A personal assistant in New York recently admitted to stealing nearly $10 million from an elderly couple who trusted her with access to their finances. According to federal prosecutors, Catalina Corona worked for the couple for years and used that position of trust to deposit hundreds of checks made payable to herself or to cash, without the victims’ knowledge or consent. The fraud allegedly ran from about 2017 through 2024, and the money was used to pay credit card bills and buy luxury items from brands like Louis Vuitton, Cartier, and Gucci.
Here’s the part that should make every business owner, nonprofit leader, and family member sit up straight.
This was not a complicated cyberattack.
This was not a hacker in another country.
This was not some elaborate Hollywood-style fraud.
It was access. Trust. Lack of oversight. And time.
And time is exactly what fraudsters need.
Fraud Usually Does Not Start With $10 Million
Most fraud does not begin with someone stealing millions on day one.
It starts small.
A check here.
A transfer there.
A personal expense “accidentally” paid from the wrong account.
A reimbursement that no one questions.
A vendor payment that looks normal enough to pass through.
Then the fraudster watches.
Did anyone notice?
Did anyone ask for backup?
Did anyone review the bank statement?
Did anyone compare the cleared checks to the accounting records?
When the answer is no, the behavior escalates.
In this case, the scheme reportedly went undetected for years. Yahoo Finance reported that the fraud came to light after a bank flagged a suspicious $1,500 check in 2024. Think about that. Not a $150,000 transfer. Not a giant wire. A $1,500 check.
That is the lesson.
Fraud is often caught in the small details, but only if someone is actually looking.
The Real Risk Is Not Just “Bad People”
Yes, people commit fraud. But fraud does not happen in a vacuum.
Fraud grows where systems are weak.
That means the real question is not, “Do I trust this person?”
The better question is, “Have I built a system that does not require blind trust?”
That may sound harsh, but it is actually kind.
Strong controls protect everyone. They protect the owner. They protect the bookkeeper. They protect the assistant. They protect family members. They protect employees who are doing the right thing.
Because when there is no oversight, everyone is vulnerable.
The Fraud Triangle Was Sitting Right There
Most occupational fraud has three ingredients: pressure, opportunity, and rationalization.
The one you can control most directly is opportunity.
You may not know whether someone is under financial pressure. You may not know what they are telling themselves to justify bad behavior. But you can absolutely control whether one person has unchecked access to money.
In this case, the assistant had access to financial accounts and allegedly used checks, unauthorized transfers, and impersonation tactics to move money out of the victims’ accounts.
That is not just an elder abuse warning. It is a business warning.
If one person can create, approve, record, and reconcile money movement without review, you do not have a finance system.
You have a hope-and-prayer system.
And hope is not an internal control.
What Business Owners Can Learn From This Case
This story involved an elderly couple, but the same patterns show up inside businesses and nonprofits all the time.
A trusted employee handles the books for years.
A founder never reviews the bank activity because “she’s been with us forever.”
A nonprofit treasurer signs checks without seeing invoices.
A business owner gives one person access to bookkeeping, banking, payroll, and credit cards.
Everyone feels comfortable.
Until something feels off.
Then the cleanup begins, and cleanup is always more expensive than prevention.
Here are the controls that would have made this kind of fraud much harder to pull off.
1. Separate Access From Approval
The person entering bills should not be the only person approving payments.
The person writing checks should not be the only person reviewing bank activity.
The person reconciling the account should not be the only person with access to the bank.
You do not need a massive accounting department to make this work. Even small businesses can create simple separation of duties.
For example:
The assistant can prepare payments.
The owner approves them.
The bookkeeper records them.
A separate reviewer looks at the monthly bank statements.
That is not bureaucracy. That is protection.
2. Review Bank Statements Directly From the Bank
Do not rely only on reports generated from the accounting system.
Why? Because accounting records can be manipulated.
Bank statements show what actually cleared.
Every month, someone independent should review the bank statement and look for:
Checks made payable to cash
Checks made payable to employees or assistants
Unusual transfers
New payees
Duplicate payments
Personal expenses
Large credit card payments
Payments just under approval thresholds
Missing check numbers
Electronic transfers with vague descriptions
You are not looking for perfection. You are looking for patterns.
Fraud almost always leaves a trail.
3. Stop Using “Cash” as a Payee
Checks made payable to cash are a giant red flag.
Could there be a legitimate reason? Maybe once in a while.
But routinely? Absolutely not.
A basic rule every business, nonprofit, and family office should adopt is this:
No checks payable to cash without written documentation and approval.
Even better, avoid them entirely.
Money should have a clear destination, a clear purpose, and clear backup.
4. Require Backup for Every Payment
Every payment should answer three questions:
Who was paid?
Why were they paid?
Who approved it?
No invoice, no receipt, no written explanation, no payment.
This is where a lot of fraud prevention becomes boring, and that is a good thing. Boring systems catch expensive problems.
Fraudsters love vague processes. They hate documentation.
5. Watch for Lifestyle Red Flags
The stolen money in this case was reportedly used for luxury purchases and credit card payments.
That does not mean every employee with a nice handbag is committing fraud. Let’s be clear.
But when someone with access to money suddenly shows signs of spending far beyond what makes sense, especially alongside secretive behavior, missing documentation, or resistance to oversight, it is worth paying attention.
Fraud prevention is not about suspicion for the sake of suspicion.
It is about noticing when the story and the numbers do not match.
6. Do Not Let Trust Replace Oversight
This is the hardest one.
Fraud often happens because the person is trusted.
“They’re like family.”
“They’ve handled this for years.”
“They would never do that.”
“I don’t want them to think I don’t trust them.”
Here is the truth: good people do not mind good controls.
If someone gets offended because you want bank statements reviewed, invoices attached, or payment approvals documented, that reaction is information.
You are not accusing anyone by putting controls in place.
You are running things like a grown-up.
7. Pay Attention to Elder Financial Abuse
This case is also a reminder that older adults are especially vulnerable when they rely on others for help managing daily finances.
The FBI reported that adults over 60 filed more than 147,000 elder fraud complaints in 2024, with reported losses totaling about $4.885 billion.
Families should consider safeguards like:
A trusted second reviewer on accounts
Monthly statement reviews
Transaction alerts
Limits on check-writing authority
Separate roles for caregiving and money management
Regular meetings with financial advisors, attorneys, or accountants
Immediate follow-up on unusual bank activity
The goal is not to take away independence. The goal is to protect dignity, assets, and peace of mind.
The Bottom Line
Fraud prevention is not about paranoia.
It is about refusing to make it easy.
The $10 million personal assistant fraud case is shocking because of the amount. But the mechanics are painfully familiar: access, trust, weak oversight, and years of missed warning signs.
That is how fraud grows.
So here is the question every business owner, nonprofit board member, and family should ask today:
If someone were stealing from us, how quickly would we know?
If the answer is “I’m not sure,” that is your starting point.
Pull the bank statements. Review who has access. Look at payment approvals. Check whether one person has too much control. Start with one account, one month, one process.
You do not need a perfect system by Friday.
But you do need a system.
Because fraud does not wait until you are ready.
