Dusting your data for fraud's fingerprints: Six number patterns that fraudsters use

Cynthia Mills diverted $14.8 million from her employer, Matthews International, for her own use. Her embezzlement scheme began in 1999. At first, she took possession of the company’s customer payments, but from 2013 onward she used a fictitious vendor, “Designs By Cindy.” The company estimated that the losses for 2013, 2014 and 2015 were $1.2 million, $1.7 million and $2.2 million, respectively. Legitimate vendors are unlikely to have high percentage increases in companies that are growing in line with the increase in the economy.

Rapidly rising numbers is one of six common number patterns that fraudsters unknowingly use in their thefts. The others are:

• Round numbers
• Threshold numbers
• Non-Benford numbers
• Duplicate numbers
• Outlier numbers

We can identify these patterns with software, such as spreadsheets, IDEA, database queries and R (a program). The fraud types I consider here are asset misappropriation schemes in which a fraudster (internal or external) uses deception to divert resources or assets for their personal gain, and corruption in which a fraudster gives something valuable to a person in a position of trust to influence their judgment or conduct. Asset misappropriation schemes orchestrated by an outsider have some attributes of a cyberattack in that they’re intrusions into computer systems with the objective of achieving a monetary gain.

Round numbers

Round numbers such as 10-year anniversaries or 100-degree days act as key reference points. Fraudsters also tend to favor round numbers even in situations where round numbers should be rare or nonexistent.

Michelle Higson was the part-time bookkeeper of a company that manufactured high-tech electronic equipment for the semiconductor, energy and medical industries. Her fraud scheme involved preparing company checks made payable to cash or petty cash. She then cashed the checks and used the funds to pay for personal expenses. See the check amounts in Figure 1 below.

Figure 1: Michelle Higson's fraudulent checks

The dollar amounts are at odds with the way that a petty cash imprest system works. Under an imprest system a check is drawn every week that equals the amount of the cash disbursements. The replenishment check brings the balance back up to, say, $500.

In bygone days a surprise count of petty cash was a routine and required audit procedure. The chances of a round-number replenishment check ($3,000, $1,000, $3,000 and $3,500) were minimal and would only occur if all the disbursements were round amounts or by some rare coincidence.

The dollar amounts are also way too high for petty cash because these balances are usually kept low to avoid a large loss in the event of a theft of these funds. Finally, there were six consecutive checks for $4,730, followed by five other amounts, followed by a repeat of the familiar $4,730. These number duplications are anomalies for petty cash because the dollar amounts of the cash disbursements are unlikely to be equal (and high) period after period.

In September 2017, Higson was sentenced to prison for three months plus nine months of home confinement. The judge allowed her to go to work during the months of home confinement. An extract from her court documents notes that, “Ms. Higson has been working at an event planning company called The Art of the Event since March 2017. She has provided undersigned counsel with paychecks verifying her employment. Ms. Higson has told undersigned counsel that her duties in this position do not involve any contact with money, checks, paying vendors, or bookkeeping.”

In November 2018 (one year later), Higson was indicted on fraud charges relating to a fraud scheme that began in February 2015 while she was the bookkeeper of “an event planning and design company [The Art of the Event].” That fraud started one month after the date of the January 2015 check. The new indictment shows that the annual totals for that four-year fraud were $76,368 (2015), $148,992 (2016), $146,772 (2017), and $41,735 (2018). At publication, Higson was to have been sentenced Oct. 13 for her most recent fraud scheme. (Her sentencing had been postponed several times because of the pandemic.)

Bribes in corruption cases are most often round numbers. In 2016, the president of the Correction Officers’ Benevolent Association (COBA) and a manager of a Manhattan hedge fund were charged with honest services fraud.

The hedge fund manager paid the COBA president, Norman Seabrook, a kickback of $60,000 in cash in exchange for Seabrook channeling investment funds to the hedge fund. An intermediary paid the kickback, and the hedge fund manager agreed to reimburse the intermediary for the disbursement.

