Ep. 239: AJ Coleman: Insider's Guide to Fraud Detection

October 23, 2023 | 28 Minutes

Join host Adam Larson and expert guest AJ Coleman in Count Me In’s latest episode. Get ready to dive into the world of internal control and fraud prevention.  AJ is an author and serves as Vice President, Fraud Manager at Byline Bank. He explores the importance of strong internal controls in detecting and preventing fraud, while sharing real-life examples of common types of fraud and how they're identified and dealt with. Don't miss out on this engaging and eye-opening conversation.

Full Episode Transcript:
Adam:            Welcome back to Count Me In. I'm your host, Adam Larson, and today we're diving deep into the world of fraud and internal control. Joining me is the incredible A. J. Coleman. He is an author, and serves as vice president and fraud manager at Byline Bank.
Today, we'll be discussing the importance of strong internal controls, in detecting and preventing fraud, and how organizations can navigate through risks and vulnerabilities. A.J. will share some eye-opening examples of common fraud cases and explain how they are identified and dealt with. So if you want to learn more about the crucial role of internal control in combating fraud, you definitely don't want to miss this episode. 
Well, A.J., I want to thank you so much for coming on the podcast. Really excited to talk about internal control, and fraud, and just all the different things you have to do in that world. And I know you're an expert in this field, and I thought that, maybe, you could start by giving some examples of how things like strong internal controls can help by detecting fraud. Since I know you see this every day.
A.J.:                Well, great to be here and the opportunity to talk fraud is always rewarding. But, yes, internal controls are really the key, is to be able to identify where there are opportunities or gaps, for the fraudsters to expose an organization. And that's really where the first thing you have to look at is where are we exposed, and what risks that are out there. And from there, you then start crafting those internal controls.
●       How do you want them set up? 
●       What do you want people's roles to be?
●       How should things be escalated? 
And there's a lot that we can go into that aspect. But without internal controls, nobody understands what the proper steps are, and how do you get that message to the expert. And in terms of fraud, fraud happens every day, and it happens in places that we least expect it. It could be anything from a personal thing, where somebody steals your information unknowingly. All the way up to somebody depositing a fictitious check in the ATM deposit, knowing that it's fictitious. And without internal controls, how do we detect this?
How do we maneuver through those processes to, actually, review these transactions? And, then, at the end, do we need to escalate this up through leadership? Does it need to have a certain suspicious activity report filing? And without those internal controls in place is a free fall.
Adam:            That makes a lot of sense, and it begs the question, chicken versus egg, do you have strong internal controls unless you've experienced fraud? Or can you have good internal controls, if you've never experienced fraud? What comes first in some cases?
A.J.:                Well, a lot of depends on the leaders, and the type of the organization and how they set up their infrastructure. Some organizations are very passive and they are reactive, in terms of waiting for things to happen. Other organizations are saying, "Well, you know what? We're going to be active in this. We're going to be proactive." And a lot of that has to do with that leadership quality.
In my opinion, from a fraud expert, you always want to work on the preventive. Because you can always build something, and then do your own risk assessments to determine if there are gaps exposed. Then work together to figure out how to close up those gaps. Instead, of just leaving it open-ended and waiting for the fraud to happen. And a lot of times people just sit because it's easier to wait till something happen, rather than be proactive and build something.
Adam:            Yes, that makes a lot of sense. Being proactive does seem like the better option, but it all comes down to leadership and those things. Maybe, we could circle back to what are some of the most common types of fraud that you see in your line of work, maybe, there are some examples. I know you can't name any names, but, maybe, there are some examples you can give and how it was identified and dealt with.
A.J.:                Check fraud, is number one on the list. I mean, you would think that in today's world, that we would be doing more electronic payments. But there are just amount of checks that go out on a daily basis. And, sometimes, people just it's easier to write checks, it's easier to send them through the system.
