Ep. 239: AJ Coleman: Insider's Guide to Fraud Detection

< Intro >

– Welcome back to Count Me In.

I'm your host, Adam Larson,

and today we're diving deep into
the world of fraud and internal control.

Joining me is the incredible A.J. Coleman.

He is an author, and serves as

vice president and fraud
manager at Byline Bank.

Today, we'll be discussing the
importance of strong internal controls,

in detecting and preventing fraud,

and how organizations can navigate
through risks and vulnerabilities.

A.J. will share some eye-opening
examples of common fraud cases

and explain how they are
identified and dealt with.

So if you want to learn more about
the crucial role of internal control

in combating fraud, you definitely
don't want to miss this episode.

< Music >

Well, A.J., I want to thank you so
much for coming on the podcast.

Really excited to talk about
internal control, and fraud,

and just all the different things
you have to do in that world.

And I know you're an expert in this field,

and I thought that, maybe, you could start
by giving some examples of how things

like strong internal controls
can help by detecting fraud.

Since I know you see this every day.

– Well, great to be here

and the opportunity to talk
fraud is always rewarding.

But, yes, internal controls are really
the key, is to be able to identify

where there are opportunities or gaps, for
the fraudsters to expose an organization.

And that's really where the first thing you
have to look at is where are we exposed,

and what risks that are out there.

And from there, you then start
crafting those internal controls.

How do you want them set up?

What do you want people's roles to be?

How should things be escalated?

And there's a lot that we
can go into that aspect.

But without internal controls,
nobody understands

what the proper steps are, and how
do you get that message to the expert.

And in terms of fraud, fraud happens
everyday, and it happens in places

that we least expect it.

It could be anything from a personal thing,

where somebody steals your information unknowingly.

All the way up to somebody depositing

a fictitious check in the ATM
deposit, knowing that it's fictitious.

And without internal controls,
how do we detect this?

How do we maneuver through those processes

to, actually, review these transactions?

And, then, at the end, do we need
to escalate this up through leadership?

Does it need to have a certain
suspicious activity report filing?

And without those internal
controls in place is a free fall.

– That makes a lot of sense, and it
begs the question, chicken versus egg,

do you have strong internal controls
unless you've experienced fraud?

Or can you have good internal controls,
if you've never experienced fraud?

What comes first in some cases?

– Well, a lot of depends on the leaders,
and the type of the organization

and how they set up their infrastructure.

Some organizations are very
passive and they are reactive,

in terms of waiting for things to happen.

Other organizations are saying,
"Well, you know what?

We're going to be active in this.
We're going to be proactive."

And a lot of that has to do
with that leadership quality.

In my opinion, from a fraud expert, you
always want to work on the preventive.

Because you can always build something,

and then do your own risk assessments
to determine if there are gaps exposed.

Then work together to figure out
how to close up those gaps.

Instead, of just leaving it open-ended
and waiting for the fraud to happen.

And a lot of times people just sit because
it's easier to wait till something happen,

rather than be proactive and build something.

– Yes, that makes a lot of sense.

Being proactive does seem
like the better option,

but it all comes down to
leadership and those things.

Maybe, we could circle back to

what are some of the most common
types of fraud that you see

in your line of work, maybe,
there are some examples.

I know you can't name any names,
but, maybe, there are some examples

you can give and how it was
identified and dealt with.

– Check fraud, is number one on the list.

I mean, you would think
that in today's world,

that we would be doing
more electronic payments.

But there are just amount of
checks that go out on a daily basis.

And, sometimes, people just
it's easier to write checks,

it's easier to send them through the system,

but I will tell you the post office is compromised.

We are seeing a lot of checks
intercepted by third-party individuals.

Whether it's the postal workers
themselves or they're in a partnership,

maybe, with the fraudster
or they've been approached,

and we read things on the news where
postal workers are held at gunpoint,

their keys are taken, for mailbox.

And all these fraudsters
are looking for is just checks,

where they can either wash them or they
can do a forged endorsement on the back

hoping that nobody will notice that.

Check fraud, is unfortunately not
going away, and in the last two years

I've seen a significant increase.

And there are certain controls
that you can put in place,

not only for the banks, or the institutions,

or the companies, but also
for the customers themselves.

