ERP062 - Protecting your business against fraud

Small businesses get ripped off, much greater percentage than larger companies. because we don't have the resources to be able to put the checks and balances in place. The average fraud amount for small businesses is $125,000. Welcome to Evolve Radio, where we explore the evolution of business and technology. I'm your host, Todd Kane. Today on the podcast, I'm speaking with Stephen King with Growth Force. Stephen is the CEO of Growth Force, one of the largest providers of outsourced bookkeeping and controller services in the US. With three decades of experience in supporting businesses with their finances, Stephen has seen it all. The topic of today's conversation is an important one, fraud. Stephen and I discuss how businesses are impacted by fraud, and how to build better systems and processes in your business to ensure you're not one of the thousands of businesses every year that have money stolen from their business. This discussion spans cybersecurity, process management, human psychology, and trust. Please enjoy this useful discussion on how to protect your business from financial fraud. This discussion spans cybersecurity, process management, human psychology, and trust. Please enjoy this useful discussion on how to protect your business from financial fraud. If you haven't already, please subscribe to the podcast so you get every new episode. Also, if you wouldn't mind, please leave a rating and review in your podcast app. This helps others find the show so we can reach more of the community. Now, on with the show. And joining me on the podcast today is Stephen King. Welcome, Stephen. Thanks, Todd. Good to be here. All right. Well, I should say welcome back. You were a guest fairly recently on episode 60, where we talked about managing cash flow in a crisis. So, if uh if you've not listened to that episode, then uh absolutely go and check that one out. Today, we're going to be talking about protecting your business against fraud. And there's a couple of different angles that we'll take on this. I think to start, um I'll I'll maybe relay a little story that uh I'm sure you may have heard about or something similar in in the industry. I know um someone told me a story about a client that they had. This is an MSP that had a client and uh one of their owners was out at a conference. This is an MSP that had a client and uh one of their owners was out at a conference. And uh the controller got an email from the owner saying that he wanted to purchase a bunch of stuff for uh the uh booth that they were running at a particular conference. And and he needed the controller to wire some money to them. So, okay, fine, fair enough. So, the controller takes this without kind of any confirmation, wires the money to this uh this strange account without questioning anything. Uh then the person that on the other end of this uh tells them, oh, sorry, you know, it didn't come through. Can you try it again? So, okay, she wires uh a second uh transfer. At the end of this, they're out, I think it was $20,000. It's $10,000 per transaction. The person managed to get it pull it twice before the the controller thought to think like, hey, what's going on here? Maybe I should I should look into this. So, as you can imagine, she was in some deep, deep water, promptly fired for her mistake, which was basically giving away $20,000 to a fishing threat. Uh and this is not uncommon, I would guess in the industry. Uh so, you know, it's not just protecting the uh yourself against these types of threats, but also how do you protect your clients against this type of threat? Uh I'll turn it to you to kind of comment on uh where this sort of sits in in the fraud prevention that is becoming pretty rampant in all industries, uh but particularly relevant for the IT groups. Yeah, it really is. Um and uh you know, first, I think it might be helpful to kind of talk about how big of a problem this is. You know, not just cybercrime, but fraud in general. And, you know, the the the Society of Certified Fraud Examiners issues a biannual report to the nation on occupational theft. Sounds really boring, right? But the content is absolutely critical for anybody to know. Because small businesses get ripped off much greater percentage than larger companies. Because we don't have the resources to be able to put the checks and balances in place. The average fraud amount for small businesses is $125,000. The average. Is that a cumulative number or a single event? It's a cumulative number. It takes 18 months to uncover it. Oh, wow. And what's fascinating here is that the the statistics are really staggering. It it it actually it's it's 14 to 18 months before it gets detected. And that most of the time the fraud happens with somebody who is a first-time offender. There there's not professional thieves. So, the cybercrime is professional thieves. Yeah. But the run of the mill uh billing uh bill payment uh check kiting, all that kind of stuff that we'll talk about after the cybercrime is because there was an office manager who was trusted who, you know, didn't have the checks and balances in place. And this is particularly bad for small businesses because we don't have the resources to recover $140 to $180,000. And religious organizations are just as vulnerable. And they think, well, you know, we've got core values. We've got a value system that will prevent fraud. And reality