We Just Discovered an Employee Has Embezzled From Us — What Do I Do Now?

The Answer in 60 Seconds

First, do not confront the employee. Preserve evidence quietly: lock email, retain server logs, secure physical records, take backups. File a police report — Singapore Police Force or the Commercial Affairs Department (CAD) for material commercial fraud — most Fidelity Guarantee (FG) policies require a police report as a condition precedent. Notify your FG insurer within the policy notification window (often days to weeks of discovery). Engage a forensic accountant (insurer often has a panel) to quantify the loss. Engage employment counsel before any disciplinary action — botched dismissal can complicate the claim. Document the discovery, the audit trail, and the chronology in a timestamped record. Most FG policies have discovery period restrictions (typically the act must be discovered within the policy period or within 3–6 months after termination of policy or employment).

The Step-by-Step

Discovering an employee embezzlement is a moment of multiple competing instincts: anger, urgency, the desire to confront, the desire to "make it right immediately." The right response is the opposite of those instincts. Preservation, documentation, professional engagement, and discipline produce both better recovery outcomes and a defensible claim. The article below sets out the sequence.

Hour 0 — Stop, do not confront, preserve

The single most damaging mistake in employee fraud cases is the confrontation reflex. The instinct is to call the employee in, demand an explanation, and either fire them on the spot or insist on repayment. The consequences:

Employee tipped off, may destroy evidence (delete emails, transfer funds, leave the country)
Insurer may decline FG cover (cooperation conditions breached)
Police investigation compromised
Civil recovery weakened
Wrongful dismissal exposure if dismissal is later overturned

Instead:

Lock the employee's email account remotely (with IT, quietly)
Preserve all access logs (system logs, building access, file access)
Secure physical records the employee had access to
Take backups of everything the employee touched — accounts, customer lists, supplier records
Limit knowledge of the discovery to the minimum necessary group (typically: founder/CEO, finance/audit lead, legal, HR if needed, but not the rest of the team)

Do not yet:

Confront the employee
Disable physical access (which would tip them off)
Discuss with other staff
Communicate externally

Hour 0–24 — Initial assessment and engagement

Verify the discovery. Many initial "fraud" suspicions turn out to be process errors, miscommunications, or legitimate transactions misread. Before escalation, an experienced finance person should verify the underlying facts.

Once verified:

Engage employment lawyer. Within 24 hours of verification. Singapore employment law (under the Employment Act 1968) and proper inquiry processes matter — particularly for summary dismissal for misconduct. A botched dismissal creates a wrongful dismissal claim that complicates everything.

Notify Fidelity Guarantee insurer. Most FG policies have notification windows of:

"As soon as reasonably practicable" — most common
7 days, 14 days, or 30 days specified — some wordings
Strict notification requirements — late notice can void cover

Initial notification should include: nature of suspected dishonesty, employee name, role, period (estimated), quantum (estimated), nature of evidence held.

Engage forensic accountant. Singapore has multiple firms with established forensic practice — KPMG, Deloitte, EY, PwC, RSM, BDO Singapore, and specialist boutiques. The insurer typically has a panel; engaging panel forensic accountants ensures cover for the cost. Engaging your own without insurer authorisation may not be reimbursable.

Day 1–7 — File police report, secure evidence

Police report.

For commercial fraud above a few thousand SGD, the Commercial Affairs Department is the typical SPF unit. For smaller cases, file at any Neighbourhood Police Centre or via SPF e-Services.

The police report:

Documents the offence
Triggers SPF investigation
Is typically a condition precedent for FG insurance claims
Provides a reference number for civil and insurance proceedings

Singapore criminal offences potentially relevant:

Criminal breach of trust (sections 405–409 of the Penal Code 1871)
Cheating (sections 415–420)
Forgery (sections 463–477)
Computer Misuse Act 1993 offences if computer systems were involved

Forensic investigation begins.

Forensic accountants typically:

Reconstruct transaction history
Identify the dishonesty scheme
Quantify net loss (gross loss minus recoveries)
Identify scope and period
Trace funds where possible
Produce a defensible report for insurance and legal proceedings

This typically takes 4–12 weeks for moderate cases, longer for complex schemes.

Day 7–30 — Suspension, then disciplinary action

Once evidence is preserved and forensic investigation is underway:

Suspend the employee with pay (initially). This:

Removes their access to systems, premises, customers
Avoids tip-off
Provides time for proper inquiry
Doesn't yet trigger termination remedies

Conduct proper inquiry. Per Singapore employment practice:

Notify employee of allegations in writing
Provide opportunity to respond
Conduct hearing (formal or informal depending on context)
Document the inquiry thoroughly
Decision on disciplinary action

Termination decisions:

For clear, proven dishonesty: summary dismissal under the Employment Act
For ambiguous cases: termination with notice plus civil/criminal proceedings to recover
Engage employment counsel for the specific termination strategy

Avoid:

Public statements about the dismissal
Disclosure to other employees beyond minimum necessary
Making the dismissal a publicity event
Settling on the spot for a fraction of the loss

