10 Infamous Fraud Cases of the 21st Century

FROM THE RESOURCE GUIDE

ACFE Staff

A seemingly endless stream of fraud stories hits the headlines every day. On Monday you could read that an Ivy League-educated financier defrauded his victims of more than $38 million, and by Friday a European soccer star is spending his day in court.

It can be disheartening to see these stories splayed across your computer or TV screens. There is, however, a silver lining. If we’ve learned anything from taking history classes in school, it’s that understanding the past helps to avoid repeating it.

In a new ACFE online self-study course, 10 Infamous Fraud Cases of the 21st Century, we do just that. By exploring 10 notable fraud cases of the 21st century, fraud examiners can identify the methods the major players used to conduct their schemes, and analyze the aftermath and impacts of various frauds. Learning from past cases means you can help protect your clients, employers and the general public from similar schemes in the future.

WorldCom
In 2002, the WorldCom scandal became one of the largest accounting frauds in history when the company revealed its wrongdoing and was subsequently forced to file for bankruptcy and write off $50 billion in losses. The scandal began when WorldCom CEO Bernie Ebbers employed a business strategy of achieving growth through acquisitions. He acquired MCI Communications and then proposed a merger with Sprint, but was forced to abandon the Sprint merger in 2000. Determined to show increased revenue despite a slow-down in mergers and acquisitions, Ebbers manipulated the books to satisfy Wall Street’s expectations. The scheme was detected when a capital expenditures audit revealed suspicious journal entries. WorldCom’s internal audit team discovered improper accounting in expenses over five quarters. The WorldCom accounting scandal was a situation in which corporate governance failed and the board of directors was caught unaware. WorldCom’s accounting system was faulty and Ebbers’ close relationship with external accounting firm Arthur Andersen presented a conflict of interest in which the auditors were unable to exercise professional skepticism when performing their audits.

FIFA
High-profile sports are big business in many countries. Unfortunately for the International Federation of Association Football (FIFA), alleged corruption and money laundering mean its big business operated with little or no oversight. The FIFA scandal involved collusion among FIFA executives, sports marketing executives and officials of continental football bodies. The scandal erupted in May 2015 when Swiss authorities raided a hotel in Zurich and several FIFA executives were arrested. The U.S. Department of Justice (DOJ) has cited more than 40 defendants in the FIFA scandal. Some charges involved bids for World Cups and for marketing and broadcast deals that amounted to nearly $150 million. Future World Cups are now in question — the scandal has caused the bidding process for the 2026 World Cup to be suspended. Proposed changes have been made, but only time will tell in an organization that has historically dealt with bribery and corruption.

GlaxoSmithKline
In 2012, British pharmaceutical company GlaxoSmithKline (GSK) was at the center of the largest health care fraud settlement in history when the company agreed to pay $3 billion in fines to U.S. regulators. The crime? According to the U.S. Justice Department, GSK unlawfully promoted certain prescription drugs, failed to report safety data, paid kickbacks to health care professionals and engaged in fraudulent pricing practices. The settlement arose from a number of GSK policies and practices that largely involved the promotion of prescription drugs, like Paxil and Wellbutrin, for off-label use. While doctors may prescribe drugs for off-label use, it’s illegal for pharmaceutical companies to promote or market off-label uses. The U.S. government also claimed that GSK paid unlawful kickbacks to health care professionals to encourage them to prescribe certain drugs. Although much of GSK’s misconduct was unique to the pharmaceutical and health care industries, the case contains broad lessons. A company’s culture should stress compliance and ethical conduct. The nature and prevalence of GSK’s misconduct suggest that its culture rewarded profit rather than compliance and patient safety. That type of culture is a recipe for fraud. 

Target
The Target data breach in late 2013 was the largest in U.S. retail history and resulted in the exposure of approximately 40 million credit card numbers and the personal information of 70 million customers. Unidentified hackers — thought to be from Eastern Europe or Russia — surreptitiously installed malware into Target’s computer networks. The hackers accessed Target’s systems using the credentials of a third-party heating and air conditioning contractor.

