inherently a little more nervous to speak up if they see possible misconduct on the part of their leader — after all, this person is their superior. They may sign your check, or they may be in a position to retaliate.

... executives are under pressure to perform, and this may be one reason why you are seeing people in higher positions commit more fraud.

Many employee surveys tell us there is a still a huge fear of retaliation among employees. Even though there are few actual cases of retaliation, people still have that fear. We all want speak-up cultures, but if you have a leader you are afraid to speak up to, or you have inherent trust that if they say it’s so, it must be true, we really don’t question them.

Chrysti Ziegler: I think there is more of a speak-up culture in companies today than there was in the past. Some companies think it is just there inherently, but it is not. And you must communicate and advertise and really push the fact that there is a speak-up culture. Many companies need it now more than ever. This speak-up-culture movement helps people understand that they are helping their company and not just telling on somebody. It’s a different mindset. More and more companies are encouraging a speak-up culture and advertising it to their employees: “Let us know. How is it going? Tell us what you think is wrong.” And people are more comfortable in doing that. So, I think that’s why we are seeing an increase in reports about fraud and why we are taking more action. With that, people are less afraid to speak up about their supervisor or even an executive.

FM: What has CITGO’s experience been after U.S. sanctions effectively took control of the company out of the hands of the regime of Venezuela’s sitting president, Nicolas Maduro?

Ziegler: The new PDVSA Board replaced the U.S. subsidiary boards and senior management at CITGO Petroleum Corporation. I was one of the people who was a replacement for someone who departed at that time. I have been very active in the ACFE and anti-fraud community for many years, and my addition to the company demonstrates the company’s intention to overcome its past. Also, for the first time, CITGO hired a full-time chief ethics compliance officer, so the company was again demonstrating an intentional pivot from the perceived culture that existed before to one that supports ethics and compliance. (See “Citgo names Steven Scarpino as first stand-alone CECO,” by Aaron Nicodemus, Compliance Week, April 26, 2021.)

There have been a lot of positive changes. And the whole reason I wanted to join the company was to be a part of that and know that they are serious about my role as chief audit executive. Management is looking at fraud and considering the risk and the exposure of the company — many of these new members of management come with loads of outside experience. There are plans to look at ethics and compliance trainings and education to make them more impactful so that people don’t just click on the required training to just say they have done it. The idea is that they are providing education and making an impact on the person receiving that training and that content.

FM: Lockheed Martin has also had a few high-profile ethical lapses in the past. How has the culture changed at the defense contractor, and how do you encourage management to adopt a robust fraud prevention and ethics program?

Evans: It’s perhaps easier to convince management about the importance of an ethics program when faced with regulators saying, “Perhaps this requires a monitor.” It started in the 1980s for the defense sector, with the $640 toilet seats and overbilling for fuel on the C-130 aircraft used by the U.S. Air Force. (See “Only the Pentagon Could Spend $640 on a Toilet Seat,” by William D. Hartung, The Nation, April 11, 2016, and “Lockheed Martin Agrees To Pay $2 million To Settle Allegations That It Overbilled The Government,” U.S. Department of Justice, March 27, 2015.)

I think as a company — as an industry — we said we have got to fix this. And, actually, a number of aerospace and defense industry folks got together and said: “Hey, we have got to do the right thing here, and we must look at self-governance. Not that we will never have a mistake or misstep in the future. That is going to happen, but we have got to do everything we can to prevent fraud, waste and abuse.”

We started with self-governance. All that is to say that at Lockheed Martin we really cultivated a culture in which employees were encouraged to voice their values. You can’t take culture for granted. We established multiple ways for employees to contact us. I think that is so important. We call it a helpline — versus a “hotline” — on purpose. And we do get calls, and we have a means for anonymous reporting, which is not a bad thing. You would rather have the report than not know about the issue. Actually, some anonymous reports have resulted in some of our more significant cases, perhaps where someone feared retaliation.

We answer our own helpline with ethics and compliance officers. I am part of that team. We take the call. People start to feel comfortable because we understand the nuances of our company when we hear of a specific concern. This does not take away from the use of third-party companies who assist some organizations with intake — that is still a great option — but we prefer to answer the phone because we have so many diverse global business areas. We connect them immediately to their ethics officer and ensure that relationship is established. It is a multilayered approach. We have three corporate values: Do what is right, respect others and perform with excellence. And perform with excellence happens when you do the first two.

What our employees are learning, based on Mary Gentile’s book, “Giving Voice to Values,” is most people have a moral compass, for lack of a better word. Ethics training in the past used to teach: “This is really bad — don’t do this,” and our employees were amused at how obvious the portrayed wrongdoing was. “Oh, that was really hard to figure out what the problem was there.”

