Category Archives: Fraud

Industrialized Theft

In at least one way you have to hand it to Ethically Challenged, Inc.;  it sure knows how to innovate, and the recent spate of ransomware attacks proves they also know how to make what’s old new again. Although society’s criminal opponents engage in constant business process improvement, they’ve proven again and again that they’re not just limited to committing new crimes from scratch every time. In the age of Moore’s law, these tasks have been readily automated and can run in the background at scale without the need for significant human intervention. Crime automations like the WannaCry virus allow transnational organized crime groups to gain the same efficiencies and cost savings that multinational corporations obtained by leveraging technology to carry out their core business functions. That’s why today it’s possible for hackers to rob not just one person at a time but 100 million or more, as the world saw with the Sony PlayStation and Target data breaches and now with the WannaCry worm.

As covered in our Chapter’s training event of last year, ‘Investigating on the Internet’, exploit tool kits like Blackhole and SpyEye commit crime “automagically” by minimizing the need for human labor, thereby dramatically reducing criminal costs. They also allow hackers to pursue the “long tail” of opportunity, committing millions of thefts in small amounts so that (in many cases) victims don’t report them and law enforcement has no way to track them. While high-value targets (companies, nations, celebrities, high-net-worth individuals) are specifically and individually targeted, the way the majority of the public is hacked is by automated scripted computer malware, one large digital fishing net that scoops up anything and everything online with a vulnerability that can be exploited. Given these obvious advantages, as of 2016 an estimated 61 percent of all online attacks were launched by fully automated crime tool kits, returning phenomenal profits for the Dark Web overlords who expertly orchestrated them. Modern crime has become reduced and distilled to a software program that anybody can run at tremendous profit.

Not only can botnets and other tools be used over and over to attack and offend, but they’re now enabling the commission of much more sophisticated crimes such as extortion, blackmail, and shakedown rackets. In an updated version of the old $500 million Ukrainian Innovative Marketing solutions “virus detected” scam, fraudsters have unleashed a new torrent of malware that hold the victim’s computer hostage until a ransom is paid and an unlock code is provided by the scammer to regain access to the victim’s own files. Ransomware attack tools are included in a variety of Dark Net tool kits, such as WannaCry and Gameover Zeus. According to the ACFE, there are several varieties of this scam, including one that purports to come from law enforcement. Around the world, users who become infected with the Reveton Trojan suddenly have their computers lock up and their full screens covered with a notice, allegedly from the FBI. The message, bearing an official-looking large, full-color FBI logo, states that the user’s computer has been locked for reasons such as “violation of the federal copyright law against illegally downloaded material” or because “you have been viewing or distributing prohibited pornographic content.”

In the case of the Reveton Trojan, to unlock their computers, users are informed that they must pay a fine ranging from $200 to $400, only accepted using a prepaid voucher from Green Dot’s MoneyPak, which victims are instructed they can buy at their local Walmart or CVS; victims of WannaCry are required to pay in BitCoin. To further intimidate victims and drive home the fact that this is a serious police matter, the Reveton scammers prominently display the alleged violator’s IP address on their screen as well as snippets of video footage previously captured from the victim’s Webcam. As with the current WannaCry exploit, the Reveton scam has successfully targeted tens of thousands of victims around the world, with the attack localized by country, language, and police agency. Thus, users in the U.K. see a notice from Scotland Yard, other Europeans get a warning from Europol, and victims in the United Arab Emirates see the threat, translated into Arabic, purportedly from the Abu Dhabi Police HQ.

WannaCry is even more pernicious than Reveton though in that it actually encrypts all the files on a victim’s computer so that they can no longer be read or accessed. Alarmingly, variants of this type of malware often present a ticking-bomb-type countdown clock advising users that they only have forty-eight hours to pay $300 or all of their files will be permanently destroyed. Akin to threatening “if you ever want to see your files alive again,” these ransomware programs gladly accept payment in Bitcoin. The message to these victims is no idle threat. Whereas previous ransomware might trick users by temporarily hiding their files, newer variants use strong 256-bit Advanced Encryption Standard cryptography to lock user files so that they become irrecoverable. These types of exploits earn scores of millions of dollars for the criminal programmers who develop and sell them on-line to other criminals.

Automated ransomware tools have even migrated to mobile phones, affecting Android handset users in certain countries. Not only have individuals been harmed by the ransomware scourge, so too have companies, nonprofits, and even government agencies, the most infamous of which was the Swansea Police Department in Massachusetts some years back, which became infected when an employee opened a malicious e-mail attachment. Rather than losing its irreplaceable police case files to the scammers, the agency was forced to open a Bitcoin account and pay a $750 ransom to get its files back. The police lieutenant told the press he had no idea what a Bitcoin was or how the malware functioned until his department was struck in the attack.

