Encyphir Risk Management

Employee Theft: How to Detect, Investigate, and Prevent It

Andrew Lyssand
October 15, 2024

Employee theft is the most common form of occupational fraud, and it is also the most underreported. The Association of Certified Fraud Examiners estimates that organizations lose about 5% of annual revenue to fraud. A significant portion of that comes from employees stealing directly from the businesses that employ them. Most cases go undiscovered for more than a year before detection.

What Employee Theft Actually Looks Like

Employee theft is not limited to someone emptying the cash register. The full spectrum of how employees steal from organizations includes:

Cash theft. Skimming revenue before it is recorded, voiding transactions and pocketing the cash, making false refunds to accounts the employee controls, and manipulating petty cash or expense accounts.

Inventory and asset theft. Removing physical inventory, equipment, or supplies for personal use or resale. This is common in retail, manufacturing, warehousing, and any business with physical goods.

Payroll fraud. Creating ghost employees who receive paychecks routed to the fraudster's account, falsifying hours worked, or manipulating commission calculations.

Expense reimbursement schemes. Submitting personal expenses as business expenses, inflating legitimate expenses, fabricating receipts, or submitting the same expense multiple times.

Check and payment fraud. Forging signatures on checks, altering payee information, issuing unauthorized checks to fictitious vendors, or redirecting legitimate vendor payments.

Data and intellectual property theft. Stealing customer lists, trade secrets, proprietary processes, or confidential business information for sale or use at a competitor.

Billing fraud. Creating fictitious vendor invoices, paying real vendors at inflated prices in exchange for kickbacks, or paying for goods and services never received.

Warning Signs

Detection often begins with behavioral or operational anomalies before a specific transaction is identified as fraudulent. Common warning signs include:

  • An employee who refuses to take vacation or cross-train others on their responsibilities. This is a classic red flag. Fraud typically requires the fraudster to maintain exclusive control over a process. When someone else learns the job, the fraud can be discovered.
  • Lifestyle changes inconsistent with salary: new vehicles, home improvements, or discretionary spending that does not match the employee's known income.
  • Complaints from vendors or customers about payments, statements, or account activity that do not match the records you hold.
  • Discrepancies in account reconciliations, missing documentation, or altered records identified during routine review.
  • An employee who becomes defensive when questioned about specific transactions or who resists standard oversight procedures.

How Employee Theft Investigations Work

A proper investigation follows a structured methodology. It is designed to produce evidence that is useful in legal proceedings, not just internally.

Preserve and secure records. The moment theft is suspected, take steps to preserve relevant records before the subject can alter or destroy them. This means securing physical documents, backing up relevant electronic files, and limiting further access for the suspected employee.

Forensic financial review. A forensic accountant analyzes the relevant accounts, transactions, and records to find the full scope of the fraud: how it was committed, over what period, and the total amount taken. This goes well beyond identifying a suspicious transaction. The goal is to reconstruct the complete fraud scheme.

Interview strategy. Interviews are conducted in a specific sequence, starting with witnesses and collateral sources before moving to the primary subject. Interviewing the suspect too early compromises the investigation.

Evidence documentation. All findings are documented in a format suitable for HR proceedings, civil litigation, criminal referral, and insurance claims.

What to Do and Not Do When You Suspect Theft

Do: Consult a professional before taking action. Many internal investigations are compromised or made legally complicated by well-intentioned but procedurally incorrect internal handling.

Do: Work with your attorney and an investigator at the same time. The investigation informs the legal strategy. The legal strategy shapes what the investigation needs to produce.

Do not: Confront the employee immediately. A premature confrontation typically results in document destruction, account manipulation, and a subject who has been alerted to prepare a defense.

Do not: Conduct the investigation using only internal personnel who have working relationships with the subject. Objectivity matters both for the quality of the investigation and for its credibility in later proceedings.

Prevention: Making Theft Harder Before It Starts

Effective theft prevention programs operate on a familiar principle: the fraud triangle requires opportunity, pressure, and rationalization. Eliminating opportunity through internal controls is the most direct lever available to organizations.

  • Segregation of duties. No single employee should control an entire financial process. The person who approves purchases should not also issue checks. The person who opens mail should not also record payments.
  • Mandatory vacation and job rotation. These interrupt schemes that require continuous access.
  • Regular account reconciliation. Have someone other than the person who handles transactions review the accounts. This catches discrepancies before they compound.
  • Anonymous reporting channels. Give employees a way to report suspected theft without risk. The ACFE consistently finds that tips are the most common initial detection method for occupational fraud.

Industry-Specific Patterns We See Repeatedly

Employee theft does not look the same across every sector. Understanding how schemes show up within a specific industry helps leadership recognize them earlier.

In professional services firms, the typical pattern involves a trusted bookkeeper or office manager with sole control over accounts payable. The scheme usually begins small, often with a single unauthorized payment disguised as a legitimate vendor transaction. It escalates over years as the employee grows more confident that no one is watching. By the time we are engaged, total losses commonly reach six figures.

In retail and restaurant environments, cash skimming and point-of-sale manipulation dominate. The most frequent patterns are void transactions, unauthorized employee discounts, and refund schemes where funds are routed to prepaid cards. These schemes are often detectable through data analytics that compare transaction patterns across employees on the same shift. They are rarely caught because most owners are not reviewing that data.
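The shift-peer comparison described above, as an added example (not the firm's own tooling): it flags an employee whose void and refund rate is several times the pooled rate of coworkers on the same shift. The transaction rows, employee names, and thresholds are constructed assumptions.

```python
from collections import defaultdict

EXCEPTIONS = ("void", "refund")

def build_sample():
    """Constructed POS rows: (shift_id, employee, transaction_type)."""
    plan = {
        "mon-am": (("alice", 40, 1, 0), ("bob", 38, 0, 1), ("carol", 30, 6, 4)),
        "tue-am": (("alice", 40, 1, 0), ("bob", 38, 0, 1), ("carol", 30, 6, 4)),
        # Constructed outage shift: everyone voids more, so nobody stands out.
        "wed-am": (("alice", 35, 6, 0), ("bob", 35, 6, 0), ("carol", 35, 6, 0)),
    }
    rows = []
    for shift, staff in plan.items():
        for emp, sales, voids, refunds in staff:
            rows += [(shift, emp, "sale")] * sales
            rows += [(shift, emp, "void")] * voids
            rows += [(shift, emp, "refund")] * refunds
    return rows

def shift_outliers(rows, ratio=3.0, min_exceptions=5):
    """Return {employee: [(shift, own_rate, peer_rate), ...]} for outliers."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [exceptions, total]
    for shift, emp, kind in rows:
        tally = counts[shift][emp]
        tally[1] += 1
        if kind in EXCEPTIONS:
            tally[0] += 1
    flagged = defaultdict(list)
    for shift, emps in counts.items():
        for emp, (exc, total) in emps.items():
            peer_exc = sum(e for p, (e, _) in emps.items() if p != emp)
            peer_tot = sum(t for p, (_, t) in emps.items() if p != emp)
            if peer_tot == 0 or exc < min_exceptions:
                continue  # no peers on the shift, or too few events to judge
            rate, peer_rate = exc / total, peer_exc / peer_tot
            # Floor the peer rate at one event so a spotless peer group
            # does not make any non-zero rate look infinite.
            if rate >= ratio * max(peer_rate, 1 / peer_tot):
                flagged[emp].append((shift, round(rate, 3), round(peer_rate, 3)))
    return dict(flagged)

if __name__ == "__main__":
    for emp, hits in shift_outliers(build_sample()).items():
        print(emp, hits)
```

Comparing within a shift rather than against a store-wide average is what keeps the constructed outage shift from flagging anyone.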

In construction and manufacturing, the thefts tend to involve physical inventory, fuel cards, and supplier kickbacks. A purchasing manager who receives a quiet percentage from a favored vendor can inflate costs for years while remaining invisible to ordinary financial review. These cases often require both forensic accounting and surveillance to document the off-books relationship between the employee and the vendor.

In healthcare and professional offices, patient refund fraud, insurance payment diversion, and controlled substance diversion are recurring concerns. The regulatory exposure in these industries makes early and properly documented investigation even more important than in a typical commercial setting.

The Role of Digital Evidence in Modern Theft Cases

Most employee theft investigations we handle now involve digital evidence. Email, text messages, accounting system logs, access records, cloud storage activity, and external device connections frequently reveal the structure of a scheme that paper records alone cannot. A purchasing manager who is steering contracts to a relative, for example, often leaves a clear trail in personal email correspondence that never makes it into the company's official records.

Digital forensics has become a central component of serious employee theft matters. This is especially true in cases involving data theft, intellectual property misappropriation, or suspected collusion with outside parties. When an employee is preparing to leave with customer lists or trade secrets, the forensic signature is usually unmistakable. Common indicators include:

  • Mass downloads in the days before resignation
  • Unusual USB device activity
  • Personal email traffic containing company attachments
  • Cloud sync activity outside normal patterns

Recovering and analyzing this evidence requires proper preservation, and that preservation must happen before the employee is alerted or the device is reassigned.
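One way to test for the first indicator, mass downloads in the days before resignation, as an added example rather than code from the original article: it compares each day's download count in the two weeks before a resignation date against that user's earlier median. The log format, user names, dates, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Assumed log format: <ISO timestamp> user=<id> action=download files=<count>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) action=download files=(\d+)$")

def build_sample_log():
    """Constructed log lines covering four weeks for two users."""
    lines = []
    for i in range(28):
        day = date(2024, 3, 1) + timedelta(days=i)
        if day.weekday() < 5:  # weekdays only
            lines.append(f"{day}T10:00:00 user=jdoe action=download files={12 + i % 3}")
            lines.append(f"{day}T10:05:00 user=asmith action=download files={20 + i % 4}")
    lines.append("2024-03-26T22:40:00 user=jdoe action=download files=1850")
    lines.append("2024-03-27T23:10:00 user=jdoe action=download files=2300")
    lines.append("corrupted entry")  # malformed lines are skipped, not fatal
    return lines

def daily_counts(lines):
    counts = defaultdict(lambda: defaultdict(int))  # user -> day -> files
    for line in lines:
        m = LINE.match(line)
        if m:
            counts[m.group(2)][date.fromisoformat(m.group(1))] += int(m.group(3))
    return counts

def pre_departure_spikes(lines, resignations, window_days=14, multiplier=10, floor=200):
    """Flag days inside the pre-resignation window that dwarf the user's baseline."""
    counts, findings = daily_counts(lines), {}
    for user, resigned in resignations.items():
        window_start = resigned - timedelta(days=window_days)
        days = counts.get(user, {})
        baseline = [n for d, n in days.items() if d < window_start]
        if not baseline:
            continue  # no earlier history, so nothing to compare against
        threshold = max(multiplier * median(baseline), floor)
        hits = sorted((d.isoformat(), n) for d, n in days.items()
                      if window_start <= d <= resigned and n > threshold)
        if hits:
            findings[user] = hits
    return findings

# Resignation dates would come from HR records; these are constructed.
RESIGNATIONS = {"jdoe": date(2024, 3, 29), "asmith": date(2024, 3, 29)}

if __name__ == "__main__":
    print(pre_departure_spikes(build_sample_log(), RESIGNATIONS))
```

The script reads an exported copy of the log, so it can run without touching the suspected employee's device.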

Organizations frequently make the mistake of allowing IT staff to examine a suspected employee's computer before a forensic image is captured. Once that happens, the evidentiary value of the device may be compromised. Metadata can be altered, and a defense attorney will have ample basis to challenge whatever is recovered. Proper forensic imaging preserves the device in a verifiable state that will hold up in court and in arbitration.

When the Suspected Employee Is an Executive

Employee theft committed by a rank-and-file staff member is painful, but it is generally a straightforward matter once the evidence is gathered. When the subject of the investigation is a senior leader, the complexity multiplies. Executives typically have broad system access, authority over the very people who would otherwise conduct the investigation, and personal relationships with board members or ownership. They may also have employment agreements, severance provisions, and indemnification clauses that shape how any finding must be handled.

Our executive misconduct investigations practice is built specifically for these situations. The work is conducted under attorney direction, with extreme discretion, and with careful attention to the governance and disclosure obligations that attach when a senior officer is implicated. Board committees, audit committees, and outside counsel are typically involved from the first day.

Recovery, Referral, and Insurance Considerations

A well-documented investigation produces more than an HR outcome. It creates the foundation for civil recovery, criminal referral, and an insurance claim under the organization's employee dishonesty or commercial crime policy. Most fidelity and crime policies contain strict notice requirements and documentation standards. Claims are routinely denied or reduced when the insured cannot produce a defensible accounting of the loss. Forensic accounting work product is the document that typically satisfies carrier requirements.

Civil recovery is worth pursuing when the employee has recoverable assets, a co-conspirator with assets, or when the organization needs a judgment on record for other reasons. Criminal referral to local prosecutors or federal authorities is a separate decision. It often depends on the nature of the scheme, the amount involved, and the quality of the evidence package. Prosecutors have limited resources and tend to accept cases that are essentially ready to charge. That means the investigative work matters enormously to whether charges are brought.

Building the Pre-Hire Screen That Prevents the Next Case

A meaningful portion of the employee theft cases we investigate involve individuals with prior histories that would have been visible in a thorough pre-hire screen. Recurring indicators include civil judgments, prior terminations for cause, licensing actions, and inconsistencies in employment history. Comprehensive background investigations at the point of hire are the least expensive form of loss prevention available to any organization. This is especially true for roles with financial authority or access to sensitive data.

For vendor relationships, acquisitions, and high-stakes partnerships, the equivalent exercise is due diligence. Vendor kickback schemes and collusive billing frauds frequently involve outside parties whose history, ownership structure, or prior business conduct would have raised concerns at the front end of the relationship.

Our fraud investigation team conducts employee theft investigations with the discretion, legal rigor, and forensic methodology that produce results in court and HR proceedings. Corporate clients engage us alongside their employment counsel, and our executive misconduct investigations team takes the lead when the suspected employee s