Aug 13, 2025
6 min read
You didn't start your fitness studio to become a fraud investigator. You didn't launch your event company to police your team. You didn't build your travel agency to obsess over who has access to what.
You started your business to create something meaningful. To build experiences that matter.
And the culture you've built reflects that. You trust your team. You move fast. You give people autonomy. "We're all in this together" isn't just something you say—it's how you actually operate.
Which is exactly why talking about fraud feels... wrong.
It feels like you're questioning the very people who help you build something special. Like you're introducing suspicion into a culture that depends on trust and collaboration.
I get it. I really do.
But here's what I've learned: The ones who sustain their impact over time aren't the ones who trust more or trust less. They're the ones who've figured out that trust and structure aren't opposites—they're partners.
Because here's the uncomfortable truth: Fraud doesn't happen because your business is bad or your people are dishonest.
It happens when good people are put in situations where a moment of weakness can turn into a very expensive mistake.
And in creative, experiential service businesses—where speed and agility are actual competitive advantages—those situations show up more often than you might think.
The Thing Nobody Tells You About Fraud
Most business owners think fraud is about catching bad people doing bad things.
It's usually not.
Fraud is almost never about a criminal mastermind who joined your company with a plan to rob you blind.
It's about ordinary people who find themselves under pressure, with access they shouldn't have, telling themselves a story that makes it okay.
Maybe they're dealing with an unexpected medical bill. Maybe they're behind on rent. Maybe they're just exhausted from working 60-hour weeks and start to feel like the company owes them more than they're getting.
Then they notice something: There's a gap. A process that only they handle. An approval that never actually gets checked. A credit card statement that nobody reviews.
And they think: "I could borrow this. Just for a month. I'll pay it back before anyone notices."
Or: "I work harder than anyone here. I deserve this."
Or: "It's such a small amount. The company won't even miss it."
That's how it starts.
Not with greed. With pressure, access, and rationalization.
And if nothing in your systems catches it—if there's no second set of eyes, no separation of duties, no regular review—that "temporary" thing becomes a pattern. That pattern becomes a habit. And that habit becomes a much bigger problem.
The goal isn't to catch someone. The goal is to never create a situation where someone can get into trouble in the first place.
Why Your Business Model Creates Risk (Even Though It's Also What Makes You Great)
Creative and experiential service businesses operate differently than traditional companies. You have to.
You work with dozens or hundreds of vendors who rotate in and out for projects. Freelance instructors. Event vendors. Production partners. Graphic designers. Videographers. It's a constantly changing roster.
You move fast. Timelines are tight. Decisions get made in real time. There's no time for layers of approval or extensive paperwork.
You may have decentralized operations. Teams may manage their own budgets. Department heads may make their own spending decisions. People may wear multiple hats—creative, operational, financial—all at once.
You have a trust-based culture. You hire people who believe in the mission. You give them freedom to make things happen. That autonomy is what attracts great talent.
All of that is what makes your business vibrant, responsive, and able to create amazing experiences.
But it's also what creates financial blind spots.
When one person handles vendor selection, invoice approval, AND payment processing—that's a gap.
When credit card statements don't get reviewed because "we trust whoever uses it"—that's a gap.
When someone leaves the company but stays on payroll for another month because nobody cross-checked the list—that's a gap.
These aren't failures of character. They're failures of design.
And the fix isn't to become suspicious of everyone. It's to build systems where trust doesn't have to carry all the weight.
What Fraud Actually Looks Like
Forget the Hollywood version of fraud. No briefcases full of cash. No offshore accounts.
Fraud is often quiet. It blends in. It looks like normal business operations—until you know what to look for.
And it comes from two directions: from inside your organization, and from outside parties trying to exploit your processes.
Let's talk about both.
Internal Fraud: When It Comes From Your Own Team
These are the scenarios where someone on your team—whether intentionally or through a series of small rationalizations—crosses a line.
The Vendor Who Doesn't Exist
Someone with access to vendor setup creates a new profile. Maybe it's their own LLC. Maybe it's a completely fake business.
They submit invoices for work that never happened. They approve the invoices themselves. The money goes straight to their account.
