Fool Me Once

From The Wall Street Journal:

You know the saying: “You can’t cheat an honest man.” It assumes that those who are the target of a cheat asked for it. The investment fund with the suspiciously high returns, the inside racing tip, the stock trade that’s a “sure thing”—the investors knew, or should have known, that something was off. The victims thought they were in on the con, and it turned out they were the marks.

The truth is that honest people can be and are cheated all the time. In “Fool Me Once: Scams, Stories, and Secrets From the Trillion-Dollar Fraud Industry,” Kelly Richmond Pope explores how this happens. Small-business owners are blindsided when their bookkeeper turns out to have been cooking the books; multinational financial institutions find executives funneling out cash; the government of a small city discovers that an official has been skimming from its accounts for decades. Ms. Pope, a professor of forensic accounting at DePaul University, even includes a class of “accidental” perpetrator for those who start out as inadvertent beneficiaries of a mistake but who, rather than confessing, decide to lean into the opportunity.

As Ms. Pope argues: “We all have to understand the cycle of fraud because at one point or another you’re either impacted by it, you did it, or you were in a position to expose it.” She has spent time with fraudsters, interviewing the incarcerated and paroled, to understand why they made the choices they did. She has also spoken to victims, examining how they became vulnerable, and whistleblowers, who reported their co-workers, often at high personal cost.

Some of Ms. Pope’s observations make intuitive sense, like the conclusion that community groups and churches are among the softest of targets: they’re typically run by volunteers, hold lots of cash and apply very little oversight. But any organization can be vulnerable. Most of us ignore the red flags or don’t even know whatto look for. We don’t want to treat our friends andco-workers with suspicion, and keeping a beady eye feels unnatural. That’s why the perp is always the “trusted” employee. (The person everyone thinks is kind of shady is rarely given access to the bank accounts.) In my experience, systems designed to prevent fraud probably make scams more possible: Forcing users to change their passwords every 30 days results in passwords written on Post-it notes and found in obvious locations. Convoluted swipe-card systems end up with doors propped open.

A threat can come from anywhere, given how much of our lives is online. Maybe you’ve seen the Facebook message saying your grandson has been mugged and could you please wire some money. I’ve received emails, purportedly from my boss, asking me to send him some gift cards. Ms. Pope notes how victims often don’t report crimes like this out of shame and embarrassment. The thief didn’t lift their wallet—they willingly handed it over.

But this isn’t a “protect grandma from getting scammed” book. It’s a study of who does it, whom they do it to and who reports it. Ms. Pope’s profiles of fraudsters include the typical corporate swindlers, but there’s also one shocking case of a pharmacist who diluted cancer medicine for profit. (My gut instinct is to call this a homicide rather than fraud.) The diversity of the people in this book reminds us that almost anyone could perpetrate a fraud—or be the victim of one.

“I’m fixated on how people cheat,” Ms. Pope writes. The prevailing answer seems to be by taking advantage of opportunity and impunity. An ATM technician grabs a few handfuls of cash. An insurance-account manager creates fake transactions. If a novice cheater gets away with it the first time, he’ll probably keep doing it.

The biggest fraudster in this book is Rita Crundwell, who stole more than $50 million from the city coffers as the comptroller of Dixon, Ill. She was caught when a colleague looked at some accounts while Crundwell was out of the office. According to Ms. Pope, a high proportion of fraud comes to light this way. We depend on these human monitoring systems as much as any password setup or background check.

Link to the rest at The Wall Street Journal