Ask a leader how they'd stop fraud and most reach for the wrong picture: a hooded stranger, a clever hack, something happening to other companies. The uncomfortable truth from decades of casework is that the typical fraudster is a trusted insider, and the typical fraud is dull: a duplicated invoice, a refund that loops back to a personal account, a vendor who doesn't exist. Prevention isn't about outsmarting genius. It's about removing the quiet opportunities that ordinary people, under the right pressure, talk themselves into taking.
The quick version
- Fraud is using deception for unfair gain; abuse is bending a legitimate system past its intent: gaming a refund policy, a promo code, a free trial. They overlap, and you defend against both the same way, by designing the gap out.
- Fraud needs three things at once: pressure, opportunity and rationalisation (the "fraud triangle"). You can rarely change someone's pressure or their excuses, but you control the opportunity.
- The cost is real but easy to underestimate: the ACFE estimates organisations lose around 5% of revenue to occupational fraud each year, and schemes typically run for a long time before anyone notices.
- Most fraud is caught by a tip, not by an auditor, so a working way for people to report concerns is one of your highest-return controls.
The idea in depth: why ordinary people commit fraud
The most durable explanation of fraud is also one of the oldest. In 1953 the criminologist Donald Cressey, having interviewed around 130 convicted embezzlers (he called them "trust violators"), published Other People's Money, and from it came what we now call the fraud triangle. Three conditions, he argued, have to be present together: a non-shareable financial pressure (debt, a habit, a target they can't hit honestly); a perceived opportunity to act and not get caught; and a rationalisation that squares the act with the person's self-image ("I'm only borrowing it," "they underpay me anyway"). Remove any one leg and, in Cressey's account, the fraud doesn't happen (see this summary from the Association of Certified Fraud Examiners).
Diagram (the fraud triangle): three nodes, Pressure ("debt, addiction, an impossible target"), Opportunity ("a gap, weak controls, no one watching") and Rationalisation ("'just borrowing it', 'they owe me'"), each point at Fraud ("occurs only when all three meet"). The Opportunity arrow is labelled "the leg YOU control".
That last point is the whole game for a leader. You can't audit someone's mortgage stress, and you can't argue them out of their excuses. But you own the opportunity. So the move is to treat every control question as "where could a trusted person act alone and unobserved?" Segregate duties so the person who approves a payment isn't the person who sets up the payee. Require a second signature above a threshold. Force vendor-bank-detail changes through a verification step (a call-back to a number already on file, not one taken from the change request). None of this assumes your people are dishonest; it assumes that if you leave a door open long enough, someone under enough pressure will eventually walk through it.
An honest limitation. The fraud triangle is a lens, not a law. It was built from interviews with people already caught and convicted, which is a skewed sample, and later scholars have proposed extensions, adding capability (the "fraud diamond") or splitting out arrogance and competence (the "fraud pentagon"). It also explains opportunistic insider fraud far better than organised external fraud rings or pure system abuse, where there's no rationalising conscience to engage at all. Use it to find your open doors; don't mistake it for a complete theory of every bad actor.
What it costs, and why you find out so late
Fraud's worst trick is being invisible until it's expensive. The Association of Certified Fraud Examiners' 2024 Report to the Nations, built from 1,921 real cases across 138 countries, with losses over US$3.1 billion, estimates the typical organisation loses around 5% of revenue to occupational fraud every year, at a median US$145,000 per case. The ACFE calls 5% a conservative figure, precisely because so much fraud is never detected or counted. Treat the exact percentage as a direction of travel, not a forecast, but let the order of magnitude sharpen how seriously you fund prevention.
The detection numbers are where the strategy hides. In the same study, the single most common way fraud comes to light is a tip, about 43% of cases, far more than internal audit, management review, or external audit. And employees are the largest source of those tips, roughly half of them. So the move is deceptively cheap: give people a real, ideally anonymous, channel to raise a concern, tell them it exists, and make sure raising one is safe. A reporting hotline is not a compliance ornament; on the evidence it is your highest-yield detective control. The organisations that catch fraud early are usually the ones whose staff felt able to speak.
Fraud is caught more often by a colleague who says something than by an auditor who finds something.
Prevention vs detection: build both walls
Good fraud control isn't one wall, it's two, and they do different jobs. The COSO Fraud Risk Management Guide, the framework most internal-audit functions anchor to, splits controls into preventive (designed to stop fraud happening: segregation of duties, approval limits, access restrictions, vendor verification) and detective (designed to surface it fast when prevention fails: reconciliations, exception reports, data-analytics monitoring, the tip line). Crucially, the guide frames all of this as serving deterrence: the goal isn't only to block and catch, it's to make would-be fraudsters believe they'll be caught, which shrinks the perceived opportunity before anyone acts.
Diagram (the fraud risk management loop): Assess ("where could fraud happen here?") leads to Prevent ("segregation of duties, approval limits, access"), which leads to Detect ("reconciliations, exception reports, the tip line"), which leads to Respond ("investigate, recover, fix the gap"); Respond feeds back into Assess.
So the move is to stop spending only on the wall you can see. Many teams pour effort into prevention (more approvals, more sign-offs) and almost nothing into detection, then discover a three-year scheme by accident. Balance the two: a handful of automated exception reports (duplicate invoice numbers, payments just under a threshold, refunds to the same bank account, round-number expenses) quietly catches what prevention missed. And prevention has a cost in friction; piling on controls slows honest work, so target them where the money and the opportunity concentrate, not uniformly. This is the same continuous-improvement instinct that runs through Lean and Kaizen: find the defect, fix the process, watch for the next.
A worked example
Take a mid-sized services firm, call it Brightwell, with a small finance team. (Illustrative figures throughout; this is a teaching example, not a real case.) One accounts-payable clerk, trusted for years, both adds new vendors to the system and approves their first payment. That's the open door: one person, two duties, no second pair of eyes. Under genuine personal pressure, they create a plausible-looking supplier, "Brightwell Facilities Services", and start paying it modest, below-threshold invoices, say an illustrative £4,000 a month. Each one is small enough to avoid the second signature that kicks in at £5,000. Nobody is watching that exact gap.
Run it through the triangle. The pressure is private and unknowable to the firm; the rationalisation is the usual ("the company can afford it, I'll put it back"). But the opportunity, one person controlling both vendor setup and approval, against a fixed, learnable threshold, is entirely Brightwell's to close. The scheme runs eighteen months, an illustrative £72,000, before a new finance lead runs a simple exception report and spots a vendor whose bank details match an employee's, paid only ever just under the limit.
Diagram (Brightwell, two paths): "One clerk: sets up vendors AND approves payments" leads to the question "Is there a second control?". The "No, one door, one person" branch leads to "Fake vendor, payments kept just under £5k limit", then "~£72k over 18 months before anyone notices". The "Yes, duties split + exception report" branch leads to "Setup needs a different approver; under-threshold pattern flags fast", then "Opportunity removed; scheme never starts".
The fix costs almost nothing and isn't an accusation. Split vendor setup from payment approval so no single person owns both. Add one detective control, an automated flag for payments clustering just under a threshold, and a periodic match of vendor bank details against employee records. Note what it took: Brightwell didn't need to read anyone's mind or tighten the screws on the whole team. It closed one door and lit one tripwire. That is what fraud prevention actually looks like on a normal week.
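The exception reports described above (duplicate invoice numbers, payments clustering just under the approval threshold, vendor bank details matching an employee's, one person both creating a vendor and approving its payments) are simple enough to write in a few dozen lines. The following is an added illustration, not Brightwell's system or any real AP tool: the ledger, the account numbers, the user names and the policy numbers (a £5,000 second-signature threshold, "just under" meaning within 20% below it, at least three such payments) are all constructed assumptions.

```python
"""Accounts-payable exception reports: an added, self-contained illustration."""
from collections import Counter
from dataclasses import dataclass

# Assumed policy (hypothetical, mirroring the Brightwell story): a second
# signature is required at or above APPROVAL_THRESHOLD; "just under" means
# within NEAR_BAND below it; a vendor is flagged after MIN_NEAR_HITS such payments.
APPROVAL_THRESHOLD = 5000.0
NEAR_BAND = 0.20
MIN_NEAR_HITS = 3


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str   # sort code + account number, as typed into the system
    created_by: str     # user who set the vendor up


@dataclass(frozen=True)
class Employee:
    user_id: str
    bank_account: str   # payroll bank details


@dataclass(frozen=True)
class Payment:
    invoice_no: str
    vendor_id: str
    amount: float
    approved_by: str


def normalise_account(raw: str) -> str:
    """Keep only digits so '40-12-34 00112233' and '401234 00112233' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def duplicate_invoices(payments):
    """Same invoice number paid more than once to the same vendor (double-pay)."""
    counts = Counter((p.vendor_id, p.invoice_no) for p in payments)
    return {key: n for key, n in counts.items() if n > 1}


def near_threshold_vendors(payments, threshold=APPROVAL_THRESHOLD,
                           band=NEAR_BAND, min_hits=MIN_NEAR_HITS):
    """Vendors whose payments cluster in [threshold*(1-band), threshold).

    A vendor is flagged when it has at least min_hits such payments and they
    make up 75% or more of everything paid to it: the shape of a scheme built
    to dodge the second signature.
    """
    low = threshold * (1 - band)
    hits, totals = Counter(), Counter()
    for p in payments:
        totals[p.vendor_id] += 1
        if low <= p.amount < threshold:
            hits[p.vendor_id] += 1
    return {v: n for v, n in hits.items()
            if n >= min_hits and n / totals[v] >= 0.75}


def vendor_bank_matches_employee(vendors, employees):
    """Vendors paid into a bank account that also appears on payroll."""
    by_account = {normalise_account(e.bank_account): e.user_id for e in employees}
    return [(v.vendor_id, by_account[normalise_account(v.bank_account)])
            for v in vendors if normalise_account(v.bank_account) in by_account]


def segregation_breaches(vendors, payments):
    """Vendors where the user who created them also approved one of their payments."""
    creator = {v.vendor_id: v.created_by for v in vendors}
    return sorted({p.vendor_id for p in payments
                   if creator.get(p.vendor_id) == p.approved_by})


def run_reports(vendors, employees, payments):
    """Run every exception report and return the findings keyed by report name."""
    return {
        "duplicate_invoices": duplicate_invoices(payments),
        "near_threshold_vendors": near_threshold_vendors(payments),
        "vendor_bank_matches_employee": vendor_bank_matches_employee(vendors, employees),
        "segregation_breaches": segregation_breaches(vendors, payments),
    }


# Constructed sample ledger (not real data). V001 is the Brightwell-style fake
# vendor: set up and approved by the same clerk, paid into the clerk's own account.
VENDORS = [
    Vendor("V001", "Brightwell Facilities Services", "40-12-34 00112233", "a.clerk"),
    Vendor("V002", "Acme Office Supplies", "20-00-00 55667788", "a.clerk"),
]
EMPLOYEES = [
    Employee("a.clerk", "401234 00112233"),
    Employee("f.lead", "11-22-33 99887766"),
]
PAYMENTS = [
    Payment("BFS-0001", "V001", 4000.0, "a.clerk"),
    Payment("BFS-0002", "V001", 4000.0, "a.clerk"),
    Payment("BFS-0003", "V001", 4200.0, "a.clerk"),
    Payment("BFS-0004", "V001", 4000.0, "a.clerk"),
    Payment("ACM-1001", "V002", 1250.0, "f.lead"),
    Payment("ACM-1001", "V002", 1250.0, "f.lead"),   # paid twice
    Payment("ACM-1002", "V002", 3000.0, "f.lead"),
    Payment("ACM-1003", "V002", 7200.0, "f.lead"),   # above threshold, dual-signed
]

if __name__ == "__main__":
    for name, result in run_reports(VENDORS, EMPLOYEES, PAYMENTS).items():
        print(f"{name}: {result}")
```

On the sample ledger the reports flag V001 three times over (near-threshold clustering, bank account shared with a.clerk, and a.clerk both creating and approving) and catch the double-paid ACM-1001 for V002; V002's 7,200 payment, above the threshold and approved by someone else, is left alone. The 75% ratio and the band are the knobs to tune against your own ledger: too tight and a patient fraudster sits just outside it, too loose and the report drowns in honest suppliers who simply invoice in round, mid-sized amounts.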
Frequently asked questions
What's the difference between fraud and abuse?
Fraud uses deception to take something you're not entitled to, a fake invoice, a forged signature, an identity that isn't yours. Abuse bends a legitimate system past its intended use without necessarily lying: serial-returning worn clothes, stacking promo codes, spinning up endless free trials, exploiting a generous refund policy. The line blurs, and it matters less than it seems, because the defence is the same, design the rule or control so the gap isn't there to exploit.
We trust our people. Doesn't all this control imply we don't?
It's the opposite. Controls protect honest people as much as they deter dishonest ones: a clerk who can't single-handedly move money also can't be wrongly suspected when money goes missing. The fraud triangle's lesson is that opportunity, not character, is the variable you can manage. Framing controls as "this protects all of us, including you" is both true and far easier to sustain than a culture of suspicion.
What single control gives the best return?
For most organisations, a working, trusted reporting channel. On the ACFE's evidence, tips catch more fraud than every audit and review method, and they come mostly from employees. It costs little, it surfaces schemes years earlier than they'd otherwise emerge, and it doubles as a deterrent, people behave differently when they know a colleague might quietly report what they see.
Is fraud prevention mostly a technology problem now?
Technology helps enormously with detection: anomaly detection, transaction monitoring and identity verification all scale in ways humans can't. But the highest-frequency insider frauds are defeated by process design (segregation of duties, approval limits) and culture (a safe way to speak up), not by buying a tool. Treat technology as a force-multiplier on a sound control design, not a substitute for one. This is also where it meets threat modelling: ask who would attack you, how, and where it would hurt.
How is this regulated, do I need legal advice?
Often, yes. Anti-fraud overlaps with anti-money-laundering, bribery, sanctions, whistleblower-protection and data-protection law, and the specifics vary sharply by country and sector. This explainer covers the general principles of why fraud happens and what reduces it; for what you're legally required to do, reporting obligations, hotline rules, evidence handling in an investigation, check your jurisdiction and take qualified legal advice.
Related in the Toolkit
Fraud prevention is one face of a wider security discipline: you can't close the right doors without first asking who would attack you and how (security fundamentals & threat modelling), and most insider opportunity lives in who can do what (identity & access management).
- Security fundamentals & threat modelling, the structured way to find where an attacker, inside or out, would actually come at you.
- Identity & access management, segregation of duties and least privilege are where most insider opportunity is closed off.
- Data privacy & PII handling (GDPR and equivalents), fraud investigations touch personal data, so handling it lawfully is part of the job.
- Data retention, residency & sovereignty, you can only investigate what you've kept, and only keep what the rules allow.
- Product & data risk, abuse vectors (promo, refund, trial gaming) are product-design risks, caught best at design time.
- Financial statements (P&L, balance sheet, cash flow), fraud distorts the numbers, and reconciliations are where many schemes finally surface.
- Lean, Six Sigma, Kaizen & continuous improvement, the find-the-defect, fix-the-process loop that fraud risk management borrows.
- Hosting & cloud architecture, where your transaction logs and monitoring actually live and how trustworthy they are.
Where to go next
- Occupational Fraud 2024: A Report to the Nations, ACFE, the definitive global data on how fraud happens, who commits it, how it's caught and what it costs; read the detection-method section first.
- Fraud Risk Management Guide (2nd ed.), COSO & ACFE, the practical framework for building preventive and detective controls and a fraud-risk assessment; the standard most audit teams use.
- Other People's Money, Donald Cressey (1953), the original study behind the fraud triangle; worth knowing the source rather than the second-hand version.
- "Catch Me If You Can", Frank Abagnale, Talks at Google (YouTube), the reformed con-man turned FBI adviser on how fraud and identity theft really work, and how unglamorous most of it is.