12 Types of Employee Theft (With Examples)

Employee theft costs U.S. businesses an estimated $50 billion per year, according to research compiled by Embroker's 2025 workplace theft analysis. The typical case runs 12 months before anyone catches it, and 43% are detected only after a tip from another employee.

Understanding the specific forms theft takes is the first step toward preventing it. Time theft looks nothing like cyber theft. Expense account fraud requires different controls than inventory shrinkage. Your prevention strategy needs to match the actual risk profile of your business.

How common is employee theft?

The numbers are significant. Research suggests that roughly 75% of employees steal from their employer at least once, and nearly two-thirds report committing theft at their current job. The top five methods by frequency are billing fraud (18%), cash theft (15%), larceny (11%), payroll manipulation (11%), and skimming (9%), according to the same research.

Retail accounts for 60% of employee theft cases due to high-volume transactions and inventory exposure. But theft is not a retail-only problem. Professional services firms face data and intellectual property theft. Financial services organizations face embezzlement and skimming. Every industry has a version of this problem.

The 12 types of employee theft by frequency

Before examining each type in detail, it helps to know which are most common. Based on research from Embroker and ACFE data, here are the five most frequently reported forms:

• Time theft (most prevalent, affects nearly every industry)
• Billing and expense fraud (18% of reported internal theft cases)
• Cash theft and skimming (15% of cases)
• Larceny and inventory theft (11% of cases)
• Payroll manipulation (11% of cases)

Each of the 12 types below involves different assets, different detection methods, and different prevention strategies. Knowing which risks apply to your organization helps you design the right controls.

1. Time theft

Time theft occurs when an employee is paid for hours they did not actually work. It is the most common form of employee theft and one of the hardest to detect. Common examples include clocking in for colleagues, padding timesheets, taking extended breaks, or using company time for personal tasks during remote work hours.

The financial impact is easy to underestimate because it accumulates slowly. An employee who steals 30 minutes per day, five days a week, costs an organization roughly 120 hours per year in unearned wages. Multiply that across a team and the number grows quickly.

2. Embezzlement

Embezzlement involves someone who is trusted with financial access misusing it for personal gain. Bookkeepers who transfer funds to personal accounts, managers who approve payments to fictitious vendors, payroll administrators who add unauthorized pay increases: these are all forms of embezzlement.

The most effective prevention controls are separation of duties and mandatory financial audits. When one person both approves and processes payments, the opportunity for embezzlement is significantly higher. Build in a second set of eyes on financial transactions above a defined threshold.

3. Data theft

Data theft is the unauthorized access, copying, or distribution of proprietary company information. It is one of the fastest-growing forms of employee theft because the value of data has increased dramatically, and the act itself can happen without anyone noticing.

Former employees are a particular risk. Sales representatives who download client lists before resigning, engineers who copy source code, HR professionals who retain employee records: all of these constitute data theft with significant legal and competitive consequences. Strong offboarding procedures and access revocation protocols are essential controls. Document your fraud prevention approach with documentation practices that create a clear audit trail.

4. Inventory theft

Inventory theft covers any unauthorized removal or misuse of physical company assets, whether that is retail merchandise, raw materials, office equipment, or supplies. It often occurs at receiving, shipping, or storage points where oversight is inconsistent.

Regular cycle counts, camera coverage at key inventory access points, and cross-checking purchase orders against received goods all reduce inventory theft exposure. The challenge for retail organizations is that inventory theft is often incremental, with individual incidents small enough to fall below the threshold for investigation until the pattern becomes visible.

5. Expense account fraud

Expense account fraud happens when employees falsify or exaggerate reimbursement claims. This includes submitting personal expenses as business costs, inflating mileage, creating receipts for meals or travel that did not happen, or splitting large expenses across multiple reports to avoid approval thresholds.

Clear expense policies with documented receipt requirements and manager sign-off are the baseline. Organizations that run expense reports through automated flagging systems catch patterns that manual review misses: duplicate submissions, round-number claims, and out-of-policy vendors that appear repeatedly.

6. Payroll fraud

Payroll fraud involves manipulating the compensation system to generate unauthorized payments. It can include creating ghost employees, falsifying hours worked, unauthorized pay rate increases, or duplicate payroll submissions. Like embezzlement, it requires some level of system access and often goes undetected for extended periods.

Payroll audits that compare headcount against active HR records, combined with mandatory approval chains for payroll changes, are the most effective controls. A payroll change that goes through two approvers is significantly harder to manipulate than one that only requires the payroll administrator's sign-off.

