Benford’s Law can be a tricky concept to grasp at first, but it provides an extra method for fraud examiners to test data for potentially fraudulent activity. Here’s more on what it is exactly and how fraud examiners can use it.
As the world witnesses a surge in fraud incidents, leveraging artificial intelligence (AI) for fraud detection could be the key to saving millions of dollars in financial fraud losses. Organizations worldwide are increasing their investment in AI-based fraud detection solutions, indicating that the industry is bullish on the capabilities of AI in fraud.
Associate Director of Forensic Services, SKP Business Consulting
In the current electronic age, e-discovery is considered one of the key approaches for gathering evidence in litigation and investigations into misconduct. With new tools being created to help uncover and understand electronic data, the industry is evolving to new heights. When there is a large amount of data to review, the process requires a purpose-led approach to ensure the evidence is compiled objectively and accurately.
E-discovery reviews are based on keywords, timelines and communication patterns relevant to a purpose or defined objective. Amidst multiple aspects — like the nature of email threading, parent-child linkages, text analytics and communication patterns considered for review — the following eight elements are essential types of email evidence to not overlook in your examinations:
- Calendar: A potential subject may schedule meetings that are contextually important to a case.
Example: In a Foreign Corrupt Practices Act investigation, a calendar appointment with an individual at a posh restaurant a few days prior to the approval for a regulatory license may be relevant if the individual’s name in the appointment and the name of the public official providing the license are the same or similar.
- Automatic email: Dates mentioned in an automated out of office response may be important for connecting a chain of events associated with a concerned individual.
Example: If the dates of out-of-office responses sent during a vacation conflict with the dates of contract negotiations with a third party, it may be a red flag worth looking into.
- Travel and hotel information: Travel and hotel booking information can contain vital evidence.
Example: In a kickback investigation, payment details as part of a travel or hotel booking voucher that contain the name of a payee/credit card holder may be relevant to correlate an employee’s relations with a suspected vendor/third party.
- E-commerce purchases/email alerts: Alerts from e-commerce sites or courier agencies can play key roles in examinations.
Example: A dispatch intimation from a shipper from a suspected third party to an employee’s personal address may be relevant for further enquiry in a conflict of interest or kickback investigation. Similarly, banks and financial institutions send alerts (on cash deposits, exceeding limits, swipe of card in unusual locations, etc.) as email alerts. These email alerts may be relevant in a chain of events to correlate and corroborate with the available information in the context of a review.
- Group/other registrations: Email IDs registered with certain sites (gambling, pornographic or dating) and emails received from such sites may be relevant during investigations into misconduct.
- Task classification (flagging): Task classification and completion are used for the convenience of tracking key activities/communications. Such tagging may highlight certain patterns.
Example: A pattern of prioritizing the approval of third party invoices over others along with task classification by a user department representative, who is using the services of the concerned third party, may show possible indications of favoritism by the employee.
- Self-emails, notes/task listing: Many individuals send emails to themselves as a reminder, notification, to-do list, etc.
Example: A self-email by an accountant containing the phrase "change estimations" may be relevant in a financial statement fraud. It is necessary to understand that the content of self-emails may not contain the keywords identified as relevant for the case. Similarly, subjects may update their tasks/notes as part of their email service, which may contain messages of evidentiary value.
- Folder structures: Every individual has a way of organizing their email communications. This includes the way the individual has classified their folders within their email service or the archival methodology they had adopted. These aspects provide necessary insights in understanding which folders contain relevant information.
Reviewing digital data for evidence requires objective-driven searches in order to understand and interpret a given circumstance. Awareness of possible alternative evidence provides the ability to anticipate and look for some of the above categories of communications in search of evidence. While not all these categories may be relevant in every case, these are vital ways to find the evidence needed to detect fraud.
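The categories above are easy to list and easy to overlook in a large review. The following added example (not part of the original article) shows how a reviewer can triage a mailbox for them automatically before keyword searching begins. All messages, addresses and subjects are constructed; the mailbox format, the hypothetical `flagged_ids` set standing in for IMAP flag metadata, and the subject patterns are assumptions.

```python
"""Triage a mailbox for non-obvious evidence categories: calendar items, auto-replies,
travel bookings, e-commerce/bank alerts, flagged items and self-emails."""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample mailbox: fictional people, domains and subjects.
SAMPLE_MAILBOX = [
"""From: alice@example.com
To: bob@example.com
Date: Mon, 01 Feb 2016 10:00:00 +0000
Subject: Dinner at The Grand
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Dinner at The Grand
DTSTART:20160203T190000Z
END:VEVENT
END:VCALENDAR
""",
"""From: carol@example.com
To: alice@example.com
Date: Wed, 03 Feb 2016 08:00:00 +0000
Subject: Automatic reply: Contract draft
Auto-Submitted: auto-replied

I am out of the office from 3 February until 10 February.
""",
"""From: bookings@hotel.example
To: bob@example.com
Date: Thu, 04 Feb 2016 12:30:00 +0000
Subject: Hotel reservation confirmation 88213

Paid with card ending 4242, cardholder: Vendor Co.
""",
"""From: noreply@courier.example
To: bob.personal@mail.example
Date: Fri, 05 Feb 2016 09:15:00 +0000
Subject: Your order has been dispatched

Sender: Vendor Co. Tracking: ZX-0001
""",
"""From: bob@example.com
To: bob@example.com
Date: Sat, 06 Feb 2016 22:40:00 +0000
Message-ID: <note-1@example.com>
Subject: note to self

change estimations before the audit
""",
"""From: dave@example.com
To: bob@example.com
Date: Sun, 07 Feb 2016 15:00:00 +0000
Subject: Q1 budget review

Slides attached tomorrow.
""",
]

CALENDAR_TYPES = {"text/calendar", "application/ics"}
TRAVEL = re.compile(r"\b(booking|itinerary|reservation|e-?ticket|hotel|flight)\b", re.I)
ALERT = re.compile(r"\b(dispatch\w*|shipped|delivery|tracking|order|transaction alert|card used)\b", re.I)
AUTO = re.compile(r"automatic reply|out of (the )?office", re.I)


def classify(msg, flagged=False):
    """Return the set of evidence categories one parsed message falls into."""
    tags = set()
    subject = str(msg["Subject"] or "")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])}
    # Calendar invitations travel as a text/calendar part (top-level or nested).
    if any(part.get_content_type() in CALENDAR_TYPES for part in msg.walk()):
        tags.add("calendar")
    # RFC 3834 marks automatic replies with Auto-Submited != "no"; subject is a fallback.
    if str(msg.get("Auto-Submitted", "no")).lower() != "no" or AUTO.search(subject):
        tags.add("auto-reply")
    if TRAVEL.search(subject):
        tags.add("travel")
    if ALERT.search(subject):
        tags.add("alert")
    # A self-email: the sender is the only recipient.
    if sender and recipients == {sender}:
        tags.add("self-email")
    # Flags/follow-up markers live in mailbox metadata (e.g. IMAP \Flagged), not headers;
    # the caller passes them in (assumption: keyed by Message-ID).
    if flagged:
        tags.add("flagged")
    return tags


def triage(raw_messages, flagged_ids=frozenset()):
    """Parse every message and report date, sender, subject and categories, oldest first."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        rows.append({
            "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
            "from": parseaddr(str(msg["From"]))[1],
            "subject": str(msg["Subject"]),
            "tags": sorted(classify(msg, flagged=str(msg.get("Message-ID", "")) in flagged_ids)),
        })
    return sorted(rows, key=lambda r: r["date"])


if __name__ == "__main__":
    for row in triage(SAMPLE_MAILBOX, flagged_ids={"<note-1@example.com>"}):
        print(row["date"], row["from"], row["subject"], row["tags"])
```

Messages with an empty tag list still go through the normal keyword review; the tagged ones are the candidates whose relevance a keyword search would not reveal, such as the self-email above, whose body carries the phrase of interest but nothing a generic term list would catch.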
Lindsay H. Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions
News stories would lead you to believe that once an email or file is deleted, all hope is lost. Take heart — deleted data will not leave your investigation DOA. The mere absence of the information combined with other artifacts left behind can prove valuable to your investigation.
One of the latest challenges facing forensic analysts is the use of anti-forensic tools. While most frauds leave behind a digital footprint, the more technologically savvy fraudsters are now using anti-forensic tools to encrypt, delete or destroy data. Their goal, of course, is to make it more difficult to uncover the footprints of fraud.
Luckily, understanding a few prevalent anti-forensic techniques can help you overcome them:
Hiding data through encryption
The encryption of data encodes it, leaving it unreadable without authorization. While organizations often deploy encryption for security measures, a fraudster may use encryption to obfuscate nefarious activity. Some encryption tools leave a signature on the digital media indicating the presence of an encrypted volume. The challenge created by encrypted data is the need for the encryption key to access the information — without it you are left with few options. But fear not, the mere existence of encryption software may be the smoking gun you need to show concealment.
Deletion of data
Deleted data is possibly the easiest form of anti-forensic activity to address. The delete key on a keyboard would be more accurate if it simply read, “hide.” When data is “deleted” the location where the data resides is merely marked as available — leaving the original data intact until it is overwritten by new data. There are many forensic analysis tools that can identify and recover deleted files or fragments of deleted files not fully overwritten. Information about the deleted files, such as the date of deletion, often proves to be a valuable artifact in an investigation.
Destruction of data
The use of data wiping software is one method a fraudster can use to make it more difficult to restore deleted data. Data wiping will overwrite the free space marked as available when the file was deleted, likely leaving it unrecoverable. The wipe can be performed on an entire disc or a specific area. The good news is that wiping software leaves a footprint that can be useful to your investigation. Review the computer’s program list for wiping tools and document the steps you take in an attempt to recover the “wiped” files. The existence of a wiping program and your efforts to recover the data may serve as evidence of the lengths a suspect went to in an attempt to conceal wrongdoing.
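Why "deleted" data can be carved back but "wiped" data cannot is easier to see on a toy disk. The following added example (not from the original article) builds a minimal block device with an allocation table, deletes a file by merely releasing its blocks, recovers it from unallocated space with a signature-based carver, then wipes free space and shows the carver finds nothing. The block size, the file contents, the `%PDF-`/`%%EOF` signatures used as markers and the journal standing in for file-system timestamps are all constructed assumptions.

```python
"""Toy disk: deletion only releases blocks, so a carver still finds the file;
wiping overwrites the released blocks, so it does not."""

BLOCK = 64  # bytes per block (assumption; real file systems use 512 B to several KiB)


class ToyDisk:
    """Minimal block device with an allocation table, standing in for a real file system."""

    def __init__(self, n_blocks):
        self.data = bytearray(BLOCK * n_blocks)
        self.allocated = [False] * n_blocks
        self.directory = {}   # name -> ordered list of block indexes
        self.journal = []     # (sequence, action, name): the "date of deletion" artifact

    def write_file(self, name, payload):
        needed = -(-len(payload) // BLOCK)   # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, idx in enumerate(free):
            chunk = payload[n * BLOCK:(n + 1) * BLOCK]
            # Only len(chunk) bytes are written; anything left in the block from an
            # earlier file survives as "slack space".
            self.data[idx * BLOCK:idx * BLOCK + len(chunk)] = chunk
            self.allocated[idx] = True
        self.directory[name] = free
        self.journal.append((len(self.journal), "create", name))

    def delete_file(self, name):
        # "Delete" marks the blocks available; the bytes themselves are untouched.
        for idx in self.directory.pop(name):
            self.allocated[idx] = False
        self.journal.append((len(self.journal), "delete", name))

    def wipe_free_space(self, fill=b"\x00"):
        # What a wiping tool does: overwrite every block marked as available.
        for idx, used in enumerate(self.allocated):
            if not used:
                self.data[idx * BLOCK:(idx + 1) * BLOCK] = fill * BLOCK

    def unallocated(self):
        """Concatenate all free blocks in disk order, as a carver would read them."""
        return b"".join(bytes(self.data[i * BLOCK:(i + 1) * BLOCK])
                        for i, used in enumerate(self.allocated) if not used)


def carve(blob, header, footer):
    """Naive signature carver: every header..footer span in the blob.
    A fragmented file whose blocks are out of order would come back garbled."""
    found, pos = [], 0
    while True:
        start = blob.find(header, pos)
        if start < 0:
            return found
        end = blob.find(footer, start + len(header))
        if end < 0:
            return found
        found.append(blob[start:end + len(footer)])
        pos = end + len(footer)


PDF_HEADER, PDF_FOOTER = b"%PDF-", b"%%EOF"


def demo():
    """Write, delete, carve, wipe, carve again. Returns (recovered, after_wipe, journal)."""
    disk = ToyDisk(8)
    disk.write_file("notes.txt", b"meeting notes, nothing special")   # stays allocated
    # Constructed file content spanning two blocks.
    ledger = (b"%PDF-1.4\n1 0 obj << /Title (Commission schedule) >> endobj\n"
              b"invoice 4711 settled from the separate account, see memo\n%%EOF")
    disk.write_file("ledger.pdf", ledger)
    disk.delete_file("ledger.pdf")
    recovered = carve(disk.unallocated(), PDF_HEADER, PDF_FOOTER)
    disk.wipe_free_space()
    after_wipe = carve(disk.unallocated(), PDF_HEADER, PDF_FOOTER)
    return recovered, after_wipe, disk.journal


if __name__ == "__main__":
    rec, gone, journal = demo()
    print("carved after delete:", len(rec), "file(s)")
    print("carved after wipe:  ", len(gone), "file(s)")
    print("journal:", journal)
```

The journal is the part that survives the wipe: even when the content is gone, the record that a file named `ledger.pdf` was created and then deleted remains, which is the kind of artifact the text above says to document.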
As fraudsters become savvier, investigators will see more sophisticated anti-forensic activity to cover the suspect’s tracks, but remember, even anti-forensic activity leaves valuable evidence.
Unaoil, a Monaco-based oil consulting company, was recently exposed in a media investigation for potentially supporting or facilitating bribes on behalf of large multinational firms in the oil and gas industry. Though the company is from Monaco, Unaoil is believed to have supported companies in winning contracts across Middle Eastern and African countries. The investigation, which Fairfax Media and The Huffington Post conducted, identified several emails providing references to the routing of bribes.
The Unaoil case provides several lessons on using forensic email reviews to help gather evidence or indications of fraud, misconduct and regulatory non-compliance. Investigators who use these reviews rely on communication as a raw form of evidence that exhibits subjects' unethical or illegal intent. Keyword searches are an effective method of identifying evidence in the huge volumes of data stored in digital devices. Investigators choose keywords based on context and relevance to the case.
An analysis of the evidence gathered by Fairfax Media and The Huffington Post on the Unaoil case reveals a number of lessons on forensic email reviews for investigators.
Using code words in communication
Many of the leaked Unaoil emails and excerpts contain several code words referring to individuals, organizations, events and the contexts of the communication. Individuals are referred to as "Doctor," "Ivan," or "Lighthouse." Code words can help disguise intent in communication. For example, bribers or bribe receivers (public officials) might not be red-flagged in email if they identify themselves by code name or keyword.
Of course, these reviews wouldn't be effective unless investigators are aware of the keywords subjects are using, because searches built on generic keywords might return inconsistent results.
Investigators should look for:
- Data (files created, system logs, etc.) and communication (email and chat logs) pertaining to a specific time period (a month, quarter or a year that's relevant to the incident or the issue in question).
Dissecting the chain of events
The leak in the Unaoil case included emails referencing the opening of a separate bank account to channel funds; a request for depositing funds into an unknown, third-party, offshore account; and a payment rejected by a bank, which noted the transaction "may conflict with U.S. government sanctions." In that case, the rejected payment was subsequently cleared by the bank.
Automated communications from a banking channel on payouts or deposits might be ignored assuming they're irrelevant. However, if someone attempts to place some of these transactional communications into the overall chain of events relating to the issue or the incident in question, it helps in identifying relevant evidence on a violation or misconduct. Such communication might not contain any of the keywords (including names of key people) that are considered in the review.
When looking at the chain of events, investigators should consider the following three key factors:
- Inconsistent nature of received communication.
- Unusual patterns of communication and the use of "Bcc:" in emails.
- Communication representing financial transactions or financial manipulation.
These outliers help put together events and look at them from a bird's-eye view. Looking at the chain of events in this way enables the investigator to identify potential red flags. For instance, a Bcc: communication might show that the perpetrator intended to involve the subject in the blind copy field without the receiver knowing it.
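The two points above, that transactional or automated messages may carry none of the case keywords, and that Bcc: use and financial references are outliers worth surfacing, can be turned into a small chain-of-events builder. The following added example (not from the original article) orders a constructed set of messages by date, marks each with the three outlier factors listed above, records which case keywords it matched, and then lists the messages that would be invisible to a keyword-only review. The messages, addresses and bank alerts are fictional; the code names "Doctor" and "Lighthouse" are the ones the text quotes; the financial-term pattern is an assumption.

```python
"""Build a dated chain of events from emails and flag the outliers a keyword
search would miss: automated messages, Bcc: use and financial references."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

CASE_KEYWORDS = ["Doctor", "Lighthouse"]   # code names quoted in the text
# Assumed indicator list for financial transactions or manipulation.
FINANCIAL = re.compile(r"\b(deposit|wire|transfer|payment|invoice|account|sanction)\w*", re.I)

# Constructed sample messages; deliberately out of date order.
SAMPLE = [
"""From: lighthouse@example.net
To: ops@example.com
Date: Tue, 05 Jan 2016 09:12:00 +0000
Subject: Re: Project Alpha

Doctor confirms the fee. Lighthouse will open the separate account this week.
""",
"""From: alerts@bank.example
To: ops@example.com
Date: Fri, 08 Jan 2016 16:40:00 +0000
Auto-Submitted: auto-generated
Subject: Outgoing wire 4471 rejected

The transfer to the beneficiary account was rejected: it may conflict with U.S. government sanctions.
""",
"""From: ops@example.com
To: finance@example.com
Bcc: lighthouse@example.net
Date: Sat, 09 Jan 2016 11:05:00 +0000
Subject: Resubmit

Please resubmit 4471 through the new account on Monday.
""",
"""From: alerts@bank.example
To: ops@example.com
Date: Tue, 12 Jan 2016 10:02:00 +0000
Auto-Submitted: auto-generated
Subject: Outgoing wire 4471 completed

The transfer has been executed.
""",
"""From: dave@example.com
To: ops@example.com
Date: Sun, 03 Jan 2016 12:00:00 +0000
Subject: Lunch

Noodles on Monday?
""",
]


def analyse(raw, keywords):
    """Parse one message into a timeline event with outlier flags and keyword hits."""
    msg = message_from_string(raw, policy=policy.default)
    # Search headers as well as the body so a code name hidden in Bcc: is still found.
    text = "\n".join(str(msg.get(h, "")) for h in ("Subject", "From", "To", "Cc", "Bcc"))
    text += "\n" + msg.get_content()
    flags = set()
    if msg["Bcc"]:                                           # sender-side copies keep Bcc:
        flags.add("bcc")
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":  # RFC 3834 automated mail
        flags.add("automated")
    if FINANCIAL.search(text):
        flags.add("financial")
    hits = [k for k in keywords if re.search(rf"\b{re.escape(k)}\b", text, re.I)]
    return {
        "date": parsedate_to_datetime(str(msg["Date"])),
        "from": parseaddr(str(msg["From"]))[1],
        "subject": str(msg["Subject"]),
        "flags": sorted(flags),
        "keyword_hits": hits,
    }


def build_timeline(raw_messages, keywords):
    """Chain of events, oldest first."""
    return sorted((analyse(r, keywords) for r in raw_messages), key=lambda e: e["date"])


def blind_spots(timeline):
    """Events that matter to the chain (automated or financial) but match no case keyword."""
    return [e for e in timeline
            if e["flags"] and not e["keyword_hits"]
            and ({"automated", "financial"} & set(e["flags"]))]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE, CASE_KEYWORDS)
    for e in tl:
        print(e["date"].date(), e["from"], e["subject"], e["flags"], e["keyword_hits"])
    print("keyword-only review would miss:", [e["subject"] for e in blind_spots(tl)])
```

Read in date order, the constructed sequence shows the pattern the text describes: a code-named instruction, a rejected transfer reported only by an automated bank message, a Bcc: to the code-named party, then a completed transfer. The two bank alerts contain no case keyword at all and surface only because the timeline treats automated and financial messages as outliers in their own right.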
Forensic email reviews help uncover clues
Organizations should consider using forensic email reviews in new ways to uncover information about key players' communication patterns, including what they communicate, with whom, and which files they send and receive. If you conduct this type of analysis on each individual for an isolated sample period, you might identify specific keywords.
These reviews should extend beyond keyword-based searches to examine communication among identified individuals, time-period-based information exchange, inconsistent/unusual patterns or nature of communication, and any suspect references to financial transactions and manipulation.
The Unaoil case demonstrates how you can use these tactics in forensic email reviews to help unravel large-scale, complex fraud schemes and discover communication patterns, preserved digital evidence and, most importantly, fraud perpetrators' own words — saved for posterity.
Read the full article, with even more tips for reviewing emails, at Fraud-Magazine.com.
Sundaraparipurnan Narayanan is the associate director of forensic services at SKP Business Consulting LLP. His email address is: SNarayanan@skpgroup.com.