New Data Tools for Your 2017 Fraud Examinations


Jeremy Clopton, CFE, CPA, ACDA, CIDA
Director, Big Data & Analytics, Digital Forensics
BKD, LLP | Forensics & Valuation Services

“New Year, New You” can be found everywhere from email subject lines to magazine covers to marquees at local fitness centers. January is the time to begin new things. With that in mind, here are a few of the new items to consider in your next fraud examination.

First, let’s talk about some new methods to consider:

  • Advanced analytics: Rather than relying on sampling and rules-based queries alone, take your analytics to the next level. Incorporate correlation across disparate data sets and outlier detection based on multiple attributes, and look for patterns across data sets that indicate anomalous activity.
  • Text analytics: Easily one of my favorites and one of the most overlooked. There is a lot of value to be extracted from text: names, places, events, topics and even tones of communication may be extracted. These elements can help build the foundation of a case and enhance interviews and interrogations.
  • Machine learning and artificial intelligence: The more cutting-edge of the recommended approaches, machine learning and artificial intelligence are increasingly valuable in complex and large-scale investigations. These are the foundations for predictive coding, which allows you to review a large set of documents, communications or transactions in a manner that is both efficient and effective. Supervised machine learning allows you to “teach” the computer what to look for and return similar results. Unsupervised machine learning, by contrast, allows the computer to “teach” you what trends, patterns and anomalies exist in the data set.

Last, here are some data sources you may not have considered in the past:

  • Communications Data: You’re likely thinking that communications data isn’t something new to consider; you have used email, phone records, text messages and others for years. Applying text analytics and machine learning to email can help you learn about the dynamics, happenings and relationships in an organization before you interview a single individual. What’s more, leveraging tone detection may uncover the conversation about a scheme that isn’t explicitly discussed as such.
  • Internet of Things: The Internet of Things is all the rage. With robots, voice recognition technology and artificial intelligence being incorporated into more and more products, there is data being captured in places we never thought possible. For example, Amazon Echo’s Alexa was recently subpoenaed in a murder case in Arkansas. This example shows just how much data we have surrounding us each and every day.

These are just a few of the new items for you to consider as you embark on your examinations in 2017. As the year progresses, I will post on each of these in the context of examinations as they make news, and describe how you can incorporate them into your approach. I will also discuss other emerging technologies that may reshape how a fraud examination is performed.

How are Your Organizations Deterring the Fraudulent Flow of Intellectual Property Out the Door?


James D. Ratley, CFE

I bet your organization works extremely hard to find good employees. Weeks of intensive searching, vetting of qualifications and background checks hopefully yield hardworking, loyal colleagues. Of course, you know all that cultivation still can yield some rotten apples.

Ryan Duquette, CFE, CFCE, author of the latest Fraud Magazine cover article, "Insider threats! Using digital forensics to prevent intellectual property theft," quotes studies that show that half of all departing employees leave with confidential company information — either deliberately or unintentionally. That's sobering. How are your organizations deterring the fraudulent flow of intellectual property out the door?

Because most fraud examinations focus on establishing if, and how, someone did what they're suspected of doing, the author writes, they must learn fraudsters' common methods to remove sensitive information. These include the obvious means, such as personal webmail accounts, portable storage media and personal devices. But they also include accessing corporate systems via remote sessions and cloud storage.

Duquette emphasizes that fraud examiners should be part of the everyday work routines to examine new and leaving employees. "Your input and expertise is vital because you might see different patterns and suggest other methods, which could help examine broader fraud matters in your organization," he writes.

Fraud examiners can use their skills at observing behaviors to help their organizations, he explains, such as looking for those who take proprietary information home via thumb drives or email without authorization, and inappropriately seek or obtain proprietary or classified information on subjects not related to their work duties.

Duquette also says we can help by looking for those who disregard the organization's computer policies on installing personal software or hardware, access restricted websites, conduct unauthorized searches or download confidential information.

As always, we have to review local, regional and national privacy laws and regulations on examining employees, which seem to change daily around the world.

"If the employee’s role grants them privileged access to highly confidential data such as payment card numbers, personally identifiable information or financial information, there's a risk that your activities might result in compliance issues," Duquette writes. "For example, you might locate payment card and transactional data and duplicate it to present as evidence. That action, while well intended, might be in a contravention of a policy or control that you've agreed to adhere to because you're moving the data outside of a controlled environment."

As Duquette implores, don't let departing employees leave with valuable intellectual property. Use digital forensics in daily workflows before they resign and in exit interviews to prevent IP theft rather than potentially be involved in litigation after they're gone.

Read more about the cover article and more at

Understanding and Mitigating Smartphone Risks


Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from high to lower risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on

Back to the Basics: Red Flags and the Fraud Triangle


Jeremy Clopton, CFE, CPA, ACDA
Managing Consultant, Forensics and Valuation Services, BKD, LLP

When it comes to looking for ways to improve fraud detection and prevention efforts, sometimes it is best to get back to basics. By basics, I mean the very basics: shapes and colors.

Criminologist Dr. Donald R. Cressey developed the Fraud Triangle to help examiners understand what leads individuals to commit fraud. Many people refer to the signs that indicate an individual is facing pressure, sees an opportunity or is beginning to rationalize behaviors as red flags. The key becomes identifying the red flags that indicate the legs of the Fraud Triangle are coming together, thus increasing the risk for a potential fraud.

The August issue of the Journal of Accountancy includes an article that examines the inner workings of an $8 million fraud. In the article, there are repeated examples of pressures (debt, a new baby, gambling, divorce), opportunities (approval access, password knowledge) and rationalization (paying off existing debt). After reading the fraudster’s part of the article, it is clear that the Fraud Triangle was complete and, though they went unnoticed, there were multiple red flags. The latter half of the article, written by Dr. Mark Nigrini (author of Forensic Analytics and Benford’s Law), explains the controls and methods organizations should consider to help mitigate the risk of the fraud scheme perpetrated.

This article emphasizes three important uses of data for fraud investigators:

  • Fraud Triangle analytics – While this fraud took place back in the early 2000s, today the widespread use of email, social media and instant messaging provides a large volume of data for analysis. Analyzing these communications, as well as the related geo-tagging data, may help an investigator identify pressures, opportunities and rationalizations.  
  • Control testing – One of the keys to this fraud scheme’s success was the ability of the fraudster to log in to the system under another individual’s credentials. In fact, there are multiple users’ credentials the fraudster described using during the scheme. Analyzing the access logs of various users with check request and approval authority is beneficial for both deterrence and detection. For example, most employees work off a single computer. Users that log in through multiple terminals may be indicative of a control issue.
  • Payroll trends – The fraudster in the article stated his subordinate had to have the day off in order for the fraud to work. This provided the access needed to take the fraudulent checks. An analysis of the payroll detail, in this situation, would likely have shown an unusual pattern in vacation time for the subordinate. Typically used for vendor activity, trend analysis is also beneficial in analyzing payroll activity (or any activity with an expected pattern over time).
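The control test and the payroll cross-check described in the list above can be run over a login export as follows; this is an added example, not code from the article or from BKD. The column names, terminal IDs, user names and leave records are constructed, and matching logins against payroll leave days goes one step beyond what the article lists.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: timestamp,user,terminal (not data from the article).
ACCESS_LOG = """\
timestamp,user,terminal
2004-03-01T08:02,asmith,WS-014
2004-03-01T08:10,bjones,WS-021
2004-03-01T08:15,cdoe,WS-030
2004-03-02T08:05,asmith,WS-014
2004-03-02T08:11,bjones,WS-021
2004-03-03T08:01,asmith,WS-014
2004-03-04T08:20,cdoe,WS-030
2004-03-05T12:40,bjones,WS-014
"""
# Constructed payroll leave records: (user, ISO date) pairs.
LEAVE_DAYS = {("bjones", "2004-03-05")}


def review_access(log_text, leave_days):
    """Return sorted (flag, user, detail) findings for examiner follow-up."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    seen = defaultdict(Counter)          # user -> terminal -> login count
    for r in rows:
        seen[r["user"]][r["terminal"]] += 1
    # A user's usual terminal is the one they log in from most often.
    # Assumption: each terminal has a single usual user (no shared kiosks).
    usual = {u: c.most_common(1)[0][0] for u, c in seen.items()}
    owner_of = {t: u for u, t in usual.items()}

    findings = set()
    for user, counts in seen.items():
        if len(counts) > 1:              # same credentials, several terminals
            findings.add(("multi_terminal", user, ",".join(sorted(counts))))
    for r in rows:
        user, term, day = r["user"], r["terminal"], r["timestamp"][:10]
        owner = owner_of.get(term)
        if owner and owner != user:      # logged in at a colleague's machine
            findings.add(("foreign_terminal", user, f"{term} (usual user {owner})"))
        if (user, day) in leave_days:    # credentials used while owner is off
            findings.add(("login_on_leave", user, r["timestamp"]))
    return sorted(findings)


if __name__ == "__main__":
    for flag, user, detail in review_access(ACCESS_LOG, LEAVE_DAYS):
        print(f"{flag:17} {user:8} {detail}")
```

Each finding is a lead for follow-up rather than proof: a shared workstation or a legitimate remote login will raise the same flags.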

As technology changes, so too must our investigation methods. In 2004, when this fraud took place, it may not have been possible to use data for the three types of tests described above. Ten years later these are just a small subset of the ways fraud investigators use data. However, it all comes back to the basics of shapes and colors. Investigators use data to find the red flags indicating the legs of the Fraud Triangle are all in place.

Follow Jeremy on Twitter @j313 or at

The Wild West ... or Just Wait and See? What Anti-Fraud Professionals Should Understand About Digital Currencies


Guest Blogger

David Long, JD, CFE, CAMS
Principal, Northern California Fraud Prevention Solutions

Recently the digital currency Bitcoin has exploded into the news. Much of the news coverage has been decidedly negative. A number of events have instilled a vaguely negative impression of Bitcoin in the public’s mind, at least among those who have actually heard of Bitcoin.

In October 2013, the FBI arrested Ross Ulbricht, a.k.a. “Dread Pirate Roberts,” who is alleged to have been the mastermind behind Silk Road, a website devoted to selling illegal drugs and other illicit items and services. The sole medium of exchange on Silk Road: Bitcoin. Then in January 2014, Charlie Shrem, a well-known member of the Bitcoin community and the CEO of BitInstant, one of the most well-known and largest bitcoin exchanges at the time, was arrested on money laundering charges. Later, in early 2014, Mt. Gox, the Tokyo-based digital currency exchange, collapsed, and the ensuing loss of millions of dollars’ worth of customers’ bitcoins spread through the news like wildfire. Taken together, these events have caused many anti-fraud professionals working in law enforcement, regulatory agencies, compliance departments, as well as other institutions where digital currencies could conceivably be an issue, to eye Bitcoin and other alternative currencies with a healthy dose of skepticism.

Also, these events have hurt the relative strength of Bitcoin in relation to the dollar. The Bitcoin to dollar exchange rate reached a high of over $1,000 on some exchanges on November 27, 2013; however, the rate dropped to a low of $421.91 on April 7, 2014, and continues to fluctuate, further fueling skepticism about Bitcoin’s long-term viability. 

In spite of the negative news, Bitcoin continues to gain support commercially among merchants and retailers. The Sacramento Kings of the National Basketball Association, the Chicago Sun-Times and, among others, now accept bitcoins as a method of payment. In addition, thousands of small businesses scattered across the U.S. with notable concentrations in San Francisco and New York, also are accepting bitcoins.

Because Bitcoin is a disruptive technology, there were no real applicable regulatory or enforcement mechanisms in place when Bitcoin came into existence in 2009. The nature of the Bitcoin protocol is such that regulations already in existence, in most cases, could not be easily adapted to the Bitcoin protocol. The exchange, transmission, trade, securitization and commoditization of bitcoins all have regulatory implications. Regulators are rightly concerned about such issues as consumer protection, anti-money laundering/countering the financing of terrorism, fraud prevention and more. However, because of Bitcoin’s disruptive nature, the application of existing regulations often places Bitcoin into a regulatory grey area.

In March 2013, the U.S. Financial Crimes Enforcement Network (FinCEN) issued guidance that characterized certain Bitcoin companies, namely Bitcoin exchanges, as non-bank financial institution “money services businesses,” namely “money transmitters.” Money transmitters must register with FinCEN and follow the Bank Secrecy Act’s (BSA) anti-money laundering (AML) regulations and must develop bank-level AML and Know Your Customer compliance standards for their businesses.

For anti-fraud professionals whose work might involve digital currencies, it is important to reach out and coordinate efforts with other professionals, whether they are employed in law enforcement, regulatory agencies, or compliance departments. Digital currencies are here to stay, and a proactive approach will go a long way in successfully facing difficult issues related to digital currencies likely to arise in the future.

If you would like to learn more about the Digital Currency Environment’s impact on the anti-fraud profession, register now for David Long’s upcoming ACFE webinar: Anti-Money Laundering in the Digital Currency Environment.