people in background

Forensic Fundamentals

Highlighting fraud, cybercrime and forensic accounting issues from the fundamentals to advanced.
Jim Gee
Jim Gee, Partner, National Head of Forensic Services
Our regular updates will cover the basics through to advanced insights into cybercrime, fraud, bribery and corruption and forensic accounting issues impacting both individuals and businesses today. 

We will also share a number of real life case studies highlighting common problems so you are better placed to protect yourself and organisation.

Click below to find out more on the topics you may need insight on. 

This week's fundamental topic

Friday 5 March 2021
Phishing attacks: what you need to know

In 2019, 88% of organisations globally, experienced a phishing attempt. Phishing is continuously used by cybercriminals as it accounts for 90% of successful cyberattacks. Over recent years, phishing attacks have become much more sophisticated, with adaptations of the traditional form of email phishing being created.

So what is phishing, and why is it more successful than other forms of cybercrime?

Phishing is an attack vector, consisting of tailored, malicious emails sent to individuals that appear to be from a trusted sender. Attackers will often ‘spoof’ their emails, in order to make it look like it has been sent from a reputable individual or company. Spoofing emails consists of falsifying company information from an official company website to ensure the email looks believable. The content of the emails will usually contain either a malicious attachment, or a malicious link to a website. 

Why should organisations be concerned?

Regardless of how aware an organisation may be in terms of cybersecurity, it will only be as strong as its weakest link. If a phishing email does get through the cybersecurity measures in place, the only defence left is the employee that has received the phishing email. CybSafe carried out an analysis on data from the UK’s Information Commissioners Office (ICO), revealing that human error was the cause of 90% of cyber data breaches in 2019, with phishing being the main cause. Phishing accounted for almost half of all reports to the ICO in 2019. The research also found that there had been a significant increase in end user mistakes from the two years prior, rising from 61%, to 87% to now 90%.

Variations of phishing attacks

Below are variations of the traditional phishing attack:

Variation  Definition
Spear phishing Spear phishing is a targeted campaign, when an attacker is looking for something specific or a specific individual. A targeted attack may use employee information in attempt to seem persuasive and realistic to the recipient.
Whaling Whaling is a form of spear phishing that targets senior employees or celebrities. Attacking high profile individuals is much more worthwhile for a cybercriminal business as it provides a greater level of access to greater rewards. 
Smishing Smishing is the same concept as a phishing email, but uses text messaging services. A message will be sent to the victims’ mobile containing a malicious link or a phone number to call. 
Vishing is carried out through voice call. Social engineering is an important component to vishing as the attacker will usually instil fear in the victim in attempt to gain sensitive information over the phone. The sound of a human voice has the tendency to gain victims’ trust more so than other variations.

Tips to prevent falling victim to a phishing scam

  • Inspect URL’s by hovering over the link before clicking on it.
  • Inspect the senders’ email. Legitimate companies will have domain emails that include the company name, as opposed to using an email provider such as Gmail or Outlook, for example.
  • Inspect language and grammar used in message content. It is likely there will be spelling or other errors.
  • Call colleagues/suppliers to verify emails requesting sensitive information or urgent requests. Attackers will often put time pressure on the victim to instil panic and ensure a task is carried out promptly.
  • Remain up to date on the latest phishing trends.

If you would like more information on how Crowe can help your organisation and its employees fight against phishing scams, please contact a member of the Forensic Services team.

Did you know…

According to Google, cybercriminals have been sending over 18 million COVID-19 related emails to Gmail accounts every day since the pandemic began.

Penetration testing: the basics

Cybercrime is rapidly evolving, and businesses need to ensure they keep up with new and emerging threats. Businesses can improve their cybersecurity by performing regular penetration tests to help identify vulnerabilities in their systems. A penetration test, also known as a pen test, is a form of ethical hacking which is performed by an authorised cyber-attacker to evaluate the security of a system. 

Why is penetration testing important? 

Penetration testing is essential for identifying potential or actual vulnerabilities to malicious cyber-attacks launched across a computer network that could threaten the confidentiality, availability and integrity of the information being stored and processed. The results of the assessment help businesses to close the issues in a planned manner and improve the security of their systems. Penetration tests should be performed at least once a year to ensure any new threats that have emerged since the previous test are tackled promptly.

It is recommended that penetration testing is conducted across the entire network. However, if your business is particularly concerned about the security status of certain aspects of the network, such as the internal or external infrastructure, these can be tested independently. An internal penetration test helps identify what an insider attack could achieve, which can be perpetrated by anyone who has access to the inside of your network. 