It works because you have so many vendors coming and going that one more doesn't raise any flags. Especially if the invoice amounts are reasonable and the descriptions sound plausible.
The Expense That Wasn't Really Business
A weekend trip becomes a "business conference." A nice dinner becomes a "client meeting." A shopping spree becomes "supplies."
It starts small. Maybe it genuinely was a gray area. But when nobody's checking receipts or reviewing statements, small becomes big. And "occasional" becomes "constant."
The Employee Who's Not Actually There Anymore
Someone with payroll access forgets to remove an employee who left. Or maybe they don't forget—maybe they see the opportunity and keep that employee on the books, directing the payments to their own account.
Or they give themselves a raise. Just a small one. One that they feel like they deserve but was never actually approved.
If nobody's cross-checking payroll against who actually works there, this can go on for months.
The Hours That Didn't Actually Happen
In many service-based businesses, time is your product. Billable hours drive your revenue.
So when someone inflates their hours—even just a little—it adds up. Half an hour here. An hour there. Rounding up on every task.
Sometimes it's to hit utilization targets. Sometimes it's to make up for "admin time" that doesn't get billed. Sometimes it's just because nobody's really checking.
The problem isn't just the money. It's that your data gets skewed. Projects look profitable when they're not. You think you have capacity when you don't. Decisions get made based on bad information.
The Vendor Who's Paying Someone Back
A team member selects a specific vendor for every project. Not because they're the best option—because that vendor is giving them something back. A kickback. A referral fee. A "gift."
Your business pays inflated prices. The vendor delivers mediocre work. And the employee pockets the difference.
None of these require criminal genius. They just require a gap in oversight and someone under enough pressure to take advantage of it.
External Fraud: When Someone Outside Tries to Exploit Your Systems
Internal fraud happens when your own people make bad choices. External fraud happens when someone outside your organization sees an opportunity to take advantage of your processes.
These schemes are often more sophisticated—and they target the very things that make creative and experiential service businesses nimble: quick vendor onboarding, fast payment cycles, and decentralized decision-making.
The Fake Invoice From a Legitimate Vendor
You've worked with ABC Productions dozens of times. So when an invoice shows up from them, you pay it.
Except this one didn't actually come from ABC Productions. It came from a fraudster who researched your business, figured out who you work with, created a fake invoice on nearly identical letterhead, and sent it hoping you'd pay without verifying.
Sometimes they even compromise the real vendor's email and send it from what looks like the right address.
We consulted with a client recently after this exact fraud had occurred - where before they knew it, over $200,000 left their bank account and was unable to be recovered.
The Vendor Bank Account "Update"
You get an email from a vendor you've been working with for years: "We've changed banks. Here's our updated account information for future payments."
You update your records and pay the next invoice. Except that email didn't come from your vendor—it came from someone who hacked their email or spoofed their address. The money goes to a fraudster's account, and by the time anyone notices, it's gone.
This is called Business Email Compromise (BEC), and it's increasingly common. The fraudster doesn't need to break into your systems—they just need to convince you they're someone you trust.
We also consulted with a client after this exact fraud had occurred. And it could have easily been prevented.
The Too-Good-To-Be-True Vendor
A new vendor reaches out with an amazing offer. They can do the same work as your current vendor for 30% less. Their portfolio looks great. Their references check out (because the references are fake too).
You sign a contract and pay a deposit. Maybe they deliver subpar work. Maybe they deliver nothing at all and disappear. Maybe they deliver the first project perfectly to build trust, then take a large deposit for the next project and vanish.
The Phishing Scheme Disguised as a Legitimate Request
You get an email that looks like it's from your bank, your accounting software provider, or even your CEO. It says there's an urgent issue and you need to log in immediately or provide account information.
You click the link. It takes you to a site that looks exactly like the real one. You enter your credentials. And now the fraudster has access to your accounts.
Or maybe it's not about credentials—maybe the email asks you to urgently wire funds for a "time-sensitive opportunity" or "vendor emergency." The urgency is designed to make you skip your normal verification steps.
The pattern across all external fraud? They exploit trust, urgency, and the assumption that if something looks legitimate, it is.