The hedge fund manager approved an invoice for payment that showed the intermediary had sold the hedge fund “8 Knicks Games @7500 per game” for two seats. This is an example of a round-number bribe, and the case also shows that intermediaries are used to make the payments, and the disbursement is usually disguised in the financial records of the payee.

The court documents related to the parents charged in the recent university admissions scandal (actor Lori Loughlin and many others) show SAT score manipulation payments of $2,000, $4,000, $5,000, $10,000, $13,000, $15,000, $15,600, $18,000, $20,000, $25,000, $35,000, $40,000, $50,000 and $75,000, with many amounts used multiple times.

The bribe payments were $100,000, $125,000, $160,000, $170,000, $200,000, $244,000 (a series of installments), $250,000, $300,000, $400,000, $500,000, $950,000 and $1,200,000 with many amounts used multiple times. The only precise bribe amounts were $24,443.50, $101,272, $249,420 and $251,249, and these were all related to the parents making (fraudulent) tax-deductible charitable contributions of appreciated stock to William Rick Singer’s foundation to make the payments tax deductible by the parents. (Singer was the scheme’s organizer.)

Tests that identify round numbers will generate many false positives because round numbers are also overused in valid transactions. Fraud examiners should assess whether they’ve carefully planned and performed their tests and then rerun them in iterative processes to reduce the number of audit targets.

With each iteration, fraud examiners can eliminate round numbers that have an inherently lower risk of being a part of a fraud scheme or a bribe. For example, when searching for bribes, the first query could identify round-dollar payments. The next query could identify cases in which the payment date was within five days of the payment request date (urgent payments), and the description field included high-risk keywords such as “expedite,” “facilitation pay” or “special payment.” The next query could filter on locations based on a company’s compliance investigation database (including whistle-blowing data) so the results are the highest risk transactions.

Rapidly rising numbers

Rapidly rising numbers refer to transaction totals that increase at an abnormally high rate over time. These increases come about because, loosely speaking, fraudsters “don’t know when to stop.”

We revisit the opening scheme of Cynthia Mills who diverted $14.8 million for her own use. Her employer, Matthews International, filed a form 8-K with the U.S. Securities and Exchange Commission on July 30, 2015, in which it reported her embezzlement scheme that began in 1999. Real vendors are unlikely to have high percentage increases (losses for 2013, 2014 and 2015 were $1.2 million, $1.7 million and $2.2 million, respectively) in companies that are growing in line with the economy’s increases.

Salvadore Galvan was one of two deputy city treasurers for the City of Compton, California. The treasurer’s office had three window cashiers that collected payments for water bills, business licenses, building permits and parking tickets from residents who paid via cash, checks and credit cards.

At the end of each day, cashiers reconciled their cash and checks with the receipts that they’d issued. The accounting system prepared a bank deposit slip for the contents of their till. The till’s metal boxes were then locked in a safe in the vault of the treasurer’s office until the next morning when Galvan counted the cash at his desk (unsupervised) and then prepared a bank deposit slip. He sealed the entire deposit, which included checks, cash and other forms of payment, and gave it to an armored service that drove it to the bank.

In 2010, after only a few months in that position, Galvan added two extra steps to his banking-related tasks. Each day, he’d remove a portion of the cash, prepare a new deposit slip for the reduced cash amount and send the system’s deposit slip for the correct amount along with the accurate daily cash reports to the controller’s office.

On Dec. 6, 2016, the other deputy city treasurer, Ralph Salgado, by chance, compared Galvan’s deposit slip to the deposit slip prepared by the accounting system, and he noticed a $7,000 shortfall. He asked Galvan for an explanation.

The next morning Galvan was at work especially early. When Salgado went to the vault to get the money to count that day, he noticed a bank bag with a deposit slip in Galvan’s handwriting for the unaccounted $7,000. Galvan told Salgado that he found the money in his desk drawer and that he’d put the money in his drawer when he went to the bathroom and had forgotten about it. Salgado then audited the cash deposits going back just two weeks and found other discrepancies. An audit showed that Galvan had embezzled $3,721,924.42 from 2010 to 2016. Galvan’s month-by-month totals for 2010 are shown in Figure 2.

