Most owners of small and mid-sized businesses are convinced they know their employees well and fully control the money flows. The reality is different — and theft in a small business is far more common than owners assume. According to the Association of Certified Fraud Examiners (ACFE, the "Report to the Nations 2024"), mid-sized companies lose roughly 5% of their annual revenue to internal fraud. For a small business, that often means $200,000–$500,000 in losses from a single incident — an amount equal to the company's annual profit.
The worst part is not that fraud exists. The worst part is that a scheme runs for 14 months on average before the owner notices it. In that time, an employee can steal a sum equal to the annual turnover of an entire department. And by the time the manager finally spots the "hole in the budget," the culprit has either already quit or has managed to destroy the evidence.
In a small business, the situation is especially tricky. There is no internal audit function, no security department, no compliance manager. The owner trusts key people — the accountant, the head of procurement, the warehouse manager — and often has neither the time nor the tools to check their actions. It is precisely on this trust that every scheme we are about to discuss is built.
In this article we break down the 8 most common theft schemes through which a small business quietly loses millions without noticing for years. For each scheme you will learn how it works, which signals should alarm the owner, and what to do to prevent it. We will also look at why traditional control methods — audits, KPIs, video surveillance — often fail to detect corporate fraud, and how to build a system that protects a small business from internal losses.
Fact: 42% of corporate fraud cases are discovered by accident — through a complaint, a conflict between employees, or after the culprit is fired. Only 16% come to light thanks to internal audit. That means a traditional audit catches fewer than one scheme out of six.
This is the most common scheme in small business — and one of the hardest to detect. The idea is simple: the employee responsible for purchasing (a manager, head of supply, or director) receives a personal reward from a supplier in exchange for the company buying specifically from them rather than from competitors.
The supplier offers the manager 5–15% of the contract value as a "loyalty bonus." In return, the manager ensures that this supplier is chosen in the tender, that prices are inflated relative to the market, and that better or cheaper alternatives are ignored. The money is handed over in cash, transferred to relatives' cards, or "compensated" with gifts — vacation packages, electronics, an apartment renovation.
In large companies the kickback is 3–7% of the total. In small business, where controls are weaker, it runs as high as 15–20%. If your company buys raw materials for UAH 5 million a year, the real overpayment through kickbacks can reach UAH 750,000–1,000,000 annually.
Introduce a two-signature principle for contracts above a certain amount. Regularly (once every six months) run an independent price review across three to five suppliers on the market. Rotate buyers — someone who has managed a single supplier for more than 18 months without a check is in the risk zone. Implement a written conflict-of-interest policy and require all employees with procurement access to sign declarations.
The second most common scheme is creating a fictitious company through which "purchases" pass — purchases that either never actually happen or run through an intermediary padding the markup. In most cases this company belongs to a relative or a trusted associate of the employee running the scheme.
An accountant, finance director, or head of procurement registers a sole proprietorship or LLC in the name of their spouse, mother-in-law, brother, or godfather. This company "provides services" to your firm: consulting, IT support, marketing, logistics, equipment rental. The services are either never delivered at all (fictitious paperwork), or delivered at inflated prices, or actually performed by a staff member of your own company during working hours — but paid for separately.
A classic example: an LLC called "Progres-Consult" "provides consulting services" to your company for UAH 80,000 a month. The contract contains generic phrases about a "strategic audit." There are no real reports. The LLC's owner is your finance director's cousin. Over a year the scheme drains UAH 960,000.
Before signing any new contract, vet the counterparty: registration date, director, beneficial owners, any court cases. There are public services that, for UAH 50–100, will show the connections between companies and individuals. Require all employees with signing authority to declare their close relatives. Once a year, check whether any supplier surnames overlap with the surnames of your team.
Handy tool: Once a quarter, export the list of all suppliers over the past 12 months and sort by payment volume. Review the top 20: are there any newly created companies, sole proprietors with a single service, counterparties with no website? That is 30 minutes of work that can save you millions.
Skimming is when part of the revenue never enters the company's official books at all. The money is collected from the customer but never recorded — it stays in the employee's pocket. This scheme is most common in retail, services, restaurants, and auto repair shops — anywhere there is cash payment or direct contact with the customer.
The classic version: a cashier rings up a receipt for less than the customer paid and keeps the difference. A more refined version: the salesperson agrees with the customer on a discount "without a receipt" — the customer pays less in cash, the salesperson pockets all of it without ringing up the sale at all. In services: a technician takes an order "off the books," does the work using the employer's materials, and keeps the fee.