Positive Pay is really important,
where you can look to see

if you can be protected and be notified,

if there's a counterfeit check that gets presented.

You can do a payee Positive Pay,
that looks at the payee information

to see if it's been washed.

Alternatively, go with the electronic.

It's a lot easier on the cash flow,

but you also don't have to
worry about a paper copy.

So check fraud is definitely number one.

The other thing we're seeing a lot

is what we call Business Email
Compromise, BEC, as it's known.

And what this is, is with fraudsters,
they penetrate into an organization.

Whether it's through a phishing
attack or other metrics,

and what they do is they clone the
server, once they're in the organization.

And they operate as if they
are an authoritative figure

and emailing different groups,
different business units,

as well as, maybe, even the financial
institution, changing payment information

or making requests for ACHs
or wires to go out.

And what happens once the clone
server is done, the primary customer

or the vendor has no idea.

And the fraudsters are the ones

that are letting certain emails go
through, intercepting other emails.

So, a lot of times, these
customers have no idea

that they've been compromised, as well as
they just quickly change that information

and say, "Hey, we need to pay
this person X amount of dollars."

But nobody questions a lot like
"Why did this payment information

suddenly change from our vendor?

We've been sending this to this
bank, for the last five years,

but now we're getting a payment
request to send it to a different area."

But we just hide behind emails all day long,

instead of picking up a phone and calling.

So, as a result, the fraudsters hedge on
you not picking up that phone,

and you're just trading emails,

and you're going to just cycle
through whatever the request is.

And this goes from the customer, to the vendor,

to the financial institution, all the way up.

And this is where the second area,

what we're seeing for fraud, is really
significantly increased in recent years.

And now with everybody remote, in many places,

there are more interactions done
on email as opposed to in person.

Where somebody just doesn't
get up from their desk

and walk across to the accounting department,

and say, "Hey, we've got a change here."

And the accounting department looks at it

and says, "Yes, this looks a little different."

The third aspect is account takeovers.

Where the fraudsters socially
engineer themselves onto the victim,

as to getting their credentials, in
some cases logging in as their victim.

In other cases, they'll socially engineer

thinking the tech company that somebody
has something wrong with their computer,

and they will request remote
access into the computer,

and then do a lot of key logging to retrace
some of the steps; passwords, websites.

And many people, as we know, because
it's hard to keep track of all the passwords,

we use the same password for
every website we can think of,

and all they need is one.

And they have sophisticated software

to figure out what your passwords
are and if they penetrate through,

And, in many cases, a consumer is protected

by their bank with the account takeovers.

But in other cases they may not be,

depending on how your financial
institution controls, and procedures

are designed and communicated.

Very difficult to discover
when you've been victimized.

But a lot of people realize
when they see money

leaving the account that's not theirs.

And I think today's generation,
in my opinion, they don't do

regular, bank reconciliations of their personal.

They just look to see whatever
balance they have in the account,

and they just operate as they're, I think,
that's another area that they hedge on.

But the third aspect with account
takeovers, is just to be very careful.

You talk to most places
will never come out

and ask you for your online credentials,
which includes your password,

giving out the multifactor
authentication numbers.

And many times there's
a little disclaimer that

these institutions share with
them, "We will never ask you."

But people freak out when
it comes time to fraud,

and they feel like there's something
really wrong with the account.

So I would say those are the top three.

I mean, we can go through
debit cards, credit cards.

We can go through the human
trafficking and all those other aspects.

But I would say those are the top three,

at least, that I see today,
that are impacting most people.

– Yes, that is in line, and
I thought it was very surprising

to hear that checks were still the top one.

And that goes back to the
importance of organizations,

to utilizing new technologies like the
e-checks and online types of payments

that are definitely more secure.

Do you think that if more people

were to adopt those things
that that would come down?

Or do you think there are some people
just stuck on using checks forever?

– I think it's mixed, there are organizations,

and they're so used to writing
checks and issuing checks,

it's put in their procedures.

And the bigger the organization,

to change procedures, there are a lot
more people that need to be involved.

Processes have to be vetted out and
then approved, by the senior leadership.

So, sometimes, these processes just
stay the same for many years to come.

