
Trust Account Fraud Prevention: The Controls That Actually Stop Insider Theft

Property management (PM) firms lose an average of $180K-$400K in embezzlement cases, and the trusted bookkeeper is the perpetrator more often than not. This is the control framework that actually catches it before the damage compounds.


Marcus Thompson

Community Finance Advisor

February 2, 2026 | 9 min read

The Real Pattern

Across 2024-2025 published cases of PM firm embezzlement, the median loss has climbed to roughly $280K, with cases ranging from $80K to over $2M. The Association of Certified Fraud Examiners' 2024 Report to the Nations puts the median fraud duration at 12-14 months before detection. The perpetrator is the trusted long-tenured bookkeeper in roughly 60% of cases, the broker themselves in 15%, and outside vendors in collusion with internal staff in most of the rest.

The pattern is depressingly consistent: trust given over years, control gaps that nobody re-examined, and a slow drift from small unauthorized transactions to larger ones. The good news is the controls that prevent this are not complicated — they are just rarely implemented.

Segregation of Duties

The foundational principle, and the one most violated at small firms because "we don't have the staff." The minimum acceptable separation:

  1. The person who can initiate a payment cannot also approve it.
  2. The person who reconciles the bank account cannot be the same person who has signature authority on it.
  3. The person who manages the vendor list cannot also approve invoice payments.

At firms with 3-5 office staff, this requires the broker or owner to actively participate in approvals, not delegate. The most common failure mode is the broker who signs blank check stacks for the bookkeeper "to save time."

The Three Controls That Catch 80% of Cases

  • Independent monthly bank statement review. Statements should be delivered (unopened) to a person who does not reconcile the account. They review them for unusual transactions, then hand them to the reconciler. This single control catches most check-tampering and unauthorized transfer schemes.
  • Mandatory annual vacation. Anyone with access to trust funds must take at least 5 consecutive business days off, during which another staff member runs their job. About 30% of fraud cases unravel during the perpetrator's first forced vacation because the substitute notices something off. The fraudster who can never take a vacation is signaling something.
  • Vendor master file audit. Quarterly review of the vendor list. Cross-check vendor addresses against employee addresses. Verify vendor TINs against IRS records. Phantom-vendor fraud — paying invoices to a "vendor" that is actually the bookkeeper's PO box — is one of the highest-frequency schemes.
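The address cross-check in the vendor master file audit can be run as a script over exports of the vendor and employee lists. The following is an added example, not part of the original article; the records, field names and the `tin_verified` flag are constructed assumptions, and the TIN check itself is assumed to have been done separately against IRS records.

```python
import re

# Constructed sample data (hypothetical names, addresses and field layout).
EMPLOYEES = [
    {"name": "J. Doe (bookkeeper)", "address": "P.O. Box 412, Springfield, IL 62701"},
    {"name": "A. Smith (broker)", "address": "88 Oak Street, Apt 4, Springfield, IL 62704"},
]
VENDORS = [
    {"id": "V-001", "address": "1200 Industrial Rd., Springfield, IL 62703", "tin_verified": True},
    {"id": "V-002", "address": "PO BOX 412 Springfield IL 62701", "tin_verified": False},
    {"id": "V-003", "address": "88 Oak St #4, Springfield, IL 62704", "tin_verified": True},
    {"id": "V-004", "address": "5 Main Avenue, Springfield, IL 62702", "tin_verified": False},
]

# Common spelling variants folded to one form so trivially disguised
# addresses still compare equal.
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave", "drive": "dr",
                 "suite": "unit", "ste": "unit", "apt": "unit", "apartment": "unit"}


def normalize_address(raw):
    """Lowercase, unify PO box and unit spellings, drop punctuation."""
    text = raw.lower()
    text = re.sub(r"\bp\.?\s*o\.?\s*box\b", "pobox", text)
    text = text.replace("#", " unit ")
    text = re.sub(r"[^a-z0-9 ]", " ", text)
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in text.split())


def audit_vendor_master(vendors, employees):
    """Return {vendor_id: [reasons]} for vendors that need manual review."""
    by_address = {normalize_address(e["address"]): e["name"] for e in employees}
    findings = {}
    for vendor in vendors:
        reasons = []
        key = normalize_address(vendor["address"])
        if key in by_address:
            reasons.append(f"address matches employee {by_address[key]}")
        if not vendor["tin_verified"]:
            reasons.append("TIN not verified")
        if reasons:
            findings[vendor["id"]] = reasons
    return findings


if __name__ == "__main__":
    for vendor_id, reasons in audit_vendor_master(VENDORS, EMPLOYEES).items():
        print(vendor_id, "->", "; ".join(reasons))
```

A match is a prompt for manual review by someone outside the payment process, not proof of fraud; exact matching after normalization will still miss deliberately misspelled addresses.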

Account-Level Controls

  • Daily positive pay or check verification through the bank. The bank's fraud-prevention tools refuse to clear checks not pre-authorized by the company.
  • ACH debit blocks on trust accounts. The default should be that no outside party can ACH-debit the trust account. Authorized ACH originators are whitelisted explicitly.
  • Wire transfers require two-person approval and are called in to verify. Wire fraud (typically through compromised email accounts impersonating a board president or owner) accounted for a meaningful share of 2024-2025 losses.
  • Dual signature on checks above a threshold. Common threshold: $5,000. Higher than that requires the broker plus one other signer.

The IT Side

Embezzlement increasingly has an IT vector. The controls:

  1. Unique login per user — never shared credentials. Audit logs that show who did what, when.
  2. Email security: multi-factor authentication on everything, with phishing-resistant MFA (hardware key or authenticator app, not SMS) for accounts that can initiate payments.
  3. Vendor banking change verification: any change to a vendor's bank account requires a phone call to a known contact at the vendor, never just email confirmation. Wire fraud through fake invoice update emails was the fastest-growing scheme in 2024.
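Per-user audit logs make the segregation-of-duties rules and the account-level approval thresholds above testable. The following is an added example, not part of the original article, that checks a payment log against those rules; the user ids, field names and the set of vendor-list editors are constructed assumptions.

```python
# Constructed sample records; user ids, roles and field names are hypothetical.
BROKER = "owner"
DUAL_SIGNATURE_THRESHOLD = 5000      # the article's common threshold, in dollars
VENDOR_LIST_EDITORS = {"bookkeeper"}  # users who can change the vendor list

PAYMENTS = [
    {"id": "P-1", "type": "check", "amount": 1200,
     "initiated_by": "bookkeeper", "approved_by": ["owner"]},
    {"id": "P-2", "type": "check", "amount": 900,
     "initiated_by": "bookkeeper", "approved_by": ["bookkeeper"]},
    {"id": "P-3", "type": "check", "amount": 7500,
     "initiated_by": "assistant", "approved_by": ["owner"]},
    {"id": "P-4", "type": "wire", "amount": 3000,
     "initiated_by": "assistant", "approved_by": ["owner", "owner"]},
    {"id": "P-5", "type": "check", "amount": 400,
     "initiated_by": "assistant", "approved_by": ["bookkeeper"]},
    {"id": "P-6", "type": "check", "amount": 6000,
     "initiated_by": "bookkeeper", "approved_by": ["owner", "assistant"]},
]


def check_payment(payment):
    """Return the list of control violations for one logged payment."""
    approvers = set(payment["approved_by"])  # the same user twice counts once
    violations = []
    if payment["initiated_by"] in approvers:
        violations.append("initiator also approved")
    if approvers & VENDOR_LIST_EDITORS:
        violations.append("approver also manages the vendor list")
    if payment["type"] == "wire" and len(approvers) < 2:
        violations.append("wire lacks two distinct approvers")
    if payment["type"] == "check" and payment["amount"] > DUAL_SIGNATURE_THRESHOLD:
        if BROKER not in approvers or len(approvers) < 2:
            violations.append("check over threshold lacks broker plus second signer")
    return violations


def audit_payments(payments):
    """Return {payment_id: [violations]} for payments that broke a rule."""
    report = {p["id"]: check_payment(p) for p in payments}
    return {pid: v for pid, v in report.items() if v}


if __name__ == "__main__":
    for payment_id, violations in audit_payments(PAYMENTS).items():
        print(payment_id, "->", "; ".join(violations))
```

The check is only meaningful when every login is unique; shared credentials make the initiator and approver fields indistinguishable.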

The Annual External Review

A licensed CPA reviewing the trust accounts annually costs $3,000-$8,000 depending on portfolio size. Most state regulators do not require it, but operators who do it consistently catch issues 6-12 months earlier than those who do not. The review should include:

  • Confirmation that bank balances match property sub-ledgers at year-end.
  • Walk-through of segregation of duties.
  • Test sample of vendor invoices to verify legitimacy.
  • Review of unusual transactions or aging items.

The Cultural Element

Most fraud cases unfold in environments where the perpetrator was beyond suspicion, controls were relaxed because of trust, and questions were not asked because "she's been here 12 years." The healthy frame is that controls protect the trusted employee, too. They protect honest employees from suspicion when something goes wrong, and they protect the firm from the rare bad actor. The bookkeeper who pushes back on segregation of duties is often the bookkeeper the firm should be most worried about.

If You Find Something

The instinct in most cases is to confront the employee and try to resolve it quietly. That is exactly the wrong move. The right sequence:

  1. Document what you have found without alerting the suspected party.
  2. Engage outside counsel and a forensic accountant before any conversation with the employee.
  3. Notify your bonding/insurance carrier — most policies have notice requirements that, if missed, void coverage.
  4. Plan the termination, account access revocation, and law enforcement notification as a single coordinated sequence.

Firms that handle the response well typically recover 40-70% of losses through insurance and restitution. Firms that handle it poorly often recover less than 10%.

Tags: Fraud Prevention, Trust Accounting, Internal Controls, Property Management