Before the company was hacked, Target had installed a security system that caught five instances of malware graded at the highest severity. Members of corporate headquarters were notified, but apparently ignored the alerts. In this day and age when cybersecurity has become a hot topic thanks to the increasing advancements in technology, the Target debacle shows that companies need a strong response plan to deal with alerts of possible network intrusions.

Olympus
The Olympus financial scandal exploded in late 2011 when then president and CEO Michael Woodford came forward with information exposing fraudulent accounting practices in the organization. Woodford had only served as CEO for two weeks when he revealed the financial malfeasance. The fraud is one of the most significant corporate corruption scandals in the history of Japan. In 2000, standards in Japan changed significantly after the failure of Yamaguchi Securities in 1997. The new accounting standards required losses on certain assets to be noted at the end of each accounting period. Rather than comply with the standards and disclose mounting losses, Olympus constructed a complicated system of hiding its bad assets. The company began selling bad assets for exorbitant prices to newly created entities under its control without recognizing losses from the sales. The Olympus fraud shows that tone at the top matters. Woodford wrote letters to the board about his concerns and was subsequently fired. This exemplified the company’s unethical culture. C-level executives must act according to the principles expected of employees at all levels and across the enterprise.

Learning by Example
These are just five of the 10 cases covered, and here we only scratch the surface of what can be learned from these schemes. 10 Infamous Fraud Cases of the 21st Century contains analysis from experts and experienced fraud fighters. It dives deep into each case to interactively explore the pressures, opportunities and rationalizations of the fraudsters, and how fraud examiners can take these lessons into the field.

Find more products and events in the latest ACFE Resource Guide


For Credit Card Security, U.S. Banks Need to Rethink PINs

FROM THE PRESIDENT

James D. Ratley, CFE
ACFE President and CEO

Verifying a credit card purchase with a signature is less burdensome to a consumer than having to remember a four-digit personal identification number (PIN). Unfortunately, it is also considerably less secure. According to a recent CFO article, the Association for Finance Professionals found in its 2015 Payments Fraud and Control Survey that 61 percent of respondents believe chip and PIN will be the most effective authentication method for mitigating fraud, while only 7 percent saw chip and signature as most effective.

In the coming weeks and months, several major U.S. banks will roll out new credit cards with embedded computer chips for added security. Rather than combining this technology with a PIN, as implemented in countries in Europe, Latin America, the Asia-Pacific region and elsewhere, they have decided (for now) to use the more familiar and traditional verification method of a signature as a matter of convenience for customers.

U.S. credit cardholders must ask themselves which is more of a burden: completing their purchase using a PIN; or dealing with the fallout from a compromised account, stolen identity or damaged credit history? Most people would agree that the latter are frustrating and potentially life-changing burdens that far outweigh convenience.

Chip and PIN security measures combine to substantially decrease the risk of fraud. The technology is not new – European banks introduced it in 2002, and experts predicted then that it would become the global standard. Chip-and-signature authentication, by comparison, comes up short. Signatures can be copied or forged and do not offer the same level of security as a unique PIN known to the legitimate card holder.

Merchant groups agree. In a December 29th letter to the president and CEO of the Independent Community Bankers of America (ICBA), leaders of seven prominent U.S. merchant groups stated that “ignoring PIN technology leaves us all more vulnerable.” The letter goes on to explain: “‘Chip-and-PIN’ has already shown success throughout the world and could reduce fraud losses in the U.S. by as much as 40 percent, according to the Federal Reserve Bank of Kansas City. The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer. Alternatives such as ‘chip-and-signature’ do not provide this level of security. Furthermore, PINs would also make ‘card-not-present’ transactions safer by adding another layer of authentication.”

The message to J.P. Morgan Chase, Discover, Bank of America Corp., Citigroup Inc. and other large banks is clear: consumer protection is paramount. After the massive data breaches involving Target Corp., Home Depot and other large retailers, Americans are looking for reassurance that their personal and financial information is secure. According to a Unisys Security Index, “the top three threats most worrisome in the United States in 2012 were identity theft, bankcard fraud and national security as it relates to terrorism.” More than half of Americans surveyed were seriously concerned about someone obtaining and using their credit or debit card information.

