My friend, Gabe Trevizo, recently shared the story of his admin stealing money from him.

I asked permission to share the craziness and at the end gave some tips on how to avoid this yourself.

Buckle up.

But first, this week's sponsor.

BROUGHT TO YOU BY...

​NetSuite is the #1 Cloud ERP that gives you complete visibility and control over your business operations, including financials, inventory, HR, CRM and more. Over 37,000 organizations have turned to NetSuite to help grow their top and bottom lines.

​Click here to learn what top CFOs complete every day to become more strategic and efficient.

Get the CFO Checklist

Want to advertise to 40,000 small business owners and leaders? Go here.

​

A STORY OF GETTING STOLEN FROM (AND HOW TO AVOID IT)

I recently saw this on my Twitter/X timeline:

I had questions… so I DM’d Gabe.

Gabe Trevizo is a long-time entrepreneur with a diverse range of business ventures, including one of which (Suds2Go) was on Shark Tank.

Eventually, he shared 2 more posts that broke down the whole story.

Today, I share his story in full and at the end share some ways you can avoid the same mistakes.

Here is Gabe’s story, slightly edited for clarity.

My Admin Stole From Me
by Gabe Trevizo

In July of 2021, I took my family on a RV trip to Yellowstone, Glacier and the Grand Tetons. It was a 4-week trip and something we had planned for almost a year prior.

Leading up to the trip I had discussed with my admin and Senior Appraiser, Ron, the added responsibilities would have.

The trip started out great, everything was going smoothly I was texting with Ron and the admin regularly. Everything was going fine.

On day 16 I received a text from Ron saying that Trina had been in a bad car accident. He had learned of the accident from her sister, who had called and sent a picture of an SUV (similar to this one below) that closely resembled Trina’s.

Trina was in the ICU and had lost her phone at the scene, so she was unable to reach out.

But something was off with the picture. The SUV’s rims didn’t seem to match what I remembered, and the landscape didn’t seem to resemble Arizona. I showed my wife and told her my feelings but felt immediately guilty for even questioning it.

At this point I had no idea or any hunch that she was indeed stealing money.

We had another 3 weeks or so to go on this vacation and we considered heading home. Ron is a superstar employee and said absolutely not, he’d handle all the administrative work on top of running the appraisers and operations. We carried on but I was shaken about what had happened to Trina and the current state of my business.

I started to correspond with Trina’s “Sister” via the phone number Ron had given me. The story was Trina was headed to Tuscon to visit her parents and was was hit by a 20 something year old drunk driver. She was going through reconstructive surgeries to repair her legs and shoulder and it was a miracle she was alive. Because of this, she couldn’t speak to me, but was working to get her phone back up and going.

This went on for a week or so. I would text the sister and learn Trina was having complications. There were infections, more surgeries and Trina was in and out of consciousness. Around day 7 or so I started to get suspicious about the whole story. It wasn’t sitting well, specifically the picture that was sent of the scene and the up and down story I was getting from her sister.

I started testing the sister a little in the texts.

Can I talk to Trina?

What is the hospital and room number? I want to send something.

These requests would be met with silence, then get a response a few days later of moving hospitals, more issues, and the like. Trina’s sister said just give them a few days to settle in and then she’d send me the info.

By this time, I was about a week away from getting back into town. So, I continued on the trip, unsure what to think and what was ahead.

When we got back from our trip, I was a bit overwhelmed. Anytime you leave any business for over a month you know there will be a lot to catch up on.

I was finally able to communicate with Trina via text from her phone, but was now 100% sure that Trina’s accident was a complete lie. One tell was a text about a bag of goodies she’d received that I’d never sent.

Prior to leaving for the trip, we’d started seeing a downturn in business and so I’d told Trina she was going to need to cut her hours (I didn’t have the workload) or work in some of my other businesses to maintain full time hours.

I also told her that I’d be bringing in another bookkeeper I had used in the past to look at the books and help me cut spending.

Now that I was back, I spent the next few days looking into payroll and who was getting what. As I dove into the numbers, I started seeing discrepancies in Trina’s hours reported. She would charge for 86 hours one pay period, then 92 hours, then 83.5 etc.

I pulled the payroll stubs for the past 3 months and logged into Quickbooks. I started comparing the stubs to the payroll withdrawals and my heart sank. For months Trina was inflating her numbers in Quickbooks every pay period by a random amount of hours. She had gotten more brazen as time went on and the extra hours went from 5-25 depending on her needs. I had become her ATM. I was furious , but I was mostly embarrassed.

Yes she was a parasite, a leach and thief but this responsibility rested solely on my shoulders. It was nobody else’s fault.