is, you can never trust is never part of an internal control system. Trust but verify. To quote Ronald Reagan. So, so, let's we'll go right to the the cybercrime because it's so critical right now. And the FBI in this report, it says that the FBI's Internet crime complaint center reports that this is one of the fastest growing threats to small businesses. It's because they can't afford the cybersecurity software, which is where MSPs play an invaluable role. You know, I we had a client who had the exact same thing happen. Well, first, let me tell you, you know, most of your audience knows this already, but it's so important, I think it's worth going. There's basically four types of fishing scenarios, right? Fishing is an attempt to acquire a username or a password or credit card details or something other valuable by pretending to be a reliable trusted contact. Everybody knows that. Pretty broad based attack. Yeah, yeah, you're going to go find somebody and see if anybody's dumb enough to give you something that they shouldn't. Right. Spear fishing is used by cybercriminals to go after a specific company or an individual. And they and this is according to this report to the nation on occupational fraud. This is 70% of the data breaches. And what that means is that human error is to to blame for almost three quarters of all problems. And a good MSP program can really solve that. So what is spear fishing? That's the example Todd that you gave, which is and we had we've had this happen on more than one case. And I can share you what it is and then what we do about it. The first what spear fishing is is a criminal will will take the time to identify an individual that has money. And they will create an identity that looks exactly the same. But what they do is they'll create a domain in which two letters are changed. In one client, the the the they'll look for two letters that are that are hard to see, like maybe an I and an L. This one was a U and an E. So, you know, instead of it being T O B U E, it was T O B E U. And they created a domain and an email address and they sent it out. And everything about the email was exactly legit. The the signature file had the picture of the CEO. The links on the signature file went to their LinkedIn. You know, the the everything was exactly the same. And what we found out later on was that the criminals actually figured out that in this case, they were asking for a wire transfer to be sent over. They they did some um uh uh projects in the Middle East. And they regularly would be wiring money to projects in the Middle East. Because the company was public on Facebook and Twitter and announcing their new projects. The email actually said from the CEO, said, we need to wire $100,000 to this bank to start this new project. And that's not an unusual request for that company. That's what they do. We got to go, you know, we're going to start doing some work over there, so we got to put some money into a bank account in that country so that we can import the stuff that we need to import. Now, the way you prevent all fraud is through separation of duties. What does that mean? You need to make sure that you have three functions are separated. The person who approves the transaction, the person who enters the transaction, and the person who reconciles the account for that transaction. The classic example is when you're trying to pay a bill, and this is effectively paying a bill, you want to make sure that the person who's approving it, in this case, the CEO, is separated from the person who's paying the bill, a bookkeeper, and you need to separate the person who's reconciling it. The bank account should never be reconciled by the person who's paying the bills. Ever. Because that's how most fraud happens. Whenever there's an electronic request to transfer any money, what we require is a text confirmation. Why? Because texts are nothing's impossible to prevent fraud, but it's really difficult to to fake a to do a fishing scenario and a fraud with a text. So whenever we get an email requesting something from anybody, the first thing we do is we get a text. The second thing we do is, and this is really easy for any email that contains malware. Check the company name. Make sure it's really the company. The smart ones will just change one letter, so you want to be looking for that domain name and make sure the I and the E are not backwards. But most of the time, they're sloppy, and it'll just say, you know, it the the the you have to mouse over, as you know, you have to mouse over the email to see what the property is behind it. Most of the time, when you mouse over, it might say, like I just got one for my myself personally. I got one that says Direct TV. We had a problem with your payment. Please click here to update your credit card. And I knew my credit card was fine, but just because of our training we went through, I mouse took the mouse before I clicked on it, just to mouse over the company name on the from field, and it just said IP.XRZ.blah blah blah blah blah. It was not AT&T, it was not Direct TV, it was not that way. You can also mouse over the hyperlink to make sure that you can it'll reveal the actual URL. And if it doesn't say, you know, AT&T.directtv.com, then you know that you're making a thing. Now, obviously, don't click on the link, right? Because that's all they want. But that takes a minute or two to check, and that's one of the first ways to