AccountingToday

NEW YORK (FEBRUARY 7, 2013)

BY MICHAEL COHN

A former Grant Thornton partner has been arrested for stealing nearly $4 million in client payments intended for the firm.

Craig B. Haber was arrested by postal inspectors Wednesday morning at his residence in New York City and appeared before a judge in Manhattan federal court that afternoon.

The 59-year-old accountant was a partner at Grant Thornton from 1993 until last July, working at the firm’s offices in Manhattan providing tax preparation and advisory services to investment partnerships and other clients. Grant Thornton’s bills ordinarily included payment instructions directing clients to pay the firm by wire transfer or by sending checks to GT’s headquarters in Chicago. However, on multiple occasions from 2004 through July 2012, Haber allegedly sent bills to clients containing payment instructions directing them to send checks to him at the firm’s New York office instead of the Chicago headquarters.

Upon receiving those checks, Haber allegedly deposited a number of them into a bank account that he had opened in the name of a sham business that was very similar to Grant Thornton’s name. He opened the bank account specifically to receive checks from clients that were intended for the firm, according to prosecutors. After depositing the clients’ checks into that account, he then allegedly transferred the money from that account to two personal bank accounts which he used to pay various personal expenses, including mortgage payments for his Manhattan residence. Haber allegedly stole a total of nearly $4 million in client payments.

“From his perch at a prestigious accounting firm, Craig Haber allegedly betrayed his partners, by deceiving the firm’s clients in order to rob the firm blind—diverting millions of dollars of client payments into his own pocket,” Manhattan U.S. Attorney Preet Bharara said in a statement. “Fraud is always serious, but it is especially alarming when, as alleged here, it is committed by professionals who are supposed to be gatekeepers responsible for ensuring financial rectitude.”

Haber has been charged with one count of mail fraud, and faces up to 20 years in prison and a maximum fine of $250,000, or twice the gross gain or gross loss from the offense.

Grant Thornton said it cooperated with the investigation. “A former partner of Grant Thornton was arrested today by law enforcement authorities in New York for allegedly stealing from Grant Thornton,” said spokesman Tim Blair. “Grant Thornton disclosed this former partner’s conduct to the authorities promptly after discovering possible financial improprieties, which resulted in his separation from the firm. The firm fully cooperated with law enforcement authorities in their investigation and will continue to cooperate in their prosecution of this matter.”

Watching Jean Chatzky on television Friday, I learned that credit card users will suffer yet another financial blow starting as early as next week (February 2013).

Under new credit card regulations, merchants who take credit card payments will be able to charge credit card users more than what other customers will pay using cash or their debit card.  As Ms. Chatzky pointed out, merchants will be slow in adopting new policies and procedures as this comes into effect, but over time it is expected that merchants will add a fee or surcharge to the consumer’s total cost of their purchase, if the consumer uses a classic credit card for their payment.  Credit card users will pay more than other customers paying cash or using their debit card.  Gas stations have worked under this scenario for years.

The end result is that customers like myself who want to protect themselves from identity theft and other unlawful access to their finances, and minimize their exposure to global credit thieves by using a classic credit card (versus a debit card), will pay a premium for the luxury of using credit cards for their purchases.

It is widely known that criminals and identity thieves around the world target individuals and businesses to gain unlawful access to card information.  Much of this crime is targeted against Americans by individuals and groups outside the United States.  The primary target these days continues to be debit cards because they give the criminal instant access to funds within linked bank accounts.  Most often when there is a breech, the funds are gone from the linked bank account before the victim even realizes their account has been violated.  The victim then has to work with their bank to get their funds returned to their bank account.

Conversely, as I have been recommending for years, individuals can avoid the “debit card rush”, and continue to use their classic credit card - Mastercards, Visa, American Express, Discover…  These traditional credit cards are not linked to bank accounts, and do not allow instant access to funds.  Charges are added to the account as they are incurred, and once an unauthorized charge is identified by a cardholder, the charge can be disputed and new cards issued.  The cardholder is out no funds.