Figure 2: Salvadore Galvan’s embezzlements by month for the first year of his fraud scheme

The monthly totals show an amount in May that could be blamed on a small accounting error. After that, he was cautious. He then took even larger amounts followed by some caution. That was followed by an amount he stole in excess of everything he previously pilfered, and by an even larger amount in December. Figure 3 show the embezzlement totals by years.

Figure 3: Salvadore Galvan’s embezzlements per year

The graph of the annual totals shows rapidly rising totals from 2010 to 2015. There’s a decrease in 2016 because that’s when Salgado discovered the scheme in early December 2016.

To run this test in Excel we could use pivot tables, in IDEA we could use Summarization and in the software, R, we could use aggregate and sum.

A programming issue arises when the audit unit (a vendor or loyalty program member) has zero activity in the prior period because we can’t calculate a percentage increase when going from $0 to a positive number. Also, a large percentage increase might not be a red flag if the prior and current amounts are small. For example, a $51 total that increases to $1,805 is a large percentage increase, but it’s an increase from a small base. As before, run these tests in an iterative process.

Threshold numbers

Threshold numbers (also called hurdles) are numbers that are a level, point or numeric value at which something is true, such as transaction limits on corporate purchasing cards and the per diem rates that can be reimbursed to federal employees while on official travel. Internal-control thresholds are values at which additional checks or procedures will take place. Thresholds have consequences, which give people a disposition to act in a certain way.

In June 2011, Cory Werito founded CW Transport, which he registered as a medical transportation provider with Arizona Health Care Cost Containment System (AHCCCS). AHCCCS is Arizona’s Medicaid agency that offers health care programs to serve Arizona residents. The agency paid for non-emergency transportation for indigent residents for scheduled medical and dental appointments. The first red flag should’ve been that CW Transport was based in a town that was in New Mexico — 50 miles from the Arizona border. AHCCCS paid the company a fixed fee plus a variable amount for the miles driven for each passenger. For example, the fixed fee could be $300 with a rate per mile of $1.50. Prior authorization from AHCCCS was required for all trips that were more than 100 miles in length. From July 2011 to July 2013, Werito billed the agency for false claims for medical transports that never occurred. To settle these claims AHCCCS paid him $1,959,405.

An audit showed that more than 90 percent of Werito’s transportation claims were defective. In many cases CW Transport claimed to have provided medical transport for patients that received no medical services on that day. The company made claims for transport on weekends or holidays when the clinic or the doctor’s office, where the patient was supposedly getting treatment, was closed.

Patients received medical services at the facilities in fewer than 10 percent of the cases. CW Transport often claimed to have provided transports on a day in which other transportation companies operated by Werito and his relatives also claimed to have transported the same patients.

In almost every case, CW Transport billed the agency for 99 miles of transport (exactly one mile under the threshold of 100 miles) regardless of the actual distance traveled. The indictment lists nine invoices together with the relevant 2012 invoice dates, the payment details and amounts.

Figure 4: CW Transport’s invoice numbers and dates shown in indictment

AHCCCS settled three or four days after the invoice date, which suggests it automatically paid the claims without manually reviewing them. This is consistent with the agency’s website that states that it uses more than 60,000 service providers, and in 2012, total payments to providers amounted to $9.5 billion. AHCCCS’ Office of Inspector General announced in 2016 that it had a special task force devoted to non-emergency medical transportation that would, among other things, monitor the use of these services for various provider types. Fraud examiners could’ve detected this scheme using analytics tests that identified those providers with the highest percentages of their trips that were for or exceeded 90 miles.

Non-Benford numbers

Fraudulent numbers have the potential to distort the frequencies of the digits in accounting data. Benford’s Law gives us the expected frequencies of the digits in accounting and finance-related data sets. The first two digits of a number are the two left-most digits, and we ignore minus signs, decimal points and leading zeros (such as 0.0046).

