Know your fraud
Just as a chess master understands the numerable but finite opening sequences to a chess game, an
antifraud professional should know the numerable but finite fraud schemes. Connie Veates relies on a
fraud taxonomy with six classes of fraud and 123 distinct species. Those include many types of
inventory fraud, manifold check-kiting schemes and techniques with colorful names like cash lapping.
The beauty of a taxonomy is that it's universal. Naturalists can classify newly discovered flora and fauna
in the existing Linnaean system. Likewise, newly discovered fraud schemes are just fresh takes on
established schemes in Veates' taxonomy.
Divide and conquer
While members of her team understand these 123 frauds generally, that's a lot of crimes to master. So
Veates commissions specific team members to become subject matter experts. The goal is to have one
person thinking like a specific kind of thief rather than everyone thinking about fraudsters in general.
This expert will gain a deep understanding of a specific kind of fraud, the type of person who commits
it and his motivation, and tools and techniques to combat it. Veates says, "We'll have one person focus
on inventory fraud, and they'll know to periodically check eBay, for example, to see if goods are being
sold there illegally. We'll have another who knows benefits fraud inside and out, and so forth."
Learn a little psychology
To think like a thief, you have to know how a thief's mind works. The best place to start is with Dr.
Donald Cressey's landmark work on the psychology of fraud and his "fraud triangle." According to
Cressey, the three elements of all fraud are opportunity, motivation and rationalization.
Don't trust your instincts
Sometimes we associate thinking like a thief with thinking like a bad guy, but they are not one and the
same. In order to successfully understand fraud, you need to throw out some prejudices about the type
of person who commits fraud. To start, it's rarely a bad guy, a malicious person with purely malicious
intent. "I started in this thinking only bad people committed fraud," Veates says. "In fact it's usually
good people who make a bad decision and a bad rationalization, who think the pain they're causing is
less than the gain they get. They could be a company's board member. These are usually fairly
intelligent people. Typically male, higher up in the organization and typically, for internal fraud, they
have long tenures at the company." In other words, fraudsters are criminals but not archetypical
criminals. Rather, they're the same people you work with, have lunch with and socialize with every day.
This is why, when fraud's discovered, you often hear victims saying, "He's the last person I'd have
suspected." That's how he got away with it!
Trust your instincts
While you must stifle the natural tendency to generalize about who commits fraud, you should
definitely trust your gut when it comes to sensing fraud might be taking place. Veates encourages all
employees to report it when they have that "something's just not right" vibe. And her subject matter
experts have developed keen senses of smell for something fishy, too.
Hire young turks
Veates believes one of the best sources for thinking like a thief is our nation's youth. Young people
just out of college, often with a better working knowledge of technology than corporate managers, are
both skilled enough and energetic enough to want to suss out fraud techniques. "They have a specific
skill set, these just-out-of-college geeky guys who sit and play games and are intrigued with the
challenge," Veates says. "It's a like a video game to them. A safe way to have fun breaking the rules. We
let them loose and say, 'How would you steal from this system?'"
If you want to think like a thief, act like a thief
The best way to understand how thieves think is to become one yourself, Veates says. Game your
systems. Learn how to break into them, who's vulnerable to social engineering, where the weak spots in
the supply chain can be found. "We've developed a good reputation for this; we've done it for three
years now. Sometimes the business units know we're doing it, sometimes not. Sometimes, we just
game the systems when we're bored. Just break in and take the intelligence back to the business unit.
They see the fraud technique and say, 'Who thinks like this?' And we tell them, 'We do.'"