The defense? Verify everything. Especially when it's urgent.
Call the vendor directly using a number you already have on file (not one in the email)
Confirm bank account changes through a separate communication channel
Never click links in emails asking for login credentials
Question urgency—real vendors rarely threaten immediate consequences
Train your team to recognize red flags and know when to slow down
The Two Types of Controls (And Why You Need Both)
There are two kinds of financial controls you need to know about to mitigate the risk of fraud:
Preventive controls stop problems before they happen.
Detective controls catch problems quickly when they do happen.
You need both.
Preventive Controls
These make it hard to do the wrong thing—whether it's an internal temptation or an external exploit.
Requiring two people to approve payments over a certain amount
Separating the person who sets up vendors from the person who pays them
Setting spending limits on credit cards
Requiring receipts for all expenses
Making sure the person who processes payroll can't approve their own pay changes
Verifying all vendor bank account changes through a separate communication channel
Requiring contracts or agreements before adding new vendors
These aren't about catching bad people. They're about protecting good people from being put in situations where a moment of weakness becomes a serious problem. And they're about creating friction that makes external scams harder to pull off.
Detective Controls
These find problems quickly when preventive controls fail or get bypassed.
Reviewing credit card statements every month
Reconciling bank accounts
Comparing actual spending to budgets at the project level
Auditing vendor lists quarterly for duplicates, suspicious names, or vendors you don't recognize
Spot-checking timesheets against actual deliverables
Monitoring for unusual payment patterns (same amounts, round numbers, frequent small payments)
The point isn't to find fraud. The point is to create visibility so that if something's off—whether internal or external—it gets noticed before it becomes catastrophic.
Simple Things You Can Do Right Now
You don't need an army of auditors or enterprise-level software. You just need a few simple practices that create accountability and visibility.
Separate duties. The person who approves a vendor shouldn't be the same person who pays them. The person who submits expenses shouldn't be the only one who sees the statements.
Review statements monthly. Actually look at your credit card and bank statements. Don't just file them away. Look for patterns that don't make sense.
Require receipts. Not just for big expenses. For all expenses. Make it part of the culture.
Cross-check payroll. Once a month, compare your payroll list to the people who actually work for you. It takes five minutes.
Verify vendor changes. If a vendor says they changed their bank account, call them using a number you already have on file. Don't use contact info from the email.
Give people a way to report concerns. An email address. An anonymous form. Something. Make it clear that you want to know if something doesn't feel right.
Audit your vendor list. Quarterly, look at who you're paying. Do you recognize all the names? Are there duplicates? Anything that seems off?
Compare time to deliverables. Occasionally, look at how many hours were billed to a project and compare it to what actually got delivered. Does it make sense?
Train your team on red flags. Make sure everyone knows what phishing looks like, what vendor scams sound like, and when to verify before acting.
None of this is complicated. None of it requires suspicious interrogations or invasive monitoring. It's just basic visibility and healthy skepticism.
This Isn't About Creating a Culture of Suspicion
I know what you're thinking. "This all sounds like we're assuming people are dishonest." But that's not what this is about.
Strong controls don't signal distrust. They signal maturity.
They say: "We care enough about this business—and about protecting everyone in it—that we're going to do things the right way."
They protect your people from being put in impossible situations.
They protect your business from external parties trying to exploit your speed and trust.
They ensure that when you say "we trust each other," that trust is supported by systems that make it easy to do the right thing.
They preserve the culture you've worked so hard to build by making sure one person's bad decision—or one scammer's clever scheme—doesn't destroy what everyone else has created.
Healthy controls don't erode trust. They codify it. They turn "I trust you personally" into "I trust the system we've built together."
The Bottom Line
When you have the right safeguards in place, you don't have to wonder. You don't have to worry. You don't have to second-guess.
You can focus all your energy on creating, building, and making an impact.
And that's the whole point.
If it's been a while since you've looked at your financial processes, ask yourself:
Where might we be relying too much on trust and not enough on structure?
Could someone—internal or external—take advantage of a gap in our systems?
Do we have enough visibility to notice if something's wrong?
You don't need perfection. You just need enough structure that gaps don't become opportunities.