In 2004, internal auditors, using Benford’s Law in an analysis of an electric utility’s kilowatt-hour (kWh) debits and credits, discovered a kickback scheme perpetrated by the company’s collections personnel. In the first step of their investigation, the auditors sought to identify customers with large decreases in the amounts billed. This was essentially the opposite of a rising numbers test because with revenues the company was concerned with decreasing revenues. This test generated too many false positives to be of much practical use. The auditors then ran a series of analytics tests on the kWh numbers credited to customer accounts. The fact that these credits even existed was an anomaly. The Benford’s Law graph is shown in Figure 5.

Figure 5: Using Benford’s Law to find a kickback scheme

The curved line in Figure 5 shows the expected first-two-digit proportions of Benford’s Law, and the bars show the actual first-two-digit proportions. When a bar protrudes above the Benford’s Law line it means that the actual proportion for that first-two-digit combination exceeds the expected Benford’s Law proportion.

For the customer credits, the actual proportion for the 99s (the right-most bar) was about twice as large as the Benford proportion. The next step identified all the first two digit 99 credits and then sorted the credits from largest to smallest. There were eight credits averaging 998,000 kWh and about 200 credits equal to 99,999 kWh. (A kWh is worth about 10 cents.) The investigation found that collections personnel were giving customers large kWh credits (that reduced the amounts billed to the customers by $3.8 million) in exchange for kickbacks.

A Benford analysis is a useful technique to identify fraud numbers that are just below control thresholds. In these cases, we might see spikes at, say, 99, 49, or 24 (perhaps where a receipt is only required for expenses of $25 and above).

The follow-up work would drill down into the data and extract the actual amounts that were most “responsible” for the spike or spikes. Auditing journal entries using Benford would be effective if the fraudulent journal entries were a large portion of the population and contained some systematic attribute, such as being from $2,000 to $5,000. The auditors would examine the attributes of the fraudulent amounts (such as the dates, the ledger accounts affected, the creators, the approvers, the descriptions, etc.) to identify all the fictitious transactions.

Duplicate numbers

Fraudsters with accounting authority can use intentional duplicate payments in occupational fraud schemes. (They can also use duplicate payments to generate funds for bribery schemes.) An accountant, for example, would request a refund from a vendor and then divert that refund for their own use. The employee might also conspire with a vendor to make the fraud even easier to execute. If the fraudster wasn’t greedy or careless, they could blame the duplicates on innocent errors.

Ryan King was an accounting manager at Carrier Corporation in Indianapolis, Indiana. In 2013, he opened a personal checking account in the name of “Carrier Services.” He then purposely made duplicate payments to four vendors. He instructed two of the vendors to refund overpayments by check, and two of the vendors to wire overpayment refunds directly to his Carrier Services bank account. King embezzled $1,233,343.80 from June 2013 to February 2015. His attorneys blamed the ease with which he executed his scheme on the director of finance’s “lax supervision.” These overpayments weren’t detected during the annual internal audit, the annual external audit or the controller’s group audit. King’s replacement discovered his predecessor’s fraud by inspecting the regular monthly account reconciliations, which King had altered to conceal his scheme.

Brantley Thomas was the CFO of the Berkeley County (South Carolina) School District (BCSD). Over 16 years, ending in early 2017, Thomas enriched himself from embezzlements and kickbacks to the tune of $1.23 million. The first leg of his embezzlement scheme was to intentionally overpay certain vendors and then deposit those refunds to his Bank of America credit card for his personal use.

The second leg of Thomas’ embezzlement scheme was to divert vendor rebates or refunds (not because of overpayments) for his own use. For example, the Berkeley Electric Cooperative issues regular rebates to its customers for various reasons. An insurance broker also gave Thomas $32,000 in kickbacks for steering school-related insurance purchases to the broker.

The sentencing memorandum noted that Thomas was intelligent and charismatic, and he could be kind and faithful to his family, friends, coworkers and peers. Before his scheme was discovered (through a tip) he was respected at work and in the community.

At his sentencing the judge said Thomas “had no respect for the law, since after he got out on bond in this court, he went around and stole $36,000 from his next employer. … Mr. Thomas has what they used to say in State Court, an OPM [other people’s money] addiction.”

This test often gives many duplicates to manually review. Fraud examiners should focus on the higher-dollar items and on vendors that received multiple regular high-dollar duplicate payments in a period.