solve it. Yeah. Good cyber hygiene. I would say the the text uh is certainly better than email, but you can do kind of SMS hijacking. Uh I I've often suggested like if there maybe if there's a sort of a dollar clip amount, like if this is a transaction over say $5,000 or $10,000, whatever sort of a relevant amount of money in your business, that there should be a voice conversation to validate this, right? Especially if you get an email that's like in the the the case that I said where, hey, can you wire some money for expenses on this business trip? Uh like just pick up the phone to call the person to verify, hey, did you send this? Like and they say, yeah, yeah, that was me, then great. Okay, then send the money, right? But I think that escalation of a secondary method of communication is really important. Yeah, I like that a lot. You know, the the next big besides uh fishing, right? Spear fishing, um whale fishing, you know, which is going after one individual, right? That's a form of spear fishing where you're going after a high-level manager or CEO and, you know, that's kind of the example I just gave you. The next big threat here is ACH fraud. Stealing money through your what they call the automated clearing house, you know, which is how you transfer money between banks. And the challenge here, according to the FBI, the losses from ACH fraud were over a billion dollars worldwide. And that number is expected to rise. Why? Because only two pieces of information are needed to do ACH fraud. You need a bank routing number and a checking number, checking account number. And so if you have if they use a spear fishing email to do a key log on software on the victim's computer, you can steal those credentials. And so it's important to understand the process for trying to get that money back. Now, in a consumer bank account, you have 60 days to go to the bank and and challenge an unauthorized transaction. But in a business bank account, you only have 24 hours. Oh, wow. Yes, most business owners don't understand that. And what happened is after September 11th, when the planes were grounded, the Federal Reserve realized, oh, we've got a problem with our banking system. We're physically, we are physically flying canceled checks from the Federal Reserve Bank of New York to the Federal Reserve Bank of Dallas, and then we're driving those checks to the to the bank check processing department so that we can debit and credit the bank accounts, which is why it used to take, you know, two, three days for a check to clear. And Alan Greenspan was the Treasury Secretary at the time, Federal Reserve chair at the time, and he said, this is ridiculous. So they created banking for the 21st century, which basically meant you no longer need a piece of paper to deposit check. Which is why you can now make deposits from a phone, right? That's all great, but what they also included in that banking for the 21st century legislation is the banks are no longer liable for checking the signature on a signature card because that was, you know, antiquated from the 40s and the 50s and the 60s when every check went through a teller. because that was, you know, antiquated from the 40s and the 50s and the 60s when every check went through a teller. And they changed the rules for the bank account holders. So, you have 24 hours to alert the bank, otherwise you're they're not liable for any unauthorized transactions. And so what we recommend here is you should have your bank account set up to download your transactions into your accounting system. And we do outsourced bookkeeping, accounting, and controller services for companies that use QuickBooks, Zero, or Net suite. And those three systems, especially QuickBooks, which has 88% of the market, you can automate the process to download your banking transactions. QuickBooks online will actually do it every night while you're sleeping. So that when you wake up in the morning, you can look, just log into your QuickBooks online account and see on an iPad or your iPhone or your computer, did anything happen that we don't know about? And what you're specifically looking for is the ACH. That's a big, big risk. Now, you can do a lot with the banks. The banks will have protection services that will allow you to make sure that, for example, you know, we're an Insperity client, right? They do our outsourced HR and our human capital strategy or health insurance and all that. They're the only company that our bank is allowed to do an ACH for. So you can go to the banks and say, ACHs are not allowed, except for this one company. And you also have things called positive pay, which is you can go in there and say and enter, these are all the payments that I've made. And unless if a payment comes through that's not what you enter, it will reject it. Or it'll tell you, hey, here's a payment that you didn't authorize. So if you're worried about that, your bank, the big money center banks all have great services that allow you to be able to help reduce that risk. With the ACHs, there no like to me it always is I always assumed if you're setting up an ACH that the the the validation of someone be able being able to withdraw money from there requires some type of secondary approval mechanism. It's not that they if they know your bank account, they can start withdrawing money, right? So there there has to be that elemental protection of no one can just start randomly withdrawing money from