As the ACFE and other professional organizations have told us, within its world, cybercrime has evolved highly sophisticated methods of operation to sell everything from methamphetamine to child sexual abuse live streamed online. It has rapidly adopted existing tools of anonymity such as the Tor browser to establish Dark Net shopping malls, and criminal consulting services such as hacking and murder for hire are all available at the click of a mouse. Untraceable and anonymous digital currencies, such as Bitcoin, are breathing new life into the underground economy and allowing for the rapid exchange of goods and services. With these additional revenues, cyber criminals are becoming more disciplined and organized, significantly increasing the sophistication of their operations. Business models are being automated wherever possible to maximize profits and botnets can threaten legitimate global commerce, easily trained on any target of the scammer’s choosing. Fundamentally, it’s been done. As WannaCry demonstrates, the computing and Internet based crime machine has been built. With these systems in place, the depth and global reach of cybercrime, mean that crime now scales, and it scales exponentially. Yet, as bad as this threat is today, it is about to become much worse, as we hand such scammers billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things.

Offered & Bid

Our Chapter was contacted last week by an apparent victim of an on-line auction fraud scheme called shilling.  Our victim bought an item on the auction and subsequently received independent verification that the seller had multiple ID’s which he used to artificially increase the high bid on the item ultimately purchased by our victim.  On-line consumer auctions have been a ubiquitous feature of the on-line landscape for the last two decades and, according the ACFE, the number of scams involving them is ever increasing.

The Internet allows con artists to trade in an environment of anonymity, which makes fraud easier to perpetrate. So every buyer of items from online auctions not only has to worry about the item being in good condition and every seller has to be concerned about being paid, they must both also worry about whether the other party to the transaction is even legitimate.   Common internet auction fraud complaints include products that never arrive, arrive damaged, or are valued less than originally promised. Many complaints also stem from sellers who deliver the product but never receive payment. Almost all auction sites have responded over the years by  instituting policies to prevent these types of fraud and have suspended people who break the rules. eBay, for example, has implemented buyer protection and fraudulent website protection programs, as well as several other safeguards to prevent fraudsters from abusing their auction services but the abuses just seem to go on and on.

What apparently happened to our victim is called shilling.  Shilling occurs when sellers arrange to have fictitious bids placed on their item to drive up the price. This is accomplished either by their own use of multiple user IDs (as our victim suspects of her seller) or by having other partners in crime artificially increase the high bid on their item; typically, these individuals are friends or family members of the seller. If the shiller sees a legitimately high bid that does not measure up to his or her expectations, s/he might burst in to give it a boost by raising the bid. This auction activity is one of the worst auction offenses and is cause for immediate and indefinite site suspension for any seller caught in its performance by any legitimate auction.

A related ploy that also raises lots of complaints is called sniping.  Sniping is a bid manipulation process in which an unscrupulous bidder bids during the last few seconds of an auction to gain the high bid just as the time runs out, thus negating the ability of another bidder to answer with a still higher bid. Most bidders who successfully engage in this practice do so with the aid of sniping technology. In general, sniping is legal; however, most online auctions sites have instituted no-sniping policies, as the practice is devious and may harm legitimate, honest bidders.

Then there’s bid shielding.  Bid shielding is a scam in which a group of dishonest bidders target an item and inflate the high bid value to discourage other real bidders. At the last moment, the highest bidder or other bidders will retract their bids, thereby shielding the lower bidder and allowing him to run away with the item at a desirable, and deceitful, price.

In the relentless drive for more customers, some sellers resort to bid siphoning which occurs when fraudulent sellers lure bidders off legitimate sites by offering to sell the “same” item at a lower price. They intend to trick consumers into sending money without delivering the item. By going off-site, buyers lose any protections the original site may provide, such as insurance, feedback forms, or guarantees.  This practice is often accompanied by sellers embellishing or distorting the descriptions of their wares. Borrowed images, ambiguous descriptions, and falsified facts are some of the tactics a seller will utilize in misleading a buyer with the end of guiding her to participation in a siphoning scheme.

The second chance scammer offers losing bidders of a closed auction a second chance to purchase the item that they lost in the auction. As with siphoning victims, second chance buyers lose any protections the original site may provide once they go off-site.

One of the most common complaints associated with on-line auctions is price manipulation.  To avoid price manipulation, consumers need to understand the auction format before bidding. Sellers may set up the auction with questionable bidding rules that leave the winning buyer in an adverse situation. For example, say you are a winner in an auction. You bid $50, but the lowest successful bid is only $45. The seller congratulates you on your win, and requests your high bid of $50 plus postage.  As another example, let’s say the highest bidder retracts his bid or the seller cancels it, which leaves you the highest bidder. The seller then wants you to pay the maximum bid amount, citing that the previous high bidder had outbid you. Finally, let’s say you win a straight auction with a high bid of $85. The seller contacts you and instructs you to send your high bid, plus shipping, packaging, listing fee costs, and numerous other charges.

