Why Law Enforcement is Not to Blame for Fraud

/

GUEST BLOGGER

Martin Kenney
Managing Partner of Martin Kenney & Co., Solicitors

“Fraud is alive and well in Canada,” wrote Jessica Lewis of the Canadian law firm Bennett Jones LLP in Financier Worldwide magazine this month. “It is thriving and fraudsters are innovating,” she said. “The ongoing boom in white-collar crime is partly the result of Canada’s lack of a uniform regulatory system and ineffective law enforcement.”

I agree. There are regulatory frailties in Canada, particularly the absence of Ultimate Beneficial Ownership (UBO) identification during corporate registration. These regulatory anomalies and loopholes need to be addressed. But fraud is also on the increase globally.

Whenever austerity measures are put in place, fraudsters come to the fore to prey on the desperate and needy (not to mention the greedy). The U.K., for example, recorded a whopping 25 percent increase in 2016 for reported fraud in general, much of this fueled by banking and online scams.

Policing and austerity
As Lewis alludes, law enforcement in Canada does not come out well in these situations. Similarly in the U.K., The Guardian reported that “….the police have not been interested in investigating such cases even though the losses have been as much as £25,000.”

On the face of it, the police appear to be neglecting their roles as investigators and prosecutors of those committing such crimes. The U.K.’s Prime Minister (and then Home Secretary) Teresa May, said only last year, “Fraud shames our financial system.” But I don’t believe that criticizing the police for their perceived failings really touches on the root of this problem. It’s a much larger issue.

Most police forces across the Western world have borne the brunt of austerity measures imposed by their governments. The problem is that, as a consequence, they have inadequate resources and frontline policing must take priority. The U.K. has seen its fraud squads dismantled and specialist fraud investigators deployed elsewhere.

Investigating fraud is a highly specialized discipline, requiring significant training and ongoing courses designed to try to ensure that concerned detectives keep pace with a highly dynamic crime that is constantly evolving. In particular, fraud perpetrated by cyber criminals is extremely difficult to police. Not only does it require an added expertise that only few detectives possess, it also introduces cross-jurisdictional issues typically associated with this form of deception.

Cross-border fraud
Fraudsters are not stupid. They understand that if they are in Russia, the Ukraine or China (for example), then attacking victims in other countries, such as the U.K., Canada or the U.S., makes perfect sense. By inserting the buffer of international borders, there is little likelihood of Western law enforcement agencies receiving sufficient levels of cooperation required to bring the culprits to book (especially given the current political climate).

Sadly, there is little prospect of this status quo changing anytime soon. The political differences make for uneasy relationships between the law enforcement agencies concerned. This means that criminals operating out of the Eastern Hemisphere can effectively attack their Western victims online with impunity. If we add to the mix the realistic prospect of corruption and its impact on the overall scenario, it is obvious why Eastern bloc criminals are confident in their doubtful activities going unhindered. They can simply pay off local law enforcement officers (who should be apprehending them).

Law enforcement agencies (and police in particular) are being blamed for failures to investigate fraud. In an ideal world, police forces would be able to open a “new box of detectives” and deploy them as demand requires. Unfortunately, this is not the case. So until there is a reinvestment in the police, fraud will continue to grow and go unpunished.

Martin Kenney is Managing Partner of Martin Kenney & Co., Solicitors, a specialist investigative and asset recovery practice based in the BVI and focused on multi-jurisdictional fraud and grand corruption cases. Mr. Kenney was recently selected as one of the Top 40 Thought Leaders of the Legal Profession in 2017 by Who's Who Legal International. He is the only fraud and asset recovery lawyer included in this list of thought leaders drawn from 16 different practice areas.

www.martinkenney.com |@MKSolicitors

Fraud Magazine: Special Case Study Issue

/

FROM THE PRESIDENT

James D. Ratley, CFE

The editors of Fraud Magazine know the value of a good story. They like to begin feature articles and many of the columns with case histories because they know you want illustrations of fraud examination principles in action.

We go one step further in our latest issue. Most of the feature articles are detailed analyses of case histories, including the cover article, "To snare a menace: 'Synthetic identity' fraudster stole millions."

The authors — Anthony P. Valenti, CFE, CAMS, and Stephen G. Korinko, CFE, CAMS, CPP — tell of a cyberfraudster who not only ripped off the identity of a client but created new "synthetic" guises to do it.