Perimeter systems 

External penetration testing helps identify vulnerabilities in the internet-facing infrastructure of your business’s network, also known as the perimeter systems. These systems are directly reachable from the Internet, and are often the part of your network that is most regularly attacked by external hackers. In addition to internal and external tests, penetration testing can be performed on web applications to identify security vulnerabilities resulting from the design or coding of your business’s browser-based application.

How can Crowe help?

Crowe offer a range of penetration testing services to help businesses protect themselves against cybercrime. Get in touch with Eoghan Daly, Director of Forensic Services to see how we can help protect your business in 2021.

Introduction to domain spoofing 

According to the FBI, domain spoofing scams have cost over $26 billion (approx. £19 billion) in the last six years. 

What is domain spoofing?

Domain spoofing is when a cybercriminal impersonates a company or one of its employees by creating a website link or email address similar to that of the legitimate company domain. The website or email will be altered slightly by changing only a few characters, so that the link or email will still read and appear to be the same as the original. Visuals and information from company websites are used to ensure the illegitimate domain is convincing. The content of a spoofed website or email, will use company branding and formatting, enticing its victims to follow instructions presented to them.

Email spoofing

Email spoofing deceives the email recipient by posing as a trusted source. Email spoofing is commonly used in phishing and spam campaigns as recipients is unlikely to open emails from unknown senders. 

Website spoofing

Website spoofing is when a fake website is created, impersonating a legitimate website. Website spoofing can be an increasingly sophisticated attack as the spoofed website will capture sensitive information, such as login details or even banking credentials. 

How can Crowe help?

Crowe offer a service that checks whether an organisation’s emails can be spoofed and whether spoofed emails can be received by the organisation. We also offer a service that monitors the web for spoofed websites, and can help to have spoofed websites removed. Contact Eoghan Daly, Director of Forensic Services, for more information or visit our cybercrime services page

Top cyber threats for businesses to look out for in 2021

As we move into 2021 businesses must prepare themselves for the cyber threats that will likely impact them in the coming year. Perhaps unsurprisingly, throughout 2020 there were significant cyber threats that arose as a result of COVID-19, which are likely to continue throughout 2021. From traditional phishing scams that incorporated COVID-19 themes to the steady increase of ransomware attacks, cybercrime is going to be a major threat to businesses this year. 

Increase in frequency and cost of ransomware attacks

Ransomware is a type of malware which encrypts the user’s data and holds it for ransom in exchange for money. Ransomware is a growing area of concern for many businesses, as it can be executed relatively easily and cheaply, while also possessing the potential to cause significant damage to a company’s reputation and finances. A 2020 cyber security report found a global surge in ransomware attacks, with an increase of 50% in the daily average of attacks in Q3 2020. The report also found ransomware attacks in the UK increased by 80% in Q3 compared to Q1 of 2020. 

It is not just the frequency of attacks that has increased, but also the cost of the average pay out for each attack. A security threat report into average ransomware pay outs in 2020 saw a large increase quarter-upon-quarter from Q4 2019 to Q3 in 2020. In Q4 2019, the average ransom pay out in Q3 2019 was $84,116 which increased significantly to $233,817 by Q3 2020, with an increase of 21% in the last quarter. 

The rising trend in frequency of attacks and pay-out costs is likely to continue throughout 2021 due to the ‘small effort big reward’ of conducting ransomware attacks. Our Dark Web report found that various criminal services are available for purchase on the Dark Web for the purpose of attacking businesses, which can include ransomware ‘packs’. In some cases, the cybercriminals even offer customer support on how the victim can pay the hacker to receive their encrypted items back. 

Increase in COVID phishing scams

In April, Google reported that almost a fifth of all phishing emails they blocked every day was related to scam emails that concerned coronavirus. The scams often impersonated authorities, such as the World Health Organisation (WHO), in an attempt to deceive the victim into downloading malware, or inputting their credentials which can be used for criminal purposes. Due to the further disruption that COVID-19 is likely to cause throughout 2021, along with the production of several vaccines, cybercriminals will undoubtedly look to exploit this disruption to commit crime using phishing scams. 

Remote workers will be targeted

A majority of businesses have relied heavily on remote working throughout the pandemic, which is likely to continue particularly through Q1 of 2021. As a consequence, the focus of cybercriminals is likely to shift toward targeting insecure home networks and poorly protected VPN networks. Many individuals who rely upon their home network have never changed their Wi-Fi password, or have created their own passwords, which can be cracked relatively easily by cybercriminals. Some individual’s may also believe that even if their network is compromised, they will be protected by their VPN, however some VPNs are more resilient than others, so it is essential thorough research is conducted into the best service for your business. For example, in July 2019 80% of the top 20 free VPN apps in Apple’s App Store shared user data with third parties, despite Apple’s effort to clamp down on data-sharing apps. 