Our last example relates to the practice of fee stacking which refers to the addition of hidden charges to the total amount due from the winning bidder after the auction has concluded. Shipping and handling fees can vary greatly; therefore, the buyer should inquire before bidding to avoid unexpected costs. Typically, postage and handling fees are charged at a flat rate. However, some scheming sellers add separate charges for postage, packaging, handling, and shipping, and often devise other fees to tack on as well, leaving the buyer with a much higher purchase price than anticipated.

Then there’s the flat failure to ship the purchased merchandise.  This is the one type of on-line auction fraud that most people have heard of even if they don’t themselves participate in on-line auctions and involves a seller receiving payment for the item sold, but not shipping the merchandise. If the merchandise does not arrive, the buyer should contact the seller for the item or request a refund, hopefully having kept a receipt of payment for the purchase. If the purchaser made the purchase with a credit card, s/he can contact the credit card company to deny the charges. If the buyer gets nowhere with the seller, the buyer should contact the U.S. Postal Inspection Service, as the failure to ship constitutes mail fraud.

On the other hand fraudulent buyer claims of lost or damaged items are also considered mail fraud. Some buyers falsely claim the item arrived damaged or did not arrive at all, and thus refuse payment. Sellers should insure the item during shipping and send it via certified mail, which requires a signature verifying receipt.

A related buyer scam is switch and return.  Let’s say you have successfully auctioned a vintage item. You, the seller, package it with care and ship it to the anxious buyer. But when the buyer receives it, he is not satisfied. You offer a refund. However, when the buyer returns the item, you get back an item that does not resemble the high-quality item that you shipped. The buyer has switched the high-quality item with a low-quality item and returned it to you. The buyer ends up with both the item and the refund.

The on-line market is awash in fakes. The seller “thinks” it is an original; but the buyer should think again. With the use of readily attainable computer graphics and imaging technology, a reproduction can be made to look almost identical to an original. Many fraudsters take full advantage of these capabilities to dupe unsuspecting or uninformed buyers into purchasing worthless items for high prices.

If you are a fraud examiner working with clients involved in the on-line auction market or a buyer or seller in those markets …

— Become familiar with the chosen auction site;
— Understand as much as possible about how internet auctions work, what the site obligations are toward a buyer or seller, and what the buyer’s or seller’s obligations are before bidding or selling;
— Find out what protections the auction site offers buyers;
— Try to determine the relative value of an item before bidding;
— Find out all you can about the seller, especially if the only information you have is an e-mail address.  If the seller is a business, check with the Better Business Bureau where the seller/buyer is located;
— Examine the feedback on the seller and use common sense. If a seller has a history of negative feedback, then do not deal with that seller;
— Consider whether the item comes with a warranty, and whether follow-up service is available if it is needed;
— Do not allow the seller or buyer to convince you to ignore the rules of a legitimate internet auction.

The Client Waltz

waltzNot too long ago I attended a dinner meeting out of town and had a short discussion about field work with a fellow fraud examiner working her first fraud examination as part of an investigative team.  The corporate counsel of the client organization had directly engaged her small firm and my new friend and dinner partner was experiencing difficulty in gaining access to the client staff with whom she needed to work to perform her part of the investigation.  The root problem seemed to be that the engaging counsel had failed to adequately brief either the lead fraud examiner or his client on just how the examination was be conducted and, consequently the examiners were experiencing frustration because they didn’t think they were initially working with the right people to get their job done.

All too often, fraud examiners are asked to rely on a small number of primary contacts – such as the controller, chief financial officer, or business process manager – to supply all the information for an engagement. In some instances, these individuals may, as a result of confusion or worse, prevent the examiner from speaking with other members of the area under review – a practice referred to as shuttling. But regardless of whether this occurs, talking only with supervisors and managers may not elicit the detail and precision necessary for an effective review.  It’s critical that CFE’s know how to break down any barriers that keep them from those with actual knowledge of the fraud, while at the same time avoiding any damage to their rapport with the primary review contact (in this case, the corporate counsel).  This can be an intricate dance indeed! By enhancing their interpersonal soft skills, CFE’s can walk this delicate line more effectively and increase the likelihood of an outcome satisfactory to all parties. Several key skills, in particular, help fraud examiners gain access to all relevant client staff and elicit the kind of information that will result in a better investigative product.

