Every two years, the Association of Certified Fraud Examiners publishes what is widely regarded as the most authoritative study on occupational fraud in the world. The 2026 Report to the Nations, now in its 14th edition, draws on 2,402 investigated cases across 143 countries, with documented losses exceeding USD 3.4 billion.
After thirty years and more than 20,000 cases, one finding has never budged: the single most effective way to detect fraud inside an organisation is to make it easy for people to speak up.
Here is what the 2026 edition tells us about the state of whistleblowing systems, and where most organisations still fall short.
The Scale of Occupational Fraud in 2026
Key Figures From the Study
The numbers that open the report are worth sitting with. The median loss per case in the 2026 study is USD 104,000. The mean, pulled upward by large schemes, reaches USD 1.457 million. The ACFE estimates that organisations globally lose approximately 5% of their annual revenue to fraud each year.
Across the three main fraud categories:
- Asset misappropriation is the most common scheme, appearing in 90% of cases with a median loss of USD 100,000.
- Corruption appears in 45% of cases, with a median loss of USD 150,000.
- Financial statement fraud is the rarest at 6% of cases but the most damaging, with a median loss of USD 1 million.
Why Duration Matters More Than Most Organisations Realise
The median time between a fraud beginning and being detected is 12 months. Twelve months is widely cited as a benchmark, though the more useful frame is what it costs to go undetected for that long.
The relationship between duration and loss is not gradual. Frauds caught within the first six months carry a median loss of USD 40,000. Push that to 12 to 18 months and the figure more than doubles. Schemes that run for five years or more produce a median loss exceeding USD 1.1 million.
Every month without a detection mechanism is a month where losses compound. The speed at which an organisation can surface a concern has a direct cost attached to it.
Tips Are Still the Number One Detection Method, and Have Been for 30 Years
Who Is Actually Reporting, and to Whom
In the 2026 study, 43% of occupational frauds were initially detected via a tip. Internal audit followed at 15%, management review at 13%. Together those three methods account for over 70% of all detections. But tips alone represent nearly three times the detection rate of the second-ranked method.
This finding has appeared in every edition of the Report to the Nations since 1996. Thirty years of data, across tens of thousands of cases, pointing consistently to the same conclusion: the most reliable fraud detection tool an organisation has is its own people.
Of those tips in 2026, 55% came from employees within the organisation. A further 21% came from customers, and 11% from vendors. Anonymous sources accounted for 14%.
That last figure says something important. If 14% of tips come from anonymous sources, 86% come from people willing to identify themselves when the conditions feel right. The barrier to reporting is less often anonymity than it is trust: trust that the concern will be handled properly, that the reporter will be protected, and that something will actually be done. A reporting channel that prioritises anonymity above all else addresses one part of that equation. One that combines anonymity options with a structured, transparent follow-up process addresses the whole of it.
It is also worth noting where those reports land. In the 2026 study, 32% of tips were reported directly to a supervisor rather than through a formal channel. Another 15% went to a fraud investigation team, 14% to an executive, and 8% to a coworker. A significant portion of reporting happens informally, through relationships rather than systems.
What Having a Formal Reporting Mechanism Changes in Numbers
The ACFE data is direct on this point: organisations with a formal reporting mechanism in place had a median fraud loss of USD 100,000, compared to USD 150,000 for those without one. Median duration was 11 months with a mechanism versus 17 months without.
The difference between having a formal mechanism and not having one amounts to six months and USD 50,000 in median losses, before accounting for investigation costs, reputational exposure, or regulatory consequences.
The Digital Shift: Web and Email Now Surpass the Telephone Hotline
How Reporting Channel Usage Has Evolved Since 2016
One of the clearest structural changes in the 2026 edition concerns how people report. For the first time in the history of the study, web-based reporting and email both overtook telephone hotlines as the most commonly used formal reporting channels.
The shift has been building steadily since 2016. At that point, telephone hotlines accounted for 40% of formal reports, with email at 24% and web-based at 17%. By 2026, the picture has now reversed:
- Web-based reporting: 46%
- Email: 34%
- Telephone hotline: 23%
The ACFE notes this directly, observing that web-based and online reporting has grown continuously since 2018 while telephone use has declined across the same period.
What This Means for How You Design Your Speak-up Programme
Employees are signalling through their behaviour that they prefer digital, asynchronous channels. An organisation that has built its speak-up programme entirely around a telephone hotline is not meeting its people where they are.
The practical consequence is fewer reports reaching the surface, later detections, and higher losses. A speak-up programme designed for 2026 needs to offer the channels people actually use.
The Implementation Gap: Who Actually Has a Whistleblowing System
Large Organisations vs Small Businesses
The 2026 report includes a finding that should give pause to anyone advising on compliance infrastructure. Among organisations with 100 or more employees, 85% have an established whistleblowing mechanism. Among organisations with fewer than 100 employees, that figure is 24%.
The ACFE identifies this as the single largest implementation gap across all 18 anti-fraud controls studied, and connects it directly to the detection data. The implication is straightforward: small businesses rely on tips to detect fraud at the same rate as larger organisations, but three quarters of them have no formal channel for those tips to come through. A USD 100,000 median loss also lands differently at a small business than at a large one, representing a far greater share of annual revenue.