But I will tell you the post office is compromised. We are seeing a lot of checks intercepted by third party individuals. Whether it's the postal workers themselves or they're in a partnership, maybe, with the fraudster or they've been approached, and we read things on the news where postal workers are held at gunpoint, their keys are taken, for mailbox. And all these fraudsters are looking for is just checks, where they can either wash them or they can do a forged endorsement on the back hoping that nobody will notice that.
Check fraud, is unfortunately not going away, and in the last two years I've seen a significant increase. And there are certain controls that you can put in place, not only for the banks, or the institutions, or the companies, but also for the customers themselves. Positive Pay is really important, where you can look to see if you can be protected and be notified, if there's a counterfeit check that gets presented. You can do a payee Positive Pay, that looks at the payee information to see if it's been washed. 
Alternatively, go with the electronic. It's a lot easier on the cash flow, but you also don't have to worry about a paper copy. So check fraud is definitely number one. The other thing we're seeing a lot is what we call Business Email Compromise, BEC, as it's known. And what this is, is with fraudsters, they penetrate into an organization.
Whether it's through a phishing attack or other metrics, and what they do is they clone the server once they're in the organization. And they operate as if they are an authoritative figure and emailing different groups, different business units.
As well as, maybe, even the financial institution changing payment information or making requests for ACH or wires to go out. And what happens once the clone server is done, the primary customer or the vendor has no idea. And the fraudsters are the ones that are letting certain emails go through, intercepting other emails. So, a lot of times, these customers have no idea that they've been compromised, as well, as they just quickly change that information and say, "Hey, we need to pay this person X amount of dollars."
But nobody questions a lot like "Why did this payment information suddenly change from our vendor? We've been sending this to this bank for the last five years, but now we're getting a payment request to send it to a different area." But we just hide behind emails all day long, instead of picking up a phone and calling.
So, as a result, the fraudsters hedge on you not picking up that phone, and you're just trading emails, and you're going to just cycle through whatever the request is. And this goes from the customer, to the vendor, to the financial institution, all the way up. And this is where the second area, what we're seeing for fraud, is really significantly increased in recent years. And now with everybody remote, in many places, there are more interactions done on email as opposed to in person.
Where somebody just doesn't get up from their desk and walk across to the accounting department, and say, "Hey, we've got a change here." And the accounting department looks at it and says, "Yes, this looks a little different."
The third aspect is account takeovers. Where the fraudsters socially engineer themselves onto the victim, as to getting their credentials, in some cases logging in as their victim. In other cases, they'll socially engineer thinking the tech company that somebody has something wrong with their computer, and they will request remote access into the computer, and then do a lot of key logging to retrace some of the steps; passwords, websites.
And many people, as we know, because it's hard to keep track of all the passwords, we use the same password for every website we can think of, and all they need is one. And they have sophisticated software to figure out what your passwords are and if they penetrate through. And, in many cases, a consumer is protected by their bank with the account takeovers.
But in other cases they may not be, depending on how your financial institution controls, and procedures are designed and communicated. Very difficult to discover when you've been victimized. But a lot of people realize when they see money leaving the account that's not theirs. And I think today's generation, in my opinion, they don't do regular, bank reconciliations of their personal. They just look to see whatever balance they have in the account, and they just operate as they're, I think, that's another area that they hedge on.
But the third aspect with account takeovers, is just be very careful. You talk to most places will never come out and ask you for your online credentials, which includes your password, giving out the multifactor authentication numbers. And many times there's a little disclaimer that these institutions share with them, "We will never ask you."
But people freak out when it comes time to fraud, and they feel like there's something really wrong with the account. So I would say those are the top three. I mean, we can go through debit cards, credit cards. We can go through the human trafficking and all those other aspects. But I would say those are the top three, at least, that I see today, that are impacting most people.
Adam:            Yes, that is in line, and I thought it was very surprising to hear that checks were still the top one. And that goes back to the importance of organizations, to utilizing new technologies like the e-checks and online types of payments that are definitely more secure. Do you think that if more people were to adopt those things that that would come down? Or do you think there are some people just stuck on using checks forever?
