While Macy’s centennial Thanksgiving Day Parade in NYC may have once again thrilled the audience gathered in front of its flagship store, all is not well on the inside.
The Gist
In a recent press release, Macy’s announced it would have to delay the company’s quarterly earnings report after discovering a single employee concealed up to $154 million in expenses over nearly three years. Here are some of the key details from the release:
- The unnamed employee deliberately hid small package delivery costs from Q4 2021 to Q3 2024.
- The hidden expenses represent about 3-3.5% of Macy’s $4.36 billion in delivery costs during this period.
- Macy’s has initiated an independent forensic accounting investigation.
- The company has since strengthened internal controls and confirmed there was “no material impact” on financial results.
But the story didn’t end there. Four months later, Macy’s announced a CFO transition.
On April 1, 2025, the retailer said Thomas J. Edwards, CFO and COO of Capri Holdings, will succeed Adrian Mitchell as Macy’s new CFO and COO, effective June 22.
While Macy’s stated the leadership change was unrelated to the accounting issue, industry analysts note that financial reporting integrity almost always falls under a CFO’s purview. As one expert told CFO Dive, “The unfortunate reality of being CFO is that once the mistake was found, the board had to act.”
Why it Matters
This case underscores how internal fraud and process failures can ripple far beyond accounting.
Even when unintentional, incidents like Macy’s can erode investor confidence, delay reporting cycles, and create reputational fallout that extends well beyond the balance sheet.
It also illustrates how fragile manual oversight can be — especially in large organizations where trust, scale, and complexity collide. According to a 2024 Insider Threat Report:
- 48% of organizations say insider attacks have become more frequent in the past year.
- 51% experienced six or more insider-related incidents.
- Nearly 30% reported remediation costs exceeding $1 million per event.
These aren’t isolated anomalies; they reflect a growing systemic challenge inside enterprise environments where visibility and accountability lag behind volume and velocity.
Why Insider Threats Succeed
The Information Systems Audit and Control Association (ISACA) is a professional association with 180,000 members who work in digital trust fields. In July, ISACA published a paper titled Why So Many Organizations Underestimate Insider Threats. In the report, they identified four primary drivers related to human nature, not a technology or attack technique.
These include:
- The first was simply known vs. unknown. We tend to distrust unknown factors more than known factors.
- The next driver was inherent trust. Nobody hires people they don’t trust.
- Next is a fundamental miscalculation of risk. Much of the energy and noise in cybersecurity is focused on external threats, the various attacks, threat actor groups, and nation-states driving them when, in fact, an insider is involved in data breaches 60% of the time.
- The final driver was budget. They believed cybersecurity experts would likely prioritize guarding against external threats over insider threats.
But it’s not just the human factor. The partner ecosystem and business payment process are target-rich environments for internal and external fraudsters. Vendor management is complex, especially for businesses with hundreds or thousands of third-party suppliers. These companies are particularly susceptible to insider and/or external attacks because they are not able to continuously monitor and enforce proper security protocols and controls throughout the lifetime of each individual vendor relationship.
Another unique type of threat that businesses struggle with is the malicious insider. Unlike external attackers, who need to invest heavily in surveillance and information gathering to discover where their target’s soft belly is, the insider has a distinct advantage: They already intimately know the organization’s inner workings. This is exactly what occurred at Macy’s and in 2023 at Apple when an employee swindled $17 million through kickbacks, inflated invoices, and more.
Trustmi’s Take
Macy’s $151 million concealment—and the subsequent CFO transition—serve as a case study in the real cost of internal blind spots.
To combat internal fraud such as what transpired at Macy’s and Apple, companies should implement comprehensive payment security solutions that offer end-to-end protection and utilize AI and machine learning to detect abnormal payment activities, perform real-time risk assessments, and identify insider threats. By automating financial processes and providing full visibility from vendor onboarding to payment release, these solutions reduce manual errors and increase transparency.
Companies should also prioritize implementing advanced fraud detection systems, regularly audit their financial processes, and foster a culture of ethical behavior. Last but certainly not least, invest in strengthening an organization’s defense against internal fraud by training employees on fraud prevention while establishing clear reporting mechanisms that make it quick and easy to report suspicious activities.