Trust But Verify: The Only Way Trust Survives

[Photo: Rita Crundwell]

by Tom Golden · In: Forensic Accounting, Prevention · on Feb 7, 2026

Before Behavior Can Change—Belief Must Change

Most people think fraud comes from the outside.

A hacker. A thief. A stranger.

That’s comforting, but it’s also usually wrong—at least when it comes to accounting fraud, corruption, and the quiet kinds of theft that happen in plain sight.

Because the real threat usually isn’t “out there.” It’s inside your org chart. Inside your approvals. Inside your assumptions. And most of the time, it’s not your system… It’s the person sitting at the keyboard. 

In my work, the people most likely to defraud you are rarely strangers. They’re the people you already know. The ones you rely on. The ones you trust.

That’s not paranoia.

That’s pattern recognition.

And it’s why the phrase “trust but verify” keeps showing up—usually as a warning people nod at…and then ignore.

Insider fraud still accounts for an overwhelming share of organizational fraud. It’s rarely a stranger. It’s a trusted insider, operating inside the gaps we never bothered to check. Why? Because we trusted them.

And here’s the part that stings: these people are cons.

“Con” is short for a confidence game—they win your confidence first, because it’s a necessary step in the process of defrauding you. Successful cons are exceptionally good at it. And once they have your confidence—look out.

Smart people get conned every day. Not because they’re incompetent, but because they’re busy, decent, and wired to trust what feels familiar.

President Reagan popularized the phrase during Cold War treaty negotiations with Mikhail Gorbachev, calling it an “old Russian maxim”—trust, but verify—because agreements are meaningless without verification.

But outside geopolitics, it matters even more—because in real life, betrayal doesn’t look like a movie villain.

Why “Trust People Until They Give You a Reason Not To” Fails

Most of us were raised on a simple moral lesson:

Trust people until they give you a reason not to.

It sounds decent. Even noble.

Unfortunately, in fraud—and in many of the worst betrayals in life—that advice fails at the exact moment it matters most.

Because by the time someone “gives you a reason,” the damage is already done.

Fraud thrives where trust already exists.

Not because trust is bad.

Because trust creates access.

And access—without oversight—is opportunity.

Trust Is Not the Enemy. Unchecked Access Is.

Here’s the part people miss:

The biggest fraud risks often aren’t behavioral.

They’re structural.

Too much access. Too little oversight. Too much reliance on one person.

That’s why I’ve said for years that verification isn’t about suspicion—it’s about structure.

Healthy organizations don’t run on “good vibes.” They run on clear roles, effective controls, and routine verification—because pressure, opportunity, and rationalization can coexist in any human being under the right conditions.

That’s not cynicism. That’s realism.

“Verify” Doesn’t Mean “Assume the Worst”

One of the most important clarifications from my Wiley textbook is this:

The message is not to withhold trust.

It’s to trust—but verify. Because “verify” has a practical meaning.

In the simplest terms, verification asks three questions:

  • Completeness: Is anything missing?
  • Accuracy: Is what’s recorded actually correct?
  • Validity: Is it real, legitimate, and authorized?

No accusation. No witch hunt. Just evidence.

That’s the entire point of “trust but verify” when you apply it to fraud risk: you don’t manage risk with feelings. You manage it with objective proof.

A Case Study: Dixon, Illinois — The Rita Crundwell Fraud

If you want a clean illustration of how trusted access can beat a whole town’s common sense, look at Dixon, Illinois—population just 15,000. 

Rita Crundwell was the city treasurer. Over roughly two decades, she siphoned off public funds—nearly $54 million—without detection. It stands today as the largest municipal fraud in U.S. history.

One of the most maddening details is how simple the eventual discovery was.

The City of Dixon’s recorder/clerk needed the bank statements to prepare the monthly Treasurer’s report to the city council. Rita had always done that.

What she discovered was shocking—a secret account no one had known existed. For roughly 20 years, Crundwell ran the fraud through a single city bank account—an account that survived because the city failed to enforce separation of duties and routine reviews.

This wasn’t an advanced cyber scheme.

It wasn’t a “perfect crime.”

It was a basic, long-running control failure—protected by trust.

And if that one piece of verification had happened a decade earlier, the same outcome would have occurred: that bank statement would have surfaced, the secret account would have been exposed, and the fraud would have begun to collapse. A simple but efficient separation-of-duties routine: have someone other than the city treasurer pick up the bank statements. Not rocket science.

Let that sink in.

“We trusted Rita” was the common refrain as I interviewed Dixon officials—the mayor, city council members, and residents—and then spoke with the whistleblower: City Clerk Kathe Swanson, the one who first spotted the secret account while Crundwell was out of town. On previous trips, Crundwell had her cousin pick up the mail. Guess she forgot this time.

Here’s the general shape of how a fraud like this survives for so long:

  • The fraudster sits in the “trusted” seat. A long-tenured insider with authority, respect, and very little friction.
  • One person becomes the system. When a single role controls too many steps—setup, approvals, reconciliations—verification becomes optional.
  • Oversight becomes ceremonial. Reviews happen, but they’re high-level, rushed, or based on summaries provided by the same person being “trusted.”
  • The story explains the pain. Budget cuts, staff shortages, deferred maintenance—those look like “small-town reality”…until you learn what was quietly being siphoned.
  • The lifestyle is the clue—after the fact. When the money is gone, everyone can connect the dots. While it’s happening, people normalize what they don’t understand.

NOTE: I was the financial fraud expert in the documentary All the Queen’s Horses, which lays out how this played out and what it cost the town. I’ll do a later post that goes deeper on Dixon—what warning signs were missed, how she actually pulled it off and stayed under the radar, and the simple verification habits that would have ended it years earlier.