your account without some type of authorization. Depends, depends on what how your security is set up. So like, for example, Chase Bank, which is what we use, you have the ability to go in there and say, okay, up to $5,000, James can do it. Um and over $5,000, only I can do it. And if they're logging in with my credentials, I can do and you can do it. Oh, I see, this is more of an internal threat. It's not like some independent party outside of the company can just randomly start withdrawing. Fishing. This is all part of the fishing. Yeah, yeah, this is the fishing. That makes sense. Yeah, yeah, I'm so I'm glad you clarified that. Yeah, this is this is when they get your username and password, you're screwed. Right. Yeah, okay, that makes sense. So you got to you got to you got to prevent it on the back end. Yeah. You got to you got 24 hours. You when you get that download from the bank, you got to make sure you're checking it every day. Have your bookkeeper do that. So a couple of things like uh off the top, you you noted like people don't tend to find this stuff out until 12 to 18 months later. And I think that's largely because like they don't really look at their books in detail until they're doing tax time and they they they have to kind of true everything up and they're like, wait a minute, like where did this $30,000 disappear to? Uh and then the the the the other part is not doing kind of daily or at least kind of uh weekly reconciliation and waiting till the end of the month to reconcile the accounts. And I know some of the older accounting programs like you you you and the older processes, people wouldn't do that on a daily basis. And I I find that that's uh it just makes things a hell of a lot easier. Like it's much easier to kind of verify and approve two to three transactions today rather than sitting down for an entire day at the end of the month to go through the record log, right? Yeah, exactly. And in particular, I think this is why QuickBooks online and the online the zeros of the world are getting so popular is it's so easy. You're a stop light, you pull up your phone, you click on the icon, your face ID logs you in, and you can see with one click of a button what's gone through your bank account. And, you know, it used to be that people were looking at that because they were worried only if they were worried about, did I have enough cash to pay the bills? Right. You know, so a lot of business owners did that because of cash flow problems. What what we advise here is, you know, of course you need to do that if you have cash flow problems, right? And cash flow problems, by the way, are as we talked about in the last podcast, are almost always caused by not pricing right, right? But that's a that's the other the other podcast, episode 60, I think you said. The the um the nice part is when you're now looking at it inside QuickBooks online, you're able to see your whole financial position. the nice part is when you're now looking at it inside QuickBooks online, you're able to see your whole financial position. You're able to see your your income, your billings, you can see your receivables, you can see, you know, not just the cash balance. You can see trends, how am I doing this month versus last month? So, it's not just to help you find fraud, it's to help you put your fingers, as you say, looking at it every day or every couple of days, at least once a week allows you to keep your fingers on the financial pulse of your business. So, and that's a good segue. I wanted to talk as well about um how people can kind of protect themselves even if they're the ones that are not managing the books. I wanted to talk as well about um how people can kind of protect themselves even if they're the ones that are not managing the books. And as I'm sure you you see because, you know, you're the you're the party that people will outsource a lot of these functions to. But I I see in a lot of small businesses, especially MSPs, that financial function, especially the bookkeeping, is one of the first things that people outsource because it's laborious, like it's detail-oriented, and people kind of running around trying to fight fires in IT. It's the last thing that they want to do at the end of the day. So it's it's a great thing to outsource, but uh how do you do that in a way that is safe, right? A lot of these organizations are often outsourcing to um an office admin, maybe it's a a spouse, or just a contractor, contractor bookkeeper that they found uh online or or they know through somebody else. So they may not have the sophistication of dealing with a an entity where they're going to be a little better protected. Uh how can people build systems in their business so that they can see what's going on and feel a level of comfort that things are are are transacting the way that they should, but not have to live in the books all day every day. Yeah, because I don't look at my books every day or even every week. I'm the CEO, right? You don't want to spend your time on that. Right. So how do you that's a great question. So, and this is what we do, right? We're an outsourced accounting department. So, the key thing here is you need to have separation of duties. If you're just taking a job that was currently done by one person inside your company, and now you're giving it to one person outside your company, you have not improved your risk of fraud. Meaning, if your spouse, as you