JYOTI KHETARPAL
The culprits in this case had different motivations, methods and expectations but they shared one trait — they were united by their decision to commit fraud. Some were disgruntled employees at recruiting companies hoping to branch out and open their own businesses. Others were stressed-out recruiters who had unrealistic budgets and time constraints placed upon them. And still others were simply unscrupulous business owners trying to save a buck. The one thing they had in common was that they targeted the same victim.
Serve.com was founded by Linden McNally to provide online recruitment and related professional services to corporations. Serve established and maintained a network of 60 offices nationwide and employed 2,500 people; it was considered the nation's leading job portal. The client list included employers, screening companies, consultants and job seekers, and it was strictly an Internet business. It had a Web site on which corporate clients could place recruitment classifieds and it offered online tools for conducting searches in resume databases and applicant screening programs. These services required Serve's customers to be able to download large amounts of data from the Web site.
Serve also provided lists of consultants, including their addresses, the top 100 companies in the country, the industry leaders and so forth; these services were mainly used by individuals. Individuals made online payments and either downloaded the compilation or requested it in printed form.
Serve began outsourcing the processing of online payments to its bank, and suddenly discovered problems with fraudulent transactions, which were costing Serve not only financially but in damage to its reputation as well. Media reports began claiming that Serve's employees may have been involved in the fraudulent transactions.
I was enjoying a lazy Sunday afternoon in the peak of the winter season when I received a phone call from my old friend Linden asking if I could help out with a problem his company was facing. He said that since he contracted Serve's online bill-pay services to an outside bank, the payment rejection rate increased from 2 to 16 percent. Linden was worried that existing clients might be downloading subscribed data from Serve's Web site but then disputing the payments.
Linden stated that reputable corporate clients were availing themselves of Serve's downloadable products but, at the time of payment, they disputed the transactions. He suspected somebody in the organization was involved in fraud, but said that he could not discuss much over the phone. I tried to calm Linden down and we arranged a meeting at his office for the following day.
A little basic research on the Internet gave me fair idea of the products and services offered by Serve, the nature of the company's online transactions and the clientele. Although I was told that the problem was with rejections of online purchases, the details were unclear to me.
I met with Linden in his office the next day. He told me that long-term customers had recently begun rejecting payments because they claimed the transactions were unknown to them. The rejection rate had surged almost 700 percent from the acceptable threshold levels of the previous few months. He also said that upper management at Serve suspected Michael, who was a member of the IT team, was somehow involved. Michael was in charge of account maintenance and management was considering firing him, depending on the outcome of a parallel investigation that was being conducted on Michael by an independent agency. They were trying to determine whether there were discrepancies in his lifestyle and income.
Linden said that Michael was a hardworking employee who got along well with other staff members. Linden did not personally suspect that Michael was involved in the increased payment disputes, but so far the evidence pointed to him. To begin my investigation, Linden gave me Michael's personnel file. He had been with the company for nine years, was promoted gradually and was even awarded "employee of the month" recently. I told Linden that we needed to conduct a thorough investigation before blaming anyone, which meant I was going to study Serve's entire payment process to find loopholes that could indicate the possible malfeasant involvement of employees. Linden walked me through Serve's operational procedures, starting with the creation of a new account through the client's online payment for services or products. The process outwardly seemed standard and was monitored with proper checkpoints.
I asked Linden if his organization had prepared comparative analyses or a matrix to pinpoint the problem area, but he said no. Linden was able to give me the data on past and current rejections during our meeting and promised to send other information by the end of the week. We arranged a follow-up meeting in another two weeks.
I found the problem intriguing. Serve was a well-established company. Its processes seemed to include proper control checks and segregation of duties, the staff members appeared to be of high integrity and the clients were respected employers and recruitment consultants. I had seen nothing yet to raise suspicions toward anyone in the chain of operations, including Michael.
To begin my investigation, I reviewed the current rejection files Linden gave me. I asked my team to analyze the rejections in terms of rate, type and amount to prepare a matrix. Three days later, the results were in and we were surprised by what we saw. The facts were pointing to the element of the chain that we least suspected — Serve's corporate customers. I did not reveal the results to Linden immediately but asked him to send the other data as soon as possible.
After I received the records for the past year, my team compiled a matrix of the rejections; the results did not change. We noticed a trend in the rejection rates. At the beginning of the year, the problem was individual account holders downloading resumes or other basic information about job seekers from Serve's Web site but then denying the transactions and refusing to pay. Gradually the problem shifted from individual accounts to small-time consultants and eventually we saw the large corporate customers denying payments. The trend was shocking because we thought the corporate customers would probably be more organized and trustworthy.
Our initial analysis and discussions indicated that the culprits were mostly employees of Serve's corporate customers. They had acquired their employers' login details and were able to misuse them because authorization was not required to purchase products online. These employees were divided into two categories: those who used the main identification (main ID) and those who created sub-identifications (sub-IDs), whether through their personal or work e-mail accounts.
I discussed my team's findings with Linden during our next meeting and he was thrilled that we had identified the root of the issue. He had a razor-sharp mind and knew the company inside and out; he had a fair understanding of what I was trying to establish. Our initial discovery ruled out Michael as a suspect in the fraud. He was an IT employee who had no contact with clients. Linden was happy to clear the name of an honest employee whose integrity had been challenged due to process faults. Linden ordered the independent investigator to discontinue the investigation into Michael.
I requested that Linden allow two of my team members to work with his IT department and Michael. Linden readily agreed. I sent Alex and Christine to Linden's office to have a structured walk-through to understand the technical processes related to creating corporate account IDs, confirming service requests, downloading data after online payments and tracing the necessary audit trails. The report created by Alex and Christine clearly depicted the following problem areas:
Limited information was requested from clients at the time the primary accounts were created.
Once they had an ID for a primary account, customers could create unlimited sub-IDs with limited connections to the primary account.
Clients did not have to provide authorization at the time they purchased products or services from Serve's Web site.
There was a significant lack of controls in the ordering process.
Serve did not maintain a database of disputed payments.
Our analysis of the rejections indicated that established accounts were being used by dishonest employees of good clients to make unauthorized purchases. Part of the problem was that Serve's upper management insisted new customers be granted nearly instantaneous access to the company's Web site and downloadable products, which meant that Serve's employees did not have time to conduct thorough checks of new clients when the accounts were opened. Also, because it was easy to create sub-IDs that were piggybacked to one main corporate account, a scam artist only needed to uncover the main account ID, and could then create an endless supply of sub-IDs with which to make purchases in the client's name. Our investigation revealed that 94 percent of the rejections were due to unknown transactions. The question turned to how to curb it, considering the large number of users. Linden and I had various discussions and came to the conclusion that half of the problem could be resolved by correcting the account-creation process. To fix the other half, we asked the IT department to write new algorithms that would send an e-mail to the main-ID holder of an account when a sub-ID attempted to download data from Serve.com.
Once we had identified the culprits and knew that the problem was most severe with the corporate customers, Serve's management chose to send an official notice to its large clients explaining the problem. The notice stated that Serve was working to improve its enrollment process and would soon be asking the clients to protect their accounts by following a few additional but necessary steps.
Jyoti Khetarpal is a qualified chartered accountant in India with more than 12 years of corporate experience with organizations including Dun & Brad-street and American Express. She has been instrumental in outlining risk management methodology, analytics and assessment. Jyoti is currently working with Alea Consulting to provide reputational due diligence, corporate (fraud) investigations, intellectual property protection, KYC and other related services.