The transcript of part one of Frank Abagnale on the Scaling New Heights podcast is included below. You can listen to the podcast by clicking HERE.
You will find the entire library of podcasts by clicking HERE
Thank you for tuning into this episode of the Scaling New Heights Podcast. During today's
episode, we will talk with Frank Abagnale.
Frank Abagnale is one of the world's most respected authorities on forgery, embezzlement, and secure documents. For over forty years, he has worked with, advised, and consulted with hundreds of financial institutions, corporations, and government agencies around the world. But you may know him best by the way he was portrayed by Leonardo DiCaprio in the very popular Steven Spielberg movie “Catch Me If You Can”. A Broadway musical of the same title was also created in April 2011. It opened on Broadway and won a Tony Award.
Apprehended by the French police when he was twenty-one years old, he served time in the French, Swedish, and U.S. prison systems. After five years, he was released on the condition that he would help the federal government without remuneration by teaching and assisting federal law enforcement agencies. Mr. Abagnale has now been associated with the FBI for over four decades. More than 14,000 financial institutions, corporations, and law enforcement agencies use his fraud prevention programs.
In 1998, he was selected as a distinguished member of “Pinnacle 400” by CNN Financial News - that is a select group of 400 people chosen on the basis of great accomplishment and success in their fields. In 2004, Mr. Abagnale was selected as the spokesperson for the National Association of Insurance Commissioners and the National Cybersecurity Alliance. He has also written numerous articles and books, including The Art of the Steal, Real U Guide to Identity Theft, and Stealing Your Life.
In 2014, Mr. Abagnale presented our opening keynote address at Scaling New Heights detailing out his life story in a way that brought many of our attendees to tears. Mr. Abagnale then taught a breakout session on small business fraud and embezzlement. In 2015, Frank returned to the main stage of Scaling New Heights for a conversation with me that updated our audience on small business fraud and embezzlement and then taught yet another breakout session on the topic.
Today we're going to talk about that same topic, because the landscape is ever changing and the people who want to commit this type of crime are creative in their methods. So, let's get right to the conversation with Frank.
Joe: Frank, welcome to the podcast!
Frank: Thank you. Glad to be back.
Joe: We have a lot to talk about here and I know you've got a lot to tell our listening audience. So I'm going to get right into the questions. I'm going to hit one that I know is on everybody's minds lately - it's the breaches we've been hearing about on national news that are affecting just thousands and thousands if not millions of consumers. Can you bring us up to date on those breaches and can you give us some of your insights on what's happening and the impact on us as credit card holders?
Frank: Yes. And I have to say this without exaggeration. Every single day there’s another breach. Every day we pick up the newspaper and there's a breach - whether it be a retailer, an insurance company, a law firm, an accounting firm, a doctor's office, a medical hospital. There's another breach.
The first point I always like to make is that every breach occurs because somebody in that company did something they weren’t supposed to do or failed to do something they were supposed to do. We look at all of these breaches whether it be, for example, where I live in South Carolina where someone hacked into the tax revenue office and stole 3.8 million tax returns of the citizens of South Carolina, including myself. That turned out to be an employee who took a laptop home that they shouldn’t have taken home, went online, and the hacker was able to get into the tax revenue office. All of these occur because someone is doing something they're not supposed to do. To bring this point home, every year there is Cyber Awareness Month and that’s usually the month of November.
I go out and speak to Fortune 100 companies and I go out and talk about the importance of keeping the information entrusted with them safe. One of the things I do is when I arrive at the company, I do not park in the visitor parking lot. I park in the employee parking lot and when I get out of the car, I empty both of my pockets of memory sticks that say on them “confidential” and I throw them all over the parking lot. Then at lunchtime, I go to my laptop and open it to see how many employees actually took that to see what it said. I have a tracking device on it and up comes the employees who look at it Of course, what it says is “This is a test and you failed”. Later on, I explain to them during the conference that I could have cost their company a billion dollars overnight. I could have ruined their brand.
So, the most important thing when it comes to breaches is that you have to teach your employees and your clients the importance of keeping people's information that's been entrusted with them safe - whether they are the janitor of the company or whether they're the CEO of the company. It has been my experience over and over again that even when you interrogate the best hackers in the world, they will say to you, “Look. I can't get into this bank in New York - they spend more than half a billion dollars a year on infrastructure to keep me out of their bank in software and all types of technology. I can't get past it. But they also employ 225,000 people worldwide. So all I have to do is sit and wait for one of those people to open the door.”