A separate category is "virtual discounts." The employee processes a sale in the system with a 30% discount, actually sells at full price, and pockets the difference. Or processes a return for a "dissatisfied customer" (who doesn't exist) and keeps the refunded cash.
Install cameras with a direct view of the register and make the use of fiscal recorders mandatory. Once a month, reconcile the average check and revenue across shifts. Run a "mystery shopper" 2–4 times a quarter. Create an anonymous channel for customer complaints (a Telegram bot, a form on the website). Limit the right to void receipts — any void above a certain amount should require a manager's approval.
Expense fraud is when an employee submits expenses that never happened for reimbursement, or inflates real ones. It looks like small change: what's a few thousand hryvnias a month, really? But across a company of 30 employees, this kind of fraud easily drains UAH 300,000–500,000 a year.
The classic versions: submitting the same fuel receipt twice (once to your company and once to personal taxes), fake taxi receipts from a "convenient" service, inflated travel expenses, personal spending disguised as business. In the modern era, fake electronic receipts from online generators have been added — for UAH 50 you can buy a template that will produce any receipt for any amount you set.
A separate story is "phantom" business trips. The employee "travels" to a conference in Odesa, claims reimbursement for fuel, hotel, and meals — while in reality sitting at home the entire time. Or takes a weekend away with the family at the company's expense under the guise of a business meeting.
Set clear limits by expense type and require originals (or high-quality scans) of source documents. Use corporate cards instead of cash reimbursement — this automatically brings transparency. Once a quarter, run a spot check on the reports of 5–10% of employees. Pay special attention to the top 3 by expense volume: that is the maximum-risk group.
This is one of the slyest schemes, because it looks like an "ordinary accounting mistake." The same invoice is processed through accounting twice, and the funds go to the same supplier account. If it is an accident, the supplier honestly returns the overpayment. If it is a scheme, the money comes back — but no longer to the company's account, rather to the personal card of the employee who set it up.
An accountant or finance manager creates a duplicate payment order based on a real invoice. The money goes to the supplier. A week later the accountant writes to the supplier: "Oops, we mistakenly transferred twice — please return it to this account here." The supplier returns it — but to the employee's card, not the company's. When the owner checks the statement, they see only the outgoing payment — a transfer that appears to have "gone missing" at some later stage.
An alternative version: payment for one real invoice, but made as two separate payments on the same day. In the ledger it looks like two different payments to two different suppliers — especially if the names are similar or the details differ slightly (one in all caps, the other in mixed case).
Separate the functions: one person creates the payment order, another approves and sends it. Introduce mandatory reconciliation with suppliers once a quarter — even an automated email request asking them to "please confirm there is no debt or overpayment on our side." Set up notifications in your bank about duplicate payments (most banks offer this option). Once every six months, run a spot audit — take 20 of the month's payments and check the original contracts and acts.
If your business involves physical goods — a warehouse, a store, production — this scheme is running at your company with a probability of over 70%. The only question is how actively and how much is being taken.
The simplest version: a warehouse worker, a courier, or a driver simply carries goods out. In the reports it is written off as "breakage," "natural loss," or "shortage found during recount." If every month you're told that "2% of the goods vanished — that's normal for our industry," do the math: 2% of an annual turnover of UAH 10 million is UAH 200,000 in theft.
A more organized version: collusion between a warehouse keeper and a driver. A vehicle leaves the warehouse with 100 units of goods listed on the waybill. But in reality 110 are loaded. The 10 "extra" units are sold along the way for cash, and the money is split in half. To cover it up, the warehouse keeper adjusts the leftovers in the system — or processes a "technical write-off."
A third version — collusion with customers. The manager ships the customer 100 units, writes a waybill for 80, and collects payment for 90 in cash. The 10 units are a "gift" to the customer for loyalty to that particular manager. All three are happy. The loss is 100% of the margin on 10 units, plus 10% on the 80 that went through "officially."
Introduce regular recounts (monthly — full; weekly — spot-checks on top positions). Cameras in the warehouse and at the gates that record and store footage for at least 30 days. A two-step release system: one person picks the order, another checks and releases it. GPS trackers on company vehicles. No exits from the warehouse without a waybill, not even "for 5 minutes" to grab a test sample.
In businesses where employees are allowed to grant discounts to customers or process returns, this scheme runs quietly and effectively. For a small shop or service, it can drain 5–10% of the margin.