There is a cost difference for merchants.  Credit card companies typically charge from 3 to 6 percent on each purchase for processing a credit card charge, a cost paid by the merchant / retailer.  If, however, the customer uses a debit card, the charge for processing the transaction is a fraction of the fees, at times as little as $.25 per transaction.  Hence there is a financial incentive for merchants to encourage debit card use versus credit card use.

On the larger scale, new fees added to credit card users is directed to drive more consumers towards debit cards or paying in cash.  Both come with increased risks to consumers, and will likely drive an increase in crime.  For the debit card users, more debit card holders and users will mean more cards and accounts open for targeting worldwide.  I trust the thieves targeting these debit cards are smiling as this regulation goes into effect, as the universe of available cards and accounts to target will only increase for them.  As for encouraging more consumers to use “cash”, there will be an increased risk and occurrence of personal robberies for the cash they are carrying.

At some point the focus needs to be shifted away from how financial institutions (and now merchants) can save money and increase profits, to how laws, regulations and policies can be designed and implemented to truly protect the citizens without continually passing along fees and costs to the consumers (whose same funds are maintained within the very financial institutions imposing the costs).  Perhaps someday state and federal oversight bodies will consult qualified individuals, experienced in these areas, with no agendas or special interests, to help them look at situations as a whole, identify the risks and benefits objectively, and help ensure self-serving changes do not increase risk or cause harm to consumers in other areas.  Contrary to what typically happens every day within government, one can always hope….

The day began in a typical manner, reviewing information recently received from a client to determine next steps.  These records included printed documents, two CDs, and a USB jump drive (also known as a “flash” or “thumb” drive).

So far, so good…

After sorting the printed documents, we inserted each CD into our Windows computer, located the files, and copied them onto a dedicated new folder on the internal hard drive.  We then removed and stored each CD as received for future access.

Next came the USB jump drive.  We inserted it into the computer’s USB port, just as we have with other jump drives countless times before.  Instantly a notification popped up on the screen, indicating the imminent launch of an unfamiliar and unexpected program.

Hmmmmmm…

Knowing we hadn’t launched any programs, but simply inserted the jump drive into the port, we canceled out of the notification.  The insistent message popped up several more times, and each time we selected “Cancel.”

Finally, things appeared normal once again.  We located the desired files on the jump drive, highlighted the list, and copied the files into the folder on our hard drive.

Going, going…gone.

The file-copying process began normally enough, but then it slowed to a halt.  Not knowing why it stopped, we watched to see if it would continue copying…

It didn’t.  The system simply froze.  Frantic, we abruptly removed the USB drive from the computer.  The screen immediately displayed a message indicating we should close the application running before the computer shut down.  My associate and I looked at each other, perplexed, as the computer did not indicate any applications running.  Within moments, before we could formulate a response to the message, the computer shut down on its own.

We pressed the “power” button to restart the computer, and the pilot light glowed once again.  The screen displayed the initial Dell insignia, and then the computer immediately froze, without ever making any of its familiar “start-up noise.”  Our hearts sank.

Over the next hour or so we frantically tried restarting the computer, to no avail.  We found our Windows 7 software CD, inserted it, and followed on-line instructions to restart our computer…

Nothing.  The blue Dell insignia again came up, but otherwise, no power, and absolutely zero functionality.

We called our computer support consultant, who cleared his schedule to come to our aid.  The hour-and-a-half between our call and his arrival seemed like an eternity.  Did our computer die, did that death affect our file server, and, if so, to what extent?

After some initial diagnostics, the consultant advised us the computer would no longer function, and that we would need to replace it.  Then he delivered the worst news: our back-up, which comprised a complete backup of the entire hard drive, would not likely work with a new replacement computer.

He advised us to buy a new computer, re-install all the software applications, and then recover the data files from the backup drive.  At that point we had already lost the better part of the day due to the vicious attack we unwittingly launched vis a vis the client USB jump drive.

The Resurrection

After more tinkering, removing various components, and disconnecting devices from the ill-fated computer, our consultant eventually got the computer machine up and running once again.  With no other components connected, the computer’s display screen appeared as it did at the beginning of our day.