Fraudsters create synthetic identity persons, according to the authors, by combining real Social Security numbers with different dates of birth plus fictitious names and addresses. The combinations are endless. Law enforcement personnel now are trying to track identities that technically don't exist.

The author's perpetrator went to extreme measures — he bought a credit reporting agency's protection service, changed the date of the birth linked to the victim's account and effectively blocked the victim's access to his credit file. The fraudster changed the victim's telephone number and address so now the agency would call or write the fraudster whenever it detected any "unusual activity." Thus, the fraudster had an open window into the client's financial movements and the fraud examination almost from the start.

Apparently, the fraudster could now unlock the credit history just before filing a fraudulent loan application so merchants could access his credit history, then lock the account and await responses from those merchants and financial institutions.

Ultimately, the authors write that they were able to identify the fraudster's given name (and numerous synthetic persons with multiple addresses, which the fraudster had created) by comparing the victim's actual addresses with those listed in credit reports and with fraudulent information on applications the fraudster submitted to credit card companies, retail merchants and banks.

The authors then were able to link the fraudster to other victims and crimes, which amounted to millions of dollars in losses.

They connected the fraudster to the theft of $2 million from a hedge fund, fraudulent student loan applications and fraudulent receipt of veterans' benefits, among other crimes. They referred all the frauds to the U.S. Postal Inspection Service, which presented the case to the local U.S. attorney's office. (Be sure to read the interview with the inspector in charge of the New York Division of the U.S. Postal Inspection about synthetic identity fraud.)

The cyberfraudster received a multi-count indictment and faces mandatory jail time. Not a bad story.

German Company Loses $44 Million to One Business Email Compromise Scam

/

GUEST BLOGGER

Ron Cresswell, J.D., CFE
ACFE Research Specialist

As discussed in a recent Fraud Examiner article, the FBI has issued several warnings recently about business email compromise (BEC) scams. In a traditional BEC scam, a fraudster uses a fake email from a high-level executive to trick an employee into wiring funds to the fraudster. According to the FBI, there has been a dramatic increase in BEC-related losses since January 2015. This month brings more troubling news.

The BEC Attack on Leoni AG
In one of the costliest BEC scams yet, the German company Leoni AG announced that it lost more than $44 million to fraudsters. Leoni AG is the largest supplier of electrical wires and cables in Europe. The company has more than 76,000 employees in 32 countries, including Romania, which is where the fraud began.

According to reports, the fraudsters used cloned emails to target a chief financial officer (CFO) working in the company’s factory in Bistrita, Romania. The CFO received an email asking her to wire $44 million to a specific bank account. The email appeared to be from one of the company’s executives in Germany who frequently requested wire transfers by email. Because the request followed the company’s usual procedure, the CFO approved the wire transfer.

The scam seems simple, but it required a significant amount of advance work by the fraudsters. Although details are still sketchy, the fraudsters probably used social engineering and phishing emails to gather crucial information about the company. That information included the company’s internal procedures for requesting and approving wire transfers. For example, Leoni AG has four factories in Romania, but only the one in Bistrita was authorized to make wire transfers. With this information, probably gathered through months of network surveillance, the fraudsters were able to craft a simple but effective BEC scam.

Romanian authorities are still investigating the theft, which was reported by Leoni AG in August. The identities of the fraudsters are unknown, but there are reports that the money was wired to a bank in the Czech Republic.

Could It Have Been Prevented?
Could Leoni AG have prevented the theft? That’s unclear based on current information. However, the following measures might have stopped it:

  • Two-step verification procedure. The fraud probably would have been discovered if the CFO called the company’s German headquarters to confirm the wire transfer request. Many companies require that kind of two-step verification procedure for wire transfers.
  • Employee education. The theft also might have been prevented if the CFO knew enough about BEC scams to be suspicious of the $44 million request. That is why companies should educate their employees about BEC scams and other common frauds.

Conclusion
Fraud professionals should continue to follow news of the Leoni AG case, which is still in the early stages of investigation. It’s the story of a sophisticated, multinational company that lost $44 million through a relatively simple BEC scam. As more information comes out, the Leoni AG case may provide some valuable lessons. 

Fraudsters First Across Finish Line

/

GUEST BLOGGER

Emily Primeaux, CFE
Assistant Editor, Fraud Magazine

I’ll admit it: I am a sports nut. It doesn’t matter what the event is, the combination of tough competition and sheer athleticism is enough to glue me to the TV. I once turned on a Division II collegiate women’s bowling competition in my hotel room while spending a night in Mobile, Alabama. Not because there wasn’t anything on, but because I wanted to watch it.