It is true that in today’s digital age, most individuals must remember a host of passwords and codes for various accounts and online activities, including existing PINs for any debit cards they might use. Having another PIN to remember certainly places a burden on the credit card holder. But it is not an undue burden when considering the added level of protection.

For its part, Target announced in the wake of its data breach that beginning early this year, all Target-branded credit cards and debit cards will include chip and PIN technology. If customers at nearly 1,800 Target stores across the U.S. can become accustomed to using a PIN to complete their credit card purchase, fellow Americans can follow suit. In fact, consumers will likely embrace the two-factor security as they have in Europe, knowing it is providing an increased level of protection from credit card fraud.

Certified Fraud Examiners (CFEs), the experts who investigate financial crimes around the globe, know the importance of preventing the next fraud before it occurs. In all frauds, including those involving credit cards, recovering the proceeds of the crime is often difficult or impossible. Whether it be the bank, merchant or customer, someone always loses. When a method such as PIN promises to decrease the incidence of fraud, it should be implemented.

Credit card fraud is a harrowing experience for the victim. Just ask those who spend months or years dealing with investigators, their bank, credit reporting agencies and others just to repair their credit history. The technology is here to better protect consumers from having to take such a journey. The sooner we collectively join our neighbors in other parts of the world in providing both chip and PIN technology, the better.

Data Breach: Two Words You Don't Want to Hear

LETTER FROM THE PRESIDENT

Data breach! Stomachs churn, blood pressures rise and knees quiver when organizations hear those two words.

On Dec. 18, 2014, Brian Krebs was the bearer of bad news when he broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. The next day, Target confirmed to Krebs, the author of KrebsOnSecurity.com, that cybercriminals had stolen more than 40 million debit and credit cards from the retailer's stores throughout the U.S.

Management at Home Depot, Kmart, P.F. Chang's and many others also reached for the Pepto-Bismol when Krebs revealed that they were data breach victims, too.

Why do these huge breaches keep happening? Well, first of all, the largest ones make the splashiest news, no doubt. But any organization that's connected to the Internet is at risk. Cybercriminals can creep into companies via outside vendors (like the Target breach), email attachments, bogus websites or some adept social engineering.

"Stolen credentials and passwords, in particular, are some of the most intractable problems in cybersecurity today," Krebs, an award-winning investigative journalist, says in the cover article of the March/April issue of Fraud Magazine. "It's bad enough that many banks do not even offer their customers the ability to authenticate themselves with anything more than a user name and password which, when phished, lost or stolen, can be used to impersonate that person. However, the lack of two-factor authentication within organizations for employees with access to sensitive customer and employer data is a recipe for disaster."

Krebs says that most companies spend "ridiculous percentages" of their security budgets on hardware, software and services that alert them when suspicious activity occurs on their networks that might indicate breaches. "Unfortunately, these systems generate so much noise and false alarms that it becomes a challenge whittling down the alerts to a few that you really need to read and act on," Krebs says. "This is a constant struggle because organizations are producing lots more data each day, and more devices are being added that generate alerts."

Read Krebs' interview so you can help your organizations (plus family and friends) protect themselves against breaches and data theft. Better yet, come to the 26th Annual ACFE Global Fraud Conference, June 14-19 in Baltimore, Maryland, to hear Krebs, a keynote speaker, in person.

I'm looking forward to seeing all of you as we compare notes on the latest fraud-fighting techniques. See you in Baltimore!

Target Uses Corporate Alliance Program to Connect Faster and More Genuinely

PARTNER PROFILE

Today the ability to connect with people at any time and from any place seems easier than ever. A tap of a finger makes the time it takes to reach someone almost instantaneous. However, reaching someone is only half the battle. The dreaded blocked-out day on an Outlook calendar, family obligations and the ding of a new email can sometimes get in the way of many attempted connections. But, the investigative team at Target is using partnerships like the ACFE’s Corporate Alliance programs to become connected to others in their industry and get the insight they need to stay ahead of the curve.

“To be successful in fighting fraud, you need to have broad knowledge and have a diverse network both inside and outside of your organization,” said Gregg Patyk, CFE, Senior Manager of Target’s Global & Information Security Investigations. “The Corporate Alliance helps us attain those goals. It enables us to connect faster and more genuinely with other companies that have similar goals and mindsets.”