Ready To Stop Reading This Article?

I know what you’re thinking: “I already know all this.”

And you’re also thinking that what happened in Dixon, Illinois, could never happen in your organization. You and your team are too savvy, too experienced, too educated to ever let a Rita Crundwell get away with what she did.

Think what you will. I live a very comfortable retirement because plenty of people believed that… right up until I got the call to help expose the damage.

But before you dismiss all this, consider a little-known fact: Dixon is the boyhood home of Ronald Reagan—the guy who helped popularize “trust but verify.” They even erected a statue of him a few blocks from City Hall… where an entire community failed to follow their most famous resident’s advice… for two decades.

Ronald Reagan Statue along the Riverwalk in Dixon, IL

So before you walk away, pause for ten seconds and ask yourself one question:

If it could happen to them… why not you?

The Trap: Outsourcing Verification to “The Audit”

Many leaders think they’ve handled verification because an audit happens every year.

That’s a dangerous assumption. (A future post will explain why: The Expectation Gap)

Audits have a purpose. Good auditors are professionals.

But audits are not designed to “hunt intent.”

They test samples. They confirm balances.

They usually trust before they verify—because that’s how traditional auditing works.

Fraud prevention requires something different:

  • Controls that make concealment harder.
  • Oversight that makes rationalization riskier.
  • A culture where people expect verification as normal—not personal.

If you’re reading this as a leader, here’s the blunt version: an annual audit is not a substitute for internal accountability.

It’s not a substitute for clean separation of duties.

And it’s definitely not a substitute for someone who asks hard questions every month.

A Human Lie Detector

You were not hired to be a human lie detector.

You were hired to exercise control responsibilities—as outlined in the company’s policies and procedures manual, which you were trained on.

And if you’re an external auditor, you’re carrying out a fiduciary responsibility. The standards don’t ask you to “feel out” the character and integrity of the people who create or approve transactions. They ask you to obtain objective evidence.

So when someone says, “I trust them,” and uses that as a reason to stop verifying, that’s not professional judgment. That’s someone not doing their job.

It really is that simple.

Which means you have a couple of choices.

You can ignore this advice and keep treating trust like a substitute for verification. Maybe one day I’ll get a call, and we’ll meet in person… in the aftermath.

Trust me on this: that won’t be a good meeting.

Or you can change how you view trust—right now—and make it permanent.

Choose well.

How to Practice “Trust But Verify” Without Becoming a Cynic

If you want to keep trust healthy—and keep your organization (and life) protected—make verification boring.

Make it routine.

Make it impersonal.

Here are three ways to do it.

1) Verify the work, not the person

You don’t say, “I don’t trust you.”

You say, “We are testing the control mechanism—not you.”

“The position you occupy has responsibilities, and this is how we do it here.”

And if somebody tries the classic line—“Oh, don’t you trust me?”—here’s the response:

“Of course, we trust you. Otherwise, you wouldn’t have the responsibilities you do. This isn’t personal. I’m just doing my job. And honestly—if we didn’t verify, why do any audits at all?”

Here are some examples of “verify the work” habits that actually matter:

  • Two sets of eyes on bank reconciliations; real separation of duties.
  • Independent review of vendor setup and vendor bank changes.
  • Approval limits that actually mean something (and aren’t routinely bypassed).
  • Monthly financial review by someone who can ask hard questions—and won’t back down when they don’t like the answers.

People who are honest won’t be offended by a system that treats verification as normal.

They’ll be relieved.

2) Remove single-point control of money

If one person can authorize, record, and reconcile—your “trust” has become a control failure.

Rotate duties. Force vacations. Separate custody from recordkeeping.

Fraud loves comfort. It loves routine. It loves “no one else knows how to do it.”

If you hear that sentence in a finance function, treat it like a flashing light on the dashboard. Because “only I can do it” often really means “no one else can see it.”

3) Build a truth channel that doesn’t depend on courage

Even the best controls miss what coworkers see.

That’s why independent reporting channels matter: people don’t need proof—they need a safe place to speak up. (If you missed my last post, it digs into this in detail—why whistleblowers matter, why people stay silent, and what a real hotline should look like.)

You don’t build this because you assume everyone is bad.

You build it because you accept the truth about human nature:

Pressure happens. Temptation happens.

And sometimes the person who “would never do that” is the one doing it. (If you read my post on Harry, you know exactly what I mean.)

Final Thought

Trust is essential to functioning organizations, families, and communities.

But blind trust—especially when paired with access and authority—is an invitation to harm.

So the lesson isn’t to stop trusting. It’s to stop confusing trust with control.

W.H. Auden put it perfectly in just a few words: “Evil is unspectacular and always human.”

Meaning: it doesn’t always kick the door in.

Sometimes it holds the door open.

Sometimes it’s been in your company for 20 years.

Sometimes it eats at your table.

Take another look at Crundwell’s photo at the beginning of this post. She’s not your typical white-collar criminal. She’s no “Harry.”

She’s a reminder that evil often looks ordinary… even familiar.

Think of her the next time you feel tempted to trust before you verify.

— Tom Golden

I’m headed to a warmer climate for a while, so no post next week. See you in a couple weeks. Subscribe so you never miss a post.

TOM GOLDEN

TOM GOLDEN has retired from leading one of the largest forensic accounting investigation practices in the US. He has a national reputation in financial crime investigation and is a frequent presenter to Fortune 500 companies and many organizations, including the FBI and the IRS.