mentioned, or your your your trusted office manager was paying the bills, entering the bills, reconciling the bank account, and you're like, okay, I need to have another set of eyes looking at this, and you give it to your CPA, and the CPA assigns a bookkeeper to pay the bills, enter the bills, and reconcile the bank account. All you've done is shift the risk of one person having the keys to the kingdom from being in your office to being outside of your office. And that's why it failed. You need to have separation of duties. And, you know, we offer a three-person team because there's three functions, the the entry, the reconciliation, and the approval. And you go through each of the different of the six functions that every business has. Payroll, billing, collections, bill payment, expense management, and inventory. Those are the those are the six big functions, right? Most MSPs don't have inventory, so let's just say do the five. Payroll is the number one because this is the area of the biggest risk. Why? Because it's your biggest expense. Yeah. In our MSP clients, it's 70% of their expenses, it's payroll. Yeah. Transaction size too, I would imagine, right? Like it's tough to see the noise inside there, right? And and we have a we have a uh a CEO's guide to reducing fraud ebook, and I actually go through how do business owners get ripped off, and then what can you do to prevent it? Payroll warrants special consideration because as you say, the size of the dollar amounts are so big. Here's a here's and and if you're a bookkeeper listening to this, now you should turn off because I'm going to share a secret that I don't want I only want the business owners to know. But one of the things that was, you know, I've been doing this for 35 years. I was a manager of accounting system design and Ernst & Young, and I specialized in internal control system. And one of the things I saw was a bookkeeper padded the federal tax deposit with an extra 10 grand. You know, the federal tax deposit is the amount of money you withhold from all your employees and and the employer share of the taxes. All lumped into one big sum, and it's not a percentage, like, you know, it's not social security, you know, is going to be 7.65%. Well, this is dependent upon are your employees married or are they single? Do they have zero dependents or 99? That's how much money comes out of their paycheck. And you put that all to a lump sum and you give it to the IRS, depending on how big you are, it might be every month, every two weeks, or every three days. Well, these guys were doing it every twice a month, they had to make federal tax payments. And what she did was she added five grand a payment, $10,000 a month. Then, at the end of the year, she changed her W2 to credit all that withholdings to her social security number, and she claimed $120,000 tax refund. You'll never see it. The net check doesn't change, the gross payroll doesn't change. You know, the federal tax deposit, this was an MSP that had about 25 people. You know, the federal tax deposit went from $85,000 to $90,000. You don't you don't even know how to decide whether or not that number is right. You're trusting the CPA is filing the taxes that they're going to see it, but because she had she was the the person who was approving the payroll, she was entering the payroll, and then she was reconciling the payroll accounts, she could go in and plug her personal withholding, and nobody would catch it. she was the the person who was approving the payroll, she was entering the payroll, and then she was reconciling the payroll accounts, she could go in and plug her personal withholding, and nobody would catch it. So what you need to do is the person who's processing the payroll should never set up a new employee, should not be the one who's doing the payroll tax return, and should not be the person who's reconciling the bank account. And so to answer your question, Todd, you should use an out if you're going to outsource your accounting, you want to make sure that not only are you not having everything done by one person, but they're not having all that done by one person. The other key thing here is that um who opens the mail is an important check and balance. Meaning, I had a another IT company in New York who uh this was in the 90s, who came uh called my cell, somebody I met at a networking, he's like, hey, I got your card. I have the IRS at my door. They want to put a padlock on my office door, and I need help. And this was in Manhattan, they were three blocks away. I walked out of my office down 6th Avenue, over to 23rd Street, and I went to their office, and there was the IRS. I was like, hi, I'm I'm I'm a CPA, and what's going on here? It's like, we we haven't got the payroll tax deposit. I was like, did you pay the payroll tax deposit? He was like, of course I paid the payroll tax deposit. What happened was, someone was supposed to pay the payroll tax deposit, right? She in the QuickBooks system, it looked like the payroll tax deposits were all paid, but what she did was she made the checks payable to herself, and then because she's reconciling the bank account, she could cover her tracks and and code it correctly and change the pay in QuickBooks to say internal revenue service, but they never got their money. Right. But because she was opening the mail, what happens is the IRS doesn't just show up at your door. She was she was shredding them. Right. And