Replacing one element at a time and rebooting to see what would happen, we narrowed down the issue to the USB hub attached to the computer.  The USB hub expanded the number of USB ports available, as often the two or three USB ports contained on the computer prove less than adequate for the number of USB devices we desired to connect.  The hub no longer functioned, although its green power light glowed innocently.

With the USB hub disconnected, the rest of the computer appeared restored.  We deleted every file associated with the project from the hard drive, and sealed the CDs and USB drive in an envelope, never to be used again.

Shortly thereafter our adrenalin rush finally hit, and panic squeezed with a tight-fisted grip.  We had received, copied, and utilized client files provided to us on CDs, DVDs and USB drives since the day we opened our doors for business, always without incident… until today.

What now?

We never considered that a client’s files or media, once introduced onto our systems, could take down our entire computer environment.  Based on the day’s events, we wondered, “How could we ever again accept files sent to us by clients, knowing that they might contain an element of serious risk to our systems?”   Had the time arrived to implement government-level pre-screening requirements on all files prior to allowing them onto our systems?

We quickly answered our own question: “Yes.”

The Answer: A Quarantine Station

Moving forward, we purchased an inexpensive desktop computer with Windows installed for dedicated use strictly as a quarantine computer station.  Connected to the internet only to maintain a current anti-virus and anti-threat scanning solution, the workstation is not, and never will be, connected to our network.  The unit maintains minimal software on its hard drive.

No data files reside on the computer hard drive.  The sole function of the workstation?  To receive client-provided files, screen them for potential threats, and, once processed and deemed safe for use on our systems, allow us to copy the files onto our internally controlled medium for copying and use on our systems.

Should the computer become infected or get destroyed by “malware” contained on client-provided files, we can simply reformat it, reinstall the operating system, and reestablish the protection software.  Thus no exposure exists to other systems or files within our firm’s environment, minimizing our downtime, should something similar to that dark day’s events occur again.  Worst case scenario, we replace the quarantine workstation with a new one.

Take it from us…

Learn from our experience.  If your firm or organization accepts electronic information from clients or any other parties outside of the organization for use within your systems, your procedures should incorporate a similar quarantine process.  Otherwise, you run the risk of feeling our pain.  Create, document, and distribute policy and procedures to ensure awareness among all staff of the expectations, risks, and consequences associated with circumventing the process.

For all employees and individuals within your organization, create, distribute and implement a similar policy and procedures that prevent users from bringing in files from home or other sources for introduction into your systems without such preemptive screening.

Many organizations already enforce policies preventing employees from installing unauthorized software onto their employer-provided computers.  However, the next question should present itself: “Do your policies also address employees accepting electronic files provided by clients’ systems?”

After a stiff drink and time to reflect on just what occurred, how it happened, and what measures could have prevented this unfortunate scenario in the first place, we felt extremely grateful, especially to our computer consultant, that the loss of our USB hub posed the sole physical loss.

Our technician theorized that our abrupt removal of the client USB jump drive thwarted the complete launch of whatever virus it contained.  Had we left it inserted and simply waited to see what happened, the outcome could have proven much different…and much worse.

Computer forensics can often make that determination after their analysis.  Replacing the computer would have carried a reasonable and fixed cost, but losing the systems and files on that computer and the backups we maintained would have created a far greater loss, and dictated far more time… at the bar.

Just this morning coming home from an 18 hour shift, I only had to stop for two red lights.  In both cases (100%), when my light turned green, a vehicle from my left ran their red light, crossing at a high rate of speed across my green light.  Two for two.  Even with me waiting and my having a green light, they ran the light without any concerns for my safety.  These people have become a menace on the roadways.

Two years ago a judge in Texas ordered a couple to wear a sign on a public street for several months.  The sign stated they were caught steaming $250,000 from a victim’s fund.  See link below.  Just recently there were two more sign sentences.  The first involved a woman who stole from Walmart, and the second was a woman who, each day, drove around traffic, over grass and sidewalks, to go around a school bus with its red lights flashing.  See pictures and links below.