I always remind people how important it is to make sure that you are teaching your employees how to keep that information safe, that you don't go and take laptops home, that you follow the instructions that are given to you by the chief information officer of the company or the security people of the company. That's the most important job that anybody has working in a company today, when someone trusted them with that information.
Now, when you do have a breach, the first thing they tend to do is minimize how many different pieces of information have been taken. In the case of the Office of Personnel Management, they said it was two million federal employees; it turned out to be 30 million federal employees. They said it was one million fingerprints; it turned out to be ten million fingerprints. So, whenever I hear about a breach in a company and the media says how many things were compromised, I usually multiply that number by fifteen and that's probably the true number of that breach.
When I look at all the breaches today, and I talk about them all the time, and I look at all the breaches that have occurred just in the last five or six years, whether it be Home Depot or whether it be an insurance company or whether it be Target or any of those companies, you look at all of these breaches and you add up the amount of data stolen, we well exceeded the population of the United States. It’s my personal belief that everyone in this country has already had their identity stolen, so it's more a question about making sure you protect your information and keep your information safe, realizing that somebody probably already has it. Just like when we develop software, the first thing we say is that we assume malware is already on your device. We don't know that it is, but we assume it is, so we have taken steps to make sure that malware is not going to affect whatever technology we've implemented into that device. It's the same thing - you have to assume they've already stolen your identity, so you have to take a position to make sure that you protect yourself from having your identity stolen.
The final comment I'd make about that is every one of these companies where they've had a breach, the first thing they do is offer you one year of credit monitoring service. One year is worthless. People who steal mass data warehouse that data. If I steal credit card numbers and debit card numbers, I have to get rid of that right away; it has a very short shelf life. But if I steal your name, your Social Security Number, your date of birth – you can’t change your name, you can’t change your social security number, you can’t change your date of birth. So the longer I hold it, the more valuable it is when I go to sell it. That is why we haven't even seen some of the data yet from T.J. Maxx or Target or Home Depot, because they're going to warehouse that data and eventually they will sell it off but in chunks of information. One year of credit monitoring service would be worthless. I would say that you need at least three years of credit monitoring service. I've used a credit monitoring service since 1992. I'm always aware that that information could be sold at any time now or five years from now and I like to stay ahead of it.
But we're going to see a lot more breaches. Some are reported, some are not reported. Many breaches occur against government and state agencies which don't get reported. Unfortunately, it's becoming a lot easier to do, but in most cases, once again, someone failed to do something, such as put the proper software in place, a proper firewall in place, the proper infrastructure in place to keep the hacker out or someone in that company did something they weren't supposed to do which allowed the hacker in.
Joe: Wow. So that is a lot for us to digest here. But the major takeaways are people are the biggest vulnerability in any kind of a breach.
You mention employees a lot, but in the case of the breach with Sony recently with all the information about their actors, that was a contractor, if I understand correctly. So it is employees and contractors and we have to have policies written, with signatures on them, very legally binding documents and lots of coaching, I heard you say.
Frank: That's a good point, Joe, because even in the case of Target - Target had a very good infrastructure, they had very good security, and they had a very big security team. However, Target had a vendor who monitored their refrigeration units in their 2,400 stores around the country. If a unit was failing or was going out, they sent their service people out to fix it. No one worried about that vendor, but that vendor had access to all of Target's mainframe computers and they didn't have the proper technology and infrastructure at that small vendor. So the hacker realized if I get into this vendor, the refrigeration company, that will allow me to get into Target.
So, you're right. Sometimes it’s just that vendor or that third party that gives you access.
Joe: Kind of like a Trojan horse if you will.
Joe: We talked a lot about enterprise businesses and you mention a couple of things that I think small businesses can apply, like malware software and off-the-shelf consumer products that will protect their data from attack and from spyware and things like that, but employee agreements and contractor agreements are something else small businesses can do to protect themselves from these types of breaches. If we've got accountants listening to this, and many of them fall into this category, the majority of their clients are mom and pops maybe doing up to a million in sales. Are these guys just naturally safe because they're not targeted? And if not, what should they do?
Frank: I think most of the time smaller businesses, just like my wife owns a small women's clothing store, a retail chain of stores, then that's a small business. She's not going to be the target of someone breaching, getting information from her. They’re looking to get large quantities of information.