What can I do to protect myself and my business?

As cybercrime continues to evolve it is essential businesses stay vigilant to the threats. Businesses should provide regular staff training and in particular performing mock phishing tests. It is likely that a majority of the cyber threats next year will be perpetrated through phishing scams, so businesses and employees alike need to ensure they are properly educated and aware of the threats. Business also need to ensure that research has been conducted into their VPN provider to ensure they are adequately protected.

Threat intelligence: Protect your business from emerging threats   

To help protect your business from emerging threats we are offering a weekly threat intelligence report which you can subscribe to on a monthly or annual basis.

The weekly report highlights four areas which may be impacting your business:

  1. physical and business threats
  2. financial crime
  3. cyber threats
  4. technical matters.

Find out more on how our Threat Intelligence service can help you protect your business in 2021.

If you need further information please get in contact with a member of our Forensic Services team.

Want to hear more about the big cyber issues impacting businesses in 2021 and what you can do to protect yourself?

Register now for our free webinar on Wednesday 20 January 2021

Cyber-attacks on large companies are rising

An INTERPOL assessment of the impact of COVID-19 on cybercrime has revealed a significant shift from cyber-attacks on small businesses to major corporations, governments and critical infrastructure. 

High profile cases in 2020

Throughout 2020, there have been several high profile cyber-attacks that have targeted large businesses. In June, car manufacturer Honda suffered a ransomware attack, which affected its operations. The virus spread across multiple plants and various countries, including the UK, North America, Italy, Japan and Turkey. Ransomware is a type of malware that encrypts a user’s data, which results in the cybercriminal requesting a payment from the user to release the data. There have also been other high-profile hacks involving Garmin and Canon, who experienced disruption to their services and theft of data, respectively. Government services are also being targeted, with thousands of Canadian government user accounts hacked as a result of a ‘credential stuffing’ attack in August. ‘Credential stuffing’ is when a criminal uses stolen account credentials to gain unauthorised access to user accounts through large-scale automated login requests. 

Why has the focus changed?

COVID-19 has changed the way many organisations operate, both in the public and private sector. This more remote way of working presents opportunities for cybercriminals to commit crime. For example, as businesses and government bodies have encouraged more remote working, cybercriminals are able to exploit insecure remote networks and systems which have been put in place to support staff working from home. 

This increase in consumer dependence on online services, and the possibility for criminals to commit crime from their own home, has resulted in criminals changing from more ‘traditional’ methods of crime, such as burglary, to cybercrime. Also, the increase in vulnerabilities and the financial reward of targeting larger organisations means there has been a shift in focus from smaller businesses to bigger targets.

Although the primary focus of cybercriminals is currently on major corporations, governments and critical infrastructure, smaller businesses are still vulnerable to many forms of cybercrime and should remain vigilant to cyber-threats. As reported in the Verizon Business 2020 Data Breach Investigations Report, small businesses accounted for almost a third of data breaches in 2020. Despite the current focus on bigger targets, cybercriminals clearly remain a threat to smaller enterprises. 

If you would like information on how to protect your business against cybercrime, please get in contact with a member of the Forensics team. 

The Dark Web: understand the Dark Web, understand the threat

The threat of the Dark Web is real, and it is growing.

A recent study carried out by Dr. Mike McGuire at the University of Surrey revealed that there has been a 20% increase since 2016 in the number of dark net listings that have the potential to directly harm an enterprise, with 4 in 10 dark net vendors selling targeted hacking services aimed at Fortune 500 and FTSE 100 businesses. 

What is it and how does it work?

The Dark Web is a component of the internet that cannot be reached through search engines, as it exists on an overlay of proxy servers. Proxy servers are a gateway between a user and the internet, and act as an intermediary directing online traffic to the requested address. These servers also allow the IP address of a user to remain unidentifiable and untraceable when accessing websites. An IP address is a digital address for your device, however it is subject to change depending on your location. To access the Dark Web, a specific piece of software called Tor is required, which conceals the users IP address and allows access to webpages which cannot be accessed through regular browsers, such as Google Chrome. 

Why is the Dark Web a threat?

The Dark Web has become a marketplace for illegal goods and confidential information. Crowe’s Dark Web: Bad for Business report, in collaboration with the University of Portsmouth, found tools and services designed to defraud or perpetuate cybercrime against 21 of the top 50 UK brands (as identified in the 2017 brand directory league table). The research team found template bank statements, utility bills and passports; bank account numbers and sort codes; advice on phishing and fraud packs containing guidance on how to carry out various forms of fraud. 