But there are organizations
that are, actually, taking steps

to properly try to combat check fraud
and the intercepting of checks,

that they'll, actually, start moving
towards that electronic model.

Now, just because you move to
the electronic, it doesn't, necessarily,

make you less fraud prone.

It just means that you may be susceptible
in other areas like account takeover.

Where somebody may try to socially
engineer to get into the company account,

so they can certainly send out bill pays

and all that other payment, through their systems.

But, yes, checks, they're always here,
people like to touch something.

They like something that's tangible,
they like giving something to somebody.

I mean, if you think about back in the day,

my grandparents used to
love going to the bank.

They got all dressed up,
and they'd go to the bank

and make whatever transactional activity

that they're looking to do, and then
they'd take it over to the post office,

and they made a whole day of it
because they like the tangible stuff.

And I just think that, again,
it goes where you believe,

it's where you're comfortable with.

If you're comfortable writing checks,
you're going to write checks.

If you're going to take preventive
measures by going on Positive Pay,

doing a bank reconciliation.

Really understanding your institution disclosures

that are, probably, how to
report incidences of fraud.

Then you can have that
safeguard measurement to say,

"Okay, I'm comfortable writing checks."

Others are going to go the electronic route

and, again, same process that I just described.

So a lot of it is just the comfort level,

but it also goes back to the strong
internal controls each organization has.

To enable that the process is being
followed, each time a transaction is made.

– Mh-hmm, yes, it makes a lot of sense.

So no matter how big your business is

because small business might not be able
to afford to use some software company,

and other ones may not be able to have
the room or they don't want to move it.

So having good internal controls
is the most important thing,

no matter how you make your payments.

– Yes, that's really critical, and
reviewing those internal controls,

I think, on an annual basis is important

because fraud changes,
business models change.

And, again, I understand the
pain points of having to go through,

and then getting all the proper sign offs.

But if you really want to protect yourself
and strengthen the organization,

those internal control are
really the key for success.

– Yes, so we can't talk about fraud without,
possibly, at least, a little bit mentioning

the fraud triangle—Pressure,
opportunity, and rationalization.

How does having a good understanding
of that help prevent fraud?

– The fraud triangle, it's pretty
straightforward, and to understand it

you have to understand what
each component represents.

And a lot of times when there's
fraud it, basically, is opportunity,

"Is there an opportunity for
somebody to commit this?"

And it could be any type of fraud.

But what happens is there are certain
aspects that people try to go through

this type of fraud and say,
"I have an opportunity.

I do not like that company.

I can steal money from them,
and they'll never know."

The opportunity is there for
them to take, and in real way,

they can do misappropriation of the
funds, to try to conceal what they've done.

Now, the justification part,
what I call the rationalization,

it's really important because this is
where they start thinking about,

"Well, I'm justifying my action.

You know what?

My boss passed me up on a promotion.

I missed out on some bonuses.

You know what?

I'm going to take some funds from
the company because I'm owed that."

A lot of times, also, during the pandemic,

when it first started, we would
see people looting stores

and creating havoc on the street.

And I remember watching the news, one night,

and they interviewed one of the
looters, and she said, "You know what?

I lost my job, I have no financial means.

I have a baby, I can't afford diapers,
I need to get diapers for my baby."

And what they did is she
rationalized her situation,

as a means of justifying why she was looting.

Now, we can go into the whole ethics

and talk about whether
that's appropriate or not,

but that's not for this discussion.

Then, obviously, the motivation,
the pressure, that comes through it.

It's like, "What is the incentive
for them to commit the fraud?

What is the payoff?"

And a lot of times people just say,

"I'm just going to do it
one time, no harm, no foul."

But, then, like other aspects,
you do it one time,

you're like, "Hey, that wasn't
so bad, I didn't get caught."

Or, "Maybe I'll just increase my next attempt,

maybe, from $100 to $200
dollars, see who notices?"

And, then, you know what happens is

it becomes almost like a
game of, "Who can catch me?"

Because we all think as kids, we're
untouchable when we're outside, at recess,

running around playing tag, "Nobody
can catch me" and you start taunting.

So the fraud triangle is really put into place,

where it's just really just kind of think
about from a fraud perspective.

Like, why do people commit fraud?