So of course I’m beyond thrilled that the Olympic games are finally here. I’ll don my red, white and blue and spend the next three weeks supporting the gymnasts, rowers, divers, weight lifters, runners, footballers… I’ll even tune into handball. 

However, as with any other huge event, the Olympics produce all kinds of vulnerabilities when it comes to fraud. And of course, the spotlight has been on Brazil in the months leading up to the games due to reports of unlivable conditions in the athletes’ village, the threat of the Zika virus and alleged corruption in Rio de Janeiro. Beyond what the media reports, though, is the tough reality that fraudsters will find a way to capitalize on susceptible targets.

Beware unauthorized ticket sources
Consumers scrambling for last-minute tickets should be wary of fraudulent websites promising entry to events — including the opening and closing ceremonies — despite selling them in breach of official restrictions. Scammers register domains containing the keywords “rio” or “rio2016” which mimic official ticketing sites. By registering the domains, it makes the site look more credible. Users who input their credit card details into these sites are giving cybercriminals access to their bank accounts.  

According to The Guardian, an unauthorized ticket source under the name of “bookriogames2016.com” claims to be “a secure and transparent platform for buying tickets for the Rio Olypmic (sic) Games” and tells users “you’re protected with us.” But according to the consumer group Which?, purchasers run the risk of not being allowed into any of the events and won’t be eligible for a refund.

Olympic organizers say that as of July 30 more than 80 percent of the tickets available for the Rio Olympics had been sold. Fans looking for tickets should be careful and buy only from the official ticketing website

Phishing for fools
Security experts are warning fans to be aware of spam and phishing campaigns surrounding the games. One scam in particular sent fake lottery win notifications supposedly from the Brazilian government and the International Olympic Committee. To claim their winnings, the recipients are asked to provide personal details. Of course there is no prize — unless you count identity theft!

Other fraudsters use spam mail or online banner advertisements to “sell” souvenirs related to the Olympics. Experts strongly recommend not buying anything advertised in these methods. Again, visiting the official Olympics website to purchase merchandise is the safest bet.

Enjoy the Opening Ceremonies tonight! I know I will.

Fraud Displaced During EMV Transition

/

GUEST BLOGGER

Zach Capers, CFE
ACFE Research Specialist

Last year, I wrote about the U.S.’s transition to EMV credit cards and the associated fraud liability shift from card issuers to merchants. The article mentioned the possible side effect of fraud being displaced from in-store to online transactions as has happened in many countries that have undergone similar transitions; one year later, the initial data is in and that possibility is now a reality.

A new report from ACI Worldwide shows that online credit card fraud during the 2015 holiday season increased by 8 percent over the 2014 holiday season. Furthermore, the report shows that 1 out of every 67 online credit card payments was a fraudulent attempt compared to 1 out of 72 the year previous. While there are many factors at play and online purchases continue to increase year over year, the findings correspond with increases expected by industry experts and follow the trends previously experienced by other countries.

Meanwhile, the transition to EMV credit cards has resulted in other forms of turmoil for merchants big and small. Visa was recently sued by Wal-Mart over the card issuer’s insistence on a signature verification system rather than a PIN requirement that Wal-Mart and many others claim would significantly increase security for customers while reducing fraud. Wal-Mart’s central claim is that Visa makes more money by processing signature based transactions than they would with a chip and PIN system, thus profiting at the expense of retailers and their customers.

Another complication wrought by the adoption of the new credit card systems is the slow certification process for new credit card terminals required by last year’s liability shift. A New York Times report in March documented the plight of mid-sized business that were still waiting for their new payment terminals to be certified despite having them in place since the November 2015 deadline. Some merchants argue that relationships between financial institutions and certification firms leave little motivation to speed up this process since uncertified merchants must continue to pay for any fraudulent activity incurred on their terminals.

On Capitol Hill, Wal-Mart and others seem to have an ally in U.S. Senator Dick Durbin who recently assailed the credit card industry’s refusal to allow PIN based transactions and the delayed certification process. The senator also echoed the frustration of many consumers regarding long waits at retail checkout counters caused by slow software processing in new card terminals.

As more consumers adapt to their new EMV credit cards and new merchant terminals are certified and updated with improved software, some of the unexpected issues with EMV adoption will be resolved. Unfortunately, many of the most significant problems with the transition were either widely predicted or entirely avoidable.