The true size of the Dark Web is unknown, but it is thought to form around 5% of the deep web. All content that cannot be found through a search engine is classified as the deep web, which forms part of the World Wide Web. The Dark Web has given way for a plethora of fraud, corruption and cybercrime to occur effecting both organisations and individuals. 

Policing criminal activity on the Dark Web is a particularly difficult challenge as a result of Tor’s complex data encryption, anonymity and hidden services/applications. The Dark Web has become a method favoured by criminals to target organisations, so it is vital that businesses understand the Dark Web, and the threat it poses. 

Crowe offers a low-cost subscription services for organisations interested in monitoring the Dark Web for emerging threats. It can be deployed quickly and provides a regular report of any discussions relevant to the organisation. For more information on how Crowe can help your organisation, please contact Jim Gee.

What is cybercrime?

How big an issue is it?

There is an epidemic of fraud and cybercrime in the UK, growing to represent almost half of all crime in the UK (45%). Cybercriminals target all demographics of individuals and sizes and types of businesses if they can see a weakness which can be exploited.

What constitutes cybercrime?

Cybercrime can be considered an umbrella term for all illegal activity that has used technology to perpetrate a crime. It is transnational, meaning that the borderless realm of the online world can reach and effect all those with an online presence. As technology continues to evolve and adapt, the nature of cybercrime coincides with this notion. Cybercrime continues to rise in scale and complexity affecting essential services, businesses and private individuals alike. 

What are the damages?

Failure to prevent a cyberattack goes beyond physical or digital damage, having the ability to inflict long term repercussions. Businesses in particular can suffer from reputational damage including the loss of customers or clients, loss of sales and a reduction in profits. Subsequently, economic damage is incurred from the attack itself in some instances, the disruption of production lines, and costs that have arisen from the need to resolve and investigate the issue at hand. For example, Honda recently experienced what was believed to be a ransomware attack effecting the company’s ability to access its computer servers and internal systems and hindered its production line in multiple countries.

Prepare for threats

It is essential that businesses ensure that the necessary processes and security measures are in place to protect company and client/customer information, going beyond the companies own measures and assessing any third parties involved in the management and storage of data. If a company is failing to actively take care of sensitive information it may be subject to regulatory sanctions and/or large fines. 

It is essential to remember that no business is exempt from cyber-attacks, and all companies must be prepared for any potential threats. 

Further information on tackling cybercrime can be found here.

Complete our Cybercrime Vulnerability Scorecard for a quick and free assessment of your cyber vulnerabilities.

Threat Intelligence report thumbnail
Our Threat Intelligence reports

Threat Intelligence

Protect your business from emerging threats

In order to help protect your business from threats, Crowe are offering a weekly Threat Intelligence report which can be bought on a monthly or annual basis. 

We are offering affordable subscription prices and are happy to issue you a previous edition of our report as an example of what you would receive when subscribed. 

Due diligence: Background checks in business

Due diligence is the first step in preventing fraud or corruption when entering commercial engagements, such as dealing with third-party suppliers or during a merger and acquisition transaction. A blog from the Foreign Corrupt Practices Act (FCPA) stated that around 90% of all enforcement actions involved third party intermediaries, yet over 50% of procurement professionals stated that they do not believe that their existing suppliers had been vetted properly.

What is due diligence?

Due diligence is part of compliance procedures, used when a business is looking to work with any external company. Due diligence goes beyond a “tick box” method – it consists of data collection and analysis. In any commercial relationship, a detailed due diligence process will avoid unnecessary risks and will provide the grounds to make informed decisions.

This can be done through the following:

  • Assessing an organisations financial position;
  • Background checks on the individual’s involved; and,
  • Identifying cyber risks and vulnerabilities. 

Why is due diligence important?

Regardless of whether you are a large organisation or an individual, it is your company’s responsibility to ensure your company as well as its suppliers follow regulatory requirements, such as the UK Bribery Act. Due diligence is especially important if your company carries out business globally, as some countries will have anti-corruption laws in place but do not have the means to enforce them. Therefore, having a knowledge on what your suppliers (and where possible your suppliers’ suppliers) activity is vital.

Failure to carry out adequate due diligence can impact your business by resulting in:

  • Contracts that are prone to collapse
  • Reduced asset value and returns
  • Negative media attention
  • Financial penalties 
  • Trade restrictions
  • Loss of trust from shareholders

Investing in adequate due diligence prior to third party engagements will prevent more significant losses from occurring in the future. Crowe offer Corporate Intelligence services that carry out financial, integrity and cyber due diligence to overcome the possibility of carrying out business with untrustworthy entities. 

If you would like more information on how Crowe can help your organisation, please contact a member of the Forensic Services team.

