10. Tracking Down a Threat

It was lunchtime on a Friday at FormChem, a bustling chemical company on the West Coast. Scientists and engineers crowded into the cafeteria for their daily ingestion of sandwiches and pizza. The CEO of FormChem, Jim NoKloo, decided to pop into the cafeteria and chat with his employees. As he left one table and headed for another, his BlackBerry buzzed. He saw an email that read, “If you do not follow my instructions, I will steal the company formulas and take down your operation completely.”

At first NoKloo thought it was a joke or some deranged form of spam. Later that day, he received another email on his BlackBerry with an equally threatening statement. NoKloo quickly returned to his office and re-read the emails. Who could have sent these? Were these threats legitimate? If any of his clients, all major players in the biotech industry, got wind of this threat, he would lose his business. As his mind raced, he called the general counsel of his firm, who in turn called us.

With a team of computer forensic experts, we traveled to FormChem’s offices. The email appeared to have been sent from the account of an employee who no longer worked for FormChem. We were quickly able to determine that the sender of the threats must have been someone who currently worked for the company, and was in FormChem offices or was on its network at the time the email was sent. To avoid any disruption at FormChem and to ensure the threats were not leaked to the press, remote access to the network was suspended, and our team imaged company computers after the offices were closed, when no employees were present. Through imaging certain computers and reviewing employee schedules and referencing the information with employee alibis, we were able to narrow down the list of possible suspects to six individuals, all members of the IT department at FormChem. The next day, we conducted interviews of these six individuals. We gave them “Upjohn” warnings (the civil version of Miranda rights; informs employees they are the subject of an investigation) and asked for their cooperation. Based on the information gleaned from these interviews, we were able to further narrow the list to three possible suspects.

Executives receive anonymous threatening correspondence more often than you would think. Behind every one of these emails or letters is a person with a motive and a desire. The trick is tracking down the origin of the threat.

Our next logical step was to do some fact-gathering on these three members of FormChem’s IT department. Information on two of these individuals did not reap anything of substance for the investigation. However, our research on the third suspect, Kevin Axtagrinde, found that his wife, Layla, owned a temp agency that previously had a contract with FormChem to provide data entry employees, most of whom were nondocumented workers. After speaking with NoKloo, we learned that FormChem had terminated its relationship with Layla’s company. Apparently, FormChem was not happy with her services and refused to pay several invoices totaling in excess of $100,000.

Your Computer’s Memory Is Better Than Yours

Imaging a computer is when a team of forensic computer experts takes a mirror image “(forensic image)” of the computer’s hard drive. This process is designed to withstand scrutiny in a legal proceeding. The forensic experts then retrieve all documents, emails, and pictures from the computer, which can then be reviewed for anything troublesome, potentially damaging, or threatening. Just because you press “delete” on an email or document does not necessarily mean it no longer exists. Unless the computer has written over that document/email (which happens after an extended length of time) or the computer has specific software that does, indeed, delete the text from the hard drive’s memory, then the text is not really deleted.

We also found out that Kevin Axtagrinde owned a few rundown apartments near FormChem offices and rented these apartments to the data entry employees who worked for his wife’s temp agency.

With money coming to Layla for providing the temporary employees and money coming to Kevin for housing them, for a while the situation had been a win-win for the Axtagrinde household. But now that the FormChem cash flow was stymied for the Axtagrindes, it seemed they had a motive for sending the emails to NoKloo.

Our computer forensics team returned to Kevin’s office and imaged his computer. We found that not only did Kevin have an extra hard drive on his computer that was not authorized by the company, but that he had also installed “Trojan software” that was enabling him to access Jim NoKloo’s computer without NoKloo’s knowledge.

With all of this evidence, it was apparent that Kevin Axtagrinde was the culprit. With the approval of the general counsel for FormChem, we approached Kevin and apprised him of the results of our investigation, and he fessed up. In exchange for Kevin’s cooperation, FormChem had Kevin sign a document stating he resigned from FormChem, and he agreed not to leak the information to anyone, including the press. In turn, FormChem agreed not to press charges against him. Since Kevin left, things have been operating smoothly, and Jim NoKloo is no longer apprehensive when checking his emails on his BlackBerry.