The first version: the "fake discount." The salesperson grants the customer a 30% discount in the system, but the customer actually pays full price. The difference goes into the salesperson's pocket. This works on quick cash sales, where the customer doesn't scrutinize the details of the receipt.
The second version: the "phantom return." The salesperson processes a return for a "dissatisfied customer" who never existed. The money is "refunded" from the register — but this customer never came in. The cash ends up in the salesperson's pocket. The scheme is especially risky when returns are processed in cash without the customer's signature and without a photo of the returned item.
The third version: the "family discount." The employee systematically grants corporate discounts to relatives or friends without any authority to do so. Or applies a "loyal customer" discount to random buyers in exchange for a bribe.
Limit discount authority — any discount above 10% should require a manager's approval. Any cash return should require a photo of the item, the customer's signature, and a contact phone number for verification. Once a month, analyze the discount and return report for each employee — a deviation of more than 50% from the average requires an explanation.
Important: The biggest mistake small business owners make is focusing on "big" threats (hackers, raiders, competitors) while completely ignoring internal ones. The statistics are merciless: 80% of real business losses are not external attacks but schemes run by the company's own employees.
The eighth scheme is the most destructive in the long run. This is when your key employee (a salesperson, a business-development manager, a technical specialist) quietly builds their own business operating in the very same niche — and uses your infrastructure, your customer base, and your working hours to grow their own company.
The classic story: the head of the sales department registers a sole proprietorship in the spouse's name in the same line of business as your company. Gradually he starts "losing" good customers — those customers move to a competitor (his own sole proprietorship). Meanwhile he uses your CRM, your scripts, and your working hours to call customers on behalf of his own firm.
A more complex version: a technical specialist takes side gigs from your own clients. You do a project, and he tips off the client: "officially you'll pay 100,000 — but I'll do the same thing for 50,000 in my spare time." The client saves money, the specialist earns extra, and your business loses the order. In services (IT, design, marketing, legal), this scheme is an epidemic.
The biggest damage comes from salespeople who, right before quitting, "leak" the customer base to a new employer or to their own business. In an industry with a long sales cycle, the loss can reach a department's annual revenue.
Include a non-competition clause in the employment contract (NDA + non-compete) — it is not an iron-clad guarantee, but it creates a legal basis for claims. Regularly monitor the state registers — check whether companies registered in the names of key employees' relatives are appearing. Analyze the dynamics of the customer base for each manager: a sharp drop in active customers is a red flag. Introduce the "two contacts" principle — for every key customer, at least two of your managers should have a contact.
Small business owners are often astonished: "How could this happen? We had an audit! We have video surveillance! We have KPIs in place!" The problem is that traditional control tools are designed for one thing, while the real schemes of corporate security work in an entirely different way.
A standard accounting audit checks the formal compliance of documents — the presence of signatures, the correctness of entries, conformity with regulations. The auditor does not check whether the service was actually delivered, whether the price matches the market, or whether the counterparty is "one of their own." The auditor sees the document — formally everything is correct. And the fact that this document is part of a scheme, they will not uncover, because they have neither the mandate nor the methodology for such analysis. ACFE research shows that only 16% of fraud cases are caught through external or internal audit.
KPIs measure the result, not the way it was achieved. If a sales manager hits the plan, the KPI is green. But the fact that he is hitting it by selling expensively to a relative-competitor and cutting the margin through your business — the KPI won't show that. What's more, KPIs often provoke schemes: if an employee knows they'll get a bonus for a certain metric and has a way to "game" that metric through fraud, the temptation is very strong.
Video surveillance only helps detect direct theft — physically carrying goods out. It will not show:
And the overwhelming majority of modern schemes are informational, not physical. They take place in electronic systems, chats, and negotiations. Cameras won't see them.
In a small business there is usually no security service at all. And if there is, it is often a former law-enforcement officer who is effective at physical security (access control, guarding, incident investigation) but has no methodology for detecting financial schemes. Detecting corporate fraud requires behavioral analysis, data analysis, and loyalty checks — that is a different professional field.
Suppose you've noticed the signals — and you suspect that someone in the company is "not who they seem." What do you do? Here is the sequence of steps from the internal-investigation methodology used by professional investigators and compliance officers.
The worst mistake is to walk up to the suspect and say: "I know you're stealing." That guarantees the scheme will be "wound down," the evidence destroyed, the money withdrawn, and you'll be left with no way to either prove anything or recover the losses. The first step is the silent gathering of data. Export the reports, statements, and correspondence for the past 6–12 months. Do it quietly, without the suspect's involvement.