What is their intention and why?
What's the rationale behind it?

How can they live with themselves

after doing something because
we have been taught, from young age,

"Thou shalt not steal, honor thy neighbor."

But the fraud triangles just put
things in different perspective.

– It really does, and, I think, it goes back
to that gray area, the rationalization,

because everybody has a reason
for the things that they do.

And, you're right, you have to go back to
personal ethics and just business ethics

because a lot of things aren't so black
and white, especially, in today's world.

And, so, it's very difficult.

And, so, how do you encourage
your employees to avoid these things,

and to look out for the pressures
and the opportunities?

Because if you tell them too much about
it, maybe, some people will get ideas

and say, "Oh, that's a really
good idea, I should try that."

How do you find that balance
when you're trying to educate?

– That's definitely spot on, that's
something that I get concerned with.

We build out some of these
schemes and how we detect,

and then we talk about how
we can educate and train others.

What information do we provide
so it can't be used against us.

Really, the first line of defense
is hiring the right employees,

that's part of where the
internal control starts.

If you hire the right employees,
if you do their background checks.

You set them up to manage expectations,

understand what is acceptable,
what is not acceptable,

but also educate them on
what they can tell others.

We can never tell anybody, in our field, who
are filing a suspicious activity reports.

So that is instituted on day one,

managing those expectations
and reinforcing those ideas.

The other aspect we have is
we create different materials,

and this is how we're able to distinguish

what is more proprietary, internally, for us,
and what can be shared outside our walls.

That if it were to be released, yes, it's
informative, but it can't come back

and somebody can leverage that against us.

Now, we're not going to be able to cover
everything because it's just impossible.

But, I think, it really starts with hiring
the right people, doing ongoing training.

Reinforcing some of these concepts
that the organization has,

and even, sometimes, putting it to a test

and just having somebody call in and
see if they can get information out

that, maybe, necessarily, shouldn't be.

And, again, use this as coaching opportunities.

The last aspect of how you can
also prevent it is, again, do an audit.

Work backwards and say,
"Okay, did we let anything slip?

Is there something that's out there

that maybe we couldn't disclose,
that we should have, or vice versa?"

And it's critical because you have
to not only start somewhere,

you got to end somewhere.

And it's always good to re-evaluate
the progress and then update.

A lot of times what we use are standard
operating procedures to outline,

what can be shared, what cannot be shared.

And we also have a separate
guidelines that we call unwritten rule.

Like, "We don't say this to this team,
but we can say this to our team."

And that's, again, where you set
those expectations from day one.

– Do you think the advent of great
technology, that's coming down the road,

do you think that will help with
the ability to do the constant audit?

Because when you were saying
all those things about auditing

and constantly checking, I'm thinking,
"How do you progress, as an organization,

if you're constantly monitoring auditing?"

But do you think, in the advent of new
technologies, will that help companies

still be able to advance and become better.

But also be able to still detect
the fraud, as they're going along?

– Technology is great
when it's leveraged properly.

It solves one problem but, sometimes,
opens the door for another problem.

But I do think that having the right team
that understands the technology,

understand how it's set up, from the
beginning, is really critical in that audit

Because a lot of times we're inheriting
technology, when we start a new job,

and we really don't have a true
understanding of how decisions

were made, at the beginning
of implementation.

To allow something to go through that,

necessarily, we would not want to go through.

So the technology aspect, at any point,

in what I call the lifeline of it,
is you really have to understand

what is the full functionality of it,
that can help you with those audits.

And where there are gaps, that's
when you might have to do

some manual audit reviews
and use different parties

from different areas to review it, so you
have that proper checks and balance.

Technology is wonderful, it can
really help improve efficiencies,

point out, maybe, some areas that are exposed.

And I think that's what we're moving more
toward with AI technology, in the future,

as they continue to craft it, and
being able to use it appropriately.

I'm a big fan of technology, it definitely
beats, I would say, the manual process.

But I will say this, if you don't understand

and have the basic knowledge of something,

it's hard to really challenge that technology.

And if I may give a great example.

Back in school, accounting,
we learned all about T-accounts

and we learned about what the debits

and what the credits are, and how
do you move, and post certain things,

and what are the implications behind it

because we're physically using these T-accounts.

