Skip to content
Field note

How to Spot Employee Fraud Before It Costs You

Employee fraud is the misuse of company funds or assets by the people trusted with them, and it is quiet by design. The warning signs show up earlier than most owners think; what you do in the first days after a suspicion decides most of what it costs you.

I have sat across the desk from a lot of business owners in the days after they first said the word "fraud" out loud. The pattern is almost always the same: the numbers had been whispering for months, somebody finally listened, and now the owner is caught between disbelief and anger, not sure whether they are allowed to check the things they want to check. This guide covers what employee fraud actually looks like in Ontario businesses, the signs that show up early, what to do (and not do) the day suspicion lands, and how a professional investigation runs from first call to findings report.

What counts as employee fraud?

Employee fraud is any deliberate misuse of an employer’s funds, assets, or authority for personal benefit. In the files that cross my desk, it almost always takes one of a handful of shapes:

  • Payroll manipulation. Inflated hours, ghost employees who exist only on the payroll run, or unapproved rate changes that survive because nobody reconciles the payroll report against the org chart.
  • Expense fraud. Personal purchases dressed up as business costs, duplicate submissions of the same receipt, or mileage and per diem claims for trips that never happened.
  • Inventory shrinkage. Product leaving through the back door, written off as damage or count error, often in quantities small enough that each individual loss looks like noise.
  • Procurement kickbacks. An employee steers contracts to a vendor in exchange for a percentage, a favour, or a job later. The invoices are real; the prices are not.
  • Time theft. Systematic misrepresentation of hours worked, second jobs run on your clock, or badge-in patterns that do not match any work product.

The common thread is trust. Every one of these schemes depends on the person being exactly who the business stopped watching, which is why the losses run so much longer than anyone expects.

In practice the categories blur. A real file rarely contains one clean scheme; it contains a person and the opportunities their role gave them. A bookkeeper’s fraud lives in payments and reconciliations, a warehouse lead’s in counts and write-offs, an operations manager’s in vendors and approvals. When you understand the role, you understand where to look.

What are the warning signs of employee fraud?

The earliest signals are usually behavioural, not financial. In my experience the financial evidence confirms what the behaviour already suggested:

  • An employee who never takes vacation, refuses to cross-train anyone, or gets visibly uncomfortable when someone else touches their files. Schemes need daily tending; time off is when they surface.
  • A lifestyle that quietly outruns a salary: the new truck, the renovation, the trips, without any obvious outside explanation.
  • Vendor relationships that feel personal. One supplier who always wins, invoices that are round numbers, a contact who only deals with one employee.
  • Resistance to routine controls: missing documentation, "the system was down," reconciliations that are always one month behind.
  • Financial patterns that bend the wrong way: margins sliding while sales hold, adjustments and write-offs clustering under one person’s approval authority, or expense categories that grow without a business reason.
  • Documents that exist only as copies. Originals that are always missing, PDFs where system exports should be, and signatures that never quite photograph clearly.

Across files, one signal repeats: exceptions cluster around one person. Ask the quiet question, "who benefits from this being hard to check?", and the list of names is usually short.

None of these proves anything on its own, and treating any single sign as proof is how employers end up on the wrong side of a wrongful dismissal claim. What the signs justify is a closer, quieter look.

Why do most cases go undetected for months?

Fraud survives on two things: trust and routine. The person running the scheme is usually the person the owner would vouch for first, which means the early oddities get explained away by the very people best positioned to catch them. And most schemes are built to live inside routine: each transaction sits under the approval threshold, each write-off looks like the last legitimate one, and the losses only become visible when someone steps back and looks at the pattern across months rather than the entries one by one.

Small and mid-sized businesses carry extra exposure for a structural reason: the same person often handles a transaction from start to finish. When one employee can create a vendor, approve the invoice, and reconcile the account, the control that would have caught the scheme does not exist. By the time it surfaces, the damage is already compounding: direct financial loss, legal exposure if the response is mishandled, and reputational risk if it becomes public.

It is also worth knowing how these cases actually come to light, because it is rarely the audit. It is the scheme’s keeper finally taking a vacation, a new hire asking a question nobody had asked in years, a vendor calling about an invoice that was supposedly paid, or a tip from someone who noticed more than they let on. The window between that first crack and the employer’s first visible reaction is where cases are won or lost, which is exactly why the next section matters more than any other in this article.

What should you do first if you suspect fraud?

The first days decide most of what follows. The instinct is to confront the employee and demand answers. It is almost always the most expensive move available.

Before anything else

Do not confront the employee, do not announce an investigation, and do not start pulling records outside your normal duties in a way the employee can see. A confrontation warns them to destroy evidence, aligns their story, and hands their lawyer an argument that the process was unfair from the first conversation. Preserve first. Confront at the end, if at all, with counsel in the room.