Introduction to corruption and bribery

Corruption is a form of dishonest behaviour carried out by an individual in a position of authority that abuses their power for illicit gain. Bribery is one of the most common types of corruption. Bribery is the act of providing someone with money, services or even valuable items in return of a favour. Acts of bribery are typically disguised as donations, inflated prices, expenses, commissions or ‘facilitation’ fees. Bribery is difficult to spot and can often go unobserved by organisations and law enforcement. 

Bribery has a negative impact on the businesses involved and other stakeholders. It can result in individuals involved becoming vulnerable to blackmail and extortion, and also leave an organisation vulnerable to local and international anti-bribery legislation. Bribery often compromises an organisation’s ‘social licence’ to operate, and could even result in an organisation being debarred from operating in sectors and jurisdictions. 

Bribery Act 2010

The UK Bribery Act (2010) has extra-territorial reach, meaning that foreign companies that have a presence in the UK, and UK companies that have a presence overseas can be prosecuted if there is failure to comply with the Act. The Act includes four main offences:

  1. To bribe another person;
  2. To be bribed;
  3. To bribe a foreign public official;
  4. Failure by an organisation to prevent bribery.

The Act introduced corporate liability for bribery. The legislation requires that companies implement adequate controls to prevent persons from participating in acts of bribery. If an employee of a company is found to have given or accepted a bribe, having adequate measures in place can be used as a defence by the business affected. 

What can businesses do?

Recent research found that almost a quarter of UK businesses experienced acts of bribery between 2016 and 2018. In Crowe’s experience, there are several ways an organisation can adopt a proactive approach to tackling bribery and corruption, and emphasis should be placed on risk perception and foreseeability of where and when bribery may arise. Ways to reduce the risk of corruption include, but are not limited to the following:

If you would like more information on how to protect your business from risk of corruption and bribery, please get in contact with a member of our Forensics team.

Case study - Sports sector

Forensic Accounting in Football: The Big Match

Acting on behalf of a sleeping giant of football, we were involved in a litigation case against an established European giant of football.

The case revolved around the footballing giant breaching confidentiality agreements to trigger a release clause to enable the transfer of a key player that belonged to our footballing client. As a result of the player being unavailable to our client for the remainder of their contract, the losses incurred as a consequence, needed to be quantified. The end figure forecasted, known as the quantum, was hotly contested. Before becoming involved, a strike out application had been made as to whether it was actually possible to quantify any loss. A strike out application is used when the applicant wishes to demonstrate that a case does not have reasonable grounds for bringing it in in the first place.

The case went to the Court of Appeal where concern was expressed as to how difficult it was to quantify the claim, but that this should not stop the case proceeding. The concept of a machine that had eleven working parts which were all working well was introduced - if one of those parts was removed, this would likely result in some sort of impact on the performance of that machine which could, theoretically, be measured – it was at this point we were approached when a robust approach was required to support the Club’s position.

The key question was whether the removal of that player had any impact on team performance and, if so, what was the best way of assessing quantum in that respect. We limited our period of review to 12 months. The issues of foreseeability and remoteness were addressed. Foreseeability and remoteness are the reasonable anticipation of the possible results of an action, and the causation of the loss as a result of a breach of contract or duty. These two factors, and the link with the player’s market value at various dates (as provided by another expert) was pivotal to our approach. 

Every area that our client may have incurred losses was categorised. The legal term for categorising the damages incurred is referred to as ‘heads of loss’. The heads of loss we quantified included:

  • Loss of match day attendance (analysis of season ticket sales; match day sales);
  • Loss of add on sales both match day and non-match day;
  • Impact on performance of the Club and potential ‘but for’ financial returns;
  • Consequential impact on revenue streams, notably tv money;
  • Salary/bonus impacts;
  • Mitigation issues, such as other player purchases.

Where relevant, the principles of the “loss of a chance” were used. For example, on the balance of probability, in how many games would the player have been fit to play, or selected, if they had not left. One key aspect of our report was to forensically analyse the season in which the player represented the Club, ahead of their enforced move. It was clear from the players’ appearances, and the team’s results, that there was a correlation between this players contribution and the success of the team, notwithstanding of course the many other factors that contribute towards a team’s performance. 

Ultimately, further to intense discussion in experts’ meetings (following forensic accounting reports disclosed by ourselves and the other side), the case was settled on the steps of the Court and a pleasingly satisfactory financial outcome for our Client.

Case study – Mining and Energy Sector

Procurement fraud in a mine

A major mining company in Africa approached Crowe in May 2018 about a suspected invoice fraud of in excess of US$300,000. Crowe’s investigation identified a corrupt network involving suppliers, procurement and human resources and the recovery of over $1,000,000 from the supplier involved. 

