Fraud rarely succeeds because criminals are exceptionally clever; it succeeds because organizations leave the door open. Milwaukee’s near-loss of $460,000 to vendor impersonation fraud revealed critical gaps: no secondary verification of bank account changes, missed red flags like an unusual email domain and reliance on easily forged documentation. Sikich’s Melanie Mui examines how the incident underscores broader truths about internal controls.
The city of Milwaukee was recently affected by an attempted fraud that nearly cost $460,000. Posing as a trusted construction vendor, fraudsters deceived the comptroller’s office staff into altering bank account information, diverting a large payment to a fraudulent account. The scheme was convincing, complete with a forged bank letter to support the request.
Fortunately, through swift intervention, cooperation with law enforcement and some measure of luck, the city was able to recover the funds. Many other organizations targeted by similar schemes are not as lucky, often discovering the loss only after the money is gone. This case underscores the vulnerabilities created by weak internal controls.
On the surface, this may look like a complex hacking attack on the city’s systems. However, the bad actors exploited a much simpler vulnerability: the belief that the current process was working.
Where systems and safeguards fell short
Fraud rarely succeeds because criminals are exceptionally clever; it succeeds because organizations leave the door open. This incident revealed several gaps in the city’s safeguards that, taken together, created an opportunity for fraud to slip through. Here are the key breakdowns:
- Reliance on forged documents: The comptroller’s office relied on a bank letter to validate account changes, but the fraudsters successfully forged the document. Without secondary verification, the fraudulent request was processed.
- Lack of secondary verification: A secondary verification step was missing. A quick phone call to a verified vendor contact or a check against previously confirmed account details could have prevented the fraud. Instead, the process relied solely on trust in submitted documents without independent confirmation.
- Missed red flags: The email was sent from an unusual domain (.us instead of .com), which was a small but telling red flag. Organizations often miss critical red flags like this one when internal controls are not rigorously designed or consistently enforced.
- Weak internal control environment: The incident illustrates a broader issue where frauds continue to succeed due to weak internal control environments. Effective internal controls need to be validated, tested and regularly reviewed to ensure they are operating as intended.
Following the incident, the comptroller’s office implemented stronger measures, such as verifying old account information and requiring live conversations with vendors before any payment changes. However, these are reactive measures to a fraud that already occurred. Stronger proactive measures should have been in place before the money was at risk.
Criminals will always be inventing new ways to perpetrate fraud. Management must recognize that fraud is a constant threat and that trust in current processes and employees is not a risk management strategy. Organizations must take a proactive approach to fraud prevention by designing, testing and strengthening internal controls. Measures like segregation of duties, dual approvals and employee training help reduce both the likelihood and impact of fraud.
The importance of internal controls
Internal controls are critical because they help organizations safeguard assets by preventing theft, fraud and misuse of resources, while also ensuring the accuracy and reliability of financial reporting to maintain compliance with accounting standards. They promote operational efficiency by streamlining processes and eliminating redundancies, and they support compliance with laws, regulations and internal policies.
Strong controls also enhance risk management by identifying, monitoring and mitigating financial, operational and compliance risks. In addition, they foster accountability through segregation of duties and clearly defined responsibilities. Ultimately, effective internal controls build stakeholder confidence by demonstrating sound governance, transparency and a commitment to protecting organizational integrity.
But what do these controls actually look like in practice? Some of the most common and effective examples include:
- Segregation of duties: No single employee should have control over conflicting tasks in a financial transaction. For example, the person who approves a vendor payment should not also be the one who sets up that vendor in the system. This separation of responsibilities makes it far harder for fraud to occur undetected, as it requires collusion rather than a single bad actor.
- Dual authorization for payments: Requiring two approvals for large or unusual transactions adds a simple but powerful layer of oversight. If Milwaukee had required dual approval for vendor bank account changes, it’s likely someone would have questioned the forged bank letter or noticed the suspicious email domain.
- Vendor verification procedures: When a supplier requests a change in banking information, organizations should independently verify the request, often through a phone call to a known contact using previously established information. This step, which Milwaukee has since added, is one of the most effective defenses against payment fraud.
- Reconciliation and review: Regularly reconciling bank accounts and comparing them against the general ledger helps ensure that all transactions are legitimate and accurately recorded. Timely reconciliations can uncover fraud, errors or misappropriations before they grow into significant losses.
- Access controls: Only those who need access to financial systems or sensitive data should have it, and that access should be reviewed regularly. Limiting access not only prevents unauthorized transactions but also reduces the risk of mistakes by individuals who lack proper training or oversight.
- Training and awareness: Controls are only effective if people know how to follow them. Regular staff training on spotting red flags, such as unusual email addresses, urgent payment requests or vague documentation, equips employees to act as the first line of defense. In many fraud cases, it’s frontline staff who notice something is off.
- Continuous monitoring and testing: Finally, internal controls should not be set-and-forget. Organizations should test that their controls are actually working. This can include internal audits, data analytics to flag anomalies or fraud drills to ensure processes hold up under pressure. Without validation, even the best-designed control can give leaders a false sense of security.
Together, these measures form a safety net that helps organizations protect themselves from fraud and error. They also send a powerful message to employees, stakeholders, and the public: This organization takes its responsibility to safeguard resources seriously.
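Several of these controls can be enforced as a gate in the accounts-payable workflow instead of being left to individual judgment. The sketch below is an added example, not part of the original article or any system the city uses; the record fields, function name and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class VendorRecord:              # details already on file (hypothetical schema)
    email_domain: str
    phone_on_file: str
    bank_account: str

@dataclass
class ChangeRequest:             # incoming bank-change request (hypothetical schema)
    sender_email: str
    stated_old_account: str      # account the requester says is currently on file
    new_account: str
    entered_by: str
    callback_number: Optional[str] = None   # number staff actually dialed, if any
    approvers: List[str] = field(default_factory=list)

def review_change(vendor: VendorRecord, req: ChangeRequest) -> List[str]:
    """Return control failures; an empty list means the change may proceed."""
    findings = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain.lower():
        findings.append(f"sender domain {domain} is not the domain on file")
    if req.stated_old_account != vendor.bank_account:
        findings.append("old account information not confirmed")
    # The callback must go to the number on file, never one supplied in the request.
    if req.callback_number != vendor.phone_on_file:
        findings.append("no live callback to the contact on file")
    # Dual approval plus segregation of duties: the person who keyed the change
    # does not count as an approver.
    if len(set(req.approvers) - {req.entered_by}) < 2:
        findings.append("fewer than two independent approvers")
    return findings

# Constructed sample data: a hypothetical vendor and two requests.
VENDOR = VendorRecord("northshore-paving.com", "+1-555-0100", "ACCT-1111")
SPOOFED = ChangeRequest("billing@northshore-paving.us", "", "ACCT-9999",
                        entered_by="clerk_a", approvers=["clerk_a"])
VERIFIED = ChangeRequest("billing@northshore-paving.com", "ACCT-1111", "ACCT-2222",
                         entered_by="clerk_a", callback_number="+1-555-0100",
                         approvers=["supervisor_b", "controller_c"])

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED), ("verified", VERIFIED)):
        print(label, review_change(VENDOR, req) or "OK to apply")
```

A forged bank letter has no effect on any of these checks, because none of them relies on material supplied with the request.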
The Milwaukee case is a reminder that fraud is not just a theoretical risk; it is happening every day. Milwaukee was fortunate to recover its funds; many others are not. This case is a vivid reminder that internal controls are not just an accounting requirement; they are a strategic investment in protecting assets, building trust and ensuring long-term stability.


Melanie Mui, CIA, CFE, is director of internal audit services at Sikich, a global company specializing in technology-enabled professional services. With more than 1,900 employees, Sikich draws on a diverse portfolio of technology solutions to deliver transformative digital strategies and ranks as one of the largest CPA firms in the US. 







