Cyber fraud alert

One of our clients was the victim of a major fraud recently. A trusted member of staff received one of those emails purporting to be from the managing director instructing her to transfer some funds to a bank account.

The trusted member of staff who had been with the company for many years had authority to make payments to suppliers. She did not question why she would get an email on an iPhone from the MD when they were in the same building at the time or why such large amounts were being asked to be paid. She didn’t think the email looked unusual. She made one payment and then as requested by the fraudster another. £159k was paid in all.

The amount represents more than a year’s profit for this business and it’s not clear whether there is anything they can do to get the money back or whether they are insured at all. They don’t even have that much in their business account but the bank does an automatic transfer of surplus funds from their current account to the reserve and vice-versa to avoid it going overdrawn so effectively the fraudster got to dip into the business’s life savings. Is your business safe from such a fraud?

At A4G, we have had several of these emails ourselves. Most went to staff who did not deal with our internal bookkeeping so smelt a rat immediately. But one did land in the “right” email inbox resulting in a call to me querying some details. Of course, we realised it was a fraud (albeit a clever one) immediately.

Even if the call hadn’t been made, we would still have been ok because we have segregation of responsibilities. Staff who enter payments onto our banking system do not have authorisation to approve those payments so two people would need to be fooled.

It’s easy to be complacent about these sorts of frauds. Most of the time it’s obvious it’s a fraud. But of course these people send tens of thousands of these emails and they rely not on finding a sucker but on finding a situation where the person receiving the email might not question it. For example, many of you have at one time or another have a big building project going on; either for your business premises or perhaps your home. Big payments could regularly be leaving the account. So if an email arrives instructing your bookkeeper to pay a construction why would they question it?

Trusting your team

It’s tempting for the average owner-manager to become frightened by this sort of thing that they remove all levels of authority from everyone. Effectively an entire organisation becomes centred around one person.

This is a disaster but in a completely different way because everything grinds to a halt. It is totally exhausting for the owner-manager. Kirk Smith of A4G Growth recently sent me a link to a really interesting video that you might like to watch.

If you haven’t clicked on the link it is all about how authority for decision making was delegated down through the organisation with amazing results.

I like to think it’s an approach we have aspired to at A4G through the use of systems and education about our core values. That strategy has enabled many of our staff to progress through the organisation really quickly.

One of the techniques I use (and which you might now want to look out for) is stolen and adapted a little from “The one minute manager meets the monkey”. It arises when someone either sends me a piece of work they’ve done which I think they could do better on or asks me a question that I think they could perhaps come up with an answer themselves. In both situations the suspicion is that they are either being a little bit lazy by engaging in “upward delegation”, are not confident enough to say what they think should be done. My approach is the same whichever and is to throw the question back at them or (if it’s work that they have done) ask them if they think they’ve covered everything.

The week before last I did this twice. The first person came back with some fantastic answers and because they were closer to the issue than me, came up with things that I would not have been aware of. The second person having received an email reply from me which said “what do you think we should do?” found someone else to upwardly delegate the issue to. One excellent, one disappointing.

Using numbers to tell the truth

The trick in any business is to get the balance right between empowering the team to make decisions themselves and putting the business in a position where it becomes vulnerable to the sort of mistake referred to at the start of this article.

The way to do that is to ensure that there are adequate controls in place. Not controls which restrict anyone from doing their job but controls which prevent excess. Segregation of duties is one aspect of this but the other aspect is measurement of performance. We do this using our KPI spreadsheet and many of our staff get an email every month with the KPIs which we can measure (some things are too difficult to measure) with some feedback from me about what they can do to improve those figures.

These KPIs perform a number of tasks. The first one, is that it makes everything a little bit more competitive. Competition’s good right? And keeping score is crucial to that competition.

Sometimes, numbers tell you everything but sometimes they tell you absolutely nothing. Performance by sales staff is up 5%. Great, I think.

But what if everyone in your industry is up 10%? What if one salesperson is up 100% and everyone else is down? Find out who’s performing and who isn’t. And then dig deeper and find out why. That’s the real insight and from that real decisions can be made.

Averages often hide insights instead of exposing them. What you need to know are what are the outliers? Are there trends which tell you what’s really going on? And what are you going to do about what you’ve discovered? The challenge with numbers often isn’t finding the truth it’s being brave enough to share the truth and make decisions.

If you can measure it you can manage it and the prevention of fraud

There is a whole bundle of stuff on our website about the importance of monthly management information so I won’t repeat it all here.

One thing has stood the test of time in the 30 years of my career to date. And that’s that every client who has ever suffered a fraud by a member of staff either didn’t get monthly management accounts or didn’t understand them. Every single one.

When the owner of the business does not have get monthly figures or doesn’t understand them, that creates opportunity. Most frauds start very small. A member of staff who makes a false expense claim or steals some goods. And when that initial action is not uncovered, they get bolder. The amounts get bigger. The newspapers regularly carry stories of businesses who have gone to the wall before a fraud is uncovered.

I have no doubt that many of you are victims of fraud at the moment. Few owner-managed businesses have audits anymore and even those that do often routinely ignore the advice in the management letter about how to reduce the risk of fraud or inaccuracies.

There is no substitute for accurate monthly figures backed up by information about important KPIs and asking awkward questions.

A4G do of course do lots of work for businesses on their monthly figures. Sometimes our work is fixing what’s wrong, sometimes it training members of your staff, sometimes its providing commentary. But if you don’t have this information, then you are highly vulnerable to failures in your business or worse, fraud going undetected for years. Call us now if you want to get control back without having to do everything yourself.