
A business bank fraud investigation detects, documents, and proves financial theft against your accounts — check kiting, forged or altered checks, ACH and wire schemes, lapping, and insider fraud by employees or controllers. Forensic investigators reconstruct the money trail from bank records and internal ledgers, isolate who had access and opportunity, and assemble evidence that supports recovery, insurance claims, and prosecution.
Most published guidance on bank fraud starts after the money is gone — a wire has left, and the clock is running on a recall. That matters, and we cover it in our companion piece on wire fraud forensic investigation and fund recovery. This article is about the harder, more valuable problem: detection — finding the fraud that is still running, especially the internal schemes that never trip an external alarm because the person committing them controls the very records meant to catch them.
What counts as bank fraud against a business?
“Bank fraud” is not one crime. For a small or mid-market company it is a family of schemes that share a common signature: money moving in a way the accounting record either hides or mislabels. Investigators separate them by mechanism, because each leaves a different evidentiary fingerprint.
| Scheme | How it works | Primary evidence trail |
|---|---|---|
| Check kiting | Drawing on uncollected funds by cycling checks between two or more accounts to exploit float | Bank ledger vs. available-balance timing; deposit/withdrawal velocity; inter-account transfers |
| Check forgery / altered checks | Forged signatures, altered payees or amounts, counterfeit check stock | Cleared check images, endorsement analysis, positive-pay exceptions |
| ACH fraud | Unauthorized debits, changed vendor banking details, payroll or tax-payment diversion | ACH origination files, change-request emails, vendor master-file edits |
| Wire fraud | Fraudulently induced or unauthorized outbound wires, often via business email compromise | Wire instructions, email headers, approval logs, counterparty accounts |
| Lapping | Stealing a customer payment, then covering it with a later customer’s payment | A/R aging drift, posting-date gaps, remittance vs. deposit mismatches |
| Insider / employee fraud | A controller, bookkeeper, or bank insider abusing access to authorize, conceal, or redirect funds | Access logs, journal entries, override history, segregation-of-duties gaps |
| Account takeover | Credential theft giving an outsider control of online banking | Login telemetry, device fingerprints, new-payee and limit changes |
The distinction that reorganizes the whole investigation is external vs. internal. External fraud — a stolen credential, a spoofed vendor email — is often loud: an unfamiliar payee, a login from a strange device. Internal fraud is quiet by design. The person running it reconciles the account, approves the entries, and answers the auditor’s questions. That is why detection, not just recovery, is where a forensic investigator earns their keep.
How is check kiting actually detected?
Check kiting survives on float — the lag between when a bank credits a deposited check and when it actually collects the funds. A kite cycles checks between two or more accounts (sometimes at different banks) so that each account appears to hold money that is, in reality, the same dollars in perpetual transit. On any single day the books can look solvent. The fraud lives in the timing.
Detection is a ledger-and-timing analysis, not a gut feeling. Forensic investigators pull the transaction-level history for every linked account and look for a specific pattern:
- A persistent, often growing gap between the ledger balance and the collected (available) balance.
- High-velocity round-dollar deposits and withdrawals that offset one another within days.
- Recurring transfers between the same small set of accounts with no underlying commercial purpose — no invoices, no goods, no services.
- Deposits timed precisely to cover checks about to clear, week after week.
- Escalation: the sums required to keep the cycle alive climb over time, because float alone cannot fund a real deficit forever.
Banks run automated kite-detection on velocity and float, but their view stops at their own walls. When the cycle spans multiple institutions — or when it is entangled with an insider who manages the company’s side of the reconciliation — an independent investigator who can subpoena or lawfully obtain records from every account and lay them on one timeline is what actually proves the scheme. The evidentiary punchline is a reconstructed cash-flow model showing that the “balance” was never real.

Why is insider bank fraud so hard to catch — and how do investigators break it open?