A.J.:                I think it's mixed. There are organizations, and they're so used to writing checks and issuing checks, it's put in their procedures. And the bigger the organization to change procedures, there are a lot more people that need to be involved. Processes have to be vetted out and then approved, by the senior leadership. So, sometimes, these processes just stay the same for many years to come.
But there are organizations that are, actually, taking steps to properly try to combat check fraud and the intercepting of checks, that they'll, actually, start moving towards that electronic model. Now, just because you move to the electronic, it doesn't, necessarily, make you less fraud prone. It just means that you may be susceptible in other areas like account takeover. Where somebody may try to socially engineer to get into the company account, so they can certainly send out bill pays and all that other payment, through their systems. 
But, yes, checks, they're always here, people like to touch something. They like something that's tangible, they like giving something to somebody. I mean, if you think about back in the day, my grandparents used to love going to the bank. They got all dressed up, and they'd go to the bank and make whatever transactional activity that they're looking to do, and then they'd take it over to the post office, and they made a whole day of it because they like the tangible stuff. And I just think that, again, it goes where you believe, it's where you're comfortable with. 
If you're comfortable writing checks, you're going to write checks. If you're going to take preventive measures by going on Positive Pay, doing a bank reconciliation. Really understanding your institution disclosures that are, probably, how to report incidences of fraud. Then you can have that safeguard measurement to say, "Okay, I'm comfortable writing checks."
Others are going to go the electronic route and, again, same process that I just described. So a lot of it is just the comfort level, but it also goes back to the strong internal controls each organization has. To enable that the process is being followed, each time a transaction is made.
Adam:            Yes, it makes a lot of sense. So no matter how big your business is because small business might not be able to afford to use some software company, and other ones may not be able to have the room or they don't want to move it. So having good internal controls is the most important thing, no matter how you make your payments.
A.J.:                Yes, that's really critical, and reviewing those internal controls, I think, on an annual basis is important because fraud changes, business models change. And, again, I understand the pain points of having to go through, and then getting all the proper sign offs. But if you really want to protect yourself and strengthen the organization, those internal control are really the key for success.
Adam:            Yes, so we can't talk about fraud without, possibly, at least, a little bit mentioning the fraud triangle—Pressure, opportunity, and rationalization. How does having a good understanding of that help prevent fraud?
A.J.:                The fraud triangle, it's pretty straightforward, and to understand it you have to understand what each component represents. And a lot of times when there's fraud it, basically, is opportunity, "Is there an opportunity for somebody to commit this?" And it could be any type of fraud. 
But what happens is there are certain aspects that people try to go through this type of fraud and say, "I have an opportunity. I do not like that company. I can steal money from them, and they'll never know." The opportunity is there for them to take, and in real way, they can do misappropriation of the funds, to try to conceal what they've done. 
Now, the justification part, what I call the rationalization, it's really important because this is where they start thinking about, "Well, I'm justifying my action. You know what? My boss passed me up on a promotion. I missed out on some bonuses. You know what? I'm going to take some funds from the company because I'm owed that." 
A lot of times, also, during the pandemic, when it first started, we would see people looting stores and creating havoc on the street. And I remember watching the news, one night, and they interviewed one of the looters, and she said, "You know what? I lost my job, I have no financial means. I have a baby. I can't afford diapers. I need to get diapers for my baby." And what they did is she rationalized her situation, as a means of justifying why she was looting. 
Now, we can go into the whole ethics and talk about whether that's appropriate or not, but that's not for this discussion. Then, obviously, the motivation, the pressure, that comes through it. It's like, "What is the incentive for them to commit the fraud? What is the payoff?" And a lot of times people just say, "I'm just going to do it one time, no harm, no foul." 
