Ep. 239: AJ Coleman: Insider's Guide to Fraud Detection

Join host Adam Larson and expert guest AJ Coleman in Count Me
In’s latest episode. Get ready to dive into the world of internal
control and fraud prevention.  AJ is an author and serves as
Vice President, Fraud Manager at Byline Bank. He explores the
importance of strong internal controls in detecting and
preventing fraud, while sharing real-life examples of common
types of fraud and how they're identified and dealt with. Don't
miss out on this engaging and eye-opening conversation.


Full Episode Transcript:
Adam:           
Welcome back to Count Me In. I'm your host, Adam Larson, and
today we're diving deep into the world of fraud and internal
control. Joining me is the incredible A. J. Coleman. He is an
author, and serves as vice president and fraud manager at Byline
Bank.


 


Today, we'll be discussing the importance of strong internal
controls, in detecting and preventing fraud, and how
organizations can navigate through risks and vulnerabilities.
A.J. will share some eye-opening examples of common fraud cases
and explain how they are identified and dealt with. So if you
want to learn more about the crucial role of internal control in
combating fraud, you definitely don't want to miss this
episode. 


 


Well, A.J., I want to thank you so much for coming on the
podcast. Really excited to talk about internal control, and
fraud, and just all the different things you have to do in that
world. And I know you're an expert in this field, and I thought
that, maybe, you could start by giving some examples of how
things like strong internal controls can help by detecting fraud.
Since I know you see this every day.


 


A.J.:             
  Well, great to be here and the opportunity to
talk fraud is always rewarding. But, yes, internal controls are
really the key, is to be able to identify where there are
opportunities or gaps, for the fraudsters to expose an
organization. And that's really where the first thing you have to
look at is where are we exposed, and what risks that are out
there. And from there, you then start crafting those internal
controls.


       How do you want them set up? 


       What do you want people's roles to
be?


       How should things be escalated? 


 


And there's a lot that we can go into that aspect. But without
internal controls, nobody understands what the proper steps are,
and how do you get that message to the expert. And in terms of
fraud, fraud happens every day, and it happens in places that we
least expect it. It could be anything from a personal thing,
where somebody steals your information unknowingly. All the way
up to somebody depositing a fictitious check in the ATM deposit,
knowing that it's fictitious. And without internal controls, how
do we detect this?


 


How do we maneuver through those processes to, actually, review
these transactions? And, then, at the end, do we need to escalate
this up through leadership? Does it need to have a certain
suspicious activity report filing? And without those internal
controls in place is a free fall.


 


Adam:           
That makes a lot of sense, and it begs the question, chicken
versus egg, do you have strong internal controls unless you've
experienced fraud? Or can you have good internal controls, if
you've never experienced fraud? What comes first in some cases?


 


A.J.:             
  Well, a lot of depends on the leaders, and the
type of the organization and how they set up their
infrastructure. Some organizations are very passive and they are
reactive, in terms of waiting for things to happen. Other
organizations are saying, "Well, you know what? We're going to be
active in this. We're going to be proactive." And a lot of that
has to do with that leadership quality.


 


In my opinion, from a fraud expert, you always want to work on
the preventive. Because you can always build something, and then
do your own risk assessments to determine if there are gaps
exposed. Then work together to figure out how to close up those
gaps. Instead, of just leaving it open-ended and waiting for the
fraud to happen. And a lot of times people just sit because it's
easier to wait till something happen, rather than be proactive
and build something.


 


Adam:           
Yes, that makes a lot of sense. Being proactive does seem like
the better option, but it all comes down to leadership and those
things. Maybe, we could circle back to what are some of the most
common types of fraud that you see in your line of work, maybe,
there are some examples. I know you can't name any names, but,
maybe, there are some examples you can give and how it was
identified and dealt with.


 


A.J.:             
  Check fraud, is number one on the list. I mean,
you would think that in today's world, that we would be doing
more electronic payments. But there are just amount of checks
that go out on a daily basis. And, sometimes, people just it's
easier to write checks, it's easier to send them through the
system.


 


But I will tell you the post office is compromised. We are seeing
a lot of checks intercepted by third party individuals. Whether
it's the postal workers themselves or they're in a partnership,
maybe, with the fraudster or they've been approached, and we read
things on the news where postal workers are held at gunpoint,
their keys are taken, for mailbox. And all these fraudsters are
looking for is just checks, where they can either wash them or
they can do a forged endorsement on the back hoping that nobody
will notice that.


 


Check fraud, is unfortunately not going away, and in the last two
years I've seen a significant increase. And there are certain
controls that you can put in place, not only for the banks, or
the institutions, or the companies, but also for the customers
themselves. Positive Pay is really important, where you can look
to see if you can be protected and be notified, if there's a
counterfeit check that gets presented. You can do a payee
Positive Pay, that looks at the payee information to see if it's
been washed. 


 


Alternatively, go with the electronic. It's a lot easier on the
cash flow, but you also don't have to worry about a paper copy.
So check fraud is definitely number one. The other thing we're
seeing a lot is what we call Business Email Compromise, BEC, as
it's known. And what this is, is with fraudsters, they penetrate
into an organization.


 


Whether it's through a phishing attack or other metrics, and what
they do is they clone the server once they're in the
organization. And they operate as if they are an authoritative
figure and emailing different groups, different business units.


As well as, maybe, even the financial institution changing
payment information or making requests for ACH or wires to go
out. And what happens once the clone server is done, the primary
customer or the vendor has no idea. And the fraudsters are the
ones that are letting certain emails go through, intercepting
other emails. So, a lot of times, these customers have no idea
that they've been compromised, as well, as they just quickly
change that information and say, "Hey, we need to pay this person
X amount of dollars."


 


But nob...