The Controls Most Associated With Lower Losses
The implementation gap extends across other controls as well. Organisations that had strong anti-fraud programmes in place consistently showed lower losses and faster detection times. Three controls stood out for their impact:
- Surprise audits, present in 44% of organisations, were associated with a 50% reduction in median fraud losses.
- Proactive data monitoring is in place at 58% of larger organisations and 17% of small ones.
- Management review is present at 79% of larger organisations and 41% of smaller ones.
Those numbers carry more weight in a regulatory environment that has made the investment considerably harder to defer.
The European Union's Whistleblower Protection Directive, which came into force in 2021, requires all organisations with 50 or more employees to establish a formal internal reporting channel, with member states having transposed it into national law at varying speeds. France's Sapin II legislation has imposed similar obligations since 2017. The United Kingdom, Australia, and a growing number of jurisdictions outside Europe have introduced or strengthened equivalent frameworks in recent years.
The 2026 implementation data sits against that backdrop. An organisation without a formal reporting mechanism is increasingly not just operationally exposed, it is potentially non-compliant. The gap between large and small organisations on hotline adoption is partly a resource gap. It is also, in some cases, a compliance gap that regulators are becoming less patient with.
What Happens After a Report Is Made
The 2026 data shows that once a fraud surfaces, organisations do mobilise: management was alerted in 64% of cases, internal audit in 45%, fraud investigation teams in 43%, and legal in 39%. The harder question is what happens to the concerns that never make it that far, the ones raised informally to a supervisor and quietly set aside.
The pattern of informal reporting noted earlier creates a structural problem here. Tips that reach a supervisor informally are harder to track, harder to investigate consistently, and highly dependent on the judgment of whoever receives them. They also leave little in the way of audit trail, which matters when organisations face regulatory scrutiny or legal proceedings.
Why the Investigation Infrastructure Matters as Much as the Channel
The strength of a speak-up programme is ultimately measured by what happens after someone speaks up. The case management infrastructure sitting downstream determines whether a concern becomes a proper investigation or quietly disappears.
In the 2026 study, 80% of victim organisations modified their anti-fraud controls after a fraud was detected. The median loss for organisations compelled to make changes was more than double that of those that were not. Reactive investment in controls is significantly more expensive than proactive investment.
What Allows Fraud to Take Hold
The 2026 report asks respondents to identify the primary internal control weakness that contributed to each fraud investigated. A lack of internal controls was cited in 33% of cases. Override of existing controls accounted for 19%. A lack of management review followed at 18%. Together, those three root causes account for 70% of all frauds in the study.
A reporting channel does not fix weak controls or management override. But it does create a parallel detection layer that operates regardless of where those weaknesses sit.
Behavioural Red Flags: The Signals That Exist Before the Fraud Escalates
84% of fraudsters in the 2026 study displayed at least one behavioural red flag before they were caught. The most common included living beyond their means at 38%, financial difficulties at 27%, and unusually close relationships with vendors at 21%.
Part of what makes those signals so costly is that they are rarely invisible. People notice, and what stops those observations from becoming reports is rarely a lack of awareness. It is a lack of confidence that reporting will be taken seriously, a fear of being identified, or simply not knowing where to go. Without an accessible, trusted reporting channel, those observations tend to stay private.
What This Means for Organisations in 2026
The 2026 edition largely confirms what thirty years of ACFE data has established, but adds a few findings worth acting on.
1. Channel design matters more than it did five years ago.
The move away from telephone hotlines is not a marginal trend. It is a consistent, multi-year shift in how employees choose to report. Organisations that have not yet built out web-based reporting are working against the grain of their own people's preferences.
2. Access remains unequal.
The gap between large and small organisations in whistleblowing system adoption is significant and well-documented. Fraud risk does not scale down with headcount. The infrastructure to detect it needs to be available regardless of organisation size.
3. Culture and mechanics reinforce each other.
Organisations that invest in both an accessible reporting channel and a genuine speak-up culture detect fraud earlier and suffer lower losses than those that rely on either alone. The mechanics create the conditions. The culture determines whether people use them.
That distinction is built into Whispli from the ground up. The company was founded in 2016 by Sylvain Mansotte, who two months into a new role uncovered a USD 20 million fraud that had gone undetected for 12 years, and found himself navigating the experience of being a whistleblower with no infrastructure that made it easy or safe to do so. That experience, and the gap it exposed, is what Whispli was built to close.
The platform covers the full spectrum of what the 2026 data points to: anonymous and non-anonymous reporting across web, email, and an AI-powered voice hotline, structured case management, and a dedicated module for conflicts of interest and gifts and hospitality disclosures.
For organisations with large frontline workforces, where access to a web form or email is not always practical, Whispli Voice AI provides an additional intake channel. Unlike outdated, traditional telephone hotlines, it transcribes and anonymises verbal reports directly into the case management system, removing the manual step that most hotlines still require. A speak-up programme that is technically available but practically inaccessible to a significant portion of the workforce is not a complete programme.
Whispli is now deployed across more than 35 countries, in over 70 languages, by organisations ranging from listed multinationals to mid-sized businesses navigating their first compliance programme. Whatever the starting point, the 2026 data makes the case clearly enough: the question for most organisations is no longer whether to invest in a speak-up programme, but whether the one they have is actually working.
The full report is available at acfe.com/report-to-the-nations.
%201.avif)
%201%20(2).avif)
%201%20(1).avif)