An internal investigation can't be run single-handedly — you need at least one person to verify your analysis. This could be an external accountant, a lawyer, or a security consultant. The inner circle should be minimal: the more people who know, the sooner the suspect finds out.
Compare: documents (contracts, acts) against the fact that the work was actually done. Payments against the movement of goods in the warehouse. Revenue against the flow of customers and the average check. Declared expenses against real trips and receipts. One document can be forged, two are harder, three adjacent ones are almost impossible. Find the discrepancies, record the dates and amounts.
Look at whether companies are registered in the name of the suspect's spouse, brother, or partner. In the state register this is public information. Check social media: standard of living, events attended, new purchases, who they communicate with. Often the scheme is visible from outside indicators: a $50,000 car on a salary of UAH 30,000 is a question that demands an answer.
The hardest stage is when the documentary evidence is circumstantial and a direct accusation could tear the team apart. In this case a small business often lacks exactly the objective tool it needs: a way to verify the honesty of key employees without leveling direct accusations. This is where modern methods of behavioral analysis come to the rescue — more on them below.
If the scheme is confirmed, assess the scale of the loss, consult a lawyer about the possibility of recovery, and think through the dismissal scenario (with minimal access to data and customers). Don't share emotions — share the results of the investigation only with those who need to know.
There is a moment in any investigation when every circumstantial signal points to a specific person — but there is not enough direct evidence. On paper, everything is "almost" in order. To accuse is to lose if you're wrong. To do nothing is to keep losing money. It is precisely in such moments that business owners start looking for an objective tool to check loyalty and honesty.
StimulTest for business is a modern online alternative to the classic polygraph, allowing you to screen an employee or candidate without physical sensors, in the format of a remote video session. The technology analyzes facial micro-expressions, voice patterns, and behavioral reactions to key questions about honesty, loyalty, and possible instances of abuse.
How StimulTest works: an individual questionnaire is prepared for your situation (kickbacks, fictitious suppliers, skimming, a parallel business — the methodology has blocks for each of the 8 schemes). The session lasts 40–90 minutes and takes place online with no need to visit an office. The result is a detailed report with conclusions for each block of questions, the probability level of the reactions, and recommendations.
For a small business this is especially valuable for three reasons. First, price — it is 2–3 times lower than a classic polygraph with an on-site visit, which is critical for companies with a limited security budget. Second, confidentiality — no one on the team will see that the employee underwent a check, since there is no need to take them to a specialized office. Third, speed — from the initial request to the result is 2–5 business days, whereas a classic check can take 2–3 weeks.
It's important to understand: StimulTest does not replace an internal investigation and is not a "truth detector" in the legal sense. It is a tool of objective verification that works together with document analysis, checking the inner circle, and monitoring behavioral signals. But precisely as the final stage — when you need to filter out suspicions and understand who you're dealing with — it is indispensable.
A logistics company from Kyiv (40 employees, annual turnover of about UAH 50 million) came to us with a situation typical for the industry: over the past 18 months the margin had dropped from 18% to 11% while order volume held steady. The owner suspected there was a leak somewhere. But an ordinary audit showed no formal violations — all the documents were in order.
The data analysis revealed three anomalies. First: one of the 12 couriers consistently had "natural losses" of customer goods at 2.8%, against a company average of 0.9%. Second: the head of logistics gave maximum discounts to three customers who, over the past year, had become the most profitable — on paper. Third: eighteen months earlier the manager's wife had registered a sole proprietorship in the same line of business.
There were suspicions. There was no direct evidence. The owner invited the head of logistics and two couriers to take an online StimulTest check as part of a "routine loyalty audit for key positions." The testing results showed significant reactions in the manager and one of the couriers to questions about receiving unofficial payments from customers and using the company's infrastructure for personal purposes. The third employee passed the test with no issues.
A further detailed investigation confirmed the scheme: the head of logistics, through his wife's sole proprietorship, was serving your company's customers "on the side" using the company's own fleet. The courier was receiving cash bonuses from customers for "expedited delivery" outside the official books. The total estimated loss was UAH 2.3 million over 18 months. Both employees were dismissed, and part of the losses was recovered through a civil suit.
It is better to prevent schemes than to uncover them after the fact. Here are 7 practical steps that will reduce the risk of internal fraud in a small business by 60–80%.