Unfortunately for the woman who passes the bus each morning, when news crews came out to talk with her during her punishment, she expressed no remorse and refused to comment.  Lesson learned – at least everyone now knows these individuals for what they did.

Perhaps each town should work with the courts, and dedicate an area within their town where more convicted sign bearers could march in public – they could call it the walk of shame.  Maybe the risk of being publicly humiliated would act as a deterrent, and start to reverse the sad trends we have been experiencing.

Kudos again to the judges handing out these sentences.

http://fun107.com/woman-made-to-wear-sign-for-stealing-we-need-more-public-shaming/

http://newsfeed.time.com/2012/11/08/woman-to-wear-idiot-sign-as-punishment-for-driving-on-sidewalk/

This week’s target – South Carolina’s Department of Revenue database.  The breach, reportedly perpetrated by an individual operating out of the Soviet Union, exposed the personal information, including names, addresses, social security numbers, debit card and credit card numbers, and earnings information, of over 3.5 million taxpayers.  Anyone who has filed a tax return in South Carolina since 1998 purportedly has been exposed.

I was under the belief that taxing authorities maintained seven years of taxpayer information, which would have only exposed South Carolina filers from 2005 forward.  That appears not to be the case.  One could wonder why any taxing authority needs to maintain detailed data going back 15 years, especially since the IRS record retention schedule only requires taxpayers to maintain copies of filed tax returns for the prior 3 – 7 years.

Per Publication 552:

The period of limitations is the period of time in which you can amend your return to claim a credit or refund or the IRS can assess additional tax. Table 3 contains the periods of limitations that apply to income tax returns. Unless otherwise stated, the years refer to the period beginning after the return was filed. Returns filed before the due date are treated as being filed on the due date.

 Table 3. Period of Limitations

“Going Green”, “Cloud” computing, paperless, cellular banking, picture depositing checks… the latest trends in conducting business and banking.  Each of these developments and  ”improvements” under today’s societal pressures of instant and constant access, convenience and connectivity are creating more and more exposure to global threats.  It remains unclear whether any internal controls can be implemented to truly prevent breaches similar to South Carolina’s from occurring through these “improved” means of conducting business.

The question I ponder is this – wasn’t there less risk and fewer crimes of this nature when these “improved” systems were not available.  Have we really gained anything through implementing these “improvements” in our daily lives?   Cost savings are typically behind implementing these “improvements,” but is the true cost savings really known when daily global threats are hacking away to gain access.

Sadly I predict that these events will only continue and become even more commonplace as more and more “improvements” are developed, exposing information that historically was maintained within secured means to world-wide access.

Here are two links to the South Carolina breaches:

http://www.computerworld.com/s/article/9232965/South_Carolina_breach_exposes_3.6M_SSNs

http://www.computerworld.com/s/article/9233074/S.C._governor_s_post_breach_data_encryption_claims_are_off_base_analysts_say

The US Government continues to incur staggering debt, raising the debt limits and national debt beyond astronomical amounts, and state and local governments continue to be underfunded, maintaining minimal services at times while trying to remain financially solvent.

One economy seems to be doing extremely well, especially for the individuals operating within that economy.  Every day I witness or experience a vendor or business who is clearly operating under the radar of our tax enforcement agencies, using cash (currency) as their form of finance to avoid reporting income for tax purposes.  Yet, those same individuals and businesses seem to enjoy all the same benefits all the government agencies and programs provide.

Today I supported a local restaurant by meeting a colleague for breakfast.  As I paid my bill at the counter, the waitress rang my order through the register (a means for tracking their sales).  I thought for a moment I had finally found a local restaurant who was actually tracking their sales to ensure a complete and accurate reporting of their sales income.  I asked the waitress for a printed receipt (to be used to support the business purpose of my meal per IRS Publication 463).  I don’t know why I was surprised when the waitress told me she would have to hand write a receipt for me, as they didn’t keep register paper in the register (ergo no means to ever know what sales actually were versus their deposits and reported sales).  She hand wrote a receipt on a restaurant dupe pad (the same pad used to take orders) – really official looking.