But again, I would want her to run her company the safest way she could run it, so I'd want to make sure that she has the most updated software, that she has an infrastructure in her system to protect her. I'd want to make sure that she knows who she's doing business with and if she's giving any information to those vendors, that she knows that those vendors are doing the same thing, and that they are vendors they can trust doing business with and that they have the proper things in place to keep that information safe.
Joe: Absolutely, absolutely. And what your wife might be vulnerable to and all small business owners might be more vulnerable to would be threats from within like I would put that in a classification of embezzlement. How would small business owners like your wife and like the clients of so many of our listeners today - how can they prevent embezzlement within their company?
Frank: Of course, the number one rule I always tell people is you have to segregate duties. You can’t have a bookkeeper who writes the check, signs the check and then in fact reconciles the bank statement, because even the most honest person unfortunately has problems in their life - sometimes there’s a divorce, sometimes they’re going to lose their home, they have a sick child, somebody has cancer or health problems, and they do things they wouldn't normally do. They do desperate things. You put them in a position to do something where they feel they can get away with it because they're the only one who looks at the books, they're the only one that knows what the balance is.
I truly and have always believed that every employer has a moral obligation to keep their employees honest. That is why we have controls and that's why we have them in place. That's why we have accountants. So if I'm somebody who says, “Well, look, here's my problem – I’m a small business, I just have a couple of employees, and I have a bookkeeper and myself”, then I would recommend that if you're going to have the bookkeeper write the checks and the bookkeeper can sign the checks, then you need to have the bank statement mailed to your home so that you open the bank statement and you get what the balance is and you look at the images of the checks that have been written off the account and any withdrawals that have been made from the account. And then if you want to bring it into your bookkeeper to make sure your bookkeeper then goes and reconciles the account, that’s fine.
It's amazing to me having done this for forty years, how many businesses I deal with - and forget small business, even medium size business, large car dealerships, huge businesses - that don't reconcile. They are reconciling six months later, eight months later, four months later. They're not even reconciling their accounts and as I remind people the law's very explicit. You have thirty days from receipt of your statement, whether it be a credit card statement or a banking account statement, to notify your bank of any discrepancy. If you come back six months later and say you found a check in your account for $5,000 you didn't write, the bank's going to say, “Where have you been? You can't come back now and ask me to make good on this forged check or this altered check.”
It is very important to make sure you are reconciling at least every thirty days on your account, that you are segregating those duties, and that you do have controls in place. So that if Helen or John is ever in a situation where they feel they need to maybe steal some money, people who embezzle money always think in their mind they're going to put the money back and I'm just temporarily borrowing the money, that they sit there and say, “Well, I couldn't possibly do that because in order for me to do this, I have to have Barbara over there sign off on this or I have to have John go ahead and approve this. I’d have to bring in two or three people in collusion for me to get away with it.” That's why we have controls and I believe that companies have a moral obligation to keep their employees honest. We don't put temptations in front of people. That's why we have controls.
Joe: You know, I really like what you said about that - that's the standard line, “I was going to pay it back”. You did some bookends there. You started with a desperate life situation and then the honest intention, however misconceived it is and impossible it would be, “you know, I really believed in time, I was going to pay it back.” I think the biggest vulnerability is we get to know people that work for us, they work for us for a very long time, and the business owner’s response to this kind of embezzlement is always, “I never thought so and so was capable of that.” Well, maybe it wasn't within their character, but people act outside of their character in desperate situations, especially if they think that they can rationalize a layer of integrity to it, “The money will go back in and nobody will be hurt.” Then the reality is, they can never pay it back; they could always have never paid it back, but they just didn't realize that; they were blinded by their circumstances.
Frank: That's really right. In in my entire career and all the embezzlements, and there are many of them that I've been involved in looking at, I have never found someone say to me, “Yes, I hired this person six months ago and then I found out they were stealing all this money from me.” 99.9% of the time the response is, “Well you know this person worked for me for ten years. I trusted them like my daughter. They went on vacation with me and my family to Disney World. I treated them like a child - my own child.” Those are the ones; it's almost never the brand new employees. That's why you have to be careful. It doesn't matter who the individual is, you have to just put things in place so those things are not tempted and those things don't occur.