As a general rule the CFE team leader should try to set up a detailed engagement planning and ground rule meeting with the primary examination contact(s) before starting the examination and then follow up with a formal engagement letter. Meeting the corporate counsel for lunch, for example, would have helped break the ice and provide a more relaxed environment for initial discussion then the hurried phone call from the client counsel that apparently took place in this case.  During the meeting, the lead CFE should try to identify some common ground that can be used throughout the engagement to shore up the relationship and help build rapport. S/he should also take note of the clients’ mannerisms and reactions and keep them in mind later when performing the review. When posing a tough fraud related question to the client, for example, the auditor can then observe whether the client’s mannerisms change compared to those observed while simply establishing rapport. Subsequent further probing on the part of the review team may be warranted if discrepancies are noted.

It’s always a challenge for a team of fraud examiners to quickly learn as much as possible about the business processes affected by a fraud before speaking directly with process owners. Otherwise, those involved with the fraud may perceive the CFE’s as ill prepared or uninformed and be prompt to try to take advantage of that ignorance. When any team member lacks familiarity with the client’s business, her credibility and professionalism may be called into question, and the relationship with the client can quickly become impaired.

Understanding the basic mechanics of client financial business processes up front enables the team to devote more of their engagement efforts to direct examination work. In other words, it helps ensure team member practitioners don’t spend an inordinate amount of time learning while on the job, focusing instead on staying alert for unusual transactions involving the fraud, changes in suspect behavior, and other potential issues. Moreover, examination subjects are more likely to point out more complex issues and solicit input if they feel comfortable with the examiner’s abilities. These insights, in turn, may lead to opportunities for documenting a wide range of situations useful later in court and subsequent recovery efforts.

And it goes without saying that team members should avoid excessively confident or arrogant behavior. In most instances client employees will know more about their operation than the investigative team, and they deserve respect for their expertise. Client staff should be lead to perceive the team as working collaboratively with them in a didactic manner to help resolve a difficult situation — this approach typically achieves the best results. By contrast, even a perception of an adversarial or gotcha approach can quickly sour the situation and compromise the entire process of the examination.

When asking the tough questions, the ACFE tells us that team members should avoid phrasing that may seem confrontational, and they should refrain from steering the response. For example, instead of saying, “You review the XYZ report weekly, correct?” the examiner could say something like, “Could you help me understand how often you review the XYZ report?” Essentially, CFE’s should ask open ended, nonthreatening questions, followed by requests for clarification. Also, be sure to express interest.  Team members should always try to show genuine interest in the subject’s work. In most instances, client employees are proud of what they do, and are pleased to share the details of their work with those they perceive as experts. Expressing interest can elicit valuable information and enhance the examination quality.  Interest is demonstrated by not appearing rushed and by asking relevant, informed questions.  Although this approach takes time (and CFE’s are always pressed for time), it can lead to insight and knowledge that always proves invaluable during the court room and prosecution phases that so often follow from our work product. For example, the unusual or infrequent irregular transactions/events that may not surface during standard interviews or via sample-based testing but are so vital to our work can often be highlighted in this manner.

Client employees contacted in the course of the investigation should be assured that the team is only interested in the facts and that no one is looking to judge them or their work product. Examiners need to listen carefully and objectively to subjects and avoid approaching discussions with apparent preconceived notions or biases. Maintaining impartiality will not only enhance our results, it should result in a stronger relationship with the main client, even when engagements lead to the confirmation of the suspected fraud.

Clarifying the significance of examination findings and discussing workable approaches for moving forward with the main client, help maintain the CFE to client relationship and establishes the CFE as a trusted fraud expert and advisor. For example, suppose the CFE, during her examination discovers that someone in the organization (not connected with the suspected fraud) has the ability to receive goods into inventory, perform physical inventory procedures (cycle counts), make inventory adjustments based on inventory counts, and directly write off damaged inventory to scrap. When reporting this collateral fact, the CFE might want to do more than simply document the apparent access and segregation of duties issues. S/he might want to elaborate on the finding’s significance for potential future fraud by mentioning the risk of loss of inventory (assets), as the employee’s level of system access provides an opportunity to inappropriately write off usable product as damaged, lost, or never received and then use it for personal gain. Descriptive interactions of this type add value to the examination by enabling our main client to fully appreciate the larger risks (even beyond the present fraud) associated with findings and take appropriate action to address them.

When identifying and framing any fraud related issue, CFE’s should keep its true level criticality in context. Managers and business leaders do not appreciate drama, and overreacting can hurt the examiner’s credibility and rapport with valuable future business contacts. Sticking to the facts can help keep almost any sensitive situation from spinning out of control.

Mindful management of the mechanics of client relations can change a stunted two-step into a graceful waltz.  All it takes is practice.