Tree companies have been clearing trees and bushes in my neighborhood for the past 12 months since last year’s storms.  Each and every company has offered discounts to my neighbors if they paid in “cash.”  The companies now all run new trucks.  An individual we know works full time as a municipal employee.  He is also a mechanic.  On the weekends he repairs cars at his house.  He only accepts cash payments, and none of his income ever makes it onto his tax return.  He earns in excess of $1,000 per weekend after paying cash for the parts.

The level of tax fraud and non-reporting of income is likely highest today than I have ever seen.  I often imagine what would happen if every taxpayer actually reported all their reportable income, and paid their share of taxes on ALL their income (and not just the minimal amount they actually reported).  Would the country even have a deficit? One can only ponder.  One thing I have learned is that there are insufficient resources currently employed to equally enforce the tax laws, and collect the funds required of the government(s) that is selfishly, inappropriately and unlawfully being used to self-promote individual’s personal wealth and situations.

The candidate(s) I am watching for in the upcoming elections is the candidate that will increase the tax enforcement agencies on all levels, to collect the taxes actually due from each and every taxpayer, individual and business alike, regardless of what each taxpayer reported on their return.  The biggest issue seems to be that there isn’t a candidate out there who is even considering collecting all the taxes that are actually due the government under the existing tax rates and laws.

As tax increases and government funding strategies are debated, the funding for tax enforcement agencies will likely decrease.  One can easily predict the disparity between actual reportable income versus the income actually reported will only get bigger, further compounding the funding issue of running the local, state and federal agencies and programs.  Yet individuals operating within the thriving “cash” market will continue to get wealthier and wealthier, on the backs of all the compliant taxpayers.

My response has always been the same.

1) Internal controls and accounting procedures should be objective, not subjective, and should look at the positions and opportunities rather than the individuals who fill those positions.  What does each position entail, what are their duties and responsibilities, and what opportunities exist within each position are key elements to the assessment?  Who presently fills each position, how long have they worked there, and attributes about them as a person and their background are not part of the evaluation (unless we are also measuring competence, capacity, efficiencies and/or other separate objectives simultaneous to assessing the strength of the internal controls).

2) Organizations do rely upon trust.  And they should.  Not the “trust that an employees will not steal”, but rather “trust the employees will consistently adhere to the established controls, policies and procedures” every time.  Internal controls always include measures to ensure that happens (compliance).  ”Trust, but Verify” – in the words of the late Ronald Reagan.

3) The individual often described as the most honest, loyal, dedicated, trustworthy person ironically is almost always the very same person who has embezzled funds, lots of funds, over a long time, operating below the radar screen of suspicions, because they were perceived as honest, loyal, dedicated, trustworthy… and therefore provided too much latitude and opportunity.

Employers expect to “trust” their employees.  For example, employers trust that:

- their employees will devote all their efforts towards their employer;

- their employees will honor and adhere to all policies and procedures of the organization, regardless of whether they are satisfied with their employment and current situation, or not;

- their employees will keep all information learned through their employment confidential, only to be used within the contexts of their employment (and not steal or share customer or client lists, vendor profiles and histories, employee listings, competitive bidding information, pricing and price lists, trade secrets and other confidential and proprietary information)

- their employees will do what they are supposed to do, all the time, and not just when someone is watching over them

But one area that employers should not “trust” their employees is with internal controls over the financial aspects of the organization.  Measures are always needed to safeguard assets, segregate duties, create checks and balances, identify procedures to prevent things from happening, and implement procedures to detect things early on when they do happen (prevent what can be prevented, and detect everything else as early as possible).

Life has been great with my ATM card.  I still worry about losing my wallet (and everything in it), but I loose less sleep about someone accessing my bank account and draining the limited funds I survive on.

Well, you just have to love banks.  I went to have my ATM card replaced, mainly because the magnetic strip on the back was getting worn.  The teller stated she wanted to remind me that my ATM card could be used anywhere a card can be swiped and a pin code has to be entered.  The ATM card can also be used to receive cash back on transactions.

