CIPD | Staff fraud and dishonesty (2024)

Internal fraud is a dishonest act perpetrated by misrepresentation, omission or abuse of position in the workplace. Some acts of fraud may be criminal, but, if it is not a criminal act, the person responsible could still be in breach of the terms in an employment contract.

For the purpose of this guide, the term ‘staff’ is defined as any individual with a contractual arrangement, whether directly or indirectly (for example through a recruitment agency), to provide their personal services to an organisation. This therefore includes, but is not restricted to, permanent staff, temporary staff on short- or fixed-term contracts, and staff supplied by a recruitment agency or third party.

In the UK, the Fraud Act 2006 provides for a general criminal offence of fraud with three ways of committing it:

Fraud by false representation

An individual dishonestly and knowingly makes a representation that is untrue or misleading. For example, if a candidate says they have a degree when they do not.

Fraud by wrongfully failing to disclose information

An individual wrongfully and dishonestly fails to disclose information to another person when they have a legal duty to disclose it, or if the information is of a kind that they are trusted to disclose, or they would be reasonably expected to disclose – for example, when asked, a candidate not declaring that they have been dismissed from a previous role or not declaring they have an unspent criminal conviction.

Fraud by abuse of position

When an individual, who has been given a position in which they are expected to safeguard another person’s financial or other interests, dishonestly and secretly abuses that position of trust without the other person’s knowledge – for example, an employee abusing their position by stealing from their employer or from a customer of their employer, or dishonestly divulging confidential information to a third party.

Although the Fraud Act provides a legal definition, there are other fraud-related activities that may not constitute fraud as defined by criminal law, but could be reported as offences under other acts – for example, the Theft Act offence of false accounting.

For the purpose of this guide, the term ‘fraud’ includes those occurrences when a person dishonestly makes a false representation, wrongfully fails to disclose information or abuses a position of trust, with the intent to make a gain, cause a loss or expose another to the risk of loss.

The term ‘staff fraud’ in this context is also known as:

• employee fraud
• insider fraud
• internal fraud
• workplace fraud
• insider threat.

You can find details of the different types of staff fraud in the download at the end of this guide.

An important legal aspect to bear in mind is employers’ liability for fraud committed by employees.

If an employee causes financial damage to their employer, the employee who committed the fraud will usually be liable. However, they may not be able to compensate the employer. Where a third party is affected, employers may also be liable for fraudulent acts, if the employee acted within the scope of their employment.

The way organisations approach the issue of staff fraud is changing. The days when HR professionals would handle staff fraud cases quietly with no publicity are long gone. Indeed, a number of businesses in the UK are now sharing data actively with each other – under carefully controlled conditions – on incidences of staff fraud within their organisations. Members of Cifas – the UK’s Fraud Prevention Service – reported nearly 270 individuals to the Cifas Enhanced Internal Fraud Database in 2021. According to fraudscape, 41% of those cases were in relation to dishonest actions, the majority being theft of cash. And they reported a growth in other types of dishonest act, such as a 10% increase in filings when job applicants had hidden information on their application form, such as adverse credit history.

The threat from staff fraud can be combated effectively in two ways:

• by cooperating and adopting a common approach that encompasses zero tolerance of all types of staff fraud
• by focusing on prevention and introducing a rigorous anti-fraud internal culture that promotes honesty, openness, integrity and vigilance throughout the workforce.

The challenge lies not only in ensuring that the correct policies and culture are in place to facilitate such an approach, but also ensuring that such policies are consistently followed. However, it’s important to ensure that staff do not misuse business property or systems or carry out any illegal activity, balanced with fostering a culture of mutual trust and respect.

This can be done by adopting a risk-based approach, which takes into account the nature of the business, the industry sector and different job roles. Clear communication on the reasons for adopting a particular approach as well as the potential risks to the business will mean employees are more likely to view any measures put in place as reasonable and necessary.

To combat staff fraud effectively, consider:

• why staff commit fraud
• the profile and common characteristics shared by those who commit fraud.

There is no single profile for someone who commits fraud. Donald R. Cressey, an American criminologist, devised the ‘Fraud Triangle’ of triggers, which can help us to understand what could lead employees to commit fraud.

Opportunity

For fraud to take place, there must be an opportunity to commit it. A lack of internal controls, a blame culture and lack of reporting structure can all create an opportunity.