But, then, like other aspects, you do it one time, you're like, "Hey, that wasn't so bad, I didn't get caught." Or, "Maybe I'll just increase my next attempt, maybe, from $100 to $200 dollars, see who notices?" And, then, you know what happens is it becomes almost like a game of, "Who can catch me?" Because we all think as kids, we're untouchable when we're outside, at recess, running around playing tag, "Nobody can catch me," and you start taunting. 
So the fraud triangle is really put into place, where it's just really just kind of think about from a fraud perspective. Like, why do people commit fraud? 
What is their intention and why? What's the rationale behind it? 
How can they live with themselves after doing something because we have been taught, from young age, "Thou shalt not steal, honor thy neighbor." But the fraud triangles just put things in different perspective.
Adam:            It really does, and, I think, it goes back to that gray area, the rationalization, because everybody has a reason for the things that they do. And, you're right, you have to go back to personal ethics and just business ethics because a lot of things aren't so black and white, especially, in today's world. And, so, it's very difficult.
And, so, how do you encourage your employees to avoid these things, and to look out for the pressures and the opportunities? Because if you tell them too much about it, maybe, some people will get ideas and say, "Oh, that's a really good idea, I should try that." How do you find that balance when you're trying to educate?
A.J.:                That's definitely spot on, that's something that I get concerned with. We build out some of these schemes and how we detect, and then we talk about how we can educate and train others. What information do we provide so it can't be used against us?
Really, the first line of defense is hiring the right employees, that's part of where the internal control starts. If you hire the right employees, if you do their background checks. You set them up to manage expectations, understand what is acceptable, what is not acceptable, but also educate them on what they can tell others. We can never tell anybody, in our field, who are filing a suspicious activity reports. So that is instituted on day one, managing those expectations and reinforcing those ideas. 
The other aspect we have is we create different materials, and this is how we're able to distinguish what is more proprietary, internally, for us, and what can be shared outside our walls. That if it were to be released, yes, it's informative, but it can't come back and somebody can leverage that against us. 
Now, we're not going to be able to cover everything because it's just impossible. But, I think, it really starts with hiring the right people, doing ongoing training. Reinforcing some of these concepts that the organization has, and even, sometimes, putting it to a test and just having somebody call in and see if they can get information out that, maybe, necessarily, shouldn't be. And, again, use this as coaching opportunities.
The last aspect of how you can also prevent it is, again, do an audit. Work backwards and say, "Okay, did we let anything slip? Is there something that's out there that maybe we couldn't disclose, that we should have, or vice versa?" And it's critical because you have to not only start somewhere, you got to end somewhere. And it's always good to re-evaluate the progress and then update. 
A lot of times what we use are standard operating procedures to outline, what can be shared, what cannot be shared. And we also have separate guidelines that we call unwritten rule. Like, "We don't say this to this team, but we can say this to our team." And that's, again, where you set those expectations from day one.
Adam:            Do you think the advent of great technology, that's coming down the road, do you think that will help with the ability to do the constant audit? Because when you were saying all those things about auditing and constantly checking. I'm thinking, "How do you progress, as an organization, if you're constantly monitoring auditing?" But do you think, in the advent of new technologies, will that help companies still be able to advance and become better. But also be able to still detect the fraud, as they're going along?
A.J.:                Technology is great when it's leveraged properly. It solves one problem but, sometimes, opens the door for another problem. But I do think that having the right team that understands the technology, understand how it's set up, from the beginning, is really critical in that audit. 
Because, a lot of times we're inheriting technology when we start a new job, and we really don't have a true understanding of how decisions were made, at the beginning of implementation. 
To allow something to go through that, necessarily, we would not want to go through.
So the technology aspect, at any point, in what I call the lifeline of it, is you really have to understand what is the full functionality of it, that can help you with those audits. And where there are gaps, that's when you might have to do some manual audit reviews and use different parties from different areas to review it, so you have that proper checks and balance. 