Insider schemes exploit a single structural weakness that is nearly universal in smaller organizations: one trusted person controls too many steps. When the same employee can create a vendor, approve a payment, sign or release it, and then reconcile the bank statement, there is no independent check on any transaction. The Association of Certified Fraud Examiners consistently reports that occupational fraud schemes run for a long time before discovery and that weak internal controls are a leading factor — see the ACFE’s Report to the Nations for the underlying research.
Lapping: the classic concealment engine
Lapping is the signature accounts-receivable fraud. The insider pockets Customer A’s payment, then applies Customer B’s later payment to A’s account to hide the shortfall, then C to cover B, and so on — a rolling deficit that must be fed forever. It is detectable through forensic reconciliation: comparing the date a customer says they paid against the date the payment posted, then hunting for systematic delays, out-of-sequence postings, unexplained write-offs, and credits that never match a real remittance. Customer confirmations and deposit-slip analysis usually close the case.
Segregation-of-duties failure
The investigator maps every financial workflow to the individuals who touched it and flags where authorization, custody, recording, and reconciliation collapse onto one person. That map is both a diagnosis and evidence: it shows opportunity, and opportunity narrows the suspect pool. Journal-entry testing then surfaces the tells — round numbers, entries booked after hours or on weekends, manual overrides, entries to rarely used suspense or clearing accounts, and adjustments that always fall just under an approval threshold.
Because insider fraud so often leaves its clearest trail in devices and messages, financial analysis is paired with digital forensics — recovering deleted spreadsheets, examining email for altered vendor instructions, and preserving access logs in a defensible chain of custody. When the exposure points at leadership or a partner, a discreet business partner background investigation can establish undisclosed conflicts, prior misconduct, or hidden entities receiving the diverted funds.
How is ACH fraud and account takeover detected?
ACH fraud and account takeover blur the internal-external line, because an outsider with stolen credentials and an insider with legitimate access can produce nearly identical transactions. Detection therefore separates identity from authority: was the person who moved the money who they claimed to be, and were they permitted to move it that way?
For unauthorized ACH debits and diverted vendor payments, investigators examine the ACH origination files, the vendor master file’s change history, and the email thread behind any banking-detail change — the classic vendor-impersonation pattern is a “please update our account” message from a look-alike domain, timed just before a scheduled payment. For account takeover, the trail is technical: login telemetry, device fingerprints, IP geolocation, session timing, and the sequence of new-payee additions, limit increases, and alert-suppression changes that almost always precede the theft. Correlating that telemetry against the accounting record shows whether the fraud entered through a compromised credential, a malicious insider, or both acting together — a distinction that determines who is liable and how the money is recovered.
What are the red flags a business should never ignore?
Fraud rarely announces itself, but it disturbs the ordinary rhythm of the books. The following signals, especially in combination, warrant a forensic look:
- A finance employee who never takes vacation, refuses to delegate, or resists any review of “their” accounts.
- Bank reconciliations that are chronically late, hand-adjusted, or never independently reviewed.
- A widening gap between book cash and bank cash, or recurring “timing” differences that never fully clear.
- Vendors with P.O. boxes, addresses matching an employee, or bank details changed shortly before a large payment.
- Customer complaints that paid invoices still show as open (a lapping tell).
- Unusual transfers between company accounts with no business rationale, or checks payable to cash.
- Rising volume of voids, refunds, write-offs, or adjustments concentrated under one person.
- Duplicate payments, sequential missing check numbers, or positive-pay exceptions being overridden.
If several of these are present, do not confront the suspected individual first. Premature confrontation destroys evidence, tips off the subject, and can expose the company to wrongful-accusation liability. Preserve, then investigate.
How does Honeybadger approach a business bank fraud investigation?
Our financial investigations practice is intelligence-led and evidence-first. Financial forensics, digital forensics, and background intelligence are handled in-house and remote-by-design from our Arizona home command, which means we work nationwide and internationally without waiting on a chain of subcontractors. We run a disciplined sequence:
- Preserve first. Before anyone is alerted, we lock down bank records, accounting-system audit trails, email, and relevant devices under a defensible chain of custody so the evidence survives a courtroom challenge.
