I love the movie Office Space. It’s full of what are now classic nerdy memes and tropes including red staplers, TPS reports, flair, and beyond. But a core piece of the movie revolves around fraud. When Peter finds out that Michael and Samir are going to get downsized, they hatch a plot to steal fractions of cents on each financial transaction. They manage to screw it up. There are other lessons in this movie, but that’s the fraud lesson. Expect to screw it up.
Interestingly, in the movie, they stole over $300k. Remember that number.
In the real world, Ermenildo “Ernie” Valdez Castro of Tacoma, Wash is accused of stealing around $300k from Zulily, the online retailer he worked for. In a reported confession to police, he called his plan the OfficeSpace Project and indicated inspiration from the movie.
Heist 101: Don’t name your heist after famous heists, real or fictional.
Ernie’s plan was a little different though. He didn’t steal fractional pennies. The specifics are a little fuzzy, but based on the GeekWire article, Ernie, a software engineer, wrote code to redirect shipping fees collected from certain customers to a Stripe account he controlled. Additionally, it appears that in some cases, the code double-charged customers for shipping and redirected the additional charge to an account he controlled. Those two schemes netted about $240k.
Not content with just that, Ernie changed pricing to buy items at a substantial discount. Those discounts amounted to about $40k. Potentially these items were purchased at a significant discount for resale. The articles aren’t clear, but a pile of products was found at his house.
Ernie’s price fixing was found first. After his laptop was seized, the company found evidence of shipping fraud. The side hustle fraud to his main fraud got him caught.
So where did all the money go? This is always a fun question because it so often evaporates.
Points to Ernie for being creative. Redirecting shipping fees is not your garden variety AP payment fraud or AR lapping scheme. Points are deducted for getting caught because the side hustle to your main fraud was exposed. Sloppy.
So how do companies find or prevent fraud like this?
- Segregation of Duties for code changes. It’s pretty clear that Ernie could change production code without a testing and review process. That’s a big no-no.
- A good budget and reconciliation process would show either shipping costs well below budget or missing cash depending on exactly how the payments were redirected to Stripe. That should lead to a lot of questions.
- Change tracking, like an audit trail on price changes, would show price reductions and an immediate return to the initial price. Definitely a red flag for investigations. Whether that change was done via code or an interface, my assumption is that the price is stored in a database and not solely in code, making change tracking easier. Based on my experience, that is a reasonable assumption.
I see so many companies not wanting to do the work to prevent fraud. It’s work. It takes time. In this case, Zulily is a $200 million dollar subsidiary of a publicly traded, multibillion-dollar entity. Three hundred K is an average fraud and a drop in the bucket. But it could just as easily have been a $3 million startup where a loss of $300k means people get laid off.
At the same time Zulily IS a $200 million dollar subsidiary of a publicly traded, multibillion-dollar entity. SOD for code changes, a robust budget/reconciliation process, and reasonable change tracking should already be in place. They can do better.