Joe: OK. You mentioned checks specifically as one example of embezzlement and that would be more if I give somebody too much power- they sign and they reconcile. But what if I don't give them signing authority, but they commit payment fraud? I’m going to ask you first - are you still seeing payment fraud as an issue and is it a problem that is now kind of gone away with online banking and out-sourced accounts payable services and all of these non-check transactions? Is the problem solved?
Frank: No, I don't I don't think it is solved at all. People are always going to find a way. I come back to my wife who sits on a board in Charleston, South Carolina of a ministry that basically provides shelter for homeless veterans. They had a CFO, a woman who has been convicted and sent to prison, and this is public information, but she basically embezzled $600,000 from this ministry. She was the CFO, but she didn't have signing authorization. But she would simply take checks and make them out to vendors of the ministry, like office supply stores and transportation companies, and she would then forge the bookkeeper’s signature and then take those checks, even though they were made out to a vendor, she deposited them at an ATM at her bank. She did this for about two or three years without being caught until she got greedy and she sent in a whole bunch of checks, ten or twelve checks, through the ATM machine, and some alert employee at the bank realized, “Well these checks aren't made out to this individual or the ministry. They're made out to office supply stores, transportation companies.” And that's where the suspicions started. In the end, they found out she was doing that.
So, sometimes, it's just because somebody is not checking and they're having auditors come in, but they're not really looking at the things they should be looking at.
Joe: What if that same person had, because that was really playing close to the edge – eventually, someone like that’s going to get caught, what if somebody forges a signature. Is the small business just as liable?
Frank: Oh, yes, absolutely. The same way if they alter the payee. If your company issues a check to say A&R Trucking Company. I steal the check or I take the check and alter that payee to Frank Abagnale and I go to my bank and deposit it. Of course it clears, because you have money in the account, but then later A&R Trucking calls and says, “Where's my money?” and you say, “I paid you.” and they say, “Well, we never got the check.” So you go back to research it, to fax them a copy and you see it's made out to Frank Abagnale. That’s an altered payee, so that's a liability of the issuer of the check. So you still owe the trucking company the money, but the altered payee is going to leave you liable.
You know when you bring up check forgery, that's very interesting to someone like me. I really thought having taught this at the FBI Academy for so many years that eventually checks would go away and I wouldn't be talking about check forgery. But that's not the case. We still get about 39 billion checks a year, 75% of payments made from one company to another company are still made by check, and though we've seen a reduction in personal checks, very slight – 10% over the last ten years, well we have only seen a 2% percent reduction in business checks from one company to another company. So check forgery is absolutely with us. The latest stats we have are from way back in 2010, because they only do them about every ten years, but back then it was it was in excess of 20 billion dollars a year. It's gone up way higher than that.
But this is the interesting thing. The people who are forging checks today, passing bad checks, altering checks, stealing checks out of mailboxes, are not the forgers of 20-30 years ago. They're not the guy whose sole job is to alter checks and forge checks and counterfeit checks. Where this is all turned over now is to gangs. About 80% of all this we're seeing are street gangs who normally would be selling drugs, violent gangs who have been committing violent acts. Gang names that you would be familiar with in New York and Los Angeles that were more of gangs who committed violent crimes and crimes of forgery and stealing have come to realize that check forgery is a very simple crime and there's a very lot of a lot of money to be made doing it.
Now, when we get all these arrests over the last two or three years, they're mainly involving street gangs who are passing these checks, forging these checks and altering these checks. By no means has check forgery gone away. And when I talk to small businesses, the point I always make to them is this. If you are a major airline in the United States and someone forges your check for $250,000, you have Errors & Omissions insurance, so you will ultimately end up at your insurance company and they’ll repay you $200,000, minus the $50,000 deductible. Then, you'll probably take a tax write off of $25,000 of that, but then the other $25,000 you’ll put back in your operating budget and you go on about your business.
But if you own a small business and someone forges your check for $90,000 and the bank is not going to make good on it because of maybe some negligence on your part. You’re done, you're out of business, you're through. So the smaller you are, the more you have to lose. That's why I tell small businesses you have to pay a lot more attention to this than a Fortune 500 company does, because you can't afford to take those kind of losses.
Joe: That’s a really good point. Especially debit cards, and I'm going to get your opinion on debit cards in just a minute, but just in general with checks. To protect our business, we have savings accounts that do not have check stock attached to them and that are completely within my control solely as the owner of the company. That is where the large amounts of money, our capital, lives and then we move over just what we need for the daily operations of the company into the checking account. So if somebody did write a check for $90,000 or $100,000 at any given time, it would probably bounce and there's a form of protection. And that's something I recommend to my clients.