The mine is located in a remote part of Africa so, rather than send a person to site, Crowe used specialised technology to obtain forensic images of several computers and other electronic data. A forensic image is a direct copy of all the files on a storage device, such as a hard drive.  A forensic image will typically include all files saved on a machine, included deleted documents.  The technology used by Crowe significantly reduces the upfront costs of starting an investigation and enables remote and covert data collection. 

Through the analysis of almost a million files and ten interviews with past and current employees, the investigation revealed the fraud was perpetrated by one employee from the mine and several employees from a supplier. The mine was defrauded through the submission and processing of false invoices. Payments for other goods and services were also concealed, for example the costs of hiring a vehicle were concealed within catering recharges to the mine. The procurement processes were easy to exploit, with a reliance on proof of shipping information rather than proof that the goods were received. In some cases the mine was charged for goods that were never delivered or even ordered in the first place. The individuals involved also committed fraud to obtain goods for their own personal use, including vehicles and expensive food and alcohol.  

The investigation also revealed multiple vulnerabilities in the organisation’s procurement processes, and a lack of any verification on the quantity and quality of goods and services provided by suppliers. In addition to rooting out the corrupt network, the investigation findings were used by the mine to renegotiate several supplier contracts and save significant sums of money. 

Before engaging Crowe the mine had conducted its own internal investigation that quickly hit a dead-end. By applying its expertise Crowe quickly and thoroughly established the truth of what happened and help the mine to put things right. 

You should always consult with an expert before you take action. Get in touch with the Forensics team if you require further information or to discuss our services.



 View our services  
Billions lost to fraudsters through the government’s Bounce Back Loan Scheme

The National Audit Office (NAO) has estimated that the UK Government will spend more than £210 billion on its response to the COVID-19 pandemic. This money has rightly been spent on supporting organisations and individuals across the country in this time of unprecedented economic stress and the vast majority of the money has been legitimately applied for and correctly received. 

However, there is always a dishonest minority and on Wednesday 7 October 2020 the NAO published its report, ‘Investigation into the Bounce Back Loan Scheme’, which has taken a closer look at how the Bounce Back Loan Scheme (BBLS) has been distributed.

How it works

The report notes that the HM Treasury, British Business Bank (the Bank) and Department of Business, Energy and Industrial Strategy (BEIS) developed BBLS provides registered and unregistered businesses with loans of up to £50,000 or a maximum of 25% of their annual turnover. This loan should help to maintain their financial health during the pandemic. The scheme launched on Monday 4 May 2020 and will remain open until Monday 30 November 2020, with the government retaining the right to extend the Scheme. 

The loans are provided by commercial lenders (for example, banks, building societies and peer to peer lenders) directly to businesses, who are expected to repay the debt in full. Failure to do so may have a negative impact on their credit score and may affect their ability to borrow in the future. The government provides lenders a 100% guarantee against the loans (both capital and interest). This means if the borrower does not repay the loan, it will step in and repay the lender. HM Treasury data shows that as of Sunday 6 September 2020, the Scheme delivered more than 1.2 million loans to businesses, totalling £36.9 billion. BEIS and the Bank expect BBLS to have lent between £38 billion to £48 billion by Wednesday 4 November 2020, substantially more than it initially expected.

The opportunity for fraud

The government recognises that the decision to provide funds quickly leaves taxpayers exposed to a significant risk of fraud, including fraud caused by self-certification; multiple applications; lack of legitimate business; impersonation; and organised crime. 

BEIS’s 2019-20 annual report and accounts highlights likely total credit and fraud losses of between 35% and 60%, based on historic losses observed in prior programmes which most closely resemble the Scheme. Assuming the Scheme lends £43 billion, this would imply a potential cost to the government and taxpayers of £15 billion to £26 billion – an enormous sum. 

The nature of the losses are likely to be on a spectrum from high volume, low value opportunistic fraud through multiple fraudulent BBLS applications from fake companies through to high value, low volume fraud by organised crime groups. The number of companies registered each week after the government announced the scheme rose by 285% to a record 21,616 by the end of June 2020.

What can be done?

So, what is to be done? For many years, police resources focussed on fraud have diminished and it is now very hard to persuade them to take on a case of fraud. BEIS and the Bank do not have the counter fraud resources to investigate this scale of fraud. Perhaps it is time for private sector forensic and legal specialists to help tackle this threat – and to ensure that there are clear and visible consequences for the dishonest minority. The government did the right thing in supporting UK business – could specialists from UK business now support the government in identifying and investigating the fraudsters and recovering the losses?