I told the teller that was not what I wanted to hear.  I wanted her to tell me the card could only be used at an ATM.  But now I know it can be used elsewhere.  The teller stated a plain ATM card no longer exists.

As newer technology has become available, more information has shifted into the digital world, including video, audio or image recordings.  What started out through basic copying has moved into electronic scanning, imaging and duplication, with near perfect results.  Technology available on most of today’s computers also allows for editing, and what was once reserved for highly trained and specialized experts has become commonplace and available through every home computer user.  For example, video can be captured through a cellular device, such as an iPhone, imported to a PC or Mac, edited, altered, added, deleted, combined and modified through iMovie, and saved as a final product.  Most of these often end up on YouTube to be shared.  Done carefully, only a trained eye may be able to tell the video was altered from the original footage.  Same holds true with songs and other audio files.

As we all know photographs too have all gone digital, and while traditional “film” cameras do still exist, it is becoming  harder and harder to find film to even purchase and develop.    Software such as Adobe Photoshop can be easily used to import, alter and change a picture, adding and/or deleting to the original captured image.  The end result is a digital photo that can be sent across most every digital medium that exists.

How are these “digital” solutions impacting the field of forensics?  Two quick links.

First, when any electronic evidence including video, audio or photographic information is provided, it now more than ever has to be independently and objectively authenticated before any reliance can be placed on the evidence.  No longer is it simply a matter of preserving the original in its original form and format.  One now needs to preserve the files or images provided, as well as search not only for evidence of the files being altered, but also for the original unaltered versions of the same information if they still exist.  Evidence of who and when any alterations were made should also be sought.

Below is a link (URL) to a recent article regarding electronic (digital ) pictures for use in a legal proceeding (criminal case or lawsuit):

http://www.ctlawtribune.com/PubArticleFriendlyCT.jsp?id=1202556915031&slreturn=1

The second link to forensics has to do with two recent cases of employee embezzlement.  In both cases what appeared to be original, full color versions of monthly bank statements were found within the financial files of the victim organizations.  In both cases, individuals internal and external to the organization used and relied upon these bank statements in the files.

Upon closer inspection after other indica of employee embezzlement became apparent, the bank statements were found to be altered, full color scanned images of the organization’s monthly bank statements.  In one case the canceled check images were cut and pasted into position from other statements, concealing the fraudulent canceled check images.  Even closer inspection of each statement revealed clues the statements were not only scanned color copies, but were also altered prior to reprinting in color.  Hole punches and folds/creases found in the original documents were scanned and captured in the copies, providing further discoverable evidence the statements were not originals.

Knowing how easy it is for someone to alter and reprint real looking documents, organizations and individuals alike need to recognize how easy it is for someone to create and present original looking documents.  While everyone will not aspire to become an expert document examiner, we all need to develop a sixth sense when reviewing documents, to question the authenticity of documents as part of important transactions and decisions, and ensure that we don’t place blind reliance (“trust”) on information that could have been created simply to fool us.  When in doubt, take the extra time necessary to ensure the authenticity of the documents you are relying.  In the world of forensics, we are!

Attached is an interesting link (URL) to a page relating to detecting altered documents through Forensic Document Examination Services, Inc.:

http://www.fdeservices.com/Detection.htm

Embezzlement is a form of larceny, with some unique characteristics.  Embezzlement involves an individual using (and exploiting) a position of trust and opportunity, committing theft acts over time, with or without intention of returning what was stolen, and the activity is concealed (covered up) so as to avoid detection, allowing the suspect to continue perpetrating future theft acts.

Stealing the end of day deposit rather than taking it to the bank to be deposited into an organization’s bank account would be larceny.

Stealing (skimming) $100 from each day’s deposit, and altering the bank deposit slip to reflect the reduced amount to be deposited,  would be along the lines of an embezzlement.

In this recent article, it appeared the driver of an ice cream truck stole the truck’s contents.  One event, discovered all at once, and not well concealed.  Larceny, not embezzlement.

Had the driver skimmed cash or ice cream from the truck and deposits, and concealed the short (theft) by altering his records, that would have been an embezzlement.

Here’s the article:

 Ice Cream Truck Embezzlement