Areas that can lead to opportunity are:

• Weak internal controls: For example, if there is only one staff member who deals with accounts or invoicing, there is more opportunity for embezzlement. Such opportunities could be reduced by implementing dual controls, such as having another staff member checking and signing off transactions.
• Unclear policies and procedures: If there is no clear and concise policy in place, there will be no fear of exposure or reprisal, or a staff member could believe that the activities they were undertaking were acceptable.
• Poor security: Lack of physical security – for example, no CCTV surveillance or computer passwords – may lead to opportunities for fraud. Individuals are more likely to commit fraud if they believe they will not be caught.
• Open doors to criminal infiltration: Organised criminals may attempt to plant a member of staff within an organisation with the intention of defrauding them. When under continued pressure because of high staff turnover, the quality of recruitment and security screening has been known to suffer in order to get people in and working as soon as possible, which such infiltrators can take advantage of. Criminals have been known to target call centres, hospitals, bank branches and retail outlets in this way. Criminals may also approach employees and offer them money in exchange for divulging confidential company or customer data.

Motivation

Motivations for fraud are often rooted in the pressures and temptations in life. These pressures can include:

• Financial pressures: such as keeping up with any day-to-day costs, including mortgage payments or rent, food bills, or any additional pressure caused by looking after family. High costs of living could also be a major influence. As a result of the pandemic, and in the UK the cost-of-living crisis, an employee who would not have previously thought about committing fraud could now find themselves doing so in an attempt to make ends meet.
• Addiction: to fund an addiction such as drugs. You should consider how you can help to support any employees who want help for an addiction.
• Debts: sometimes mounting debts can become unmanageable, adding further pressure if they need to be repaid within a strict timescale.
• Domestic issues: such as pressures attributed to relationship breakdowns, divorce or child maintenance payments, or family pressure to bring in a higher income.
• Modern-day pressures: social media and the internet can have a huge impact as people attempt to replicate the lifestyles they see online, which are often not achievable financially.

Rationalisation

If an employee is unhappy at work, they may find it easier to commit fraud, as they are able to rationalise their own behaviour. Unhappy employees could commit internal fraud as a way to get ‘revenge’ or act maliciously if they don’t feel they have been treated fairly – for example, because of low pay or being passed over for promotion. Personal differences with management, redundancies or if remuneration policies or bonus distributions are thought not to be fair could also be factors. In addition, staff who feel insignificant, powerless or taken for granted are also able to rationalise any fraudulent activity.

• Strengthen your zero-tolerance policy to employee fraud and nurture a culture of ethical behaviour and integrity.
• Aim to create a rigorous anti-fraud internal culture that promotes honesty, openness, integrity and vigilance throughout the workforce.
• Ensure that employees are aware of the whistleblowing policy and how to report suspicious activity, and highlight any support for those who are prepared to do so.
• Provide training and/or guidance that communicates potential early warning signs of fraud, and how to report staff fraud.
• Lead from the top – ensure that those in senior positions within the organisation follow the same rules as other employees.
• Strengthen your policies and practices for employee recognition and development to address the issues that can motivate staff to commit fraud; even if employees are not motivated to commit fraud themselves, unhappy people are unlikely to be committed to combating it or being vigilant with respect to the behaviour of others.
• Provide support and guidance to employees who could be struggling either financially or in other ways.
• Monitor suspicious activity, such as unauthorised access, or sending restricted confidential documents outside of the organisation or to personal email addresses, but in a way that complies with data protection and privacy law, and is justifiable.
• Ensure that policies and practices are reviewed regularly. And whenever there are major changes in your organisation, such as the switch to working from home, review them all again.
• Carry out regular audits and spot checks.
• Consider establishing dedicated units to specialise in proactively targeting and reactively investigating cases of staff fraud.
• Review instances of fraud and ensure that controls are put in place to prevent it from happening again.
• Keep up to date with trends in internal fraud.
• Restrict staff access to systems, databases and communication channels to a level relevant to their individual role.
• Use specialist in-house software to monitor, flag and identify suspicious activity and create exception reports after analysing variables from employee, customer and transactional information.
• Develop an effective communication policy to prevent disruption and a negative impact on morale by dispelling any speculation, misinformation, unsubstantiated rumours or gossip circulating within departments when fraud is suspected or identified.

• Screen all candidates to the appropriate level, driven by risk not seniority, and do not ignore any concerns.
• Consider additional checks throughout the year, such as criminal record, fraud or credit checks, bearing in mind any legal requirements. (For the legal requirements concerning checks, see our guide to pre-employment checks – although focused on checking new recruits, the information is still relevant.)
• Ensure that any anomalies (such as a different reason for leaving a previous employment on a reference) are investigated thoroughly.
• Ensure that temporary and third-party staff are screened to the same standard as permanent employees.
• Verify candidate identities, personal details and references through vetting and security screening, as well as undertake further appropriate background checks on prospective employees.

