Ep. 239: AJ Coleman: Insider's Guide to Fraud Detection

Join host Adam Larson and expert guest AJ Coleman in Count Me In’s latest episode. Get ready to dive into the world of internal control and fraud prevention. AJ is an author and serves as Vice President, Fraud Manager at Byline Bank. He explores the importance of strong internal controls in detecting and preventing fraud, while sharing real-life examples of common types of fraud and how they're identified and dealt with. Don't miss out on this engaging and eye-opening conversation.

Full Episode Transcript:
Adam: Welcome back to Count Me In. I'm your host, Adam Larson, and today we're diving deep into the world of fraud and internal control. Joining me is the incredible A. J. Coleman. He is an author, and serves as vice president and fraud manager at Byline Bank.

Today, we'll be discussing the importance of strong internal controls, in detecting and preventing fraud, and how organizations can navigate through risks and vulnerabilities. A.J. will share some eye-opening examples of common fraud cases and explain how they are identified and dealt with. So if you want to learn more about the crucial role of internal control in combating fraud, you definitely don't want to miss this episode.

Well, A.J., I want to thank you so much for coming on the podcast. Really excited to talk about internal control, and fraud, and just all the different things you have to do in that world. And I know you're an expert in this field, and I thought that, maybe, you could start by giving some examples of how things like strong internal controls can help by detecting fraud. Since I know you see this every day.

A.J.: Well, great to be here and the opportunity to talk fraud is always rewarding. But, yes, internal controls are really the key, is to be able to identify where there are opportunities or gaps, for the fraudsters to expose an organization. And that's really where the first thing you have to look at is where are we exposed, and what risks that are out there. And from there, you then start crafting those internal controls.

● How do you want them set up?

● What do you want people's roles to be?

● How should things be escalated?

And there's a lot that we can go into that aspect. But without internal controls, nobody understands what the proper steps are, and how do you get that message to the expert. And in terms of fraud, fraud happens every day, and it happens in places that we least expect it. It could be anything from a personal thing, where somebody steals your information unknowingly. All the way up to somebody depositing a fictitious check in the ATM deposit, knowing that it's fictitious. And without internal controls, how do we detect this?

How do we maneuver through those processes to, actually, review these transactions? And, then, at the end, do we need to escalate this up through leadership? Does it need to have a certain suspicious activity report filing? And without those internal controls in place is a free fall.

Adam: That makes a lot of sense, and it begs the question, chicken versus egg, do you have strong internal controls unless you've experienced fraud? Or can you have good internal controls, if you've never experienced fraud? What comes first in some cases?

A.J.: Well, a lot of depends on the leaders, and the type of the organization and how they set up their infrastructure. Some organizations are very passive and they are reactive, in terms of waiting for things to happen. Other organizations are saying, "Well, you know what? We're going to be active in this. We're going to be proactive." And a lot of that has to do with that leadership quality.

In my opinion, from a fraud expert, you always want to work on the preventive. Because you can always build something, and then do your own risk assessments to determine if there are gaps exposed. Then work together to figure out how to close up those gaps. Instead, of just leaving it open-ended and waiting for the fraud to happen. And a lot of times people just sit because it's easier to wait till something happen, rather than be proactive and build something.

Adam: Yes, that makes a lot of sense. Being proactive does seem like the better option, but it all comes down to leadership and those things. Maybe, we could circle back to what are some of the most common types of fraud that you see in your line of work, maybe, there are some examples. I know you can't name any names, but, maybe, there are some examples you can give and how it was identified and dealt with.

A.J.: Check fraud, is number one on the list. I mean, you would think that in today's world, that we would be doing more electronic payments. But there are just amount of checks that go out on a daily basis. And, sometimes, people just it's easier to write checks, it's easier to send them through the system.

But I will tell you the post office is compromised. We are seeing a lot of checks intercepted by third party individuals. Whether it's the postal workers themselves or they're in a partnership, maybe, with the fraudster or they've been approached, and we read things on the news where postal workers are held at gunpoint, their keys are taken, for mailbox. And all these fraudsters are looking for is just checks, where they can either wash them or they can do a forged endorsement on the back hoping that nobody will notice that.

Check fraud, is unfortunately not going away, and in the last two years I've seen a significant increase. And there are certain controls that you can put in place, not only for the banks, or the institutions, or the companies, but also for the customers themselves. Positive Pay is really important, where you can look to see if you can be protected and be notified, if there's a counterfeit check that gets presented. You can do a payee Positive Pay, that looks at the payee information to see if it's been washed.

Alternatively, go with the electronic. It's a lot easier on the cash flow, but you also don't have to worry about a paper copy. So check fraud is definitely number one. The other thing we're seeing a lot is what we call Business Email Compromise, BEC, as it's known. And what this is, is with fraudsters, they penetrate into an organization.

Whether it's through a phishing attack or other metrics, and what they do is they clone the server once they're in the organization. And they operate as if they are an authoritative figure and emailing different groups, different business units.

As well as, maybe, even the financial institution changing payment information or making requests for ACH or wires to go out. And what happens once the clone server is done, the primary customer or the vendor has no idea. And the fraudsters are the ones that are letting certain emails go through, intercepting other emails. So, a lot of times, these customers have no idea that they've been compromised, as well, as they just quickly change that information and say, "Hey, we need to pay this person X amount of dollars."

But nob...