What I recommend instead, in order:

  1. Preserve quietly. Secure copies of the records that made you suspicious: reports, emails, approval chains, access logs. Copies, not originals removed from their place; the goal is to freeze the picture, not disturb the scene.
  2. Limit who knows. Every additional person told is a chance the subject hears about it. Keep it to the decision-makers and, early, your lawyer.
  3. Involve employment counsel. Fraud responses in Ontario live inside employment law, privacy law, and, if it goes far enough, criminal and civil proceedings. Counsel involved from the start also extends privilege over parts of the work.
  4. Decide what outcome you actually want. Termination for cause, restitution, an insurance claim, a police report, or just a quiet exit all demand different standards of evidence. The investigation should be scoped to the outcome, not run on momentum.
  5. Check your insurance and reporting obligations early. Commercial crime and fidelity policies often carry notice requirements that start running when you first suspect, not when you confirm. Counsel can also advise on if and when a police report serves the outcome you chose.

None of this requires certainty. It requires care. The employers who end up paying twice are the ones who acted on certainty they did not have.

How does a fraud investigation work in Ontario?

When a case comes to us, it runs through a sequence that exists for one reason: producing findings your lawyer can act on without the process itself becoming the problem.

  1. Risk review. We start with the policies, records, and access controls around the suspicion: who could do what, which controls existed on paper but not in practice, and where the pattern could be hiding.
  2. Financial record analysis. The transaction trail gets reconstructed to isolate where the pattern lives: which accounts, which approval chains, which periods. This is where a vague suspicion becomes a specific, documented question.
  3. Discreet interviews and, where warranted, surveillance. Peripheral interviews are framed as routine process reviews. Where the case justifies it, lawful surveillance or an undercover placement documents what the records cannot: the side business run on company time, the meeting with the vendor, the inventory leaving.
  4. Background checks on implicated individuals. Corporate registrations, property records, civil litigation history, and open-source research often surface the connection that explains the scheme: the vendor registered to a spouse, the numbered company at the employee’s home address.
  5. A findings report counsel can act on. Everything lands in a report built for scrutiny: sources identified, methods documented, evidence handled so forensic work and testimony can stand behind it.

Two things clients are often surprised by. First, the work is quieter than expected: most of a fraud file is records and pattern analysis, not trench coats. Second, findings arrive in stages, and interim findings are actionable: access can be tightened, approval chains rerouted, and losses stopped mid-file without tipping the subject that anyone is looking.

We work alongside your legal team throughout. Fraud investigations that skip that step tend to produce evidence that does not hold up later, and in a fraud case, evidence that does not hold up is worse than no evidence: you have shown your hand and armed the other side.

Broadly, yes, within real limits, and the limits are where employers get hurt. Employers in Ontario can monitor company systems, review records employees created in the course of their work, and investigate suspected wrongdoing. Ontario’s Employment Standards Act requires employers with 25 or more employees to have a written electronic monitoring policy stating whether and how they monitor; the requirement is about transparency, not permission, but an employer whose actual practice contradicts its written policy starts any dispute on the back foot.

The limits that matter in practice: employees keep a reasonable expectation of privacy in some places even at work, and Ontario courts recognize a privacy tort (intrusion upon seclusion) that gives employees a direct route to damages when an employer’s snooping crosses into their genuinely private affairs. Covert measures aimed at a specific person need a documented, reasonable justification and a scope matched to it. This is a large part of why suspected fraud is the point where employers bring in a licensed investigator: an investigation run to evidentiary standards protects the employer from becoming the defendant.

Video deserves its own sentence, because it is where instincts run ahead of the law. Cameras in working areas, disclosed and serving a legitimate purpose, are one thing; cameras in washrooms or change areas are never defensible; and a covert camera aimed at one specific employee needs a documented justification, a narrow scope, and a time limit. Proportionality is the test a court will apply afterward, so it is the test to apply before.

What should you ask before hiring an investigator?

Whoever you hire, ask three things before anything starts:

  • Are you licensed, and under what? Private investigators in Ontario are licensed under the Private Security and Investigative Services Act. Ask for the licence number and check it; an unlicensed "investigator" contaminates everything they touch.
  • Have you worked financial cases specifically? General PI experience is not fraud experience. Ask how they handle financial records, what their relationship with counsel looks like mid-file, and what their reports have survived.
  • What exactly is the scope? Get the scope, method boundaries, reporting cadence, and cost structure in writing before work begins. A written scope is also part of your legal protection: it documents that the investigation was a measured response to a specific concern.

On cost, the honest answer is that nobody can quote a fraud investigation as a flat number without guessing, and you should be wary of anyone who does. What drives cost is scope: the volume of records to analyze, whether surveillance or an undercover placement is warranted, and whether devices need forensic imaging. Verifying a narrow suspicion is a small engagement; reconstructing a multi-year scheme is not. The practical protection is a phased scope, where each stage’s findings decide whether the next stage is worth buying.

Suspected fraud cases usually run through our workplace investigations practice, often alongside undercover placements and digital forensics. However you proceed, move early. Every month a scheme runs, the loss grows, the records age, and the story hardens. The owners who come out of these cases well did not wait to be certain. They treated suspicion as a reason to look properly. And when the file closes, spend one afternoon on the cheapest control there is: make sure no single person can create a vendor, approve its invoices, and reconcile the account, and have someone different run the reconciliation at least once a year. Most of the schemes I have investigated would not have survived that afternoon.

End of note

Articles are general. Your case isn’t.

Every case starts with a free, confidential consultation and a written scope before any work begins.