Heavy is the Head that wears the crown. As an entrepreneur and business owner there is no door to bang on, no one to fire, nobody to replace, you must look in the mirror and take your medicine. AND LEARN.

This confirmed everything to me. The accident was completely fake and she was trying to dupe me out of whatever else she could get from me.

I immediately begin to change passwords and remove her access from everything I could think of. I got on her workstation computer and to my surprise she left her GMAIL open.

I learned through her email she had moved to Oregon. She was already interviewing for new positions and it appeared she had already got hired at a construction company as a Admin.

I emailed her new employer with a simple message that said “Call me about your new employee Trina…..” At the same time I emailed Trina firing her from her position and explaining to her what I had found.

As I sent the email from my work email, I sat and watched it land in her Gmail. She opened it immediately, moved it, and changed her password, locking me out.

Later that afternoon I received a call from her new employer. It was her first day on the job and just after lunch. The owner was a little coy and he had lots of questions. How did you find out where she got hired? How did I get his information? What did she do and how did she do it? etc.

Then he said, “She went to lunch, and never came back”. It appeared Trina had realized the gig was up.

I gathered all my proof and handed it over to the Gilbert Police Department to press charges. Because she was out of state I wouldn’t get immediate justice, but she’d have to face it if she ever got stoped or arrested in the state of Arizona.

What I learned from this whole deal:

• Always have multiple people always reviewing the same finances.
• Give access in increments.
• Don’t get lazy on payroll. Approve and review. Then review again. (Now I do this part myself.)
• Do better vetting when hiring new employees. I no longer do interviews solo. I have either my wife join or a senior employee.

When it was all said and done she had stole a hefty amount of money from me. But I am not too worried about the money I lost. I sleep in peace at night, I work hard and I know I can always make more money. I am sad for her and others like her. What a terrible life to lead.

Reflections

Kurtis here. First I want to say… BRAVO to Gabe for sharing. It takes courage to share the mistakes you’ve made, but sharing allows others to learn and avoid the same mistakes.

So thank you Gabe. As a token of appreciation, I encourage you to follow Gabe on Twitter/X and check out his business, Suds2Go, which was featured on Shark Tank.

Take software permissions seriously

It seems almost impossible to get businesses to lock down their software permissions. The first impulse is to give new employees access to everything because they might need it.

This leaves you open to people snooping where they shouldn’t and doing things they wouldn’t if you were looking over their shoulder.

Software like NetSuite will allow you to lock down permissions to only the things the employee needs them to, so you can be sure employees only have what they need.

Implement segregation of duties

This is a core accounting principle that is often really hard in small to medium businesses.

The idea is this: more than one person should touch all accounting transactions.

Receiving the money? You shouldn’t be recording it and reconciling it.

Creating a new vendor? Make sure more than one person approves the vendor application.

By including more people in each transaction, you limit the ability to commit fraud without detection.

Along with this, create policies and set approval limits that are followed consistently.

This is one Gabe acknowledge failure in and is something that is extremely common.

Software like NetSuite will allow you to create multiple levels of approval, which makes stealing significantly harder.

Internal & external audits

The point of an audit isn’t to catch fraud. It’s both a forcing mechanism to improve your systems and a reminder to employees that you take this stuff seriously.

Audits are stress tests.

Web servers are stress tested to simulate a lot of traffic.

Physicians stress test your body to see how your heart performs.

Vehicles are stress tested in collisions to see how safe they are.

You should stress test your accounting to see how your processes and procedures hold up.

For many, audits aren’t practical because they’re expensive. Instead, focus on creating systems that force audit-like reviews. Inventory counts are a good example of this. Creating an event around these tests (turning it into a game of sorts) takes away some employee dread while being a reminder that you take the review functions seriously.

Review transaction-level detail monthly

I’m of the opinion that no matter how big you get, you should always do some sort of review on the underlying transaction data.

When looking at the information, look for:

1. New vendors
2. Unrecognized transaction
3. Appropriate documentation
4. Did it follow the procedure?

Not only will you learn a lot about your business, but it also shows others that you’re plugged in.

Do you think an employee who has had to pull transactions because the CEO asked for it is likely to steal money?

I doubt it.

—

No amount of steps or rules will make you immune to someone stealing money from your business.

But the right steps can significantly reduce your risk and make you less likely to be susceptible to it.

I was once talking to an IT professional about all the IT protections we’d put in place for the business. He said the idea isn’t that we make penetration of your network impossible, but that we make it harder than the guy down the street.

Hackers look for the easy opportunities.

In the same way, employees who steal take the easy opportunities. Remove them and you protect not only your business, but the employees themselves.