How to Prevent Ghost Vendors from Eating Your Project

Published on: Mon Sep 09 2024 by Ian Hawley

Money for nothing, or am I sure that Ghost Vendors didn’t just eat my project?

Ghostbusters Afterlife

A little while ago we wrote about Ghost workers: Who are they and how to deal with them.

For many governments, particularly in the FCAS places team Abyrint often operates, the wage bill is the biggest ‘bucket’ of expenditures, and the one most susceptible to – and sometimes even designed for – funny business.

But there are always some non-wagebill costs, and the more you invest (good, in principle), the more you need to take steps to make sure that Ghost Vendors Don’t Eat Your Project. This is particularly important where funding and recipient clients are different, because bandits exploit the space between you.

You’ll recall we divided up Ghost Workers into three groups: the totally fictitious, the real-but-not-seen-anywhere-like-proportionate-to-their-pay, and the were-real-but-now-regrettably-not-available (whether dead or alive) still on the payroll.

Something similar can be done for Ghost Vendors: we identify three broad groups:

• Pure chateau-bottled fraud
• The three cup trick
• The lemon

This article:

• describes these in turn, for with non-financial services, goods and works (on the assumption that auditors for things in the financial category will generally be more successful in the basic task of checking bank balances than the auditors at Wirecard…)
• sets out some practical steps that you, your monitors, and your third-party monitors can take to reduce your chances of getting fooled

Pure Chateau-Bottled Fraud

In Pure Chateau-Bottled Fraud, payment is made against invoices or delivery/notes that have no basis in anything actually having been delivered – either because the contract agreed to advances, and/or because payment was made without evidence of delivery.

This example from Sierra Leone, https://twitter.com/GleanerSierraLe/status/162287369174122497 appears to have both of these aspects.

In this case from Kenya, KES 1 billion was apparently spent without any services being delivered: https://www.businessdailyafrica.com/bd/economy/auditor-flags-sh1bn-prisons-payout-to-ghost-suppliers-3444638

In both cases, mis- or non-communication between units within an organization, whether inadvertent or deliberate, facilitated the supplier getting paid for nothing: stating the obvious, that can happen between organisations (e.g., funder and recipient), too.

Prospects for Chateau-Bottled Fraud are particularly strong:

• Where material advance payments are permitted (but how else to enable small and/or suppliers to bid?)
• At the end of a financial year where ‘use it or lose it’ provisions can incentivize weaker control on checking delivery
• When staff handling approvals and/or payments change over
• If the cashier/accounts payable person is suborned

Chateau-Bottled Fraud is easiest with someone on “the inside” to approve payments, hurry things along, mau-mau the clerks; but the advance payment doesn’t need it.

The three cup trick

In the three cup trick, the recipient sees something, but it is either not the thing they think it is, or, if they are in on the deal, is something that gives at least a façade of plausible deniability.

A classic example is demonstration of real but irrelevant/unrelated delivery:

• payment is made against a photograph of a real toilet or school – that already existed, but cannot be differentiated by the recipient client from what was to be delivered
• payment is made against a real car being landed at the docks – but the same car is leveraging instalment payments from multiple clients

For moveable goods, ‘Revolving door’ frauds are a variation: where goods are delivered but then removed.

There’s no need for someone on “the inside” for the three cup trick; at a certain point, the embarrassment of the fear that you have been played can be enough to motivate a client not to look too hard until e.g., they are rotated out.

The lemon

In the case of the lemon, there is no existential issue: something gets delivered - but what has been delivered is not the quality it was meant to be, but rather at best a placebo, or useless, at worst dangerous. And either the client representative does not realise, or has plausible deniability to not notice.

The issue of vehicles that look good but turn out to be cut-and-shuts, or held together with porridge, is well known.

But lemons are widespread in intellectual services too:

• in our work, we’ve regularly encountered drafts of manuals or studies that turn out to be a copy-paste from another location in the region (not always with 100% find-and-replace):
• Paying for services with inherently opaque, and potentially inflated, value, such as advertising – of which the Canadian Sponsorship Scandal/”Adscam” is a fine example
• Opaque value and cut-and-paste get amusingly near to the bone of Global North professional services:
  • Law firms charging hundreds of pounds for a cut and paste from a public UK Government website
  • Reports that have been structured with the help of ChatGPT, and are, granted, ‘better than Wikipedia’

In some cases, the buyer, and/or their technical adviser, may know they have bought a lemon, and be getting a kick-back. In others, the client may simply not be well placed to tell the difference between a serious piece of work and a lemon.

Won’t get fooled again

Here are our quick recommendations of how not to be a sucker, depending on what you are buying:

1. Intellectual works/consultancy services: a. Was the document actually delivered (at some specific time etc)? b. Are the document properties and the track changes (basic, but surprising how many people don’t change them) sensible? Does it set off any alarms in free online anti-plagiarism software? c. Is there someone inhouse with the expertise to sign off the quality? d. If externally funded, and/or if there is not someone inhouse with the expertise, is there someone external (funder or adviser) who can sign off the quality?

2. Goods (moveable): a. Time and location-specific evidence of physical receipt: for anything not part of a regular flow of goods, ideally an automatically time- and GPS-stamped photograph b. Confirmation that the goods are what (including quality) and how many, they are meant to be c. Records of where the goods have or have not gone since receipt (to avoid ‘revolving door’ frauds)

3. Works (non-moveable and moveable): a. Moveable: i. evidence of before and after condition of goods to which works have been done ii. informed assessment of nature and quality of work b. Non-moveable: i. before-and-after verification evidence – time, date and location-stamped (to avoid evidence from another location/context being interpolated) ii. informed assessment of nature and quality of work done – independent consulting engineer or similar (with suitable safeguards against backhanders/kickbacks from suppliers to consulting engineers) iii. for substantial works, interim verification evidence

Scepticism, not box-ticking; not big data, but many small data

Fundamentally, the key to not getting turned over by ghost vendors is attention, scepticism and dispatch by each individual person in their separate role, rather than thoughtless boxticking; three characteristics that are not completely straightforward to automate.

What digital systems, including the Aby.Dev system we have been working on, can do, is facilitate the ‘many small data’ – and NB, as far as possible, data and raw evidence (pictures, recordings etc), not judgments – that need to flow to confirm that these goods, or these works, were found at this place, at this time.