But we found that sometimes fraud can be so subtle, so interwoven in the fabric of a process. We found the issue wasn’t recognizing when something was amiss — it was encouraging people about how to speak up and assuring them of the protection they can expect when they do speak up.

So, we have annual and quarterly training scenarios that demonstrate ways you can speak up if you are nervous: how to reframe an issue, how to ask a person who is in authority a question and what you do if you don’t feel they are addressing the issue.

Sagaro: Companies today have very extensive ethics programs. They are a lot more interactive than what I have seen during my time in government and at other financial institutions. They have very interactive platforms, where you can’t just check a box. You must answer questions, and there are scenarios throughout. It gives you a more overarching opportunity to know there are many forums to reach out to, and you must reach out if you want to solve problems. There is no excuse in waiting.

FM: I’d like to return to all the fraud that took place during the massive COVID-relief programs over the past year or so. What lessons have we learned from that experience and what is the government doing to address these problems?

Ware: The most important lesson learned is that we must consider the fraud risk environment prior to rolling out government programs. We are way past not considering that. I was at the table before the first dollar went out, sounding the alarm on this. I had three reports out basically screaming you must do this, you must do that. And nobody wanted to listen until I came to the table and said in the first couple of weeks that we found $87 billion in fraud.

FM: Could you explain your role as the inspector general and what influence you had in preventing the theft of the billions of dollars in SBA loans connected to COVID-relief programs?

Ware: What happens is that the inspector general recommends, unless it is criminal. If it is criminal, we do more than recommend. When we are dealing with program inefficiencies, we are recommending a fix. I was trying to make it a little stronger than a recommendation, but that’s where we are. Keep in mind what they were faced with. They had the challenge of getting this money out very, very quickly. And in the first tranche there was about $380 billion that went out in 14 days. They had to implement the program that came down from Congress within five days.

So, I mean dealing with the control environment was not their No. 1 priority. Getting the money out rapidly was.

The CARES Act didn’t allow them to keep all the controls the existing loan programs had in place. I came to the table with a way to get around that. But they only started to implement the changes around December 2020, when there was already $600 billion to $800 billion out the door. Now we are starting to really stop a lot of it by improving the control environment. One of the main changes that has come out of it are the “gold-standard” meetings, which bring together different federal agency officials to fine-tune pandemic relief programs and build on lessons to help reduce fraud. (See “PRAC Oversight of Pandemic Relief Cited as Model for Infrastructure Funds,” PRAC, May 4, 2022.)

I was very leery about this at first, mainly because they were asking me to come to the table before a program started, and I thought they wanted me to bless the controls. And I said I can’t do that. I can’t create your program and provide oversight of it.

But it didn’t work out that way. It is designed to force the agencies to consider the control environment. You must sit in front of the White House, the inspector general and staff, and say these are the controls we are putting in place prior to launching this program. That changes everything. Of course, I am still going to test these controls; that is my role. But the fact that they must do that means we should have stronger programs.

FM: The argument when COVID hit was that government agencies needed to prioritize speed over controls so that Americans could receive much-needed help as soon as possible. What’s the right balance between speed during a global crisis and the necessary protections to prevent fraud on the scale we have seen over the past few years?

Ware: What difference would five more days have made? All I had asked for was to investigate some red flags [before disbursing those funds]. So, for example, there might have been a good reason that 1,000 applications were coming from the same IP address or the same Social Security number. But I was asking them to flag it and deconflict it. How long would that have taken? Now, for those people where red flags didn’t come up, their loans would have gone through at the same speed. The others just required a secondary look. I wasn’t asking for much.

There were quite a few casual fraudsters — people who were just dabbling with this type of thing for the first time because they had seen on the internet that we didn’t have any controls. We were seeing people talk on the darknet, or through YouTube videos, about how to get this money. They said programs run by the Small Business Administration only required self-certification. And that is another lesson: We cannot rely on self-certification in government programs any longer. It doesn’t work. So, what happened when we questioned these red flags, these first-time fraudsters walked away from the money. They didn’t even try.

FM: According to the latest Report to the Nations, corruption is the most common occupational fraud scheme on every continent on the planet, and the percentage of cases is on the rise. What is driving this trend? Is it because people are paying more attention to it, or is there more corruption?

Ware: I believe as fraud fighters (a) we have more tools at our disposal now than ever before and (b) in the digital age that we live in I think it might be easier to perpetrate fraud from your phone as you chill in a basement.

Ziegler: Yes, not only are these digital resources available to fraudsters, but they are available to fraud fighters. So, you see an increase in identification of fraud and different aspects of corruption.

Evans: We no longer have these tight circles in companies: “What goes on in the family, stays in the family.” It is not like that anymore. I think corporations are being held accountable by the communities, regions, countries and cultures in which they operate. You have more outlets for the people reporting potential wrongdoing, and then, if they don’t feel heard, they will go to other sources such as social media like Twitter, YouTube, etc.

