Skip to Content

Help Wanted

Articles Grant Wahlstrom, CIA, CPA, CFE Feb 06, 2023

Amara Nickels was a rising star in the customer care department of Orion Wireless. The company sells nationwide wireless service to residential and small business customers through long-term contracts. She had recently been promoted to manage a team of customer service phone representatives. 

Orion prides itself on its customer service and strives to connect a customer to a live representative in less than a minute. For that reason, customer care employees have wide-ranging access to customer data, including the ability to change customers’ information. In addition, representatives can initiate the process of issuing customer refunds and can change contact numbers and home addresses.

That ability to alter data was a concern for Margaret Rach, the director of internal audit. Rach had been tasked with implementing a proactive fraud data analytics program to detect fraud, waste, and abuse. Lately, she had noticed that Orion was issuing an increasing number of customer refunds.

Following up on this observation, Rach developed a data analytics routine to look at customer refunds. One of the tests she ran tracked the volume and amount of refunds sent to a single customer address. The results surprised her — a single customer had received 10 refunds totaling $120,000.

Rach asked David Ferry, director of finance, for help determining why one customer would be issued multiple large refunds. After reviewing the customer account in question, they noticed the billing address was a post office box number. Even more confusing, 10 separate customers were using the same P.O. box number as their billing address.

A review of the customer accounts sharing the same P.O. box number revealed that all of the customers had recently discontinued their service and requested a refund for any overpayments they had made. In each case, the data showed that the customer had requested an address change for receiving the refund check.

Suspicious that a customer care representative may have been giving excessive refunds to friends or family members, Rach examined which representatives had changed the billing addresses on the customers’ accounts and had initiated the refund process. She soon discovered that Nickels had changed all 10 of the customer accounts.

The refund amounts were significant. The monthly fee for a family wireless plan was $100, and refunds of tens of thousands of dollars would represent the entire term of the customer’s history with the company.

A review of the customer accounts revealed that representatives could issue a refund from the day the customer contract was active. For example, if a customer had a monthly wireless plan for $100 a month and had been a customer for 10 years the customer would have paid Orion $12,000. The control gap allowed a customer care representative to initiate a refund for all $12,000 of payments made to Orion Wireless.

Orion pays most employees via direct deposit to a bank account. When Rach inspected canceled refund checks, she discovered that someone had signed the customers’ names to the checks and deposited them into the same bank account.

She compared the P.O. box number used for all 10 customer accounts to Orion’s payroll database to determine if any employee shared the bank account number that the refund checks were deposited into. She discovered that Nickels’ direct deposits were sent to the same bank account.

Rach took her concern to Stephan Werth, director of corporate security. When Werth ran a criminal background check on Nickels, it revealed that she had an extensive criminal history, including identity theft.

Rach and Werth knew they needed to speak with Nickels. During their interview, Nickels admitted to changing the billing addresses on customer accounts and issuing refunds to those customers. Nickels said she would issue the refund starting from the day after the contract was signed, effectively refunding the customer’s entire payment history.

Now that Rach knew how Nickels had committed the fraud, she wanted to know why a background check had not detected Nickels’ criminal past before she was hired. She decided to talk with Harry Reuss, vice president of human resources. Reuss told her that because the company was growing fast and the labor market was so tight, it had to streamline the onboarding process and stop background checks on prospective employees.

Following their discussion, Reuss agreed to run criminal background checks on all current Orion employees, and the results were disturbing. One extreme example was an employee who the company thought was out on medical leave, but was actually serving a short prison sentence. As a result of the investigation and subsequent criminal background checks, Reuss reinstated criminal background checks on all prospective employees before they were offered a position with Orion.

The Nickels investigation also led to changes to the refund process. Orion established controls that limited the refund amount a representative could initiate to $150. Any refund that exceeded $150 would need to be reviewed and approved by a member of the finance team. Moreover, the finance department adopted Rach’s data analytics routines to search for potential fraud, waste, and abuse.

Orion fired Nickels and reported the incident to law enforcement, sharing all its supporting documentation as evidence. She faces charges that may result in up to 10 years in prison.

Lessons Learned

Organizations should run criminal background checks on all potential employees before they offer candidates a position. They should also periodically conduct background checks on all existing employees — including senior leaders.

Organizations should institute appropriate separation of duties. In this case, the employee’s ability to initiate a refund without review facilitated the fraud scheme.

All organizations should implement proactive fraud data analytics to detect and prevent occupational fraud, waste, and abuse.

Exception reports should be created and reviewed periodically to identify unusual patterns. For refunds, an exception report identifying who was requesting refunds exceeding a certain dollar threshold or where the refunds were being sent should have identified the Nickels scheme in its infancy.

Refunds should only be issuable to the original method of payment. For example, if the customer is making payments via credit card, the refund should be returned to the credit card. This practice deters money laundering schemes.

Grant Wahlstrom, CIA, CPA, CFE

Grant Wahlstrom is the senior manager of fraud, forensics, and investigations at ADT in Boca Raton, Fla.