The McDonald's Monopoly Fraud: $24M Stolen Because One Person Controlled Everything

When security becomes the threat

McDonald's Monopoly promotion, 1989-2001. $600 million in prizes. Massive marketing success.

Except almost nobody legitimately won the top prizes.

For 12 years, Jerome Jacobson—head of security for the promotion—stole nearly every major prize.

$24 million in total.

The FBI caught him in 2001. Via an informant, not internal audit.

How one person stole $24M undetected

3 PatternsWhat predicts speed in real cases

Pattern 1

Family members

Pattern 2

Mob associates

Pattern 3

Anyone willing to split the prize

Patterns are based on real recovery cases—individual outcomes vary based on evidence quality and debtor responsiveness.

Why nobody caught it

A professional overseas invoice collection service does more than send reminder emails. Here's the real workflow:

STEP 1

Guarded

the prize pieces (security)

↓

STEP 2

Allocated

pieces to regions (distribution)

↓

STEP 3

Verified

winners (validation)

↓

STEP 4

Reported

on the promotion (oversight)

💡

The best agencies don't just chase—they diagnose why you're not getting paid first.

The FBI informant

In 2001, an anonymous tip reached the FBI. Someone in Jacobson's network wanted out or got scared.

The FBI ran an 18-month investigation. Wiretaps. Surveillance. Undercover work.

They built a RICO case (Racketeer Influenced and Corrupt Organizations Act). Same statute used for organized crime.

Jacobson and 51 co-conspirators were indicted.

McDonald's learned about the fraud from the FBI. Not their own audit.

The control failure

Single Point of Control

One person handled every step. No checks. No balances.

Best practice: Separation of duties. Person who allocates ≠ person who verifies ≠ person who reports.

No Independent Verification

McDonald's trusted Jacobson to self-report. No third-party validation of winners.

Best practice: Independent audit of high-value transactions.

No Exception Reporting

Winners came from Jacobson's network repeatedly. Nobody flagged the pattern.

Best practice: Statistical analysis of anomalies (same family winning multiple times, winners concentrated in specific regions).

Trust Over Verify

Jacobson was ex-law enforcement. He had credentials. McDonald's trusted him.

Best practice: Trust is earned continuously, not granted permanently.

Your business has these too

AP Clerk Who Can:

Create new vendors
Enter invoices
Approve payments
Reconcile accounts

Risk: Fake vendor + fake invoices = embezzlement.

Fix: Separate vendor creation (requires manager approval) from invoice entry (requires dual approval over threshold).

IT Admin Who Can:

Access all systems
Delete logs
Modify audit trails
Grant permissions

Risk: Unauthorized access + evidence destruction = undetectable breach.

Fix: Independent log storage (off-site, immutable). Require two admins for sensitive changes.

Finance Manager Who Can:

Initiate wire transfers
Approve transfers
Reconcile bank accounts
Override controls

Risk: Fraudulent transfer + self-reconciliation = stolen funds.

Fix: Dual approval for transfers over threshold. Independent reconciliation by controller.

How to find your single points of failure

Map your critical processes:

Cash disbursements
Revenue recognition
Inventory management
Payroll
System access

For each, ask:

Who can initiate?
Who can approve?
Who can verify?
Who can report?

If the same person can do 3+, you have a control weakness.

Implementing dual control

Maker-Checker Model

One person creates (maker). Different person approves (checker).

Example: AP clerk enters invoice. Manager approves payment.

Threshold-Based Escalation

Low-value: single approval. High-value: dual approval.

Example: Payments under $5K: manager approval. Over $5K: manager + CFO.

Independent Reconciliation

Person who executes ≠ person who reconciles.

Example: Finance manager initiates transfers. Controller reconciles bank statements.

Audit Trail Immutability

Logs stored off-site, read-only access. Cannot be modified by operational staff.

Statistical Monitoring

Flag anomalies: Same vendor receiving multiple payments. Employee expense patterns. Login patterns.

The trust paradox

Jerome Jacobson was trusted because he was ex-law enforcement.

That trust became his weapon.

The companies with the strongest controls don't trust MORE. They verify MORE.

Trust is not a control. Verification is.

Takeaways for CFOs

Map single points of control in critical processes.
Implement separation of duties for high-value transactions.
Require dual approval over defined thresholds.
Independent reconciliation by different person than executor.
Statistical monitoring for anomalies (same patterns, same people).
Trust is not a control. Verification is.

McDonald's lost $24M because one person controlled the entire chain.

What's your Jacobson risk?

Protect Your Business

Collecty applies rigorous dual-control processes to international collections. No single person manages verification, escalation, and reporting.

Contact Collecty for receivables process review.

Sarah Lindberg

International Operations Lead

Sarah coordinates our global partner network across 160+ countries, ensuring seamless cross-border debt recovery.

Need country-specific next steps?

Get jurisdiction-specific guidance for your international debt recovery case.