Cryptocurrencies are an electronic money movement and payment system. While available since at least 2009, cryptocurrencies, led by huge increases in value, really broke into the public eye in 2017. The 2017 cryptocurrency movement was grounded in ICOs (Initial Coin Offerings). ICOs are a means of funding a business venture by issuing a cryptocurrency rather than traditional angel, venture, or some other form of investment capital.
In general, the investment process is as follows: the cryptocurrency is issued to the investor and the issuer collects cash for operations and investment. Such an approach to raising money allows the issuer to avoid regulations and the processes required to register investments. In 2017, ICOs went from being a relatively unknown fundraising method used in the blockchain community to raising over $4 billion. Because investors hold currency rather than ownership shares, the issuer has few (legal) obligations to those receiving the cryptocurrency.1
Jordan Underhill, ACFE Research Specialist, J.D., CFE, likens some of the smaller cryptocurrency offerings to “penny stocks.” As such, they are subject to abuse via schemes similar to pump and dump. While the funded organization gets its cash flow, the holders of the cryptocurrency are left with little to no legal protection. According to Underhill, forensic accountants and fraud examiners need to have some sense of how cryptocurrencies and ICOs work. Underhill suggests that rather than the professional perceiving cryptocurrency as a new scheme, it is better understood as a new tool to perpetrate old schemes.
Over time, blockchain, the technology underlying Bitcoin and other cryptocurrencies, could potentially have many uses and may even help to prevent fraud by better tracking the flow of money. As such, antifraud and forensic accounting professionals should expect to encounter them during their career.2
The role of technology as it relates to fraud, financial crime, and other bad acts can seem a bit overwhelming. At the same time, technology offers additional tools such as big data, financial analytics, robotic process automation, and artificial intelligence that can facilitate efficient and effective prevention, detection, and deterrence. Further, it is important for FAFE professionals to understand current technology, cyber threats, and antifraud efforts in this complex and dynamic space.
In this chapter, we examine these topics across several modules. Those modules, along with the learning objectives, include the following:
Nick Tranto, Headquarters Excise Tax Policy Manager for the Internal Revenue Service (retired), describes three eras of fraudulent activity. He refers to the first era as the “Paleolithic Era.” In this era, fraudulent criminal activity centered on cash, laundering cash, and evading taxes. Organized criminal activities and creative fraud schemes also usually involved other illegal activities, such as alcohol, gambling, prostitution, guns, and drugs. These activities became large scale in the 1920s and 1930s due to prohibition of the distribution and sale of alcoholic beverages. Many were orchestrated by individuals ranging from small-time thugs to “the mob” and invoke images of Al Capone and Hollywood characters, such as those in The Godfather, Goodfellas, and The Untouchables. The primary problem was the need to handle large amounts of cash generated from the illicit and illegal activities, as well as bribes and kickbacks to keep elected officials and law enforcement from scrutinizing the activities too carefully. Some of the early and more creative money laundering schemes were developed during this time and a fundamental goal was to evade taxes.
The second major era started in the 1960s, and Tranto describes this period as the “Neolithic Era” of organized criminal operations and the sophisticated predator fraudster. At this point in time, bad actors discovered that “an accountant with a sharp pencil could steal more than twenty criminals armed with guns.” Many of the perpetrators were first-generation college graduates and sons of mobsters (SMOB). Tax evasion and money laundering continued to be the major focus of the organized criminal activities. The structure, however, included more traditional organizational forms, such as legitimate casino businesses, other cash-heavy businesses, and the interaction between legitimate and illegitimate business activities. The proceeds from these activities could be concealed and then made available for the perpetrators to use openly because of seemingly legitimate business fronts. This arrangement was, to some degree, a reaction by the bad actors to more sophisticated law enforcement investigation methods, improvements in the judicial system, and a greater intolerance by society for blatant deviant behavior. These changes put pressure on individuals with bad intentions to better conceal their illegal activities so they could fit into society as “upstanding citizens.”
Mr. Tranto describes the third period as the “Geek-olithic Era.” In the third era, cash generated from illegal activities is still a primary problem. But in the Geek-olithic era, smart individuals with questionable ethics became significant fraud perpetrators. The bad actors now include computer specialists, attorneys, MBAs, Wall Street professionals, and others who use tools and techniques, such as offshore bank accounts, Internet servers, jurisdictional barriers to enforcement, and technology to move and hide billions of dollars. Once money appears to be legitimate (laundered), it is then able to be moved and used, as if it came from legitimate sources. In addition, more creative fraud schemes were created, and the use of technology often became integral to the act, the concealment, and the conversion. In the Geek-olithic era, investigators need to use digital tools and techniques for data extraction and analysis to catch the crooks. The complexity of the schemes often demands the ability to connect seemingly disparate activities and financial transactions to businesses and organizations located around the world. Without technological resources, the investigator’s effectiveness can be greatly diminished. In short, because the bad actors have made computers integral to their crimes, investigators need to arm themselves with the same tools to level the playing field.
Assume, for example, that a drug dealer on a neighborhood street corner hands over drugs to a customer and the customer pays for the contraband by “zapping” money from his Internet-connected cell phone to the dealer’s cell phone. The police observe the transaction and approach the dealer. The dealer, perceiving the approach of the police, ejects a memory card from his phone and drops the useless cell phone in the closest sewer, tucking the tiny memory card into his pocket. By the time the police grab the suspect, all evidence is gone except for a tiny memory card that the police have confiscated; they have no idea what it contains and cannot access it because of encryption. The Geek-olithic perpetrator—from the small-time but electronically savvy neighborhood dealer to the well-organized, international Internet scammer—presents new and challenging problems for law enforcement and other investigators. In our tech-savvy world, data exists in many forms and places, but it requires a targeted approach and an embrace of technologically based investigative solutions.
Cybercrime, in the “Geek-olithic Era,” usually describes criminal activities in which a computer or network of computers is an integral part of the crime. Examples include spamming, theft of electronic intellectual property, unauthorized access (e.g., defeating access controls), malicious code (e.g., computer viruses), denial-of-service attacks, theft of service (e.g., telecom fraud), and computer-based investment and other financial frauds. Some cybercrimes, such as the Nigerian cash transfer e-mails and other e-mail scams, are grounded in the gullibility (social engineering) of the victim. Other cybercrimes include hacking, “phishing,” identity theft, child pornography, online gambling, securities fraud, cyberstalking, theft of trade secrets, and industrial or economic espionage. Some cybercrimes, such as “information warfare,” have national security implications. Thus, cybercrime includes a blend of traditional crimes and newer derivations in which computers or networks are used to facilitate, conceal, and generate benefits to the perpetrator of the illicit activity.
As an example of the use of cyberspace to advance nefarious activities, according to Gangbangers Invade Cyberspace, by Steve Macko, ENN Editor, cyberspace is now
a place for gang members to exchange ideas on how to improve drug sales, what’s the best gun to use to shoot your business rivals and what are the best drugs to use in your spare time? … all of that and more can be found on the Glock3 website. This site is said to link members of street gangs from around the world, from ’Lil Shorty’s Click in London to the Gangster Disciples in Chicago to the West Side Crips in Phoenix. Experts say that the site provides a virtual “how-to” for wannabe street gang members.
Another way to describe cybercrime is criminal activity involving information technology infrastructure, including unauthorized asset destruction, file and software deletion, service attacks that result in deterioration, alteration, or suppression of computer data, and unauthorized use of devices. Personal computers, computer systems and digital devices that capture and process electronic data are powerful, small, inexpensive, and user-friendly. As computers and digital technology have advanced, electronic devices have proliferated in society, businesses, and in our everyday lives. Modern business, government, and other organizations, including criminal enterprises, depend on computer systems to support their operations.
Initially, transactions captured and processed by computer systems had hard copy supporting documentation. In the absence or destruction of computer storage where data was damaged, transactions could be reconstructed from physical forms and documents. In today’s environment, the computer is integrally embedded in most business and government processes and less hard copy backup exists. Computers have invaded almost every aspect of our lives, including tax return processing, electronic calendars and contact lists, cooking recipes, robotics, budgeting, automobile operations, weapons systems, law enforcement systems, and automated teller machines (ATM). More and more people around the globe rely on computers and digital devices in their everyday lives. As businesses, government agencies, and individuals become increasingly dependent on digital devices, so do those with criminal intentions. Individual criminals and criminal enterprises use computers to support their illegal operations for everything from facilitating the movement of cash around the world to real-time communications through e-mail, text messaging, and disposable cell phones. Cybercrime and computer and Internet frauds are increasing in frequency and size, and this trend is likely to continue. More computers, and thus criminals, are networked internationally, giving global access to cybercriminals.
Computer crime is an illegal offense that is committed where the computer or electronic data device is integral to the criminal act. In this context, “computer” has a broad definition and can mean personal computer, notebook, tablet, iPad, smartphone, or any other digital device that has software installed. Consider the Internet of Things (IoT): Even home appliances, HVAC controls, and other smart home devices have software and computer-like characteristics and can be operationalized for bad acts. The computer, no matter how it is defined, has several roles in high-tech crime, both as a tool and a target. According to Donn B. Parker, a cybercrime authority and author, the function of the computer in crime is fourfold, as an object, a subject, a tool, and a symbol.
Some common examples of computer crimes include:
Two terms that are commonly used interchangeably are computer fraud (and financial crimes) and computer crime, yet substantial differences exist between them. First, computer-based fraud and financial crimes are any defalcation, fraud, or financial crime accomplished by tampering with computer programs, data files, operations, equipment, or media, and resulting in losses sustained by the organization whose computer system was compromised. One of the distinguishing characteristics of computer-based fraud is that access occurs with the intent to execute a fraudulent scheme or financial criminal act.
Historically, in the early 1980s, law enforcement agencies faced the dawn of the computer age with growing concern about the lack of criminal laws available to fight emerging computer crimes. Although wire and mail fraud provisions of the federal criminal code were capable of addressing some aspects of computer-related criminal activity, neither entirely addressed the new computer-based crimes. In response, Congress included provisions in the Comprehensive Crime Control Act of 1984 to address unauthorized access and use of computers and computer networks.3 The Act made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories stored in a financial institution or to trespass into a government computer. The 1984 Act was updated and improved in 1986 when Congress enacted the Computer Fraud and Abuse Act (CFAA). In the CFAA, Congress limited federal jurisdiction to cases with a compelling federal interest—that is, where computers of the federal government or certain financial institutions were involved, or where the crime itself is interstate in nature. Some of the other provisions included those:
These Acts have been regularly updated into the 2000s to ensure that the statutes continue to respond to current trends and techniques of computer-based criminal acts and give law enforcement the tools necessary to fight computer-based crimes, fraud, and financial crimes.4 Computer-based fraud statutes and laws have established two very important principles:
In short, most jurisdictions have defined computer fraud as an “attempt crime.” By viewing the computer as a protected asset, the protection is independent of the actual loss to the owner as a result of the intrusion.
In contrast to computer fraud, computer crime is defined as an act where the computer hardware, software, or data is altered, destroyed, manipulated, or compromised due to acts that are not intended. Generally, computer crime differs from computer fraud in at least three major ways:
As a result of the preceding discussion, computer-based fraud and financial crimes are technically not “computer crimes” but often involve the use of computers as a means to break the law. In some cases, traditionally illegal acts can yield more ill-gotten gains by utilizing the speed, power, and global access of computers, other digital devices, and their users. A more apt term may be computer-assisted crimes. In such cases where traditional frauds and financial crimes are facilitated through the incorporation of electronic devices, existing criminal laws can be applied to the acts. The main benefit of the computer fraud and computer crime statutes, however, is derived when proving traditional crimes is difficult because the evidence of such acts has been destroyed electronically. In such cases, computer fraud and computer crime laws are invaluable as an alternative method of prosecution.
The most common types of losses associated with computer crimes are economic. Economic losses may include:
Nevertheless, the economic losses generally do not include costs associated with assisting law enforcement. Of the various losses, the most common definition of economic loss is any reasonable cost to any victim, including the cost of responding to the illegal act, conducting a damage assessment, and restoring data, programs, systems, or information to its original condition and any revenue and incremental profits lost, incremental costs incurred, or other consequential damages incurred.
Costs to make a system better or more secure than it was prior to the intrusion may not qualify as “reasonable” in many cases. In general, the cost of installing completely new security measures “unrelated to preventing further damage resulting from [the offender’s] conduct” should not be included in the loss total. Thus, the types of losses considered by the courts “have generally been limited to those costs necessary to assess the damage caused to the plaintiff’s computer system or to restore the system.” Losses also include, for example, lost advertising revenue or lost sales and profits due to an electronic interference and the payroll of company employees who are unable to work due to a computer shutdown. Fraud and forensic accounting professionals need to think critically and creatively about what types of harm in a particular situation meet this standard, and work with victims to measure and document the losses. At least one court has held that damage to a company’s reputation and goodwill as a consequence of an intrusion might properly be considered a loss for purposes of alleging harm.
In addition, federal statutes also address four cases of “special losses”:
The first special loss is related to the “modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment or care of one or more individuals.”5 This provision provides strong protection to the computer networks of hospitals, clinics, and other medical facilities because of the importance of those systems and the sensitive data that they contain. This type of special harm does not require the victim to show any financial loss. The evidence only has to show that at least one patient’s medical care was at least potentially affected as a consequence of the intrusion.
The second special loss occurs when the damage to a computer causes “physical injury to any person.”6 Computer networks control many vital systems in our society. Examples include traffic signals, air traffic control, and 911 emergency telephone services. The disruption of these computers could directly result in physical injury. Generally, so long as there is a reasonable connection between the damaged computer and the physical injury, the perpetrator can be held accountable for those physical injuries that result from their illegal actions associated with computer access or other computer crime.
The third special loss includes threats to public health or safety, a concept that closely aligns to physical harm discussed above. The key word is “threat” to public health or safety. In these cases, the prosecution is not required to demonstrate actual physical harm, only the threat to a person or persons. This aspect of loss addresses a wider array of government-type services such as electricity transmission, gas distribution, water purification, nuclear power, and transportation systems. Damage to the computers that operate and control these systems and associated safety mechanisms can create a threat to the safety of many persons. Such statutes have broad implications for perpetrators who disrupt services to the general public.
The final special loss category addresses computer compromises that affect “a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.”7 The “administration of justice” aspect includes courthouse computers and systems operated by federal, state, and local law enforcement, prosecutors, and probation officers. Similarly, computers used “in furtherance of national defense or national security” are generally operated by the armed services and the Department of Defense. Normally, the statute is broad enough so that computers owned and operated by a defense contractor, for example, could arguably involve national security implications.
With the explosive growth of computer, digital, and mobile use around the globe and more people gaining access to and using the World Wide Web, technologically based frauds and financial crimes are increasingly likely to have international dimensions. In most cases, the legal environment for digitally based crimes is different in every country. Consequently, identifying, locating, and extraditing suspects from another country poses additional challenges. Finally, due to differing privacy rights of individuals in the various jurisdictions of the world, securing electronic evidence of digitally based frauds, financial crimes, and other criminal acts is very difficult. Essentially, jurisdictional complexities arise at every step in the process: prevention, deterrence, detection, and investigation. In the United States, the Department of Justice and the Federal Bureau of Investigation work with foreign governments through many channels to address global threats related to computer-based crimes. The FBI’s approach reflects the increase in cybercrime worldwide, as well as the networking of local criminals with those located around the globe. In 2016, complaints to the FBI’s Internet Crime Complaint Center increased by less than 5% to 298,728; however, losses associated with those crimes totaled more than $1.33 billion compared to $198.4 million in 2006.
Perhaps more importantly, criminals are following principles outlined in Friedman’s book, The World Is Flat. Increasingly, cybercriminals are extremely well-organized and have access to every corner of the globe. Members of cyber fraud networks share profits and carry out crimes utilizing the various specialties of the participants. For example, one member of a criminal consortium may send out millions of spam e-mails. The e-mail responses may be handled by another member, or even another criminal organization that specializes in electronically harvesting and exploiting credit card numbers. The proceeds from the crime may then be laundered by a third individual or organization that then distributes the “profits” according to previously outlined agreements. The perpetrators may never meet, physically see one another, or even speak on the phone. Despite the physical distance between them, the groups are highly organized and effective. In response to threats to U.S. citizens within its borders and territories, the FBI has agents in sixty countries investigating cybercrimes.
On November 23, 2001, in Budapest, Hungary, the United States and twenty-nine other countries signed the Council of Europe Cybercrime Convention. The Cybercrime Convention is the first multilateral instrument designed to begin to address the problems posed by the spread of criminal activity on dispersed computer networks around the globe. The Convention requires the parties to establish laws against cybercrime, to ensure that law enforcement officials have procedural authority to examine and prosecute cybercrime offenses, and to provide international cooperation to other signatories in their fight against computer-based criminals. On August 3, 2006, the United States Senate voted to ratify the Cybercrime Convention and on September 22, 2006, the President signed the United States instrument of ratification for the Council of Europe Convention on Cybercrime.
Now that wholesale payments have been caught in the full tide of the electronic revolution, traditional commercial banks will face stronger competition from non-banks and from ‘dis-intermediation’ as lenders and borrowers can deal more easily directly with each other without needing a financial intermediary. Central Banker’s tasks, in attempting to define, measure, monitor, control and supervise their own countries’ changing forms of money and monetary instruments, will become much more complex as the old boundaries between national and regional monetary domains will be broken down by new forms of competitive currencies.8
As an example of this trend, according to Zlati Meyer of USA Today, more restaurants are no longer accepting cash as a form of payment.9 The author cites Tender Greens, with twenty-eight restaurants on the East and West coasts, as one of a growing number of eateries that are only accepting credit and debit cards and contactless payment systems, like Apple Pay. Meyer noted a 2016 Federal Reserve study that stated that the number of noncash payments—including credit and debit cards—totaled 144 billion in 2015, having grown 5.3% annually between 2012 and 2015. Other examples according to the article:
Where does value lie? In the electronic world of the 2000s, value is often stored on computer servers of service providers and financial institutions. The server does not have to exist in the jurisdiction of activity or where the account holder resides. Transfers of money from one party to another take place anywhere in digital space. As a result, digital financial activity and account balance examination can become more complicated—evidence, search and seizure, forfeiture, and asset sharing. Related to these trends, anti-money laundering efforts also become more challenging. For example, peer-to-peer transfers that avoid central banks and the international banking system make transfers among bad actors more anonymous or, at least, harder to identify. Even for those individuals operating in the regulated monetary systems, how do you enforce “know your customer” (KYC) requirements when a customer completes all his or her account application documents digitally, and the customer is never seen in person?
Another interesting trend is nonbanks offering banking services. Consider Walmart Canada Bank. In the United States, customers are used to seeing banking services offered in most Walmart stores, and Walmart also has its own MasterCard with reward points. In Canada, Walmart is a bank!
According to Bloomberg, Walmart Canada Bank provides low-cost financial services while providing its vendors access to low-cost loans.10 Further, Walmart Financial offers insurance, product protection for purchases, and Western Union Money Transfers.11 Even for those not residing in Canada, Walmart has teamed up with Green Dot to create a reloadable prepaid card. Walmart’s check cashing service can be used to load payroll, government, or other checks directly to customer’s Green Dot card, providing immediate access to those funds without carrying any currency.
Walmart is not alone in its effort to expand from traditional retail to banking. In the United Kingdom, Tesco PLC, a retailer with almost 7,000 locations around the world, owns Tesco Bank, a 1997 50/50 joint venture that became fully owned by Tesco PLC in 2008. This is consistent with Glyn Davies’ notion of disintermediation—reducing the use of intermediaries between producers and consumers—by investing directly in the securities market rather than through a bank, as noted in the introduction to this chapter. The disintermediation of financial services is grounded, at least to some degree, in basic cost–benefit considerations. According to a 2013 McKinsey & Company report titled “McKinsey on Payments,” almost 30% of the productivity gap between the Russian and the North American banking systems can be attributed to the low percentage of electronic payments in Russia.
Of interest to forensic accountants and fraud examiners, cash is associated with the prevalence of an “informal” or “shadow” economy, one that is neither taxed nor monitored by governments. According to the McKinsey report, the shadow economy represents about 12% of GDP in developed countries like those in North America; in less developed countries, the shadow economy accounts for 32% of GDP. Certain countries are estimated to have a much larger shadow economy, namely Nigeria 63%, Russia 42%, Tunisia 41%, and Brazil 38%. Further, the drag on the economy from cash-based payments may exceed 1% of GDP, while electronic transfers cost less than 1%.
Consider some of the many ways that cash moves:
Digital (“crypto”) currencies include Bitcoin, Litecoin, Ethereum, Zcash, Dash, Ripple, and Monero. According to Investopedia, “Bitcoin continues to lead the pack of cryptocurrencies, in terms of market capitalization, user base, and popularity. Nevertheless, virtual currencies, such as Ethereum and Ripple, which are used more for enterprise solutions, are becoming popular; while some altcoins are endorsed for superior or advanced features, vis-à-vis Bitcoins. Going by current trends, cryptocurrencies are here to stay, but how many of them will emerge leaders amid the growing competition within the space will only be revealed with time.”12 In an interesting turn of events, a federal judge ruled in March 2018 that virtual currencies like Bitcoin can be regulated as commodities by the U.S. Commodity Futures Trading Commission.13 Further, some proponents of digital currencies believe they should have the anonymity feature, as seen in the case of physical cash. This is ironic, because one reason for encouraging the use of digital money is that it will help to keep track of one’s income and expenses and trace illegitimate activity.
So how do digital currencies work? Most are grounded in “blockchain” technology. Blockchain is the world’s leading software platform for digital assets, offering what the technology sector believes is a better financial system. Jonathan Hassell states that “Blockchain is a shared distributed ledger technology in which each transaction is digitally signed to ensure its authenticity and integrity … Blockchain technology backs up Bitcoin and other cryptocurrencies to this day, but there’s been a recent groundswell of interest from a variety of industries in making distributed ledger technology work, especially in business.”
Hassell provides a primer on how blockchain works: “Each transaction is digitally signed to ensure its authenticity and that no one tampers with it, so the ledger itself and the existing transactions within it are assumed to be of high integrity. The real magic comes, however, from these digital ledger entries being distributed among a deployment or infrastructure. These additional nodes and layers in the infrastructure serve the purpose of providing a consensus about the state of a transaction at any given second; they all have copies of the existing authenticated ledger distributed amongst them. When a new transaction or an edit to an existing transaction comes in to a blockchain, generally a majority of the nodes within a blockchain implementation must execute algorithms to evaluate and verify the history of the individual blockchain block that is proposed. If a majority of the nodes come to a consensus that the history and signature is valid, the new block of transactions is accepted into the ledger and a new block is added to the chain of transactions. If a majority does not concede to the addition or modification of the ledger entry, it is denied and not added to the chain. This distributed consensus model is what allows blockchain to run as a distributed ledger without the need for some central, unifying authority saying what transactions are valid and (perhaps more importantly) which ones are not.”14
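The process the primer describes can be run end to end. The following Python is an added example, not code from this chapter or from Hassell: five nodes each hold a copy of a hash-linked ledger, check signatures and history, and accept a block only on a strict majority. The node names, demo keys, and amounts are constructed, and HMAC-SHA256 stands in for a public-key digital signature so that only the standard library is needed.

```python
import copy
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo keys. HMAC-SHA256 stands in for a public-key signature so the
# example needs only the standard library; real ledgers use asymmetric signatures.
SIGNING_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
ZERO_HASH = "0" * 64


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tx_mac(tx):
    body = {k: tx[k] for k in ("from", "to", "amount")}
    return hmac.new(SIGNING_KEYS[tx["from"]], canonical(body), hashlib.sha256).hexdigest()


def sign_tx(sender, recipient, amount):
    tx = {"from": sender, "to": recipient, "amount": amount}
    return {**tx, "sig": tx_mac(tx)}


def tx_is_authentic(tx):
    return tx.get("from") in SIGNING_KEYS and hmac.compare_digest(tx_mac(tx), tx.get("sig", ""))


def block_hash(prev, txs):
    return hashlib.sha256(canonical({"prev": prev, "txs": txs})).hexdigest()


def make_block(prev, txs):
    return {"prev": prev, "txs": txs, "hash": block_hash(prev, txs)}


class Node:
    def __init__(self, name):
        self.name = name
        self.chain = [make_block(ZERO_HASH, [])]  # same genesis block on every node

    def tip(self):
        return self.chain[-1]["hash"]

    def history_is_valid(self):
        prev = ZERO_HASH
        for block in self.chain:
            if block["prev"] != prev or block["hash"] != block_hash(prev, block["txs"]):
                return False
            prev = block["hash"]
        return True

    def vote(self, block):
        return (self.history_is_valid()
                and block["prev"] == self.tip()
                and block["hash"] == block_hash(block["prev"], block["txs"])
                and all(tx_is_authentic(tx) for tx in block["txs"]))


def propose(nodes, block):
    votes = [node.vote(block) for node in nodes]
    accepted = sum(votes) > len(nodes) / 2  # a strict majority must approve
    for node, approved in zip(nodes, votes):
        if accepted and approved:  # only approving nodes append the block
            node.chain.append(copy.deepcopy(block))
    return accepted


def divergent_nodes(nodes):
    """Names of nodes whose tip differs from the tip most nodes hold."""
    majority_tip = Counter(n.tip() for n in nodes).most_common(1)[0][0]
    return [n.name for n in nodes if n.tip() != majority_tip]


def run_demo():
    nodes, results = [Node(f"node{i}") for i in range(5)], {}
    # 1. Properly signed payment: every node approves.
    good = make_block(nodes[0].tip(), [sign_tx("alice", "bob", 10)])
    results["signed_block_accepted"] = propose(nodes, good)
    # 2. Amount altered after signing: the signature check fails on every node.
    forged_tx = dict(sign_tx("alice", "bob", 10), amount=10_000)
    results["forged_block_accepted"] = propose(nodes, make_block(nodes[0].tip(), [forged_tx]))
    # 3. One operator rewrites history on their own copy and recomputes the hash.
    altered = nodes[0].chain[1]
    altered["txs"][0]["amount"] = 1
    altered["hash"] = block_hash(altered["prev"], altered["txs"])
    results["divergent_after_rewrite"] = divergent_nodes(nodes)
    # 4. The next block links to the honest tip; the altered copy cannot approve it.
    nxt = make_block(nodes[1].tip(), [sign_tx("bob", "alice", 3)])
    results["next_block_accepted"] = propose(nodes, nxt)
    results["chain_lengths"] = [len(n.chain) for n in nodes]
    return results


if __name__ == "__main__":
    print(run_demo())
```

For an examiner, the point of steps 3 and 4 is that an altered copy is internally consistent once its hash is recomputed, yet it is exposed by comparison with the copies held by the other nodes.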
There are more than seven billion cell phones in the world—more cell phones than people.15 At the same time, only 62% of persons have a bank account and an estimated two billion persons are unbanked.16 As such, it makes sense that mobile financial and payment systems are gaining traction. According to Popular Science, “Most of us leave the house carrying three essentials: keys, wallet, and smartphone. But over the past few years, more and more people are combining the latter two objects. No, we’re not talking about phone cases that also hold cash. Your smartphone can store your financial details and use them to make secure, instant payments in the store. It may feel vaguely futuristic, but you can check out with a wave of your mobile—as long as the place you’re shopping has the necessary hardware.” Leading mobile payment systems include Apple Pay, Android Pay, Samsung Pay, Square Cash, PayPal, and Venmo.17 However, the list of mobile payment providers is extensive including:
Over time, forensic accountants and fraud examiners are going to see transactions that have fewer intermediaries and are hard to identify and track. Further, getting legal access to transactions via warrant or subpoena may become more complicated. At the same time, technologies like blockchain may serve to follow the money more easily, lowering levels of anonymity, once the transactions are identified.
Using Technology to Fight Back. According to a recent article in ITAUDITSECURITY, auditing may incorporate Robotics Process Automation (RPA).18 An RPA is analogous to a virtual robot and can be programmed to log into multiple systems, navigate programs, enter commands, add, update, and download data, and perform most other functions a person can do. According to the article, some of the benefits include the following:
RPA does come, however, with certain risks. When a programming error occurs, the resulting mistakes are made at much faster rates than humans would make them. Because of such speeds, a critical error can lead to catastrophic outcomes. While RPAs can be designed with no changes to current processes and programs, many adopters reengineer those processes and programs as part of automation and implementation; this activity creates new control risks and may inadvertently eliminate critical controls. RPA access is extensive and such access should be approved, managed, and monitored closely.
As with all technology implementations, successful RPA requires compliance with standards and policies and decentralized RPA installations need to be carefully implemented. Controls over displaced worker access need to be eliminated in a timely manner, and while RPA changes access and authority, it needs to be carefully managed. RPA holds tremendous opportunity for internal and external auditors and will likely be part of technological innovation in the future of the profession. As such, it’s something that forensic accountants and fraud examiners need to understand and embrace. Further, RPA might assist antifraud professionals in their efforts to minimize risk, identify issues, and assist in examination and remediation efforts.
One of the greatest threats to information systems, in terms of digital crime, comes from employees inside an organization. It is not uncommon for operators, media librarians, hardware technicians, and other staff members to find themselves in positions of high levels of access privilege in relation to the key functions and assets of their organizations. A consequence of this situation is the probability that such individuals have the opportunity to commit fraud—one of the three elements of the fraud triangle. When combined with pressure, such as a nonsharable financial need, and the ability to rationalize their actions, such opportunity can be costly for an organization. As such, computer operations should have, at a minimum and where appropriate, an effective separation of duties. Even separation of duties, however, will not prevent all electronically based frauds and crimes perpetrated from within. To address the possibility of collusive frauds, detection controls need to support and supplement prevention controls. In addition, an environment where deterrence is also emphasized (e.g., high ethical standards, an organizational commitment to prosecute fraudsters) also helps to minimize the risk of collusive fraud.
A further complication is the tendency on the part of management to tolerate less stringent supervisory controls over information system personnel. The premise is that the work is not only highly technical and specialized, but difficult to understand and control. As an example, systems software support is often entrusted to a single programmer who generates the version of the operating system in use, establishes password or other control lists, and determines the logging and accounting features to be used. In addition, such personnel are often permitted, and sometimes encouraged, to perform these duties during nonprime shift periods, when demands on computer time are light. As a result, many of the most critical software development and maintenance functions are performed in an unsupervised environment. It is also clear that operators, software librarians, and information system technicians often enjoy a degree of freedom quite different from that which would be considered normal in a more traditional employment area.
Insiders are typically aware of the “holes” in the system of internal controls in the digital environment and often exploit weaknesses “just to see if they can get away with it.” The most prevalent method of committing computer fraud is alteration or falsification of input transactions (and/or documents), including:
The characteristics of the insider computer fraudster are very similar to those of the traditional fraudster: intelligent, hard-working, minimal absences (the appearance of dedication), bored with “the routine,” confident, and egotistical. Computer fraudsters often demonstrate greater loyalty to technology than to their employer. This technology loyalty can create an attitude that any behavior is acceptable if it is in the name of technology.
The following are indicators of insider computer fraud that suggest increased risk and require additional scrutiny:
Although the term “hacker” was originally used to describe a computer enthusiast, the term has now grown to mean someone seeking unauthorized access to computer systems and the information contained therein. Hackers can include employees, individuals operating alone, hacker gangs, and entrepreneurial hackers who seek financial reward for their illegal acts. Motives vary according to the targeted system, information desired, and the perpetrator. While hacking was once commonly thought of as a precocious teenager’s hobby, it has changed dramatically in the last twenty years to encompass a large and diverse group.
Hacking entails breaking into computer systems by determining the vulnerabilities of the hardware and software components. Then the hacker uses technology to systematically “guess” the authorized user’s access codes.
Hackers generally use various “rogue” software applications to penetrate a system. Sometimes they surreptitiously incorporate unsuspecting digital device owners into their schemes by installing programs that are downloaded via an e-mail or by visiting a website. These programs operate in the background of the infected digital device and can disable security settings and capture information that is then sent back to the hacker.
The most direct way of gaining access to a digital device is to use someone else’s user identification and password, or generate (without authorization) a system-acceptable user name and password. The user name and password combination is designed to keep digital devices safe from unauthorized use. Without inputting this security information, the device won’t operate. Most users choose passwords that follow predictable patterns. Digital device users often choose user names and passwords that are familiar and easy to remember. For example, a deep-sea fisherman might choose the word “marlin” as a password, or the man’s secretary, who received a mug about “soaring with the eagles and working with turkeys” from her boss last Christmas, might use “turkey” as her password.
If the hacker knows or can develop a profile about a target, his or her ability to crack a user name/password combination may be enhanced. Information about the target’s family, children’s names and birthdays, parents’ names, maiden names, anniversaries, and similar data are often used as passwords. User names are often some derivation or abbreviation of a person’s name or e-mail address. A simple lesson here: real-word passwords, even in variation, are not secure. The safest passwords are more than eight characters and combine letters, numbers, and nonalphanumeric characters, such as punctuation.
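A password-acceptance check that applies the lesson above (more than eight characters, mixed character classes, no real words or personal details even in variation) can be sketched as follows. This is an added example, not part of the original text; the profile fields, the word list, and the function names are constructed for illustration.

```python
import re
import string

# Common character substitutions, undone before comparing against known words.
# "1" is treated as "i" here; a stricter check would also try "l".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case, undo substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(SUBSTITUTIONS))


def profile_terms(profile):
    """Words and digit runs (for example years) taken from known facts about the user."""
    terms = set()
    for value in profile.values():
        for token in re.findall(r"[A-Za-z]+|\d+", str(value)):
            if len(token) >= 3:
                terms.add(token.lower())
    return terms


def screen_password(password, profile, wordlist):
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(password) <= 8:
        reasons.append("not longer than eight characters")
    has_classes = (any(c.isalpha() for c in password)
                   and any(c.isdigit() for c in password)
                   and any(c in string.punctuation for c in password))
    if not has_classes:
        reasons.append("needs letters, numbers, and punctuation")
    letters = normalize(password)
    digits = re.sub(r"\D", "", password)
    for term in sorted(profile_terms(profile)):
        if term in (digits if term.isdigit() else letters):
            reasons.append(f"contains profile term '{term}'")
    for word in sorted(wordlist):
        if len(word) >= 4 and word in letters:
            reasons.append(f"contains real word '{word}'")
    return reasons


# Constructed sample data for the fisherman example in the text.
PROFILE = {"name": "Pat Rivera", "hobby": "deep-sea fishing",
           "child": "Jordan", "anniversary": "2004-06-12"}
WORDLIST = {"marlin", "turkey", "eagle", "password"}

if __name__ == "__main__":
    for candidate in ("marlin", "M4rl1n!2024", "Jordan2004!!", "q7#Vz!e2Lp&x"):
        print(candidate, "->", screen_password(candidate, PROFILE, WORDLIST) or "accepted")
```

Note that "M4rl1n!2024" satisfies the length and character-class rules and is still rejected, which is the point of the "even in variation" warning.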
Another means of gaining access to information or a digital system involves simple deception. The hacker uses some known information, his or her alleged authority, and verbal skills to deceive victims into disclosing information they ought not to divulge, or to commit acts that facilitate the hacker’s scheme. The victim believes that sharing the information or following the bad guy’s instructions is the “right thing” to do. Social engineers have been known to pose as an employee or someone hired by the organization. Based on their alleged purpose and authority, the hacker easily deceives real employees into revealing private, trusted, and confidential information.
The hacker may assume a number of different disguises to accomplish this deception. He or she may pose as a new or temporary worker and ask information systems employees for a password so that he or she can begin work. They may pose as someone in a position of authority and intimidate employees into revealing confidential information. Sometimes overt deception is not required. In large corporations, hackers can take advantage of the anonymity among employees. By donning office attire, they can blend into the crowd and peruse the premises, perhaps gaining a password written down at an employee’s desk in the process.
To improve his or her chances of compelling the victim to assist the perpetrator, he or she may retrieve documents from the company dumpster, such as internal telephone directories and correspondence. Such knowledge provides an illusion of being on the inside, being on the team, being one of the good guys, who plans to make life better for the victim, other employees, and the organization.
Hackers may use a variety of methods to invade digital systems including those described below.
Examples include forging or counterfeiting documents used for data entry and replacing valid disks and tapes with modified replacements.
Properly designed and implemented encryption techniques can be used to minimize the risk that any intercepted data can be used for nefarious purposes.
Network Weaving. This technique, also known as “looping,” involves using numerous networks in an attempt to avoid detection. For example, a hacker might dial into Company A’s PBX system to obtain an outside line that can be used to dial into Company B’s network. If Company B can track the origin of the hacker’s call, it will lead them to Company A, not to the hacker. Hackers have been known to “loop” through fifteen or twenty different networks before arriving at their final destination.
Altering Password Generation. Some user names and passwords are generated by a digital system’s “randomizer” function. For example, some Internet-based retailers (ISPs) give first-time users a randomly generated password (and sometimes a random user name as well), which allows the person online access. Subsequent to the first visit, the user may change the log on information to his or her preference. By learning how a system’s randomizer works, the hacker can imitate the generation of user names, passwords, or even alter how the system operates.
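The weakness described here exists only when the "randomizer" is predictable. The added example below, which is not from the original text, places a first-time-password generator seeded from the issue time beside one that draws from the operating system's cryptographic random source; the function names, password lengths, and alphabet are assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_first_password(issue_time, length=10):
    """Pattern to avoid: a general-purpose generator seeded from the issue time.

    Anyone who knows the algorithm and roughly when the account was created
    can reproduce the output, because the seed is the only secret.
    """
    rng = random.Random(issue_time)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_first_password(length=16):
    """Hardened form: every character comes from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_entropy_bits(window_seconds):
    """Unknown information when the seed is a timestamp within a known window."""
    return math.log2(window_seconds)


def strong_entropy_bits(length=16):
    """Unknown information when each character is chosen independently at random."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    t = 1_700_000_000  # constructed issue time (seconds since the epoch)
    print("same seed, same password:", weak_first_password(t) == weak_first_password(t))
    print("bits of uncertainty, account created within one day:",
          round(weak_entropy_bits(86_400), 1))
    print("bits of uncertainty, CSPRNG password:", round(strong_entropy_bits(), 1))
```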
Buffer Overflow Exploits. Buffer overflow exploits are a significant problem in digital security.
In application programs, buffer storage areas temporarily hold data. These buffers have a fixed size. A hacker can execute a data “overflow” program and then initiate a data overload; he or she overflows a program and then siphons off data generated by the system that cannot be stored in the buffer storage. The buffer overflow program may execute any number of tasks, from sending captured passwords to Russia, to altering system files, installing backdoors, etc., depending on what instructions the attacker sent to the buffer.
These attacks are very common and are growing in popularity because firewalls typically block most traffic from the Internet to keep it away from corporate servers. HTTP traffic used for Web browsing, however, is almost always allowed to pass through firewalls unhindered.
Adequate hacker detection programs contain three primary components:
Viruses are hidden software programs that use computer resources or other computer activities in such a way as to shut down the system or slow it down significantly. Viruses typically use the infected device’s resources to replicate themselves and spread the infection to other software systems on a network or through the Internet via e-mail, text messages, or other electronic medium. Viruses range from those that are relatively harmless (displaying a message or greeting) to those that shut down entire networks for extended periods, ruin data, or destroy the ability of the digital device to function properly.
A virus attacks software. Many digital viruses can replicate themselves on other computers. This replication ability can affect large networks. In recent years, the staff and machine hours needed to remove viruses and restore normal operations have cost millions of dollars.
Viruses have also garnered significant media attention in recent years. The fear of being infected with a virus has even resulted in virus “scares” that are nothing more than hoaxes. Although it is fortunate when the threat is not real, these phony warnings cause harm of their own. They slow down transmission of information and have been known to cause overloads of organizational e-mail networks. Some of these fraudulent warnings urge recipients to “forward this to everyone you know.” Before forwarding a questionable warning, it is wise to consult a few of the authorities that track viruses.
Any document on that device that uses the same application can then become infected. If the infected device is on a network, the infection may spread to other machines on the network. Moreover, if a copy of an infected file is passed to anyone else (e.g., by e-mail or disk), the virus can spread to that recipient’s device as well; from there, the recipient’s device will be used as a staging point for the virus to replicate itself on that device’s network, and so on, and so on. This process of infection will end only when the virus is noticed and all viral macros are eradicated.
Macro viruses are the most common type of viruses. Macro viruses can be written with very little specialist knowledge, and these viruses can spread to any platform on which the application is running. However, the main reason for their success is that documents are exchanged far more frequently than executable files or physical storage devices such as disks, a direct result of e-mail’s popularity and Web use. The ease of use and convenience of “stick” or “thumb” drives may cause such media to be used more regularly in the future.
The “I Love You” (also known as LoveLetter) virus is an example of a macro virus. LoveLetter is a Win32-based email worm. It overwrites certain files on hard drives and then sends itself out to everyone in the email address book. LoveLetter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including Very Funny.vbs, virus_warning.jpg.vbs, and protect.vbs. The subject of the message containing the infected attachment varies as well. Opening the attachment infects your machine. This attachment will most likely come from someone you know. As a rule of thumb, do not open any attachment unless you are certain that it is virus free. If you’re unsure, ask for the sender to confirm that the attachment was intended for you.
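Because the subject line varies and the sender is usually a known contact, the attachment name is the dependable signal in the LoveLetter case. The following added example (not from the original text) shows a mail-filter rule that keys on the final extension and on a harmless-looking extension placed before it; the extension lists are illustrative rather than exhaustive, and the sample messages are constructed.

```python
import os

# Extensions that Windows runs directly or hands to a script host.
EXECUTABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".scr",
              ".com", ".bat", ".cmd", ".pif", ".hta"}
# Extensions users read as harmless and that appear as decoys before the real one.
DECOY = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
         ".xls", ".xlsx", ".mp3"}


def classify_attachment(filename):
    """Classify by the last extension, which is the one the system acts on."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    _, previous = os.path.splitext(stem)
    if last not in EXECUTABLE:
        return "allow"
    if previous in DECOY:
        return "block: decoy extension before executable extension"
    return "quarantine: executable attachment"


def scan_mail(messages):
    """Return (sender, filename, verdict) for every attachment that is not allowed."""
    flagged = []
    for msg in messages:
        for filename in msg["attachments"]:
            verdict = classify_attachment(filename)
            if verdict != "allow":
                flagged.append((msg["from"], filename, verdict))
    return flagged


# Constructed sample messages; the attachment names are the ones given in the text,
# plus two ordinary files.
SAMPLE_MAIL = [
    {"from": "colleague@example.com", "subject": "ILOVEYOU",
     "attachments": ["LOVE-LETTER-FOR-YOU.TXT.VBS"]},
    {"from": "friend@example.com", "subject": "fwd: joke",
     "attachments": ["Very Funny.vbs", "holiday.jpg"]},
    {"from": "it-desk@example.com", "subject": "Virus alert",
     "attachments": ["virus_warning.jpg.vbs", "protect.vbs"]},
    {"from": "finance@example.com", "subject": "Q3 report",
     "attachments": ["report.final.pdf"]},
]

if __name__ == "__main__":
    for sender, filename, verdict in scan_mail(SAMPLE_MAIL):
        print(f"{sender:24} {filename:30} {verdict}")
```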
The Tequila virus is a type of multi-partite virus. Tequila is a memory resident master boot sector (partition table) and .EXE file infector. It uses a complex encryption method and garbling to avoid detection. When a program infected with Tequila is executed, the virus will modify the hard disk master boot sector, if it is not already infected. The virus also copies itself to the last six sectors of the system hard disk. When the workstation is later rebooted from the system hard disk, Tequila will become memory resident. Once Tequila is memory resident, it infects .EXE files when they are executed.
The 4096 virus is an example of a stealth virus. It increases the file size by 4096 bytes and decreases the memory by approximately 6 kb. The message “FRODO LIVES” might appear in the middle of the screen. If the infected file is run on September 21, it causes the system to crash.
At least two NetWare-specific viruses have been discovered in Europe. One is the GP1 (Get Password 1) virus. It was allegedly created to penetrate Novell security features and then spread throughout the network. The second was CZ2986 virus, developed in Czechoslovakia. This virus places itself in memory and intercepts NetWare function calls when the workstations log into the server. After it collects fifteen user name/password combinations, it saves them in an infected file and uses them to gain access to the network.
An example of a worm is the SQL Slammer, which raced across the globe and wreaked havoc on the Internet in January 2003. This worm doubled the number of devices it infected every 8.5 seconds in the first minute of its appearance. The worm, which exploited a flaw in Microsoft Corporation’s SQL Server database software, caused damage by rapidly replicating itself and clogging the pipelines of the global data network. The worm did not erase or cause damage to desktop computers, but was designed to replicate itself so quickly and so effectively that no other traffic could get through networks.
Viruses can infect a device’s systems from many sources. Some of the more common virus carriers are:
The following are some of the indicators that a device might be infected:
Effective computer security ensures the availability of accurate and timely data, with security provided at a cost that meets traditional cost–benefit considerations. Such a position suggests that all threats are not eliminated, but that threats are managed in such a way that the hardware, software, and data have reasonable protection given the threats and costs associated with addressing those threats. In general, technology security includes protecting data and programs from unauthorized or accidental alteration or destruction. Furthermore, the data must be protected so as to maintain confidentiality, integrity, and availability. Hardware, software, and data must be secure from physical threats such as water, storm, and fire damage. Information technology departments must also have the ability to restore data center operations in the event that a disaster causes complete destruction.
The most effective components of internal security are education, reporting facilities, and vigorous disciplinary action against offenders, including prosecution of illegal acts. An enterprise-wide employee awareness program should be combined with formal training in the area of information security. For employees to fulfill their security responsibilities, they should know what information needs to be kept confidential, how to recognize threats to security, and how to use backups and other aids for their computers and other digital devices.
Passwords are the predominant form of authenticating valid users, though dual and secondary authentication through e-mail and mobile devices is becoming more common. Effective password administration is essential for maintaining security. Passwords should be of sufficient length (usually a minimum of eight characters) and a combination of letters, numbers, and other characters such as punctuation marks to avoid vulnerability to guessing. Group passwords and sharing of passwords should be prohibited to maintain individual accountability. Passwords of all terminated employees should be revoked immediately. Security administration often coordinates the notification of terminated employees with the personnel function. Employees who have changed job functions or transferred should have their old password canceled and a new one issued, if appropriate.
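The password-administration rules in this paragraph translate directly into a reconciliation an examiner can run between the personnel file and the system's account list. The following is an added example, not part of the original text; the record layouts, field names, and all sample data are constructed.

```python
from datetime import date

# Constructed personnel records keyed by employee ID. For "transferred",
# "effective" is the date of the job change; for "terminated", the last day.
HR = {
    "E100": {"name": "A. Reyes", "status": "active", "effective": None},
    "E101": {"name": "B. Chen", "status": "terminated", "effective": date(2024, 3, 15)},
    "E102": {"name": "C. Okafor", "status": "transferred", "effective": date(2024, 4, 1)},
    "E103": {"name": "D. Lee", "status": "terminated", "effective": date(2024, 2, 1)},
}

# Constructed account export from the system under review.
ACCOUNTS = [
    {"user": "areyes", "owner": "E100", "enabled": True,
     "last_login": date(2024, 5, 2), "pw_changed": date(2024, 1, 10)},
    {"user": "bchen", "owner": "E101", "enabled": True,
     "last_login": date(2024, 4, 20), "pw_changed": date(2023, 12, 1)},
    {"user": "cokafor", "owner": "E102", "enabled": True,
     "last_login": date(2024, 5, 1), "pw_changed": date(2023, 11, 5)},
    {"user": "apclerk", "owner": None, "enabled": True,
     "last_login": date(2024, 5, 3), "pw_changed": date(2022, 6, 30)},
    {"user": "dlee", "owner": "E103", "enabled": False,
     "last_login": date(2024, 1, 30), "pw_changed": date(2023, 9, 9)},
]


def review_accounts(hr, accounts):
    """Return (user, finding) pairs for enabled accounts that break the rules."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # revoked access is the expected state, nothing to report
        employee = hr.get(acct["owner"])
        if employee is None:
            # No single accountable person: group or shared credential.
            findings.append((acct["user"], "no individual owner (group or shared account)"))
        elif employee["status"] == "terminated":
            findings.append((acct["user"], "still enabled after termination"))
            if acct["last_login"] and acct["last_login"] > employee["effective"]:
                findings.append((acct["user"], "login after termination date"))
        elif (employee["status"] == "transferred"
              and acct["pw_changed"] < employee["effective"]):
            findings.append((acct["user"], "password not reissued since job change"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(HR, ACCOUNTS):
        print(f"{user:10} {finding}")
```

A login dated after the termination date is the finding that most warrants follow-up, since it shows the unrevoked access was actually used.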
Securing a computer network by means of logical controls is a difficult but necessary requirement for ensuring the safety of an operating system from attacks by outsiders. Logical controls include management security policies, user authentication systems, data access controls, network firewalls, security awareness training, encryption algorithms, penetration testing, intrusion detection software, and incident response plans.
Network security also can be provided by a combination of design, hardware devices, and software. Data encryption is carried out by a combination of hardware and software. Encrypted data is scrambled by a formula using a unique key and can only be unscrambled with the same formula and key at the receiving end. The decision to use encryption should be made in light of the risks and after a cost–benefit analysis. Drawbacks to encryption are the cost of the hardware and software, the cost of the administration, and the inherent delays incurred by the extra steps required for processing.
Digital signatures are becoming more common, in part because Congress and many states have passed legislation to legitimize the electronic “signing” of documents. On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) became effective. This federal statute basically provides a mechanism whereby any document that is required to be signed can be signed “electronically.” The E-SIGN Act does not require a party to use or accept electronic signatures, electronic contracts, or electronic records, but rather seeks to facilitate the use of electronic signatures and documents by upholding their legality regardless of the type or method of execution selected by the parties. The E-SIGN Act is also technology-neutral and does not require a specific type or method that businesses and consumers must use or accept to conduct electronic transactions. The Act regulates any transactions involving interstate or foreign commerce. Many states, however, have enacted their own digital signature laws, which regulate purely intrastate transactions. Additionally, many state and federal agencies, including the Internal Revenue Service and the Securities and Exchange Commission, are encouraging the use of electronic filing and digital signatures as a means to speed up the collection and processing of information. Biological access verification, also known as biometrics, is now available. This verification technique includes fingerprints, palm prints, voice prints, signatures, retina scans, and facial recognition.
Profiling software authenticates users by monitoring their statistical characteristics, such as typing speed and keystroke touch. Smartcard access devices are similar to an ATM card; like ATM cards, they are susceptible to loss and forgery.
Protecting the network from external threats requires some additional considerations. The less an external perpetrator knows about the technology environment (e.g., type of hardware and software packages used), the harder it is to obtain fraudulent access. Part of the security policy should address how much and what kind of information regarding the technology of an organization should be made public.
Organizations should set appropriate safeguards when providing access to third parties. There is pressure to establish connectivity by marketing, purchasing, research, and other branches. Connectivity should be granted only after it has been established that the benefits outweigh the risks and costs.
Computer and digital device users should take measures to protect against viruses. Some precautions include the following:
There are several techniques that may be used by antivirus software to help detect computer viruses and other malware. In some cases, more than one method may be used.
The effectiveness of antivirus software has decreased over the years, primarily because of the intent of the virus authors. Years ago, it was much more immediately apparent when a device had been infected. Today’s viruses are often well hidden and used to steal information without the user’s knowledge.
Virus infections can be examined by taking the following action:
A booming segment of computer fraud and cyber fraud has become a growing concern to the law enforcement community. This type of fraud has proliferated and will continue to grow because of the ripe conditions that exist on the World Wide Web for fraudulent activities. The Internet is still a developing technology for much of international business and has not been subjected to much litigation or policing. Laws that currently apply to the Internet are difficult to enforce, because the Internet crosses international borders. The lack of a common set of international laws and the difficulty related to jurisdiction in enforcing existing laws give cyber fraudsters a better-than-average chance of avoiding capture and punishment.
The Internet has also risen to become a major means of conducting business globally. As of May 2015, there were over 3.2 billion users, or approximately 45% of the world’s population, on the Internet. In the United States alone, more than 81% of the population was online, which equated to approximately 284 million users.
For consumers to retain confidence in Internet transactions, the perception that the Internet is a safe way to shop and do business must be fostered. Consumer awareness of cyber fraud must be raised without causing a loss of consumer confidence. This difficult endeavor may require an unprecedented effort by the private sector in conjunction with law enforcement.
According to the National Consumers League’s Internet Fraud Watch, the top ten Internet schemes in 2017 were as follows:
“More people are online and more people are getting scammed,” according to Susan Grant, Director of the Internet Fraud Watch (IFW). “Consumers need to remember that con artists are everywhere, even in cyberspace.” Grant says the safest way of paying for goods and services online is with a credit card: if there are problems with billing, the charges can be disputed. Businesses that ask for cash or money orders should be avoided, according to Internet Fraud Watch. “Requesting cash is a clear sign of fraud,” says Grant. For those businesses that are not equipped to take credit card payments, IFW recommends escrow services.
According to the 2017 Identity Fraud Survey conducted by Javelin Strategy and Research, identity fraud in the United States increased by 16% in 2016 from 5.3% to 6.15% of consumers. Some of the key findings of the survey were as follows:
E-commerce is generally thought to describe retailing, marketing, advertising, and interpersonal communications taking place on the Internet. Such electronic activity generally includes authentication for participant identification and some form of “electronic signature” to ensure that participants initiating transactions cannot deny that the transaction occurred. Efforts to secure e-commerce transactions are described below.
Earlier in the decade, the media often cautioned about the dangers of sending credit card numbers through the Internet. For good reason, many businesses and individuals had apprehensions concerning Internet commerce; the Internet is an impersonal form of communication. While much has been done to create and maintain trust, some precautions are appropriate before purchasing online items. As a result, conducting financial transactions on the Internet is usually as safe as making an order from a legitimate company for legitimate products and service via the telephone. Nevertheless, the careless and unsuspecting can become victims. In addition, scams and schemes similar to conventional frauds have found new and lucrative homes on the Internet, while new scams, such as modem hijacking, are an entirely new breed.
Just about every traditional scam can be facilitated or perpetrated with the use of a digital device or over the Internet. Clever, technologically savvy fraudsters can be quick to take old fraud schemes and adapt them to a digital environment. Computers and other digital devices with memory and processing capacity, such as smartphones, iPads, notebooks, personal digital assistants, MP3 players, and iPods, can be used in fraud acts and the related concealment and conversion.
Conducting business on the Internet is generally a safe proposition for legitimate persons doing business with legitimate product and service providers. Nevertheless, safety precautions are prudent:
This chapter examines the role of technology, especially digital devices in bad acts. Over time, it’s also possible for technology to help organizations minimize risk, deter bad acts, detect invasions more quickly, and facilitate more effective and efficient examinations and other remediation. One of those technologies is AI—artificial intelligence. According to a 2017 ICAEW report,19 “Accountants have embraced waves of automation over many years to improve the efficiency and effectiveness of their work. But to date, technology has not been able to replace the need for expert knowledge and decision making. Indeed, previous generations of ‘intelligent’ systems have generally demonstrated the continuing power of human expertise and the limits of machines.” While AI has been a vision since the 1950s, “in the coming decades, intelligent systems will take over more and more decision-making tasks from humans.”
“While accountants have been using technology for many years to improve what they do and deliver more value to businesses, this is an opportunity to reimagine and radically improve the quality of business and investment decisions.” Artificial intelligence (AI) systems can be very powerful, are improving quickly, and can be extremely accurate, replacing and, in some cases, far superseding human efforts. As noted earlier with RPA, AI has downside risks as well, so it needs to be managed and monitored closely.
Human decision making is challenged by at least three major biases: availability and recency effects, confirmation bias, and anchoring conclusions to prior belief. Machine learning, a notion central to AI systems, means that the system grounds its decisions in the data. Perhaps more importantly, AI and machine learning have the ability to sort through complex data and ambiguous situations. By continuously examining outcomes compared to the underlying data that influence that outcome, AI systems continuously “learn” and improve decision making. While AI is just becoming available for forensic accounting, fraud examination, and compliance issues, the future is likely to be interesting. Stay tuned!
In the late twentieth century, the emergence of transnational criminal organizations introduced a significant challenge for law enforcement worldwide. The challenges arose from many sources, including the anonymity of technology, the speed of information and money movement worldwide, jurisdictional issues, the challenges of effective and efficient law enforcement communication, as well as others. Complex criminal organizational structure offers the ability to utilize a large labor force, synchronize the labor force, and carry out large-scale criminal operations with multiple criminal enterprises. Such structures are also amenable to cyberspace. Essentially, organized cybercriminal organizations blend combinations of the tools and techniques discussed above with traditional fraud schemes and financial crimes in a large-scale, organized fashion. The organized cybercriminal is interested in operating in cyberspace the way traditional organized criminals, drug traffickers, and terrorists operate in the physical world. Large-scale, business-like applications of fraud and financial schemes in cyberspace yield large sums of cash to those who control the organized cybercriminal organization.
Organized cybercriminal enterprises profit from exploiting computer vulnerabilities. Hackers, who previously wreaked havoc for the fun of it or as a means of making political statements, are now organized, professional, and cash flow oriented, and some are associated with traditional organized crime groups. Cybercriminals include skilled programmers who design and operationalize sophisticated phishing attacks and other techniques to harvest consumer personal, financial, and log in information. As an example, cybercriminals have used “malware” to steal millions of credit and debit card numbers, Social Security numbers, and financial account user IDs and passwords; once this data is harvested, it can be used to commit identity theft and online fraud. Another example of potential damage by hackers occurs when distribution systems are compromised and freight deliveries are redirected to criminal-controlled warehouses. Organized cybercriminals have management structure, functional responsibility, and a support labor force that enables them to traffic in stolen information using many of the same business practices employed by corporate America.
Organized cybercriminal enterprises have created “botnets,” collections of tens of thousands of computers to launch Distributed Denial of Service (DDoS) attacks on enterprise websites, DNS servers, email systems, and VoIP services. Botnets can be used to extort companies, especially those dependent on e-commerce. Even if a legitimate business does not become a blackmail victim, it’s possible that if left unprotected, many of its own computers can become part of a botnet. Cybercriminals use the botnets to distribute spam, child pornography, and malware in mass quantity to accomplish their nefarious goals.
In a 2005 article titled “Shadowcrew: Web Mobs,” author Deborah Gage described the activities of Andrew Mantovani, David Appleyard, Brandon Monchamp, and more than a dozen other members of the Shadowcrew. The group auctioned off stolen and counterfeit credit and identification cards, and according to Gage, business was booming. Shadowcrew had more than 4,000 members and, according to the U.S. Secret Service, ran a worldwide marketplace in which 1.5 million credit card numbers, 18 million email accounts, and scores of identification documents (e.g., passports, driver’s licenses, student IDs, etc.) were offered to the highest bidder.
According to the article, many of the credit card numbers sold on the site were subsequently used by Shadowcrew’s customers, who had no intention of paying for what they bought. The result was more than $4 million in losses suffered by card issuers and banks, says the Secret Service, which is charged by the U.S. government to investigate counterfeiting, credit card fraud, and some computer crimes.
Gage goes on to state that Shadowcrew is a Web mob: a highly organized group of criminals. Unlike the American Mafia or the Russian syndicates, however, these Web mobs work solely in the online world. Members know each other only by computer aliases, interact with each other through the Internet, and commit their crimes in the darkness of cyberspace. The electronic marketplaces they establish to trade their illicit wares can be set up and later disbanded with little more than keystrokes. “They basically can pop up anytime and anywhere,” says Secret Service Special Agent Larry Johnson. The Secret Service says they operate under names such as Carderplanet, Stealthdivision, and Darkprofits.
These cybermobs are designed to foster more crime and criminals on the Web. Much like La Cosa Nostra, members of Web mobs don’t have to break into a bank to rob it. Instead, they provide a framework and services for criminals to trade in their chosen stock—stolen credit cards and identity documents. And their efforts, including the “commerce” sites where they trade in stolen merchandise, will only accelerate what is already a thriving trade in numbers that are regarded on the Web as currency.
Several attributes of the Internet make it an attractive operational location for criminal enterprises. First, individuals and businesses have come to realize that information is power. Likewise, criminals have determined that they can profit by stealing and selling information. Others can then exploit the value of that private information for their own profit.
Second, cyberspace gives the criminal a worldwide reach. In the old days, organized crime might be restricted to a few city blocks, a city, a geographical region, etc. With the World Wide Web, criminals can be located anywhere and can exploit victims located anywhere in the world, provided that they are using the Internet and demonstrate the vulnerabilities exploited by these criminal groups. Thus, criminals with the proper skill set may be located in the former Soviet Union, Eastern Europe, South America, or other distant countries, and target victims through fraudulent or illegal Internet commerce in relatively wealthy countries in Europe, Canada, and the United States with little fear of retaliation by law enforcement.
Third, the World Wide Web is relatively anonymous. Persons online have no face; their existence is only a user name and password that may have no logical, physical, or legal connection to the digital identity. In addition, a cybercriminal can create any number of identities on the Web, none of which may be tied together or tied to the person’s real identity. Members of organized crime groups communicate using their various digital identities. They are also computer savvy enough to know to encrypt their digital transmissions and transactions, and often float their communications through networks of servers and anonymous “re-mailers” that conceal the IP address of their computers. They can also route traffic through proxy servers, making it almost impossible to trace electronic transmissions to their source.
Fourth, beyond the difficulty of catching cybercriminals lies the difficulty of successfully prosecuting them. Determining the proper jurisdiction is often a difficult task. Once jurisdictional issues are resolved, applying traditional laws to online activity presents further challenges. More problematic is the location of many cybercriminals. Many of these individuals locate in countries that do not cooperate with law enforcement officials in nations seeking extradition; the choice of locale by the cybercriminal is deliberate. Organized crime groups operating in places such as countries formerly part of the Soviet Union, Eastern Europe, South America, and Russia are virtually immune from prosecution.
Gains from criminal activity can be readily laundered through money transfers using a series of Internet bank accounts, wagering on Internet gaming sites, artificial purchases on auction sites, and the traditional organized crime practice of using legitimate businesses to hide illegal transactions. Since the beginning of criminal enterprise, the bad guys have used banks as a means to launder money gained through illegal activities. However, the creation of Internet banking makes following the money more difficult than ever.
The following example illustrates the practice of money laundering in cyberspace.
Alexandra is the head of an international identity theft operation, specializing in the mass sale of stolen Social Security numbers, with matching names and dates of birth. Having the big three pieces of identifying data makes her a triple threat.
Alexandra is known around the underworld as a ruthless and vicious operator and yet, she has a problem: she has tons of currency, the profits from her illegal activities that she cannot spend without attracting the attention of law enforcement. More problematic is that if the identity theft ring is busted and prosecuted, without some sort of money laundering operation, the funds can be tied directly to her. She has the ability to pay her employees, contractors, suppliers, and vendors through the organization’s bank accounts, but not herself.
Alexandra needs to get this currency from her organization’s offshore bank account into the legitimate U.S. economy so that she can safely draw on these ill-gotten gains without attracting attention. Alexandra is a true patriot—she has even gone so far as to faithfully and completely pay her U.S. income taxes. Maybe she’s not such a patriot—if she is ever caught, she can avoid being prosecuted for tax evasion.
To gain anonymity, Alexandra uses her money to buy e-currency, a relatively anonymous and unregulated currency she then moves in varying amounts, small and large, across a series of e-currency accounts and ultimately transfers the money into her own bank.20 From there she loans money to herself in the United States and pays a consulting fee to an international company (controlled by her) for services rendered to her real estate company, where she receives cash distributions both as an employee and as an owner. Now she is free to use that money for loans, salary, and dividends as she chooses with little risk to her freedom.
Money laundering, which involves disguising the origins of illegally generated cash flow to give it the appearance of legitimate income, is enhanced on the Internet due to the near anonymity that can be achieved. Furthermore, Internet banks provide access to accounts anywhere in the world from anywhere. As a result, it is often not clear whether an account is accessed from a country other than the one where the money is held. In addition, monitoring the activity of individual account holders is nearly impossible.
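When an examiner does have the transfer records, the layering pattern in Alexandra's example can be followed programmatically. The Python example below is added for illustration and is not part of the original text: it traces funds forward in time from a source account and flags accounts that pass on nearly everything they receive. The ledger, the account names, and the 0.9 threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger, not real data: (day, source, destination, amount).
# Account names are hypothetical and mirror the stages in the example above.
LEDGER = [
    (1, "offshore_org", "ecur_A", 40000),
    (1, "offshore_org", "ecur_B", 9500),
    (2, "ecur_A", "ecur_C", 25000),
    (2, "ecur_A", "ecur_D", 14800),
    (3, "ecur_B", "ecur_D", 9400),
    (4, "ecur_C", "personal_bank", 24700),
    (5, "ecur_D", "personal_bank", 24000),
    (6, "personal_bank", "consulting_co", 30000),
    (7, "consulting_co", "real_estate_co", 29500),
    (3, "payroll_acct", "employee_1", 3000),  # unrelated activity
    (1, "ecur_D", "vendor_x", 500),  # predates any traced inflow to ecur_D
]

def trace_forward(ledger, origin):
    """Return {account: earliest day funds from origin could have arrived}.

    A transfer is followed only if it happens on or after the day the
    sending account first received traced funds (time-respecting path).
    """
    arrival = {origin: 0}
    changed = True
    while changed:  # repeat until no new account or earlier day is found
        changed = False
        for day, src, dst, _amount in ledger:
            if src in arrival and day >= arrival[src]:
                if dst not in arrival or day < arrival[dst]:
                    arrival[dst] = day
                    changed = True
    return arrival

def pass_through_accounts(ledger, accounts, min_ratio=0.9):
    """Among `accounts`, flag those that forward at least min_ratio of inflow."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    for _day, src, dst, amount in ledger:
        outflow[src] += amount
        inflow[dst] += amount
    return sorted(a for a in accounts
                  if inflow[a] > 0 and outflow[a] / inflow[a] >= min_ratio)

def end_points(ledger, arrival):
    """Traced accounts that never send funds onward (where the money rests)."""
    senders = {src for _day, src, _dst, _amount in ledger}
    return sorted(a for a in arrival if a not in senders)

if __name__ == "__main__":
    reached = trace_forward(LEDGER, "offshore_org")
    print("reached:", reached)
    print("pass-through:", pass_through_accounts(LEDGER, reached))
    print("end points:", end_points(LEDGER, reached))
```

The payment to `vendor_x` is excluded because it left `ecur_D` before any traced funds arrived there, which is why the trace respects transaction dates rather than following every link.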
In addition to financial institutions, other businesses, such as Internet-based gambling operations, can also be hijacked for money laundering purposes. Online casino operations further complicate the identification of transactions that might be illegal because the entire operation, including all gambling records, is housed in electronic formats and located offshore in jurisdictions where access is extremely limited. Criminals can facilitate money laundering by “gambling” dirty money at the cybercasinos, converting winnings into cybercash, and then requesting the remittance of seemingly clean money through various cyberpayment and other fund transfer systems. Transactions are quick and may be completed from a computer located anywhere, from the privacy of their own home to the local public library or cybercafé. The borderless nature of the Internet makes it possible for users to play at any casino around the world, often in jurisdictions with minimal or unenforced money laundering laws. Work completed by Forrester Research suggests that there are more than 1,400 Internet gambling sites, most of which are based outside of the United States.21
According to a 1996 study, global Internet money laundering accounted for about $500 billion annually.22 Given the exponential growth of the Internet, that number is likely far greater today. The working paper by Kellerman suggests four models for payment in cyberspace23:
In response, worldwide efforts, often led by U.S. law enforcement, the International Monetary Fund (IMF), and the World Bank, have tried multiple approaches to combat money laundering in cyberspace, including those described below.24
The primary federal law enforcement agencies that investigate domestic crime on the Internet include the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).
In addition, the Internet Crime Complaint Center (IC3) was established as a partnership between the Federal Bureau of Investigation (FBI) and the NW3C (formerly the National White Collar Crime Center) to serve as a means to receive Internet-related criminal complaints and to further research, develop, and refer criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies. The IC3 emphasizes serving the broader law enforcement community to include federal, state, local, and international agencies that are combating Internet crime and, in many cases, participating in the Cyber Crime Task Forces around the world. Since its inception, the IC3 has received complaints across the spectrum of cybercrime, including online fraud in its many forms, such as computer intrusions (hacking), economic espionage, identity theft, intellectual property rights violations, international money laundering, online extortion, theft of trade secrets, as well as Internet-facilitated crimes.
IC3 serves as a repository organization to receive, develop, and refer criminal complaints regarding cybercrime. The IC3 provides a convenient and easy-to-use reporting mechanism for victims. Based on the data provided by victims, the IC3 alerts authorities to suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, local, and international level, IC3 provides a central referral mechanism for complaints involving Internet-related crimes. In addition to partnering with law enforcement and regulatory agencies, IC3 also works to establish effective alliances with industry. Such alliances enable the IC3 and their law enforcement partners to leverage intelligence and subject matter expertise of their industry partners. The goal is to be proactive and aggressive as well as responsive to cybercrime.
We have eight types of assignments for instructors to choose from:
Read the following article or other related articles regarding the NetWare case and then answer the questions below:
Byron Acohido, “Meet A-Z: The computer hacker behind a cybercrime wave,” USA TODAY, August 5, 2008.
1. In what country is A-Z believed to live?
2. From what country(ies) is(are) his accomplices?
3. From what country(ies) is(are) A-Z’s victims?
4. What is the name of the software program that tracks a PC user’s keystroke activity and alerts the cyber-gang each time the PC user logs into their bank account?
5. How much money did the A-Z scheme net in total?
6. Where was the computer server holding key instructions discovered?
1. Why is a threat such as the one allegedly perpetrated by A-Z so difficult to investigate and prosecute?
2. What are the means by which cybercriminals meet and agree to participate in such an activity?
3. Can society expect more or fewer crimes similar to that allegedly perpetrated by A-Z? Why?
Brief cases 1–4 are based on the following information.
Your client, Virus-Victim, Inc. (VVI), has suffered an attack. The company sells popular retail items only via the Internet to customers all over the world. The perpetrator has been identified and local law enforcement and the county prosecutor are handling the criminal action.
VVI believes that the perpetrator has the deep pockets to compensate VVI for its losses associated with the attack. The perpetrator committed the act at 12:01 am Saturday, July 4th and the retail website was down for 8 hours. At 12:01 am, alarms triggered and the Director of Information Technology (IT) and 10 IT programmers worked all weekend long, 20 hours, to restore and remediate the attack.
1. and 2. VVI’s supervisor from information technology and an accounting clerk have assembled the following lists of costs:
The variable warehouse and distribution costs average $400 per hour; annual warehouse and distribution fixed costs average $250 per hour. The warehouse maintained full operational capability during the outage and restoration period. Estimate lost productivity to VVI.
Sales | Annual | July |
Total | 96,000,000 | 10,000,000 |
Per Month | 8,000,000 | 10,000,000 |
Per Day | 263,014 | 322,580 |
Per Hour | 10,959 | 13,441 |
VVI sells generic low-cost groceries with lots of competition. When customers cannot buy from VVI, they typically do not return, but rather purchase from a competitor. VVI’s historical gross margin is 45%; incremental profit margin is 20% and net profit margin is 7%. Estimate lost (a) sales and (b) profits to VVI.
The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.
These items will be provided by the course instructor.
Assignment: Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination.
In terms of the missing JRE deposits:
Your primary assignment is to re-examine all of the information, evidence, and activities received for this case.
Case Background: See Chapter 1.
Question: The HR (human resources) department has requested some assistance. They would like to identify all employees who are not withholding the maximum savings amount for the 401K retirement plan of 6% to invite them to some retirement planning training sessions.
Student task: Students should (a) examine the listing of employees and note the “E_RetPCT” percentage for the employees whose 401K withholding percentage is less than 6% and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.
Case Tableau Background: See Chapter 1.
The forensic audit has identified a ghost employee with disbursements in the payroll system for which clients may have been inappropriately billed: Theresa Angelina. The forensic audit did not reveal which clients may have been affected.
Question: Can you graphically present the total billings by client and a grand total for Theresa Angelina for the time period after termination?
Student task: Students should (a) graphically present the total billings (to clients) by client for Theresa Angelina for the time period 1/5/2019 to 6/30/2019 and (b) discuss the finding and recommend investigative next steps.
Student material with step-by-step screenshots for completing the assignment is available from your instructor.