Evolution of a Payment Fraud

This one is a little older but it’s one of my favorites because we have so much detail and we have it in the fraudster’s voice. I’ve actually covered it before, but it’s worth another look. The core source here is Journal of Accountancy’s Lessons from an $8 million fraud.

Nathan J. Mueller worked for ReliaStar, a Minnesota insurance company that was taken over by global insurer ING. Mueller played a lead role in the transition to a new ERP system, and along the way he and a co-worker were given payment approval authority up to $250,000. Mueller didn’t even know he had that authority until two years later.

An early red flag was that users routinely logged in as each other to get something done when a co-worker was out. With a pregnant wife and a salary that wasn’t quite covering the bills, Mueller logged in as a co-worker and requested a check made out to Universal for $1,100. He then logged in with his own credentials and approved it. Universal was an insurance company they paid regularly. The word Universal was also part of the name of his credit card. [This is not in the article, but I suspect this was the AT&T Universal Card.] The check cleared and his credit card balance went down by $1,100.

There was a control point here. It was a different user’s job to receive the checks and mail them out. Mueller was the backup for this process, so he waited to request a check until he knew the primary person would be out. Occasionally, he gave the primary the day off to make it easier. The organization had a segregation of duties control point here, but it wasn’t functioning as designed.

After that first check, Mueller paid off his Universal card and then kept transferring balances from other cards and other debt onto it. After stealing $88,000 he was out of debt. Just before that point, though, there was a chance to catch him. He had sent a $4,500 payment without a payment voucher and without an account number. The check was returned to the company, and the AP department, instead of investigating, forwarded it to Mueller. It was a close call; the fraud could have been stopped there.

It took a few months for Mueller to get past the scare, and from there he got smarter. As with “Universal”, “Ace” was part of the name of a company that regularly received payments, so Mueller set up a shadow “Ace”, Ace Business Consulting. He would request and approve payments as before, but now he could simply deposit the checks. He did this to the tune of $8 million over four years.

Mueller also needed to cover his tracks. He relied on two schemes: hiding amounts in accounts with heavy ledger activity, and manipulating foreign currency accounts. He started by simply burying the payments in high-volume accounts. In his own words:

For every credit (to the bank) there has to be a debit, and my debits needed to be hidden somewhere. Our payments were usually for insurance claims, commission expenses, various refunds, or an administrative expense. In 2003 and 2004, I hid all the debits in ledger accounts that had a lot of reconciliation activity, making sure that my debit helped the account reconcile to zero.

As the scheme evolved, he would intentionally understate the Canadian dollar when calculating the exchange rate for the company’s Canadian subsidiary, so that his theft showed up as exchange rate losses. Mueller was the only person who managed the exchange rate calculation for seven years.

He also had to hide the theft from his wife. He had significantly upgraded his lifestyle, so he needed an explanation, and decided that he was a successful gambler: he would take junkets to Vegas and come back with his own stolen money. His wife remained suspicious, and eventually they divorced.

What got him caught was that Mueller’s ex-wife became friendly with one of his co-workers and mentioned that she had never believed the gambling stories. That set off the alarm bells that led to the discovery of the scheme.

We know why Mueller did it: financial pressure that morphed into greed. The core issue is that Mueller was able to bypass segregation of duties controls. Being able to log in as a co-worker and request payments was the key to the scheme. Without that, he might have redirected a few payments or slipped through a fake Universal invoice, but not to the tune of $8 million.

With that access, he got around the preventive control that keeps one user from both creating and approving their own payments. The same access, combined with his role as backup for the mailing step, let him defeat the control that check mailing is done by a different user.

Notably, no detective controls caught the fraud either: no large, unexplained budget differences that someone investigated, no follow-up on the returned check, and no application of statistical tools or forensic analysis.
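The detective controls that were never applied here can be expressed as simple checks over an AP ledger extract. What follows is an added example, not code from the article, the company, or its ERP system: the record layout, the workstation column (assumed to be logged alongside each request and approval), the vendor master list, and the absence calendar are all assumptions, and the rows are constructed to mirror the patterns described above.

```python
"""Detective checks over a constructed AP ledger extract (added example).
Field names, the workstation column, the vendor master and the absence
calendar are assumptions; none of this is from the original article."""
from collections import defaultdict
from datetime import date

# Constructed sample of check requests. Each row records who entered the
# request, who approved it, the workstation each action came from (assumed
# to be logged by the ERP), the payee, the amount, and the voucher/account
# fields that AP is supposed to require before a check goes out.
LEDGER = [
    {"id": 1, "day": date(2003, 3, 3), "requester": "jsmith", "approver": "nmueller",
     "req_ws": "WS-117", "apr_ws": "WS-117", "payee": "Universal Insurance Co",
     "amount": 1100.00, "voucher": "V-1042", "account": "6100"},
    {"id": 2, "day": date(2003, 3, 10), "requester": "jsmith", "approver": "nmueller",
     "req_ws": "WS-204", "apr_ws": "WS-117", "payee": "Universal Insurance Co",
     "amount": 2300.00, "voucher": "V-1051", "account": "6100"},
    {"id": 3, "day": date(2003, 6, 2), "requester": "jsmith", "approver": "nmueller",
     "req_ws": "WS-117", "apr_ws": "WS-117", "payee": "Universal Insurance Co",
     "amount": 4500.00, "voucher": None, "account": None},
    {"id": 4, "day": date(2004, 1, 12), "requester": "jsmith", "approver": "nmueller",
     "req_ws": "WS-117", "apr_ws": "WS-117", "payee": "Ace Business Consulting",
     "amount": 50000.00, "voucher": "V-2201", "account": "6120"},
    {"id": 5, "day": date(2004, 1, 12), "requester": "tlee", "approver": "jsmith",
     "req_ws": "WS-301", "apr_ws": "WS-204", "payee": "Ace Insurance Group",
     "amount": 12000.00, "voucher": "V-2202", "account": "6100"},
]

# Approved vendor master list (constructed).
VENDOR_MASTER = {"Universal Insurance Co", "Ace Insurance Group"}

# Days a user was recorded as out of the office (constructed; in practice
# this would come from the HR or leave system).
ABSENCES = {"jsmith": {date(2003, 6, 2), date(2004, 1, 12)}}


def same_workstation(rows):
    """Request and approval entered from one workstation under two user IDs:
    the 'log in as a co-worker, then approve as yourself' pattern."""
    return [(r["id"], "request and approval from same workstation")
            for r in rows
            if r["requester"] != r["approver"] and r["req_ws"] == r["apr_ws"]]


def absent_requester(rows, absences):
    """Request entered under a user ID whose owner was recorded as absent."""
    return [(r["id"], f"requester {r['requester']} was out of office")
            for r in rows if r["day"] in absences.get(r["requester"], set())]


def lookalike_payee(rows, master):
    """Payee not on the vendor master but sharing its leading word with a
    vendor that is: the shadow 'Ace' beside the real 'Ace' pattern."""
    first_words = {v.split()[0].lower(): v for v in master}
    hits = []
    for r in rows:
        if r["payee"] in master:
            continue
        lead = r["payee"].split()[0].lower()
        if lead in first_words:
            hits.append((r["id"], f"payee resembles vendor {first_words[lead]}"))
    return hits


def missing_voucher(rows):
    """Payment issued without the voucher or account number AP should require."""
    return [(r["id"], "missing voucher/account") for r in rows
            if not r["voucher"] or not r["account"]]


def run_all(rows=LEDGER, master=VENDOR_MASTER, absences=ABSENCES):
    """Combine the checks; rows flagged by several checks are pulled first."""
    findings = defaultdict(list)
    for check in (same_workstation(rows), absent_requester(rows, absences),
                  lookalike_payee(rows, master), missing_voucher(rows)):
        for rid, why in check:
            findings[rid].append(why)
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for rid, reasons in run_all().items():
        print(rid, reasons)
```

On the constructed rows, the $4,500 check with no voucher and the first "Ace Business Consulting" payment each trip three checks at once, while a routine request from a second workstation trips none. No single check proves fraud, but a request that is entered from the approver's own workstation, on a day the requester was out, to a payee that only resembles a real vendor, is exactly the kind of row a reviewer should have been handed long before the $8 million mark.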

Finally, Mueller’s lifestyle of expensive cars, watches, and trips didn’t raise red flags within the company until the very end. Of the $8 million, he repaid $860,000, mostly in seized property; in prison he paid $75 a month under a prison repayment plan. As with other frauds we’ve seen, the money was gone.

Mueller’s scheme started out as simple payment fraud: he cut an extra check to Universal and hid it in a busy account. That got him as far as $88k. From there he had to evolve: he set up Ace Business Consulting, hid the theft in exchange rate losses, and created a gambling backstory. Each adjustment added complexity. Still, once someone decided to look, the fraud was easy to find.