 The impact of ‘ghost patients’ on the NHS 

Fraud can take on many shapes and forms with far reaching impact. It costs the NHS £1.29 billion a year (with independent academic estimates actually putting this figure between £3-£5 billion) and is a good example of how it can touch everyone’s life in the UK in one way or another. That’s enough to pay for over 40,000 staff nurses or purchase 5,000 ambulances. Due to the scale and complexity of the NHS it is affected by lots of types of fraud, one of which is the phenomenon of ‘ghost patients’. Ghost patients are people registered with General Practices who do not actually use the practice because they have moved to a different neighbourhood or have died. 

NHS Digital records showed that in 2018 there were 3.6 million more patients registered with the NHS in England than there were people in England, and a 2018 investigation revealed the imbalance was the result of ‘ghost patients’. NHS General Practitioners (GPs) receive £150 a year for each patient registered with their practice, and with an average of 1,700 registered patients each the payment is a significant proportion of a GP’s income. The investigation revealed £550 million was wrongly allocated to GP’s who, either intentionally or mistakenly, kept ghost patients on their books.

Ghost patients, and the additional payments associated with them, could be the result of poor record keeping rather than intentional dishonesty. Irrespective of the cause the result is similar, less funding available for the NHS to spend on the good work to keep the public healthy and save lives.

Any organisation thinking about where it may be losing money to fraud should always consult an expert before taking action. For more information on tackling fraud and to discuss measures to strengthen your organisation’s security, please contact Eoghan Daly

Fraud investigations

A fraud investigation often reveals a lot more than was originally suspected. Where fraud does take place, it is rarely an isolated incident and so an investigation into its full extent is very important. Investigations - using various techniques - can provide the opportunity to determine who is involved and the fraudsters’ modus operandi, and to identify the process and systems weaknesses which may have allowed the fraud to take place. 

A thorough investigation is the only way to resolve a suspicion of fraud. Following the findings of an investigation, a strategy to devise a proactive approach to reduce the nature and extent of fraud can be adopted, resulting in a long term beneficial impact on businesses’ approaches, company cultures and employees’ and suppliers’ outlooks.

How is an investigation carried out?

An investigation can be carried out using a number of different techniques and these are tailored to each specific investigation. Open source information resources are a common tool to gain insight and background knowledge concerning individuals, businesses, associated persons and assets. Additional methods can include examining (with permission) emails and other data, interviewing employees, and analysing relevant documents. When the relevant data has been identified, it can then be prepared for the most appropriate form of analysis in order to draw conclusions. 

Recent COVID-19 lockdown conditions have limited some face to face aspects of fraud investigations. Nevertheless, Crowe has the capacity to undertake remote investigations using its proprietary technology to remotely image computers and interview witnesses and suspects. This is highly effective.

Where do you start?

The first stages of a fraud investigation can be the most important to get right and we recommend to always seek specialist advice if you suspect a fraud to have taken place. We have compiled a list of ‘dos and don’ts’ if you find yourself in this position.  

A thorough investigation is very important. It doesn’t have to be a lengthy process but the thoroughness is crucial. Not to resolve a suspicion of fraud can be very damaging both to the organisation concerned and to those who are suspected. There is no substitute to a professional, legally compliant investigation in order to do this.

What is an ‘Expert Determination’?

One area where we often provide expert support is in the form of Expert Determinations (ED). ED is a procedure which involves a dispute, or difference, between two parties which are submitted to one or more experts who make a determination on the matter presented to it or them. The opinion reached is then binding on the parties, unless they both agree otherwise. 

An ED can be beneficial to the disputing parties as it is less costly than going to Court, a faster process, is usually binding on the parties, and is subject to the opinion of an independent accountant who has no allegiance to either side.

The resulting opinion can take one of two forms – non-speaking or speaking. There are pros and cons associated with each. A non-speaking approach is exactly as it sounds, say a company valuation is being undertaken, the non-speaking opinion will state is that ‘the shares are worth £X’. There are no report details to be challenged and as such it is difficult to challenge the outcome, although one side will invariably be happier with the outcome than the other. 

A speaking valuation is the opposite of a non-speaking valuation and will set out in detail how the value for those shares has been reached in a format more akin to a traditional report disclosed for Court. It has the benefit of covering the issues that may have been in debate between the parties, explaining why the conclusions have been reached. A speaking valuation may also raise matters which the parties wish to challenge that could end up protracting the process (for instance if they think something is factually incorrect). The threshold for challenging a determination on its findings is high, however, as the test is normally whether there has been manifest error. 

We can be instructed either as the expert undertaking the determination or assisting one of the parties in preparing their submissions. If you would like more information on our expert witness service please contact Chris Hine on 0161 214 7567.

What does an expert witness forensic accountant do?