Detecting a Slumlord

Our review of property records found the buildings owned by Kevin Axtagrinde. We knew these apartments were being rented because we found a few civil eviction lawsuits filed by the landlord, Kevin Axtagrinde, against tenants of his.

The Tactic: Three Principles of Wrongdoing

People responsible for wrongdoing usually have motive, access, and the knowledge to commit the fraud. In this case, Kevin Axtagrinde’s motive was that his wife got stiffed for $100,000, he was no longer able to play slumlord to the FormChem temporary workers from her agency, and we later learned Kevin had hoped to be promoted to a senior position, but he never got the promotion. Because of Kevin’s role in the company, he had the capacity to tamper with FormChem’s internal and external computer systems and could potentially follow through with the threat.

Spyware

Trojan software, also known as spyware, are programs that are surreptitiously installed on someone’s computer and monitors the actions on that computer without the owner’s knowledge. There are ways to detect and remove spyware on a computer.

You Have an Internal Problem: Now What?

We have found that no matter what the circumstances are, when conducting a proper corporate investigation, it is beneficial to follow some fundamental steps. When trying to find your most logical suspect or figure out “whodunit,” consider who had the knowledge, access, and motivation to commit the crime. For these purposes, “knowledge” refers to information or data protected by a company’s policies of the information in the email or correspondence. Kevin Axtagrinde had knowledge about the way FormChem’s IT department worked and the intricacies of the information held on the company network. “Access” applies to an individual’s ability to have a means of entry into a company’s physical offices, accounting records, personnel files, or, in the case of Kevin Axtagrinde, a company’s computer network. And “motivation” is defined by a person’s motive, inclination, or desire to initiate the fraud.

Because identifying the proper suspect can be complex, we always recommend that appropriate outside experts conduct the investigation and be retained through counsel to conduct an independent and thorough investigation. If you handle the situation yourself, you may end up causing more damage to you and your company. For instance, if you wrongfully accuse an employee of wrongdoing, you risk being sued. Always try to assume the employee is innocent until proven otherwise. It is critical to know the facts.

We also strongly urge you to limit your company’s exposure to the incident. Be discreet. Try not to tell too many people about the situation and avoid any publicity or media attention. The fewer people involved in the investigation, the better for your company, the morale of the employees, and the sanctity of the evidence. And, last, identify and segregate potential evidence. Even turning on an employee’s computer could compromise the evidence. Allow the investigators to determine what is or could be evidence. Do not assume employees can be trusted with the information.

The information gathered in the investigation must stand up to legal scrutiny. You can only do the investigation once—and it must be executed properly.

Another thing to consider when faced with internal problems is that corporate crimes often have accomplices. Yes, some individuals will act alone. But we have found that it is always common for a fraud to have been executed or created by more than one person. In the case of Kevin Axtagrinde, because we expanded the scope of our investigative research to include his wife, Layla, we were able to get the whole picture of what was going on. The accomplice can be someone who works for (or previously worked for) the company, or can be an independent friend or associate of the perpetrator (sometimes someone has unknowingly become an accomplice). When conducting an investigation, you need to examine telephone calls and independent email accounts to see if the person suspected of causing the fraud is having communications with a possible accomplice or an insider who may be feeding confidential information. In all of our research steps, we never limit our work to just the subject’s name, and Axtagrinde is just one example why.

Last, do not overlook your information technology (IT) department personnel. When conducting background checks, clients often focus on the executives and do not look at IT, but these people play a critical role in your operation and intrinsically have direct access to all of your proprietary information. The IT guy has the keys to your kingdom: We have seen many instances where IT staff have secretly monitored the emails of CEOs. You need to make sure your IT staff are as reliable as your executives and will not be tempted to use the information they posses to your detriment.

Diploma Mills

We have seen situations where the person in charge of the IT department claims to have a degree in computer science or technology. Yet we have found that these degrees were awarded from either online “schools” or diploma mills. Always make sure the school is an accredited college or university. The website of the U.S. Department of Education, www.ed.gov, has detailed lists of accepted accrediting agencies to contact to verify a school is legitimate.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.140.78