But I want to get to debit cards in just a minute, because I've heard you talk about those before, but when you were on the stage of Scaling New Heights 2015, this whole idea of counterfeit checks and check forgery came up and you said something very interesting. You said that many times, the only tool a forger needs is a piece of scotch tape. Can you tell the listening audience what you mean by that?
Frank: The reason for this is that for many years when we started printing checks on a printing machine, we used what was called a matrix printer. A matrix printer is an impact printer, so there was a ribbon loaded with ink and then a key struck that ribbon as you typed and that impact sent the ink in the ribbon into the deep fibers of the paper in the check. In order to alter that check or to forge that check ten years ago, you would have needed bleach, solvents, ink eradicators, all types of chemicals and you'd have to be very skilled at it, because if you didn't know what you were doing, it would look like you had altered the check. A good forger would take usually about a week at a time to do a letter just to get the letter off that first name of that or the whole name of the company. He didn't really pay much attention to the address but who the check was made out to.
Then, we moved to laser printers and probably a good 90% of all businesses, whether they be I.B.M. or they be my wife store, writes their checks and prints them out on a laser printer, as does many customers of QuickBooks, Intuit, and all of that. Laser printers are non-impact printers. They're a technology that is spraying toner onto the surface of the check. It's not in the paper. It's on the paper. So forgers will take Scotch Magic Brand Scotch Tape, that's called Scotch Tape Number 80 - that's that grey cloudy scotch tape - and they will simply put it over the entire Payee’s name and address or the amount of the check, rub it down real good, and then grab the corner of the tape and slowly pull it off and all of the toner will come off on the tape, because toner naturally attaches itself to Scotch Tape and Scotch Magic Brand Scotch Tape is designed to come off the paper without ripping the paper. The only thing that comes off is the toner.
Now, any one of your listeners can try this. You just go get a voided check, maybe you wrote six months ago or six minutes ago, it doesn't matter. Bring it back to your desk. Take that voided check, get a piece of that Scotch Tape and whatever you want to remove on the check - the MICR line, the dollar amount. Just put that tape over it, rub it down really good with your fingernail, then grab the corner of the tape and pull and you’ll see all of that information come off on the Scotch Tape very cleanly. You can scrape it off with the scalpel or dental pick, but most of the time they use scotch tape.
That is why is it important if you have company checks, you make sure those checks have toner anchorage on them, so laser lock, toner lock, toner anchorage. That is simply a chemical that the paper has been coated with that stays dormant on the paper until it goes in the printer and it has usually a shelf life of about ten years. When you take the stack out of the cabinet and you put it in the laser printer to print the check, it's the heat of the drum on the printer that turns the chemical on and that locks the toner to the check.
Now if you try one of these on a voided check and you say, I cleared it off, I taped it off, I tried to pull it off, I even scraped at it and it wouldn’t come off, you have toner anchorage. Your printer who's printing that check has provided that. If it comes right off, you don't have it and I highly recommend it.
I will add one other thing usually when I go out and talk about that I get an email the next day that says, “Mr. Abagnale, I heard you speak yesterday. We are a very small company and we’re a little bit old school. We still use a matrix printer. But when I got to the office, I was curious. So I got a voided check and I took the Scotch tape and it came right off. How come?” “Well, what kind of ribbon did you use? Did you use a plastic ribbon, a nylon ribbon, a carbon ribbon?” All of those are erasable ribbons. They were designed to be erasable. You could have used a number two pencil eraser and erased that amount or the payee’s name.”
So, if you're going to use a matrix printer because you're a little old fashioned and you want to print your checks on it, then I suggest you go buy yourself what's called a security ribbon. That's the inked cloth ribbon and that, when you hit it, penetrates into the paper. If you're going to use the other types of ribbons, they’re a little cheaper, but then they're not going to be permanent and they're easily altered.
Joe: All right, so that was a lot to process. The bottom line is if you're going to use toner, use a special kind of check with the chemical that will protect you. And if you use dot matrix, use the exact ribbon that you just described.
Thank you for tuning in to today’s Podcast and our conversation with Frank Abagnale. For more information about today's episode, to explore other episodes in this podcast series, or to learn more about our annual conference, visit Woodard.com.
As always we encourage you to stay tuned in, stay connected, never stop learning and Scale New Heights.