what happens is those notices will get will increasingly more strident, and they'll have red letters on them. Inside the letter will be, you must pay attention to this. It'll be bolded. Then, if you the next one will be, if you don't, you know, your account can get closed in red. And then the the last one is going to have red letters on the outside of the envelope. Make sure that whoever's opening the mail is not the person who's paying the bills, reconciling the bank account. Don't let your office manager do it. That's that's probably maybe this is too basic a point, but that that sort of that story kind of definitely triggered something for me is that um you see a lot of fishing attempts around uh sort of bill collection and uh especially kind of federal collection, uh CRA, which is the IRS in Canada or the IRS in the US. you see a lot of fishing attempts around uh sort of bill collection and uh especially kind of federal collection, uh CRA, which is the IRS in Canada or the IRS in the US. They will never contact you by email or or by certainly by text message, right? Like they have to go through federal mail in order to contact you. So you see a lot of those those emails of, hey, you know, you owe money to to the IRS or the CRA, you need to pay now. Like that all of that stuff is is garbage, right? But if it comes in in the in physical mail in an envelope, you absolutely have to pay attention. Yeah, and most people don't think about who opens the mail. It doesn't really matter, right? Yes, it does matter. Yeah. So, one thing I would ask is like, I don't know, like maybe this is the sort of the the mind of the criminal and they don't tend to think about this too far. And like you said, like a lot of this is not sophisticated crime. It's crimes of opportunity and people that maybe have a gambling problem or they just see an opportunity to kind of grab some cash. But I don't understand how they think they would ultimately get away with this, right? Because this stuff comes out in the wash eventually, and like if it's 18 months and maybe they quit at nine months after collecting a bunch of money and hopefully they've disappeared by then. But it's not like you're going to take enough money to disappear forever. So I don't understand how like there's there's some level of due diligence that has to happen and I feel like this stuff can't be hidden forever as long as you have someone competent who is doing kind of your annual uh tax filing and and combing your books, right? Yeah, no, I would not I would I would say that's not not at all a safe assumption. You got to remember that the, you know, I've been a CPA for 36 years and our and I'm, you know, on the Houston CPA Society board for over a decade. And so I don't, you know, want to say this anyway as a negative against the accounting industry, but every time they change the tax law, that's a full employment rule uh uh law for our CPAs. And there are not enough young CPAs coming out of college to replace the ones who are retiring and and dying. And so every CPA is slammed. Every single one across the country. And we just as an industry, now this is not growth force. We do management accounting, right? We we don't do your taxes because it's just compliance and to me it's more commoditized than we want to be. But you can't rely on the CPA when they do the tax return to comb your book. First of all, most people are not willing to pay $10,000 for the CPA to go look at a year's worth of data. That's a good point. It's like, you know, get me a cheap tax return. Oh, you're you can do it for three grand and the last guy was charging me five. Great. I just saved two grand. So as long as everything balances out, no one's the wise. Every month. Every month you got to have yeah, if at the end of the year, what the CPA's job is to prepare the tax return based on the information you provided them. It's not to audit the books. That costs a lot of money to audit the books. Ah, yeah. What you need to do is every single month, you need to make sure that you are reviewing those financial statements and somebody is reconciling every single balance sheet account. Most business owners don't pay attention to the balance sheet, but the dirt is always in the balance sheet. That's where you find out whether or not the tax liabilities are set up right or whatever. But you mentioned something interesting, Todd. There are some key behaviors that you should look for as warning signs. The human factor in fraud is really important. Especially, you know, what happens is desperate times create desperate people. And what you want to look for is people who are experiencing financial difficulty. Their spouse lost their job. Their their family member is now living with them because they're going through severe sickness. Health insurance bills will completely change someone's behaviors. And you see people say, look, I didn't have a choice. I needed to take $5,000 from the company account because I had to pay MD Anderson for my father's cancer treatment. And if they're going to fire me, fine, but I got to keep my father alive. You can also look at, do you see people who have control issues? Whenever I see a bookkeeper who says, I'm going to do the payroll. We don't we don't need to pay ADP or paychecks or Insperity. That's a red flag. It's cheaper for for me to use a payroll service to process the payroll than it is for me to use my own bookkeepers. Why? Because they