Outlier numbers

Fraudsters would presumably want their numbers to look “normal.” However, from time to time, fraud numbers are outliers. Michelle Higson (see “Round numbers” above) used petty cash checks that were just too large for that type of outlay.

In this scheme, programming steps would identify the largest amounts, and fraud examiners could run tests to find, for example, employees earning the most overtime pay, the employees claiming the most for travel and expense reimbursements, employees voiding the largest number of sales at the cash register or the customer credit cards receiving the most in sales refunds.

In another outlier-numbers scheme, Harriette Walters, who was the tax assessments manager for the District of Columbia, worked with others to approve 143 fraudulent property tax refunds from $2,300 to $248,800 and 96 fraudulent property tax refunds ranging from $250,000 to $543,000 for a total loss of $49.3 million. Walters was arrested in 2007.

In yet another outlier-numbers case, Charlene Corely, a former defense supplier, received $20.6 million from the U.S. Department of Defense (DOD) for fraudulent shipping charges. In one example, the DOD paid her $998,798 for shipping two 19-cent washers and locks. Her fraud scheme began in November 1997 and ended in September 2006.

Combining number patterns to find fraud

In 2013, the Oregon Audits Division (OAD) set out to proactively detect fraud in the state’s Supplemental Nutritional Assistance Program (SNAP). Households in the program could use their benefit cards to buy food or seeds and plants that produce food. Households couldn’t use their cards to buy certain prepared foods, beer, wine, liquor, cigarettes, tobacco or non-food items.

OAD’s objective was to identify cases in which a SNAP recipient had a merchant run their benefit card as if they were paying for food, but the merchant gave the recipient cash instead — 50 cents on the dollar. The SNAP recipient would then pocket the cash, and the merchant would be reimbursed for the “sale."

The OAD auditors analyzed store claims for conformity to Benford’s Law. They also looked at the percent of even dollar (round dollars such as $20) transactions (round numbers) and the trend over time of the even-dollar percentages (rapidly rising numbers). They looked at the average transaction amounts and the trend over time of these averages (rapidly rising numbers). The auditors also identified cards with a high count of same-card, same-dollar and same-day transactions (duplicate numbers).

OAD, using Geographic Information System software, also identified stores with high proportions of customers that traveled more than 10 miles to stores (threshold numbers) and those stores where this proportion was increasing (rapidly rising numbers).

OAD’s success highlights the value of using multiple, well-planned, relevant tests.

Un-random randomness

All fraudsters think they’re unique. That assumption is incorrect because they generally use similar methods that range from using numbers designed to “fit in with the crowd” to those that are blatant outliers. Running analytics tests to find the patterns reviewed in this article, at a minimum, should give you some interesting discoveries.

Mark J. Nigrini, Ph.D., is an associate professor of accounting at West Virginia University and author of “Forensic Analytics: Methods and Techniques for Forensic Accounting Applications” and “Benford’s Law: Applications for Forensic Accounting, Auditing, and Fraud Detection.” Contact him at mark_nigrini@msn.com.

---

Bibliography

Fraudulent Tax Refunds: The Notorious Career of Harriette Walters, by Phillip F. Jacoby, Sebastian Lorigo and Brent T. McCallum, Current Issues in Auditing, volume 5, issue 1, 2011.

Forensic Analytics: Methods and Techniques for Forensic Accounting Investigations, by Mark Nigrini, Wiley, 2020.

The Guide to Corporate Compliance, June 2020, chapter 9, “Embracing Technology,” by Matthew Galvin and Vincent Walden.

Round numbers: A fingerprint of fraud, by Mark Nigrini, Journal of Accountancy, May 1, 2018.

Matthews International’s Form 8-K, filed on July 30, 2015.

Oregon Audits Division, YouTube presentation of Fraud Analysis and Detection: Using Benford’s Law and Other Effective Techniques, at National Association of State Auditors, Comptrollers and Treasurers.

Secretary of State Oregon Audits Division Advisory Report, Supplemental Nutrition Assistance Program (SNAP) Fraud Investigations, June 2018.