Ziegler: Your point is important. Social media is having a broad impact in society. It is amplifying issues across the globe that in the past would only be news in local communities. So those are new channels that have only been in place over the last few years and people are realizing that “Wow, I can really make an impact if I am unhappy with my company,” or “I have communicated it up the chain and nobody is doing anything, so I am going to post it on my Facebook page and let the world know.” Because of those channels, there is a lot more reporting about corruption and fraud.

FM: How successful has the Ethics and Anti-Corruption Commission (EACC) in Kenya been?

Wanderi: If you were to ask the ordinary citizen in the street whether they have been successful, the answer would be no. The reason is that corruption in Kenya, and basically Africa, isn’t perpetrated in or by the very large corporations. The government remains the major driver of the economy because we don’t have very large corporations. So essentially there is a lot of corruption within government: abuse of office, maladministration, embezzlement and direct pilferage of funds. You have individuals involved in what we call “tenderpreneurship.” They simply look for government tenders, inflate the costs, receive payments and share the proceeds.

The EACC only has investigative power. It wanted to have the power to prosecute but they needed a quality controller — a role taken up by the Office of Director of Public Prosecutions (ODPP). Yet while the EACC is an independent commission, OPDD is more of an appendage of the executive. They are “independent,” but it is very easy for the executive to remove whoever is in charge. So, what has happened is that it appears as if there is no resolve to investigate high-level corruption. So, EACC has changed tack because prosecution is not working.

People want to see people convicted and going to jail. And since that’s not happening, the EACC has now decided that there is a lower threshold in terms of burden of proof. If you say that so and so has this amount of money, which is not consistent with his known sources of income, and he is unable to explain the difference, that is proof.

Recently the government froze $100 million of assets belonging to a former member of parliament, who was also a regional administrator. He can’t do anything with them. He can’t transfer them. He can’t sell them. He has no access to his bank accounts. That is what the commission has done. The commission has decided to focus on tracking, tracing, seizure and freezing of assets. And it is working wonders because for the first time people now have confidence and are speaking up.

In the past if you gave information that so and so has a disproportionate amount of money, they would take a lot of time to prosecute. But now when you tell the authorities that so and so has this bank account, this money and car, the EACC is acting quickly. It is asking the banks, which in turn are providing the information, and the employer about how much that person earns. Just on Friday, they froze the account of a single individual who was a clerk in a government ministry who had assets worth $10.1 million.

This has raised confidence among the public who are saying if you can’t take them to jail, at least stop them from using the ill-gotten gains. Don’t let them enjoy the proceeds of the crime. The difficulties are in prosecution, but the government has also added an Assets Recovery Agency, so if now they freeze the assets and if the accused can’t explain his sources of income, the money moves to the Assets Recovery Agency. The government can’t use the money recovered as it wills. It goes to finance public and community projects. That now has changed the dynamics a bit.

The criminals may not be going to jail, but I can assure you in the last one or two months there have been some very high-profile cases of seizure and freezing of assets suspected to be proceeds of crime and corruption.

Jennifer Liebman is editor-in-chief of Fraud Magazine. Contact her at jliebman@ACFE.com.

Paul Kilby is former editor-in-chief of Fraud Magazine. Contact him at pkilby@ACFE.com.

How technology is driving fraud in Kenya

Collins Wanderi: Kenyans are the innovators of the so-called M-PESA, a mobile-based money transfer platform created by the Vodafone-owned Safaricom. Banks have tied their platforms to M-PESA, and Kenyans can move money from a bank account through a push-and-pull system on their mobile telephones. They can send money to somebody or have money sent to their bank account. And because Safaricom and the banks are licensed by the government, people feel the system is safe. This exposes a lot of people in Kenya and East Africa to scams such as the SIM swap, where the fraudster convinces the telco’s customer care agents to switch a victim’s phone number to their subscriber identity module (SIM) through deception. (See “Sim Swap Fraud,” I&M Bank.)

In between you also have intermediaries with mobile money payment systems such as petrol stations, bars, restaurants and hotels. And they also get the data of subscribers to the telco. These intermediaries collect data and sometimes sell this information to the fraudsters. If you are buying a lot of things using a mobile-app platform, they pick up your number and they then sell this information to the fraudsters. It has become such a big business. (See “Safaricom axes 28 staff in fraud war,” Business Daily Africa, Sept. 30, 2021.)

We had somebody who flew from Kenya to South Africa, and by the time they landed, $21,000 had been taken from their account during the three-hour flight. That is how easy it has become for the criminals. People are simply giving their credentials. Sometimes you register using your National Identification Number, so the criminals can get this information very quickly. (See “Sim card swap: How Farah Bashir lost Sh2.6m to fraudsters in hours,” by Steve Otieno, Nation, May 30, 2022.)