7. Skimming

Skimming involves diverting cash or payments before they are recorded in the company's accounting system. Because the transaction never enters the books, standard reconciliation checks do not catch it. It is most common in cash-heavy environments: retail, hospitality, and any business that accepts cash payments.

Regular surprise cash counts, rotating staff at cash-handling positions, and point-of-sale audits that flag unusually high void or refund rates are the most effective skimming deterrents. Employees who know controls exist and are enforced are less likely to attempt skimming in the first place.

8. Information theft

Information theft covers the misappropriation of business-critical knowledge: pricing strategies, supplier contracts, client relationships, unreleased product details, and proprietary processes. Unlike data theft, which typically involves digital files, information theft can also occur through notes, conversations, or memory.

Non-disclosure agreements define legal liability, but they are not a prevention strategy on their own. Access controls that limit who can see sensitive information, combined with clear policies about what constitutes confidential information, reduce the opportunity for information theft before it happens.

9. Intellectual property theft

Intellectual property (IP) theft involves taking or misusing a company's innovations, designs, patents, trade secrets, or creative work without authorization. In knowledge-economy industries, IP is often the most valuable asset a company owns.

IP theft frequently involves employees who plan to leave for a competitor or start a competing business. Monitoring unusual file access patterns in the weeks before a resignation, enforcing exit interview protocols, and conducting offboarding audits of company device activity all reduce IP theft risk. Your loss prevention strategy should explicitly address IP exposure alongside physical asset controls.

10. Kickbacks and bribery

Kickbacks occur when an employee receives personal payments or benefits from an outside party in exchange for directing company business their way. A purchasing manager who steers contracts to a vendor in exchange for cash payments, or a hiring manager who accepts referral fees, are both examples.

Strong conflict of interest policies with required annual disclosures, combined with procurement processes that require competitive bidding above a minimum contract value, reduce kickback risk. Whistleblower channels are particularly important here, since kickback arrangements are often spotted by colleagues before they surface in financial audits.

11. Cyber theft

Cyber theft by internal actors involves using company systems, credentials, or network access to steal assets or information. This is distinct from data theft in that it typically involves active exploitation of system access rather than simply copying files. Examples include using company accounts to make unauthorized purchases, manipulating financial systems, or selling access credentials to outside parties.

Role-based access controls, multi-factor authentication, and endpoint activity monitoring form the technical foundation of cyber theft prevention. HR and IT should work together to ensure that access is revoked promptly when an employee's role changes or when a separation begins.

12. Theft of services

Theft of services occurs when an employee uses company resources to deliver services to outside parties for personal gain: a consultant who runs a side business on company time, an IT employee who uses company equipment and licenses to serve private clients, or a contractor who bills client hours to the company while performing work for someone else.

This form of theft is harder to detect because it often does not produce a direct financial transaction inside company systems. Time tracking, project management records, and periodic billing audits that compare work completed against hours charged are the most effective detection methods.

How to investigate suspected employee theft

When theft is suspected, the investigation process matters as much as the outcome. Acting without documentation, confronting suspects before gathering evidence, or skipping formal procedures can expose the company to legal liability and make disciplinary action harder to defend.

Start by preserving evidence before alerting the subject. Secure relevant records, pull system logs, and identify potential witnesses. Then run a structured workplace investigation with a defined scope and documented findings. According to research on theft detection, 43% of cases are ultimately reported by a colleague. Anonymous reporting channels matter. Employees who see something need an easy, safe way to say something.

AllVoices is a leading employee relations platform that helps HR teams manage ER cases, workplace investigations, anonymous reporting, and employee feedback. When employees have a confidential channel for reporting suspected fraud, organizations catch problems before they reach the $50 billion aggregate. See how AllVoices works for HR teams managing misconduct investigations.

How to prevent employee theft before it starts

Prevention is more effective than detection, and most organizations have gaps in both. The controls that matter most are:

• Separation of duties: No single employee should have end-to-end control over a financial transaction, from authorization through payment to reconciliation.
• Regular audits: Surprise audits are more effective than scheduled ones. Employees who know an audit is coming can prepare. Unannounced checks surface what routine reviews miss.
• Clear policies with real consequences: Zero-tolerance language in a handbook is not a deterrent on its own. Visible, consistent enforcement of policy is. Employees are watching how previous cases were handled.
• Access controls: Limit system and physical access to what each role actually requires. Revoke access promptly when roles change or separations occur.
• Anonymous reporting channels: Peer-to-peer detection is the most common path to discovery. Build the infrastructure that makes reporting easy and safe. Review how to prevent workers compensation fraud for additional controls applicable to benefit-based theft.