Insurance claim under Fidelity Guarantee

Standard FG claim file (per typical Singapore wordings, e.g. Tokio Marine, Lonpac, Great American):

Completed claim form
Police report copy
Forensic accountant's report
Employment records (offer letter, role, access privileges, termination letter)
Internal audit findings and supporting documents
Bank statements, ledgers, transaction records
List of recoveries (cash recovered, salary owed, CPF balances offset)
Statutory declaration (where required)

Key FG considerations:

Discovery period: acts must typically be discovered within the policy period. Late discovery (after policy lapse) is usually limited to a 3–6 month tail.
Period of dishonesty: acts during the policy period are covered; acts before are limited (typically 12 months prior to termination).
Aggregate limit: FG policies have annual aggregate limits; multi-employee or multi-event scenarios can exhaust the aggregate.
Employee scope: named-position vs all-employee policies differ; check that the dishonest employee is within scope.
Recovery offset: outstanding salary, CPF, bonuses owed to employee are typically offset against the claim payment.

See Article 48 for full FG mechanics.

Civil recovery and subrogation

After insurance settlement, the insurer is typically subrogated to the employer's right to recover from the employee. Recovery options:

Civil action against the employee personally (for the amount paid plus interest)
Asset tracing (forensic; bank account freezing orders where supported)
Bankruptcy proceedings if the amount is material and assets are insufficient
Criminal compensation orders (where the employee is criminally convicted)

Recovery rates vary widely. Most embezzlers do not retain the funds (gambling, lifestyle, debts). Realistic recovery rates of 10–40% of the loss are common; some cases recover much less, occasional cases recover most.

Internal communication

To the wider team (typically after employee departure):

Brief, factual, non-sensationalised
Acknowledge the situation without details
Reaffirm controls and culture
Address the elephant in the room — staff are already speculating

To customers and suppliers (where they were affected):

Coordinate with legal counsel
Factual notification where customer/supplier records were affected
Avoid defamation of the departing employee

To the public:

Generally, not. Employee fraud doesn't typically merit public statement unless required by regulatory disclosure.

Specific scenarios

Scenario A: Accounts staff diverted customer payments to personal account

Forensic reconstruction of customer payments vs deposits
Customer relationship preservation important
FG typically responds (subject to policy terms)

Scenario B: Sales staff faked expense claims over years

Forensic review of expense claim history
Period of dishonesty often longer than current policy — discovery period and look-back period matter
FG response depends on the specific policy terms

Scenario C: Warehouse staff stole stock

Stock count discrepancy investigation
May fall under FG (employee dishonesty) or under stock theft cover (different policy)
Coordination of cover responses

Scenario D: IT administrator misused privileged access

Cyber implications (data, system integrity)
Both Cyber and FG may respond
Forensic IT investigation alongside accounting forensic

Scenario E: Senior executive committed major fraud

D&O implications if executive is also a director
Significantly higher quantum typical
Public/regulatory disclosure may be triggered for listed companies
FG aggregate limits may be exhausted; D&O/Crime stack-up may be relevant

Common Mistakes / What Goes Wrong

Confronting the employee immediately. Tips them off, evidence destroyed.
Skipping the police report. Often a condition precedent for FG; claim falls.
Late notification to FG insurer. Notification windows are often strict.
Engaging own forensic accountant without insurer authorisation. Cost not reimbursed.
Botched dismissal triggering wrongful dismissal counterclaim. Complicates everything.
Settling privately with employee for partial repayment. May void FG; may compromise criminal case.
Public communication that defames the employee. Defamation counterclaim risk.
Internal control overhaul announced publicly during proceedings. Provides ammunition for employee's defence.
Not checking discovery period limits. Pre-termination acts may be excluded if discovered too late.

What This Means for Your Business

For Singapore SMEs, employee dishonesty is a low-probability but high-impact event. The discipline that helps when it happens:

Maintain Fidelity Guarantee cover with appropriate limits and named-position scope.
Maintain segregation of duties. Single-approver finance is the structural enabler of most embezzlement.
Run regular reconciliation. Bank-vs-ledger, customer payments-vs-deposits, expense claims-vs-receipts. Anomalies are easier to detect early.
Conduct background checks at hire. References, criminal record check, qualification verification. Proportionate to role.
Build the response playbook before you need it. Who calls the lawyer, who locks email, who briefs the forensic accountant, who notifies the insurer — these are not decisions to invent during a crisis.
Cultivate culture as control. Most embezzlement happens where the culture tolerates it. Strong ethical signalling matters.

The post-incident response is structured: preserve, file, engage, claim, recover. The pre-incident position determines whether the post-incident path is viable. Insurance funds the response; controls and culture prevent the incident.

Questions to Ask Your Adviser

What is my Fidelity Guarantee policy's discovery period, and what's the look-back period for pre-policy acts?
Are all employees covered, or is the policy named-position or named-individual?
What internal control warranties does my policy require, and am I compliant?
What is my insurer's panel for forensic accountants and employment counsel?
How does the policy interact with my D&O if a director-level employee is involved?

Related Information

Published 4 May 2026. Source verified 4 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.