make the profit on the tax cash flow. And they've automated all those checks and processes and and all the answering of the questions that the employees have when they want to change their withholdings. So if a business owner's bookkeeper is like saying, I need to do the payroll. I need to reconcile the bank account and they have control issues, that's a red flag. And if and then of course, if you have somebody who's living beyond their means and all of a sudden it's like, how did you get a Tesla? Yeah. So, so coming back to the separation of duties, you know, if you you really want to look at um how many people have you got in your back office? And we work only with small businesses and nonprofits. So, you'll see that typically, you know, there might just be one trusted person, that long-term office manager who does everything. That's the biggest risk you've got. So, because they're going to be opening the mail, they're going to be reconciling the bank account, they're going to do with petty cash and approve invoices and all the stuff. You've got to make sure that you've got at least the person who's writing the checks not reconciling the bank account. And the, you know, if you have a three per a two-person team including including the owner, right? Because the owner should do certain things. One of the things is that you have to do is you have to look at your bank statements. You know, I'm we got 65 people. I still look at our bank statements once a month. Yeah. I just want to make sure that or somebody needs to be looking at the bank statements who's not related to the transactions. Which doesn't really take that long and is worth the investment of the time just on the off chance, like the 1% chance that you'd be like, wait a minute, what is that? Right. What yeah, and and and, you know, what's really nice is that you can just have the bank just add you your email address and just email you, you know, that your bank statements are available. I just got mine from Chase yesterday. Your your bank statements are now available on the fifth of the month, the the second business day of the month. But you want to make sure that you are just separating out, you know, like for example, you talked about collections, right? Collections is a big one because, you know, I got lots of stories of people who got ripped off from that trusted person. You want to make sure that whoever is physically receiving the payment is not the person who's recording the payment, is not the person who's doing the billing. Because I had a I had a wasn't an IT company, it was a masonry company who had uh uh trucks lining up to come and get pallets of concrete and or as we say down here in Texas, cement. They had one of the truck drivers came back to return some of the uh the sheet rock that they bought. And the owner called me up and said, hey, Steve, something's broken in QuickBooks. They're trying to return an order that they didn't make. I was like, okay. So, first off, inside QuickBooks, you need to make sure that you have separated out the admin account, nobody should be using. Only that's only used if you have to change the chart of accounts or if you have to change security rights. Your office manager can be the admin, but it's just not a good idea to only have them as the admin. You you need to make sure no transactions are under the admin because then QuickBooks has a really great audit trail. People think QuickBooks is not a real general ledger, double entry accounting system. They're wrong. There's a debit and a credit and you can't make any changes without it being any transactional changes without it being captured on the audit trail. But if everybody's logged in as the admin, then you don't know who did it. Yeah, this is that's a really good point. I feel like IT people should understand this, but based on my practical kind of goings about, I feel like this is a this is a common error that a lot of organizations are making because in IT, you don't give everyone access to the same admin account for the exact same reason. If something goes wrong, you don't know who did it and you can't you can't sort of trace that down. Similarly with the books, if if everyone's admin, then who did this? I don't know. Well, maybe it was you, right? Exactly. So, so, so, but what's really interesting about collections, you know, payroll is the number one biggest one, but then collections is the second. And the person, you have to separate the person physically receiving the checks from the person who's recording the payments, creating the invoices, and here's the key, creating any credit memos or the ability to delete an invoice. Because what happens is, what happened was, and I've seen this in medical practices more than once, when somebody shows up to pay cash, the person who receives the cash, if they have the ability to delete an invoice, well, they'll put the cash in their pocket, they'll print out a credit memo, or they'll just delete the invoice, and you'll never see it. And what happened was when that person came to return the sheet rock, the invoice was gone. We were to look at the audit trail and see, oh no, the invoice wasn't gone, it was deleted. Well, this is uh this has been really useful. I think um we'll look to wrap up here, Stephen. Um I I think uh uh my key takeaways I think would be uh really ensuring that you're protecting yourself against fishing, uh because that's going to be a a huge risk.