• Put strong policies in place covering investigations, dismissals and the involvement of law enforcement in the event someone commits fraud, balancing the potentially competing demands of the internal investigation, disciplinary process and the external police investigation.
• Make sure anyone investigating fraud has received and completed appropriate training.
• In the event of fraud, follow your fraud response plan if you have one. Secure any evidence such as audit trails, CCTV, etc, so it can no longer be tampered with.
• Follow your internal policies – for example, your disciplinary policy.
• Engage with any relevant stakeholders, such as communications teams, if reputational damage is expected as a result of fraud.
• Engage with a third-party company who can investigate fraud if there is insufficient knowledge/ability within your organisation to investigate.
• Consider engaging law enforcement if your losses are substantial.
• Form a solid working relationship with fraud investigators so that if you need to work together, the relationship is already there.

To take a holistic approach to fraud prevention, you will need a company culture that supports this. Your culture should stress the need for openness and trust between employees at all levels. This does not simply mean that people are comfortable reporting suspicions of staff fraud, but also reporting personal issues that could impact the performance of other staff members and increase the likelihood they will commit fraud. It must be made clear that if staff have concerns about co-workers, they have an obligation and duty to report this. You should have a whistleblowing policy that facilitates an independent and confidential way to report these concerns that creates an environment where people feel able to report instances and are confident that the matter will be dealt with in a discreet, professional and considerate manner.

It is also vital that staff are made fully aware that, should they commit fraud, there will be zero tolerance. However, you should also be careful that, while making employees aware of the zero-tolerance policy, the honest majority of the workforce do not feel that everyone is under suspicion and being monitored.

Good people management can also make a difference when it comes to opportunistic fraud. If an employee is happy in their workplace, this could mean they are less likely to commit fraud than if they feel undervalued. To help create this organisational culture:

• Consider the impact of any new policies on your employees, especially when a change in policy will result in an employee spending more – for example, on commuting, or utility bills if working from home.
• Ensure salaries are fair. Differing salaries could make an employee feel unhappy if they are doing the same job as a colleague but not being paid as much.
• Treat employees fairly and with respect.

Tools such as employee assistance programmes offering confidential counselling and mediation services are useful in helping to create a trust-based culture.

When seeking to create a prevention culture, it is important that clear and direct policies are formulated that are consistently and fairly followed. Policies are the core educational and awareness tools for all employees and should support the overall business approach to preventing staff fraud, setting the parameters and risk exposure. They should also ensure clarity, transparency and fairness when dealing with incidences of staff fraud.

There are various policies that can help you to create the right culture. As a minimum, you should have policies covering:

• fraud management
• staff fraud prevention
• code of conduct/business ethics
• staff assistance
• whistleblowing
• fraud specialists/HR working together
• investigations
• disciplinary matters
• fraud reporting.

The Fraud Advisory Panel has published anti-fraud policy statements and templates on its website that may help you.

To help reduce the risk, you should also put policies and practices in place to support the welfare of your employees. The help could be something as simple as ensuring employees are aware of employee assistance programmes, or signposting to relevant organisations that can help.

However, a policy alone cannot ensure that the appropriate controls to prevent staff fraud are maintained. This is only achieved by action and by others seeing that action is taking place. It is this that creates the preferred behaviour the policies set out to achieve. The anti-fraud culture needs to be endorsed and followed at all levels, meaning that, for example, managers and high-performers must follow the rules just as any other employee is expected to do.

You should give all new entrants a code of conduct/business ethics or staff handbook clearly setting out their responsibilities and requirements for discretion and security. These documents should indicate what disciplinary procedures exist and the consequences of breaking the rules, and state any monitoring they can expect to make sure the code is being followed. There should also be an awareness session on staff fraud as part of the induction programme. During induction training, staff should also be made aware of their responsibilities and the consequences of committing fraud. The key messages should therefore focus on actions and consequences. Any related policies should be communicated by senior management so that it is clear fraud is taken seriously.

You should also make new staff aware that every computer transaction they undertake leaves a footprint for audit trails, and that they are personally responsible for all activity undertaken using their logins and/or passwords. Staff who have committed fraud have been known to use unlocked computers and co-worker logins and passwords; therefore, it is best practice to update passwords regularly and ensure everyone is aware that they are responsible for any activity carried out using their password, and so they should not under any circ*mstances share or disclose it.

Regular education and awareness of fraud is key to embedding an anti-fraud culture. Currently, many organisations do not have any staff fraud awareness training, while others have it only in high-risk business areas. The threat from staff fraud is such that all staff should receive training, not simply during induction but on a continuing basis. Training should communicate what early warning signs to look for, what to do if approached by a third party, personal safety issues, the whistleblowing policy and how to report staff fraud.