- Reconstruct the money. We rebuild the true cash flow from source records — bank statements, cleared-check images, ACH and wire files, and the general ledger — onto a single timeline, independent of the books the suspect maintained.
- Map access and opportunity. We chart who could authorize, move, record, and reconcile funds, exposing segregation-of-duties failures and narrowing the field to those with both access and opportunity.
- Test the anomalies. Ledger/available-balance analysis for kiting, A/R posting-date analysis for lapping, journal-entry and vendor-master testing for diversion, and digital forensics for concealment and communications.
- Quantify the loss. We calculate the provable amount — distinct from what is merely suspected — because insurers and prosecutors act on documented figures, not estimates.
- Coordinate the endgame. We work alongside your counsel, the bank’s fraud unit, insurers, and law enforcement, delivering a report and exhibits built to support recovery, a fidelity-bond claim, and prosecution.
Throughout, we protect the reversible-vs-irreversible line: we document and preserve, we never destroy, and we never take actions — freezes, confrontations, terminations — that belong to you and your counsel. Where the fraud has a cyber dimension, such as account takeover or business email compromise, our cybersecurity team examines the intrusion path, and our background intelligence unit traces beneficiaries and shell entities behind diverted funds.
How do investigators build evidence that survives court and recovers money?
A suspicion recovers nothing. Money comes back through insurance claims, civil action, restitution orders, or bank liability — and every one of those demands admissible, quantified evidence. That means an unbroken chain of custody on every record and device; source documents rather than summaries; a loss figure tied to specific transactions; and analysis a qualified examiner can defend under cross-examination.
Coordination is deliberate. Banks have fraud and Regulation-governed dispute processes with strict notification windows — the FDIC publishes guidance for consumers and businesses on reporting and liability, and unauthorized wire or ACH activity should also be reported to the FBI’s IC3, which can trigger the financial-fraud kill-chain for rapid freezing of destination accounts. Suspicious-activity reporting flows through the network overseen by FinCEN. A forensic investigator packages your evidence so it lands correctly in each of these channels rather than dying in an inbox.
For schemes that are specifically check- or ACH-based, our focused companion guide on check and ACH fraud investigation for businesses goes deeper on positive pay, ACH filters, and dispute timelines.
Frequently asked questions
How is a forensic investigation different from a financial audit?
An audit tests whether financial statements are fairly presented against materiality thresholds; it is not designed to catch a determined insider who manipulates the underlying records. A forensic investigation assumes deception, targets specific anomalies, follows individual transactions to their source, preserves a chain of custody, and produces evidence built for recovery and prosecution rather than for an opinion letter.
Should we confront the suspected employee before investigating?
No. Confrontation before evidence is preserved is the single most common way businesses destroy their own case — records get deleted, funds get moved, and the company can face wrongful-accusation exposure. Preserve records and devices quietly, engage counsel and a forensic investigator, and let the evidence be secured before anyone is alerted.
Can you investigate fraud across multiple banks or states?
Yes. Our financial and digital forensics are remote-by-design and run from our Arizona home command, so we work across banks, states, and borders. Multi-institution reach matters most in check kiting and diversion schemes, where the money crosses several accounts and no single bank sees the whole picture.
How quickly should we act if we suspect bank fraud?
Immediately. Bank dispute and liability windows for unauthorized transactions are measured in days, and the odds of freezing diverted wire or ACH funds fall sharply after the first 24 to 72 hours. Fast evidence preservation also stops an active scheme from growing. Call us the moment the pattern appears — before you confront anyone.
About Honeybadger Solutions
Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering intelligence-led forensics, investigations, and cyber services to executives, general counsel, families, and organizations nationwide and internationally. Digital forensics, financial investigations, cybersecurity, and background intelligence are handled in-house — not brokered to third parties — from our Arizona home command, keeping every engagement discreet, controlled, and defensible.
Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: If you suspect check kiting, insider theft, or an unauthorized transfer against your business accounts, contact us before confronting anyone — evidence preservation in the first hours often decides whether the money comes back.