Technology is wonderful, it can really help improve efficiencies, point out, maybe, some areas that are exposed. And I think that's what we're moving more toward with AI technology, in the future, as they continue to craft it, and being able to use it appropriately. I'm a big fan of technology. It definitely beats, I would say, the manual process. 
But I will say this, if you don't understand and have the basic knowledge of something, it's hard to really challenge that technology. And if I may give a great example. Back in school, accounting, we learned all about T-accounts and we learned about what the debits and what the credits are, and how do you move, and post certain things, and what are the implications behind it because we're physically using these T-accounts.
Today, a lot of the accounting is done by software. Where people aren't having that same understanding of where the debits and the credits go. What happened? They're just doing a lot of memorization. They're looking to see, and where technology helps, yes, it helps audit some of those mistakes but, sometimes, it doesn't provide the rationalization as to why it's done certain ways. And when you're looking in fraud, you have to go back to the basics to really understand, "How did we get here?" It's like the root-cause analysis type; in how did we get here?
How do we look, and craft, and prevent something from happening? But technology can only get us there on the back end. And that's where you have to be able to create and build something from scratch.
Adam:            I think you've really highlighted something really important there. That no matter how far technology advances, it's still important, for us, to understand the basics and the foundation of how things work. Because we can't utilize that technology, properly, unless we understand how it's supposed to work. And that's something that is being talked about in accounting education. And it's really important, especially, with the rise of things like Chat GPT, and the generative AI type, elements.
If you don't know how to ask the questions properly, you won't get the proper answers to be able to utilize the technology right, so that's a really great point. And just speaking of generative AI, how do you think elements like that will affect your profession, especially, when it comes to fraud? I'm sure you can use it for good, but I'm sure that other people can use it for bad, just as well.
A.J.:                When it comes to fraud, it is definitely a confidence. It's also sort of a bragging right, who can do it better? Is the fraudster better than the catcher? What can they do differently to conceal their actions? 
So with AI, I think, eventually, what's going to help is you're using the machine learning, you're using some of the digital imaging, that's out there. And they can look at certain checks, for example, and compare different check stocks between the customers. If one customer uses a certain check stock and, all of a sudden, they see a check that's presented with a different check stock. The system is capable of flagging and saying, "Hey, this doesn't look right, somebody needs to review it."
They can also look and learn at the behaviors that customers use. Most people get regular standard paychecks, usually, on certain days of the week, perhaps certain times of the month. And what happens there, it can flag for anything that might be out of scope and look for different algorithms, that are out there, to help flag and detect incidents of fraud.
In terms of account takeover, Business Email Compromise, it can almost register where payments have always gone, and then flag it for when there is sudden change of payment information. And, again, it's not designed to, basically, be all and stop everything. What AI can leverage is to help us with the notification. Where it informs us that something doesn't look right, "Here's what doesn't look right, somebody needs to go and look at it."
Now, some people may argue, "Well, we just want them to automatically do that." And that's, again, where you have to really understand the behavioral aspects of people. You have to understand how systems work and set things up. And, today's, day and age, we're always looking for the faster, the better, and the ease of working on something. 
But if you're in the fraud space, like myself, we like puzzles, we like challenges, but we look at things holistically. And that's really important because not only did one transaction may have triggered the fraud, but there may have been a whole series of other things. And that's where technology, like AI, can help leverage those changes and, at least, give us a jump start when they can look at, maybe, thousands of checks, instantaneously, and say, "Hey, here are five that doesn't quite meet the parameters that have been built."
That's where, I think, there's going to be a tremendous amount of value. The downside, again, is that we become too reliant on it and not understand our true crowd, not understand the true behaviors behind something.
Adam:            Yes, I really like that answer, and it's going to be a continuously evolving thing. And A.J., this has been a great conversation. It's hugely important to talk about fraud, and I just want to thank you so much for coming on the podcast, today.
A.J.:                Great, thank you for having me.
Announcer:    This has been Count Me In, IMA's podcast, providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in, for more relevant accounting and finance education, visit IMA's website at www.imanet.org.