You should make people aware that they have a duty to report suspicions of staff fraud by others and instances of approaches by colleagues or third parties. The messages sent to staff through training should be strong and direct, providing support as well as a deterrent. Managers and team leaders should be specifically targeted for training.

It can be difficult to instil an anti-fraud culture when the possible punishment may not be enough to deter, so explaining the impact of even a light prison sentence on an individual’s life chances is important, as well as highlighting other sanctions, such as being recorded on the Cifas Internal Fraud Database, withdrawal of pension and benefits to pay for losses, and civil action.

It is also best practice for staff to sign code of conduct/business ethics documents annually to confirm that they are aware of their obligations. This will prevent staff claiming that they were unaware of any policies they have breached.

A ‘whistleblowing’ policy and clear way for staff to confidentially report any concerns about the conduct of other employees are important elements in tackling staff fraud. You should give thought to how your whistleblowing process is promoted within your organisation to deliver maximum benefit. You should also ensure that you protect and support those who expose corruption, dishonesty or unethical behaviour.

Whistleblowing is consistently a key feature of an anti-fraud culture and is integral to an organisation’s code of ethics. According to Cifas members, whistleblowing is the least common way that internal fraud is detected in the UK. When employees see corruption or fraud in their organisation, they do not seem to want to report it. Surveys show some are not interested, and some fear being ostracised by their peers or losing their job. Media stories about whistleblowers being unfairly dismissed don’t help in this respect. As a result of these surveys, businesses have enhanced their whistleblowing policies (for example by having a direct phone line to the board to report unethical incidents – not just fraud or corruption) or have tried to rebrand the image of whistleblowing. Either way, whistleblowing must be an essential part of any thinking about how to tackle staff fraud.

"Monitoring staff" is a complex term with varied definitions and you must be careful to comply with any related privacy laws. In the UK this would include GDPR, the Data Protection Act 2018 and privacy law. You should only monitor staff if it is justified and there is a lawful basis. Protecting a business from theft or legal action and ensuring company resources are used appropriately is a legitimate basis. However, monitoring must be reasonable, necessary and proportionate, and you need to find a balance between your interests and any intrusion into employees’ personal lives. You should always consider less intrusive ways of achieving the same results, such as training or regular performance reviews.

Policies must state clearly when monitoring, including covert action, might take place. There may be exceptional circ*mstances when advanced notice would defeat the point of the monitoring, such as if serious fraud is suspected and the employee who is under investigation could be tipped off, which could lead to the disposal of evidence. But you should carry out a data protection impact assessment before any covert monitoring, and any such monitoring should only be done as part of a specific investigation for a limited period.

Due to the complexity of the problem, larger organisations should give serious thought to creating dedicated teams of fraud investigators and fraud detection specialists dealing specifically with staff fraud. If you have limited resources or small fraud teams, you should consider creating ‘staff fraud champions’, who will act as specialists for your organisation. If you are part of a small organisation that doesn’t need an internal fraud team, set out a clear process of who should be notified when potential/confirmed fraud is identified. In smaller organisations, any investigation should be undertaken by somebody who has received sufficient training to do so or by a third-party company who specialises in internal fraud investigation.

Effective policies need to be in place to investigate allegations or suspicions of fraud, without which investigations may fail because:

• Potential evidence or relevant legal processes are compromised by people who are not trained properly.
• Those qualified to undertake the investigation are deployed too late to gather the necessary evidence.
• Law enforcement is not involved early enough in the investigative process.
• Managers or others conceal information or evidence to hide perceived failure in their management or control of the business area.

Any investigation should be used to gather enough evidence to suspend, arrest or clear an individual. You should ensure that there are clear communication procedures in place to make certain that any witnesses are not interfered with. Anyone involved in the investigative process should avoid protracted conversations or unnecessary confrontation.

During an investigation there are likely to be interviews conducted with the staff member suspected of fraud and any possible witnesses. It is vital that organisations clearly set out who is responsible for interviews and ensure that they do not become entangled with any disciplinary procedures. The interviews should inform the disciplinary decision, but the disciplinary process should be kept completely separate.

You should approach the police at an early stage in the investigation if the matter is going to be reported. In some sectors a criminal investigation may not be necessary, and you can decide whether to involve the police, but you should check if you have any legal obligation to report it. Guidance should be given on this in any related policy.

In the UK there is a legal obligation to report fraud to the police or to any other body only if an individual or the business concerned is part of a regulated sector, such as accountants, solicitors and financial services firms. Overall, the UK Government encourages the voluntary reporting of fraud to law enforcement agencies, to help protect others and improve the overall national intelligence picture.

