Would Your Employees Notice Millions in Fraud?
The United States Department of Justice (DOJ) announced indictments against two individuals suspected of familiar fraud schemes that led to $8 million in losses for Massachusetts Bay Transit Authority commuter rail operator Keolis between July 2014 and November 2021. Both the scope and the longevity of these schemes are exceptional, although the methods used to steal the money are very common, raising questions about why the individual charged was able to commit this fraud for so long.
What Happened in the Keolis Familiar Fraud Case?
John P. Pigsley of Beverly, Massachusetts, a former Assistant Chief Engineer of Facilities for Keolis Commuter Services, has been accused of running two schemes that netted $8 million. In the first scheme, Pigsley is accused of conspiring with John Rafferty of Hale’s Location, New Hampshire, the former General Manager of LJ Electric, to create fraudulent invoices for vehicles and equipment, leading to more than $4 million in losses.
In the second scheme, Pigsley is accused of ordering copper wire for Keolis projects, picking it up himself or delivering it to his home address, then selling it to scrap yards. Over the course of several years, Pigsley is alleged to have made more than $4.5 million from the scheme. The actual value of the stolen material was not disclosed.
In a statement, Keolis Commuter Services said, “In late 2021, our enhanced financial controls and project management oversight identified project anomalies linked with the practices of an employee.” According to the DOJ indictment, this was 7 years after the fraud began.
Employees Must Be Empowered to Recognize Risks
Cyber threats are not the only challenges that businesses face. Familiar fraud, committed by an employee, family member or trusted business partner, can be more devastating and more difficult to detect. As with cyber security, employee training is essential to prevent losses. Employees must know how to recognize fraud and trust their instincts. They must also feel empowered to call out anything suspicious.
In the DOJ indictment against Pigsley, three common familiar fraud techniques that should have been caught stand out:
- Phony invoices: This is one of the most common types of familiar fraud. An employee with purchasing authority may conspire with a third party to create fake invoices and split the proceeds, or set up shell companies to invoice for goods and services that do not exist. This type of fraud can be difficult to detect in large, complex organizations, such as a railway operations company, or in businesses that frequently order large volumes of material from multiple vendors. Strong vendor approval and verification processes must be in place to detect this type of fraud; all new vendors should be verified by someone other than the person placing the orders. Shipments should be tracked and matched against invoices for at least the first 90 days of any new relationship. Any changes in volume or frequency in orders with a particular vendor should be flagged for follow up.
- Home deliveries. There are very few circumstances where an employee should receive materials shipments at home. Home addresses for all employees with purchasing authority should be kept on file by accounting staff. Any deliveries that match against a home address should be flagged for review. Any changes in regular delivery addresses, even if they only account for a portion of a shipment, should also be flagged for review.
- Personal pickup. Some employees may pick up and deliver materials as a regular part of their job. In an ideal world, purchasing and pickup are separate, so that no single employee has the ability to order and collect goods. When this is not practical, regular audits must be conducted of employees who can both order and deliver supplies, services and materials. Employees should be able to provide invoices for what was ordered, receipts for what was received and documentation for what was delivered.
Familiar fraud is one of the most difficult challenges that businesses face, because it comes not from external actors, but from trusted co-workers, friends and family. Proper business controls can prevent it, but only if employees understand what to look for and how to respond. Protect Now’s CSI Protection Certification training focuses on cyber crime but enables employees to spot any kind of suspicious behavior by teaching them to trust and act on their instincts. To learn more about our training programs, contact us online or call us at 1-800-658-8311.