Since joining the Corporate Alliance program in 2011, Patyk and his team have been able to build relationships with other member companies, especially during face-to-face seminars. At the ACFE Global Fraud Conference in San Antonio, Texas, last June, Target representatives sat down with other members and discussed specific initiatives regarding whistleblowing reporting within large companies.

“Since the conference, we’ve received assistance that we could not have received anywhere else,” Patyk said. “Likewise, we reciprocated and helped another member company resolve some of their issues. In both examples, both of our companies were able to expedite the resolutions of each matter because of partnerships and information sharing. Building partnerships with other companies enables Target to learn what other companies are doing and how they are successful with their anti-fraud programs.”

However, Patyk said that as in any relationship, it isn’t just about sharing the successes and passing along what has worked. There is also value in sharing challenges and having those tough discussions about things that didn’t work. “Being part of a group that shares information freely is conducive to learning. For example, not every program and method we have tried in the past has worked. I think it is equally important to share failures along with the success stories, so we can learn together.”

In addition to building connections with other corporations, Target uses data analytics to remain proactive and forecast potential threats. But Patyk said that there is another crucial step that goes along with that analysis. “I believe using analytics is a secondary step in being proactive. To truly be proactive, you need to be well-informed and have the right skills, knowledge and information. We connect with our internal business partners on a routine basis to have a better understanding of their businesses. By building these connections ahead of time, it really helps when there is an issue because we’ll have at least a cursory, if not better, understanding of that part of the business and be viewed as problem solvers versus adversaries. Building partnerships, staying informed and being well-trained are the first steps in being proactive.”

Read more about how Target is staying one step ahead of fraudsters in the full article on ACFE.com.

Better Online Security: Help Smaller Clients Achieve It

SPECIAL TO THE WEB

Robert Tie, CFE, CFP

Smaller enterprises are increasingly the targets of choice for cybercrooks, and no wonder. Their websites and systems might have less to plunder than those of Target and other Fortune 500 giants. But their cyberdefenses are disproportionately weaker than big-company security systems. And that makes them all the more attractive to Internet predators.

The ACFE, in response, is calling attention to the soaring online risk among small-cap businesses.

“As large organizations develop stronger controls over their networks and digital data, attacks on small enterprises have mushroomed,” said ACFE Chairman and founder Dr. Joseph T. Wells, CFE, CPA, at the 24th Annual ACFE Global Fraud Conference. He urged antifraud experts to educate small businesses about this threat and encourage their investment in defensive resources.

EXISTENTIAL RISK

“While a serious attack can significantly harm a large organization, it can force a smaller enterprise completely out of business,” says Joseph Giordano, chairman of cybersecurity programs at Utica College in New York and a former cyber operations specialist in the U.S. Air Force Research Laboratory. 
 
Case in point: CD Universe, one of the first successful online music sellers. In January 2000, a hacker stole up to 300,000 customer credit card numbers from the company’s website and demanded $100,000 in ransom, according to “Thief Reveals Credit Card Data When Web Extortion Plot Fails,” by John Markoff, The New York Times, Jan. 10, 2000. 

When CD Universe’s owner refused to pay, the hacker sold the stolen card numbers over the Internet. As news of the theft spread round the world, consumer confidence in CD Universe’s cybersecurity plummeted, swiftly transforming the once promising e-tailer into a ’Net loser. By year-end, the owner sold CD Universe for a half million less than he had paid for it.

A decade and more afterward, the case’s dynamics remain compellingly relevant but are largely ignored. Why? For the same reason it’s hard to sell insurance: Few people like to spend money on preventing something that might not happen.

And since smaller companies’ cyberattack losses get comparatively little press coverage, their leadership tends to worry more about profitability and other pressing matters than they do about online risk. 

“Cost is the primary criterion many small companies use to evaluate cybersecurity resources,” Giordano says. “Budget limits often force them to view optimal online protection as nice-to-have, rather than must-have.”

For CFEs who serve or seek small-company clients, the challenge is to get them to view online security as a form of catastrophe insurance — something they already embrace as essential protection against enormous losses.

Read the full Special to the Web article on Fraud-Magazine.com.