The role of HR and fraud specialists should be clearly set out within your general fraud management policy or fraud specialists/HR working together policy. These policies should include the following general principles:

• All concerns or allegations of fraud and other criminal behaviour will be investigated fairly and thoroughly.
• Any staff member suspected of fraud will be presumed innocent until proven otherwise.
• The responsibility for the investigation of staff will be completely entrusted to fraud specialists as soon as it becomes evident that criminal or fraudulent activity may be involved.
• Staff identified as involved in fraudulent or dishonest activity will be dealt with consistently and fairly under your disciplinary procedures.
• If necessary, any fraudulent activity may be reported to relevant law enforcement agencies.
• Legal action may be taken against any individuals involved in fraudulent or criminal activity.
• Assistance will be provided to law enforcement, regulatory authorities and other organisations in their fight against fraud and crime.

Alleged fraudulent conduct will need some form of action. Even minor fraudulent activity is likely to affect the employee’s suitability for their role, their relationships with colleagues and the organisation’s reputation. If criminal proceedings do follow, you can put your investigation on hold until the criminal proceedings have concluded, or you can still carry out your own investigation if it is reasonable to do so. If you continue with your own investigation, you must do so thoroughly and must not prejudice the criminal proceedings.

If the police investigate, they can undertake interviews and gather evidence. Indeed, police contributors to this guide have indicated that businesses should involve law enforcement agencies at an earlier stage in the investigation process, as often, for evidential purposes, they need to be involved when the fraud is happening rather than at the end of the process.

The police will bring many benefits to an investigation, including expertise and experience, power to search, seize and arrest, access to forensic techniques and asset recovery potential. However, the police may be reluctant to share information with you that could jeopardise their investigation. Police will require from organisations:

• total honesty
• details of similar activity
• early notice
• commitment to the investigation
• cooperation
• sufficient evidence.

When criminal proceedings are a possibility, the employee may be advised by their lawyers that participating in a workplace investigation could be harmful to their defence and they may therefore refuse to provide any information to you. This can make it difficult for you to properly investigate, but you may not feel able to delay dealing with an employee until the outcome of any criminal proceedings, as this can take several months or years, and if you are considering dismissal for gross misconduct you need to act promptly to ensure any processes are followed fairly.

In the UK, the Acas Code (Paragraph 11) also requires employers to hold disciplinary meetings without unreasonable delay while allowing the employee reasonable time to prepare for the meeting.

Even if an employee is charged or prosecuted, you will still need to follow a fair disciplinary procedure. If possible, you should give them an opportunity to attend a disciplinary meeting and respond to the allegations before taking any disciplinary action. This may not be possible if the employee is in custody. If the employee refuses to cooperate or is unable to do so, you can make a decision based on the evidence available, provided that you have warned the staff member.

If fraud specialists are involved, they will be in charge of the investigation and you will be in charge of the disciplinary process, but there is no harm – and indeed in some cases it may be helpful – in your HR team sitting in on interviews conducted by fraud specialists and vice versa. The extent of this interaction will vary depending on the size of the organisation and internal culture. It is considered best practice for the two groups to work closely together, communicate effectively and ensure that they complement each other.

However, you must ensure that these two processes are kept separate and do not become entangled. Therefore, there are numerous stages in investigating and dismissing an individual:

• The fraud specialist is made aware of an allegation or suspicion of fraud.
• The fraud specialist commences an investigation and informs HR.
• The fraud specialist and HR consider whether to suspend the individual during the investigation because of the level of risk, evidence, and so on.
• Interview stage could be a fact-finding or investigative interview; the line manager and possibly HR should attend.
• The fraud specialist and HR again consider whether to suspend the individual based on the evidence uncovered during the investigation.
• The fraud specialist should complete the investigation and produce a report, which should be viewed by the line manager and HR.
• HR should consider whether gross misconduct has occurred.
• The fraud specialist who conducted the investigation may be required to assist with any disciplinary meetings by clarifying certain matters.

Organisations should refer to the Acas Code of Practice on Disciplinary and Grievance Procedures.

If you decide to dismiss an employee, you must show that your response was fair, and within the band of reasonable responses. The police investigation or criminal proceedings are different, as the standard of proof needed is beyond all reasonable doubt, a much higher level. Because of this, the police may not continue with proceedings, but your decision is still okay as long as you had a reasonable belief and acted fairly.

The Acas guidelines say the following offences relating to fraudulent behaviour are normally regarded as gross misconduct, and these should be made clear in any related policies:

• theft, fraud, deliberate falsification of records
• unauthorised entry to computer records.