No important action should be performed by a single person from start to finish. Whoever creates the payment order should not approve it. Whoever manages the supplier contract should not sign the acceptance acts. Whoever releases goods from the warehouse should not receive them. This is a basic axiom that is missing in 90% of small businesses — and one that delivers an immediate effect once implemented.
According to ACFE, 43% of fraud cases are discovered through tips from employees. Create a channel through which anyone on the team (or a customer or supplier) can anonymously report suspicious situations. It could be a Telegram bot, a dedicated email address, or a form on the website. Important: the reports should go not to the department head but directly to the owner or to an external security consultant.
The cheapest way to avoid problems is not to hire people with red flags in their history. Checking references from previous jobs (especially those where the person worked 1–2 years and left), checking the court-case register, screening through StimulTest for key positions (finance, procurement, sales, warehouse). That is 1–3 days and a few thousand hryvnias — and it often saves millions.
No one should be responsible for a single area for 3+ years without an external review. Once every six months — an internal review of supplier prices. Once a quarter — a report on cancellations, returns, and write-offs broken down by employee. Once a year — an update of the conflict-of-interest declaration.
All key processes should be in electronic systems with an action log (who did what, when, how they changed it). All payments — through the bank, not in cash. All contracts — in a single register. All communication with customers and suppliers — in a corporate CRM, not in personal messengers. The more transparency, the fewer opportunities for schemes.
Every employee should have access only to the information they need for their work. The accountant should not have access to the customer base. The sales manager should not see purchase prices. The warehouse keeper should not have access to financial statements. The principle of least privilege reduces the risk of abuse many times over.
Last in order, but first in importance. If the team has a culture of "everyone does it," "it's normal," "we all take a little," no control systems will help. The owner must personally demonstrate zero tolerance for abuse. Every case that comes to light should be discussed openly (within the company) with conclusions drawn. Every "for-cause" dismissal is an example for the rest. An honest culture is the cheapest and most effective "audit" there is.
For reference: ACFE research shows that companies which have implemented at least 5 of the 7 practices described lose 4 times less to internal fraud than companies without systematic controls. Individual practices (an anonymous channel, regular rotation) on their own reduce losses by 40–50%.
Yes, it's possible. According to ACFE statistics, in companies of up to 100 employees the frequency of fraud is higher, and the losses per employee are greater, than in large corporations. The paradox: the smaller the business, the higher the trust in key people, and the easier it is for schemes to go unnoticed for years.
Warning signals: unexplained dips in margin with steady turnover, regular "natural losses" of goods, customer complaints about strange situations, a sharp rise in the standard of living of key employees, key people refusing to take vacation or hand over their duties. Any one of these signals is grounds for an independent check.
Yes, it's legal — provided the employee gives voluntary consent. The employment contract or a separate agreement can provide for the possibility of undergoing security checks. Modern online formats like StimulTest fully comply with Ukraine's legislation on the protection of personal data.
A basic package of preventive measures (implementing segregation of duties, an anonymous channel, checking the top 5 employees) costs UAH 30,000–80,000 as a one-time expense. Ongoing monitoring runs UAH 5,000–15,000 a month. That is tens of times less than the average loss from a single uncovered scheme.
It depends on the amount of the loss, the strength of the evidence, and your strategy. Minor cases (up to UAH 100,000) are often resolved with a dismissal "by mutual agreement" and compensation. Large ones require legal support and may cross into criminal territory. In any case, first consult a specialist; don't make decisions in an emotional state.
A small business loses millions not to external enemies but to internal schemes that run quietly and for years. Kickbacks, fictitious suppliers, skimming, fake expense reports, duplicate payments, warehouse theft, discount abuse, and a parallel business — this is not "theory" but a statistically proven reality for every second company with a turnover above UAH 5 million a year.
The good news: all these schemes have characteristic signals and can be prevented. Segregation of duties, an anonymous reporting channel, regular monitoring of key metrics, screening candidates before hiring — that is the basic set that cuts risks several times over. And when suspicions are already there, objective verification through modern behavioral tools like the online polygraph helps complete the internal investigation with minimal risk to the team and maximum confidence in the conclusions.
The worst strategy is to hope that "this won't happen to us." According to international research, fraud in one form or another is present in 4 out of 5 small and mid-sized businesses. The question is not whether it exists, but how much it is costing your company specifically — and when you'll finally uncover it.
Suspect internal theft in your small business? Get an objective loyalty and honesty check of key employees. Certified examiner, full confidentiality, online and in person. Leave a request — we reply within 15 minutes.