Today, a lot of the accounting
is done by software.

Where people aren't having
that same understanding

of where the debits and
the credits go, what happened?

They're just doing a lot of memorization.

They're looking to see,
and where technology helps,

yes, it helps audit some of those mistakes

but, sometimes, it doesn't
provide the rationalization

as to why it's done certain ways.

And when you're looking in fraud,
you have to go back to the basics

to really understand, "How did we get here?"

It's like the root-cause analysis
type; in how did we get here?

How do we look, and craft, and
prevent something from happening?

But technology can only get
us there on the back end.

And that's where you have to be able to
create and build something from scratch.

– I think you've really highlighted
something really important there.

That no matter how far technology advances,

it's still important, for us,
to understand the basics

and the foundation of how things work.

Because we can't utilize
that technology, properly,

unless we understand
how it's supposed to work.

And that's something that is being
talked about in accounting education.

And it's really important, especially,
with the rise of things like Chat GPT,

and the generative AI type, elements.

If you don't know how to
ask the questions properly,

you won't get the proper answers to
be able to utilize the technology right,

so that's a really great point.

And just speaking of generative AI,

how do you think elements like
that will affect your profession,

especially, when it comes to fraud?

I'm sure you can use it for good,
but I'm sure that other people

can use it for bad, just as well.

– When it comes to fraud,
it is definitely a confidence.

It's also sort of a bragging right,
who can do it better?

Is the fraudster better than the catcher?

What can they do differently
to conceal their actions?

So with AI, I think, eventually,
what's going to help is

you're using the machine learning,

you're using some of the
digital imaging, that's out there.

And they can look at
certain checks, for example,

and compare different check
stocks between the customers.

If one customer uses a certain check stock

and, all of a sudden, they see a check

that's presented with a different check stock.

The system is capable of flagging and
saying, "Hey, this doesn't look right,

somebody needs to review it."

They can also look and learn at
the behaviors that customers use.

Most people get regular
standard paychecks, usually,

on certain days of the week,
perhaps certain times of the month.

And what happens there,
it can flag for anything

that might be out of scope
and look for different algorithms,

that are out there, to help flag
and detect incidents of fraud.

In terms of account takeover,
Business Email Compromise,

it can almost register where
payments have always gone,

and then flag it for when there is
sudden change of payment information.

And, again, it's not designed to,
basically, be all and stop everything.

What AI can leverage is to
help us with the notification.

Where it informs us that
something doesn't look right,

"Here's what doesn't look right,
somebody needs to go and look at it."

Now, some people may argue,

"Well, we just want them
to automatically do that."

And that's, again, where you
have to really understand

the behavioral aspects of people.

You have to understand how
systems work and set things up.

And, today's, day and age, we're always
looking for the faster, the better,

and the ease of working on something.

But if you're in the fraud space, like myself,
we like puzzles, we like challenges,

but we look at things holistically.

And that's really important
because not only did one transaction

may have triggered the fraud,

but there may have been
a whole series of other things.

And that's where technology, like AI,
can help leverage those changes

and, at least, give us a jump
start when they can look at,

maybe, thousands of checks,
instantaneously, and say,

"Hey, here are five that doesn't quite meet
the parameters that have been built."

That's where, I think, there's going to
be a tremendous amount of value.

The downside, again, is that
we become too reliant on it

and not understand our true crowd,

not understand the true
behaviors behind something.

– Yes, I really like that answer, and it's
going to be a continuously evolving thing.

And A.J., this has been a great conversation.

It's hugely important to talk about fraud,

and I just want to thank you so much
for coming on the podcast, today.

– Great, thank you for having me.

< Outro >

– This has been Count Me In, IMA's podcast,

providing you with the latest
perspectives of thought leaders

from the accounting and finance profession.

If you like what you heard
and you'd like to be counted in,

for more relevant accounting
and finance education,

visit IMA's website at www.imanet.org.

Creators and Guests

Adam Larson
Adam Larson
Producer and co-host of the Count Me In podcast
AJ Coleman, MBA, CAMS, CFE
AJ Coleman, MBA, CAMS, CFE
Vice President, Fraud Manager at Byline Bank
©Copyright 2019-2024 Institute of Management Accountants. All rights reserved.