In simple terms, we are the numbers support service to litigious disputes, investigations or advisory work and are frequently instructed to prepare reports for Court on what can be very complex, or hotly disputed, accounting/number issues.  Sometimes our work can be conducted on an urgent basis within a day, but often the work continues over many months, or even years.  Although our clients will always want the best outcome for themselves, our responsibility as an expert witness is to the Court while if we acts as advisors we will present both the strong and weak points of a client’s case, possibly ahead of mediation or consideration of a legal claim.  Our work can take us anywhere within the UK, and across any industry, while we also take on overseas matters due to our well established Crowe Global network of over 750 offices across 130 countries.

Our work is not supported by a portfolio of clients like it might be in audit or tax service line, each year a different set of challenges and scenarios is presented to us as we seek to assist our clients in either their dispute, investigation, or analysis.  While not professing to be the ultimate experts in every field of industry, we need to be sufficiently capable of being able to quickly pick up how various businesses operate, and what are the real issues that will drive the case either at Court, mediation, or in other negotiations.  While we always want to help our clients it is also important that we maintain an independent thought process which sets out the respective merits of a case, both good and bad from our client’s perspective.    

The matters we work on are often diverse and regularly challenging, examples of the range of casework we have been instructed on include:

  • Funding fraud alleged against a middle eastern bank and property developer.
  • Major supermarket contractual disputes with suppliers.
  • Defending an alleged associate of Bernie Madoff.
  • Representing Premier League and Championship clubs in financial matters.
  • Multi-million £/$ claims for wrongful trading.
  • Valuations in partnership and shareholder disputes involving global companies.
  • Reviewing the work of other accountants in professional negligence claims.

If you would like more information on our expert witness service please contact Chris Hine.


Fraud and cybercrime
Focusing broadly on the significant fraud and cybercrime threats facing businesses today. Also discussing the measures that you can take to protect yourself and begin to fight back in 2021.
An introduction to cyber security
Covering the fundamentals of cyber security, including commonly used terms and
Diagnosing the organisa-tion’s vulnerabilities
Covering the steps you can take to diagnose its cyber vulnerabilities, addressing the identification, assessment and understanding of cyber security risks.
Strengthening resilience
Ensuring adequate cyber security requires core issues are actively managed. This sessions will describe what the core issues are and explain why they matter.
Incident response
It is not a question of if there will be a cyber incident, it is a question of when it will happen. We will cover how an organisation should prepare for an incident.
Fraud and international trade
In the current climate, fraud has become more prevalent within international trade, in this webinar Jim Gee, Partner, Head of Forensics and Counter Fraud looks at how to minimise the risk.
Cybercrime: effective protection for SMEs
Covering the best approach for managing your cybercrime protection and the five important stages to consider - Prevent, Protect, Defend, React, Recover.
COVID-19 and fraud 
What you need to do NOW, and in the current situation where face-to-face contact is difficult, and in what capacity,  Crowe can undertake investigations remotely.
COVID-19 and cybercrime
Addressing some immediate areas to think about and focus on e.g. what to look out for in the current pandemic, how to protect yourselves and your employees.
Cybercrime: fix the most common vulnerabilities
Looking at the cybercrime risks facing listed businesses and preventative measures you can put in place.
Fraud and cybercrime
Focusing broadly on the significant fraud and cybercrime threats facing businesses today. Also discussing the measures that you can take to protect yourself and begin to fight back in 2021.
An introduction to cyber security
Covering the fundamentals of cyber security, including commonly used terms and
Diagnosing the organisa-tion’s vulnerabilities
Covering the steps you can take to diagnose its cyber vulnerabilities, addressing the identification, assessment and understanding of cyber security risks.
Strengthening resilience
Ensuring adequate cyber security requires core issues are actively managed. This sessions will describe what the core issues are and explain why they matter.
Incident response
It is not a question of if there will be a cyber incident, it is a question of when it will happen. We will cover how an organisation should prepare for an incident.
Fraud and international trade
In the current climate, fraud has become more prevalent within international trade, in this webinar Jim Gee, Partner, Head of Forensics and Counter Fraud looks at how to minimise the risk.
Cybercrime: effective protection for SMEs
Covering the best approach for managing your cybercrime protection and the five important stages to consider - Prevent, Protect, Defend, React, Recover.
COVID-19 and fraud 
What you need to do NOW, and in the current situation where face-to-face contact is difficult, and in what capacity,  Crowe can undertake investigations remotely.
COVID-19 and cybercrime
Addressing some immediate areas to think about and focus on e.g. what to look out for in the current pandemic, how to protect yourselves and your employees.
Cybercrime: fix the most common vulnerabilities
Looking at the cybercrime risks facing listed businesses and preventative measures you can put in place.

Contact us

Jim Gee
Jim Gee
Partner, National Head of Forensic Services