Wearables Strike Again: Deceased Woman’s FitBit Used to Solve Her Murder


Jeremy Clopton, CFE, CPA, ACDA
Director, Forensics and Valuation Services

In what seems to be a pattern in investigations, a deceased woman’s FitBit was used to help solve her alleged murder. In this situation, the data from the FitBit, as well as social media activity, was used to disprove an account of events provided by her husband.

This story illustrates how data beyond the obvious can be used in investigations of all types. The same mentality can be beneficial to fraud examiners as well. The key is to consider all the potential data points available to help in an examination. 

Let’s consider a financial statement manipulation scheme. While you may know the user ID that posted the entry, it is important you look even further for evidence of who actually posted it. Other relevant data points may include:

  • Date/time the entry was posted
  • Workstation from which the entry was posted
  • User ID typically associated with that workstation, compared to the user ID posting the entry
  • Was the user signed in remotely or in the office?
  • Who was in the office on the date/time the entry was posted (badge access records)?
  • Was there email activity or other digital activity on the workstation?
  • Who actually logged in to the workstation from which the entry was posted?

Clearly there is a lot more information than just the date, debit/credit, account number and amount. As you approach your next examination, consider the following:

  • What is the alleged scheme?
  • What other data can help me determine what happened or who was involved?
  • Are there data sources to help corroborate or refute the allegations?
  • Do the patterns of activity match our expectations?

I’m not saying a FitBit and social media will help solve your next investigation, though I am confident there is quite a bit more data out there you may find useful to your case.

You can hear Jeremy speak on how to effectively communicate complex data next week at the 28th Annual ACFE Global Fraud Conference, June 18-13 in Nashville.

From Input to Insight: Detecting Tone Through Machine Learning



Jeremy R. Clopton, CFE, CPA, ACDA, CIDA
Director, Big Data & Analytics, Digital Forensics, BKD, LLP and
H. Bryan Callahan, CFE, CPA/CFF, CVA
Director, Forensics & Valuation Services, BKD, LLP

Big data. Analytics. Machine learning. Artificial intelligence. These topics, and many others, are being used with regularity in all aspects of business — from marketing and operations to recruiting and retention. They should also be topics used regularly when discussing fraud examination techniques. According to the ACFE's 2016 Report to the Nations, proactive data monitoring and analysis were associated with the highest reduction in both median loss and median duration compared to all other anti-fraud controls.

In a recent case, analytics and machine learning were applied to the analysis of a variety of textual data sources. Much of what occurred in the scheme was off-book — not recorded in the company’s financial statements. Without transactional data to rely on, our examiners leveraged other data to use in the investigation and provided information to enhance the interview process.

A large company became aware of a potential theft scheme involving the IT director and some of his direct reports. The allegations were brought to the company’s attention by a whistleblower who had previously been terminated. The individuals involved in the scheme were taking old IT equipment that still had value and selling it on eBay. The user ID used to sell the equipment was in the company’s name, though it was not in the company’s control. Rather, the IT director linked his personal PayPal account to the “company” eBay account. All payments that came through the account deposited directly to his personal account, never remitting funds to the company.

Typically, transactional-based analytics would have been the starting point. However, without transactions to analyze, examiners turned to email and instant messages of the IT department personnel. The first approach — keyword searching — did not net much in the way of direct evidence. 

The second approach — tone detection — identified a number of instant messages between the IT director and a supervisor which had a conspiratorial tone (other common tones in examinations include nervous, evasive, anxious and intimate). The topic of those communications was the eBay scheme.

In addition, tone detection also identified a couple of emails between the IT director and some female colleagues that may have been a little too “friendly” for normal professional relationships. While these were not used in this investigation, these types of results can be useful in lawsuits and investigations involving sexual harassment.

Armed with text messages, examiners interviewed the IT director who confessed to the scheme. Both machine learning — in this case specifically tone detection — and traditional analytics using keyword searching were used to successfully uncover the scheme at hand.

These topics and more are covered in the ACFE’s 2-day course, Using Data Analytics to Detect Fraud. Working through the data analysis process and assessing case studies from a data perspective, the course will help you:

  • Focus on the analytics process to successfully apply analytics in your examinations.
  • Learn the fundamental data analysis techniques and how to perform them in a variety of software solutions.
  • Learn about advanced analytics techniques, including text analytics, visual analytics and predictive modeling.
  • Strategize how to apply analytics in specific fraud schemes and develop a framework for that application.

Transactions, communications, technology and other assets continue to generate more data every day. The use of analytics, machine learning, artificial intelligence and other advanced analytics methods will help anti-fraud professionals evolve their methods to keep up with the complex occupational fraud landscape.

You can read more about this course and more events and seminars in our latest Resource Guide.

Casting a Net(work) to Crack Down on Corruption


Jeremy Clopton, CFE, CPA, ACDA
Senior Managing Consultant, Forensics and Valuation Services, BKD, LLP

In nearly every industry in the 2014 Report to the Nations, corruption was the most common fraud scheme. And while this means there is likely plenty of attention given to corruption, it remains one of the more difficult types of fraud to detect and try to prevent. Much of the basis of corruption is power and influence, neither of which typically show up in the financial aspects of an organization. However, we do have something in our organizations we can use to take a more aggressive approach to detecting corruption — data.

Data Types
We have more data in our organizations now than we have ever had. Organizations continue to generate more data each day — data with great variety. It is the variety of data that provides us a means by which to take a more aggressive approach to addressing corruption. We need to analyze all of the data we have in our organizations, both structured and unstructured. Structured data comes in columns and rows, neatly organized. This is the data traditionally analyzed in examinations. Unstructured data is everything else, which in many organizations accounts for 80 percent of the data. This has typically been left to the digital forensics specialists for analysis.

Analysis Methods
When it comes to analyzing data sets to address corruption, it takes more than just structured data. That said, the structured data is a great place to start. An analysis of attributes of vendors, customers, employees and others an organization is doing business with can provide insights into potential relationships and conflicts of interest. The results of the attribute analysis become the foundation for further analysis that includes unstructured data. 

Incorporating all of the available unstructured data is a critical next step when addressing corruption in an organization. One of the key data sets for expanding the relationship network related to individuals in your organization is communications data. Email, phone logs, text messages and other means of electronic communication provide context around the relationships between individuals inside and outside the organization. This covers not only the entities and individuals in the email, but also the actual content of the messages and the nature (tone) of the communications.

In addition to communications data, other useful information includes social media postings, business documents and information regarding an individual’s role in a particular business process (such as purchasing/contracts). Using this information, coupled with the communications data and relationships from attributes, allows you to build an enhanced relationship network that provides insights not otherwise available in the normal course of business. This network may provide the information you need to identify signs of corruption in your organization.

Additional Information
To learn more about this topic, head over to Fraud-Magazine.com and check out the Fraud EDge column. A colleague and I recently wrote a six-article series on the topic of integrating data analytics and digital forensics for more effective analysis of all data in an organization. If you’re attending the upcoming ACFE Global Fraud Conference, I will be presenting on this very topic. I hope to see you there!

Back to the Basics: Red Flags and the Fraud Triangle


Jeremy Clopton, CFE, CPA, ACDA
Managing Consultant, Forensics and Valuation Services, BKD, LLP

When it comes to looking for ways to improve fraud detection and prevention efforts, sometimes it is best to get back to basics. By basics, I mean the very basics – shapes and colors.  

Criminologist Dr. Donald R. Cressey developed the Fraud Triangle to help examiners understand what leads individuals to commit fraud. Many people refer to the signs that indicate an individual is facing pressure, sees an opportunity or is beginning to rationalize behaviors as red flags. The key becomes identifying the red flags that indicate the legs of the Fraud Triangle are coming together, thus increasing the risk for a potential fraud.

The August issue of the Journal of Accountancy includes an article that examines the inner workings of an $8 million fraud. In the article, there are repeated examples of pressures (debt, a new baby, gambling, divorce), opportunities (approval access, password knowledge) and rationalization (paying off existing debt). After reading the fraudster’s part of the article, it is clear that the Fraud Triangle was complete and, though they went unnoticed, there were multiple red flags. The latter half of the article, written by Dr. Mark Nigrini (author of Forensic Analytics and Benford’s Law), explains the controls and methods organizations should consider to help mitigate the risk of the fraud scheme perpetrated.  

This article emphasizes three important uses of data for fraud investigators:

  • Fraud Triangle analytics – While this fraud took place back in the early 2000s, today the widespread use of email, social media and instant messaging provides a large volume of data for analysis. Analyzing these communications, as well as the related geo-tagging data, may help an investigator identify pressures, opportunities and rationalizations.  
  • Control testing – One of the keys to this fraud scheme’s success was the ability of the fraudster to log in to the system under another individual’s credentials. In fact, there are multiple users’ credentials the fraudster described using during the scheme. Analyzing the access logs of various users with check request and approval authority is beneficial for both deterrence and detection. For example, most employees work off a single computer. Users that log in through multiple terminals may be indicative of a control issue.
  • Payroll trends – The fraudster in the article stated his subordinate had to have the day off in order for the fraud to work. This provided the access needed to take the fraudulent checks. An analysis of the payroll detail, in this situation, would likely have shown an unusual pattern in vacation time for the subordinate. Typically used for vendor activity, trend analysis is also beneficial in analyzing payroll activity (or any activity with an expected pattern over time).
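
As an added example (not code from the article, its authors or BKD), the control test in the bullet above can be combined with the journal-entry data points listed in the first post on this page: who usually uses the workstation, who was logged in to it when the entry posted, and who was badged into the office. All user IDs, workstation names, timestamps, entry numbers and record layouts are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
T = datetime.fromisoformat
# Constructed sample data. Workstation logins: (user, workstation, login, logout)
LOGINS = [
    ("asmith", "WS-01", T("2024-03-04 08:02"), T("2024-03-04 17:01")),
    ("asmith", "WS-01", T("2024-03-05 08:05"), T("2024-03-05 16:58")),
    ("bjones", "WS-02", T("2024-03-04 08:30"), T("2024-03-04 17:10")),
    ("bjones", "WS-01", T("2024-03-06 12:10"), T("2024-03-06 12:40")),
]
# Badge records: (user, time in, time out)
BADGES = [
    ("asmith", T("2024-03-05 07:58"), T("2024-03-05 17:02")),
    ("bjones", T("2024-03-06 08:25"), T("2024-03-06 17:10")),
]
# Journal entries: (entry id, posting user ID, workstation, posted at)
ENTRIES = [
    ("JE-1001", "asmith", "WS-01", T("2024-03-05 10:15")),
    ("JE-1002", "asmith", "WS-01", T("2024-03-06 12:25")),
]

def usual_user(logins):
    """User ID that most often logs in to each workstation."""
    counts = defaultdict(Counter)
    for user, ws, _, _ in logins:
        counts[ws][user] += 1
    return {ws: c.most_common(1)[0][0] for ws, c in counts.items()}

def multi_terminal_users(logins):
    """Users seen on more than one workstation (possible control issue)."""
    seen = defaultdict(set)
    for user, ws, _, _ in logins:
        seen[user].add(ws)
    return {u: sorted(w) for u, w in seen.items() if len(w) > 1}

def review_entry(entry, logins, badges):
    """Corroborate the posting user ID against login and badge records."""
    _, poster, ws, when = entry
    on_ws = {u for u, w, a, b in logins if w == ws and a <= when <= b}
    in_office = {u for u, a, b in badges if a <= when <= b}
    flags = []
    if usual_user(logins).get(ws) != poster:
        flags.append("posting ID is not the workstation's usual user")
    if poster not in on_ws:
        flags.append("workstation session: " + (", ".join(sorted(on_ws)) or "none"))
    if poster not in in_office:
        flags.append("poster not badged in (remote or absent)")
    return flags
```

In the sample, JE-1002 carries asmith's user ID but was posted while bjones held the session on WS-01 and asmith had no badge record, which is the pattern an examiner would follow up on.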

As technology changes, so too must our investigation methods. In 2004, when this fraud took place, it may not have been possible to use data for the three types of tests described above. Ten years later these are just a small subset of the ways fraud investigators use data. However, it all comes back to the basics of shapes and colors. Investigators use data to find the red flags indicating the legs of the Fraud Triangle are all in place.

Follow Jeremy on Twitter @j313 or at BKDForensics.com.

How to Tame ‘Data in the Wild’


Misty Carter, CFE
ACFE Research Specialist

Emails, social media posts, blogs, instant messages — what do they all have in common? For one, they are tools used by millions of people each day to communicate with the rest of the world. What else do they have in common? They help detect fraud. You might be wondering, “Why and how is a Facebook update relevant to fraud detection?” Consider how much new data is created every second. Think about how many posts, emails or text messages you personally send each day. Now think about how much of this data is never touched. 

To put it into perspective, a study conducted by International Data Corporation (IDC), a U.S. market research firm, estimated that text, also known as unstructured data, will account for 90 percent of all data created in the next decade. Unstructured data, sometimes referred to as “data in the wild,” is basically free-form data that has not been put into a structured format. Since unstructured data is a relatively unexploited resource for fraud examiners, it makes sense to use it in a way that can provide more insight into areas prone to fraud that might have been previously untouched.

Before coming to the ACFE, I spent 10 years working in the audit field. I found mining through text data during fraud investigations to be one of the most useful tools in my auditing toolkit. Today, many fraud examiners are using a similar data analysis method to help explain, understand, or interpret a situation or a person’s actions or thoughts. This type of non-traditional analysis is referred to as textual analytics. In fact, the FBI and Ernst and Young’s Fraud Investigation and Dispute Services Practice have used textual analysis on email communications from past corporate investigations to determine the most common words used by employees engaged in rogue trading and fraud. As a result of their analysis, they identified the top 15 keywords and phrases used by fraud perpetrators. This list of keywords can be used proactively to prevent fraud from occurring or spot it early in the process.

The use of keywords, however, is only one facet of analyzing textual data. The ACFE’s new online course, Textual Analytics, identifies various techniques that can help fraud examiners, including examples of how data from free-text fields, email, social media sites and other sources can be used to uncover fraud. This course provides an overview of different types of data and how it should be managed prior to being analyzed. It also explains how textual data can be used to assess fraud risk in areas that might not be on management’s radar. 

If you are looking for new and innovative ways to add value to your organization, this course will provide you with the tools necessary to effectively reduce fraud risk exposure while enhancing your fraud detection skills.

Read more about the new course.