Founded in a basement in Alberta by two friends eager to break into the online funds-transfer industry, www.OnlineMoney.com quickly became a runaway success. Other service providers were abandoning high-risk merchants and their attendant customers with increasing rapidity. Online-Money was quick to step in and fill this ever-widening gap, and it soon outgrew the basement and opted for more spacious accommodations above a car wash. The sky would prove to be the limit, and quickly OnlineMoney found itself in a multilevel office building with a number of dedicated departments and business units. Eventually, it would move to even more spacious and luxurious locations, both locally and internationally. Before this final move, I would discover Adrian's treachery in our customer database and assist in bringing him to justice.

I was initially employed with OnlineMoney as a customer service representative, aiding customers with the setup and navigation of their accounts and finishing my university homework between calls. Within a few years, I had demonstrated a knack for dealing with difficult customers, pursuing debtors and locating fraudulent or otherwise suspicious accounts. I was promoted to the investigations unit and promptly placed on the night shift, riding the rookie desk as the newest addition to the team.

Despite its somewhat negative effect on my social life, working nights offered the first crack at all the best cases, as this was when the majority of identity theft or other victims notified us of their unfortunate discoveries. It was also the prime time for fraudsters with day jobs to try their luck against our identity and bank verification systems with varying degrees of success.

I was working yet another 3:00–11:00 PM shift, collating data on an active investigation in Broward County, Florida, when my desk phone rang. I lifted the receiver, pressed the queue button, and said, "Thank you for contacting OnlineMoney Investigations. How can I help you?"

"Ummm. Hi, Ryan, " came the reply from our receptionist. "I have an investigator employed with a Marine credit union on hold claiming several bank accounts have been compromised. Can you take the call?"

"Put him through, please."

I began by asking the bank investigator for a brief summary of the issues and how he had come to feel the charges against the accounts were unauthorized. I asked this because we received several calls a day that were simply cases of buyer's remorse. Frequently, these remorseful buyers would involve their banks, and even law enforcement, in an attempt to negate their purchases. Other times, an overzealous bank employee would call us to check up on the products their client was purchasing to ensure they were not controlled or prohibited by the bank. At this point, I thought I had heard it all.

The gentleman proceeded to outline the five Ws (who, what, when, where and why) of the case so far. The evidence supporting his claim that the transactions were not authorized seemed solid; all of the identities used to establish accounts belonged to Marines on active duty in Iraq at the time. Being perhaps the most compelling evidence I had heard up to that point in my career, I quickly dispensed with my usual cynical phone persona and got down to business.

I closed all accounts with a few keystrokes and employed a variety of techniques to isolate a clear trail to the identity of the perpetrator and assess the possibility of criminal proceedings. The majority of OnlineMoney's account products were designed to be as user friendly to increase conversions and decrease abandoned signups. This left the intrepid investigator with a very lean sample of "tombstone" data to work with that typically consisted of:

It helped that the perpetrator had registered multiple linked accounts, leaving a wider trail of unique attributes to investigate. I set about my task, following every lead as far as it would go, and then following the next one.

Investigators in the online space are like investigators anywhere; the case load dwarfs the available resources, the budget isn't written to give you more than last year, and the coffee in the pot is always two hours old. Given that I was not employed by law enforcement, the toolkit that I had access to was limited, to say the least.

Our chief methodology when dealing with a concentrated third-party fraud was affectionately named Search and Destroy. Essentially, it consisted of following links among accounts and running checks on the customer data attributes present on those accounts until a perpetrator was identified. Once that was accomplished, all I had to do was prove that the individual — or someone known to him — was involved in the scheme and lawfully lean on him until he either admitted the wrongdoing or squealed on his friends. Not the most sophisticated approach, but when life gives you lemons, you need to supply your own sugar and water.

The hottest data attributes were typically:

By hottest I simply mean these gave the most useful results when investigated. As a first step, I ran a search of our system for all transactions submitted in the last 30 days, using the credit union routing number in question, and further pared down that list by eliminating accounts that were registered prior to the alleged fraud being reported. In past investigations, I had netted a good line on the perpetrator simply by identifying which account had been signed up and operated first. I can't count the number of times a fraud ring started with one debtor who got to know the system via their initial shady account operating.

This approach bore fruit yet again when I found an account signed up in Adrian's name that did not have any transactions but was linked to several suspect accounts by a telephone number. All accounts registered with OnlineMoney required that a recorded call be placed to the account holder and certain information be verified. I looked up the phone numbers to which verification calls had been placed for every account in the questionable group; several of them were in Adrian's name or surname. Many of the addresses used also turned out to be connected to Adrian. I began to think that either I was incredibly lucky, or my perpetrator was a bit of an amateur.

Doing a computerized search on Adrian's full Social Security number, I was able to confirm his employment with the USMC; tracing several of the IP addresses yielded hits to Marine bases or public libraries near Adrian's home. The net was beginning to tighten, but I still needed more proof. Externally, the investigation was proceeding nicely. The initial complainant at the credit union had forwarded the case to the Naval Criminal Investigative Service (NCIS) for completion, but not before Ted and I compared notes.

I informed Ted of what I would need for an official request to release my findings and wished him well, hoping we would meet under happier circumstances one day. But I still needed more proof to make my implication of Adrian irrefutable and ironclad. Turning to our phone records, I extracted the verification call conducted on every account under investigation. That same old lucky feeling was returning; the voice that confirmed Adrian's initial account sounded the same as every subsequent account. I felt like I was unwrapping presents when every call I extracted yielded the familiar voice I had come to know as that of Adrian Vargas. All that remained was to submit my evidence to NCIS and await the results.

Typically, any progressive service that provides online funds transfers only requires that a formal request for information be submitted by the enforcement agency investigating the case, on official letterhead, before releasing its records. Some circumstances will require a subpoena; however, solid legal precedent does exist for the release of records to the authorities, and most reputable service providers write this directly into their terms of use and privacy policies. (Law enforcement staff dealing with online investigators like me will probably find this information very useful.)

I called my new contact at NCIS to discuss the case and outline my requirements to release information. I learned that in addition to the rogue transactions and purchases made by Adrian within the OnlineMoney system, there were countless wire transfers from the compromised checking accounts to himself and to members of his family. Again, Adrian was earning a reputation as the sloppiest perpetrator I had seen.

The NCIS agent was very interested in the case I had built because there was very little evidence of the fraudulent wire transfers. My key evidence was the recorded phone calls, the account in Adrian's own name, and the IP records captured each time he logged into the fake accounts. These IP records, combined with surveillance video from the public locations from which he logged on, effectively placed Adrian at the scene of the crime. Coupled with his vocal confirmation of each account, including the stolen identity information, the prosecutable crimes were beginning to pile up.

Later that day, I received the official request for information from NCIS, which I stapled to the front of my case folder. After dropping it on the desk of my supervisor, I cut out for an early lunch, thoroughly satisfied with a pending successful collar and confident the approval process would take about as long as a leisurely cheeseburger down the street. Sure enough, on my return to the office, the proverbial rubber stamp had authorized the release of my evidence. I sent an e-mail to the NCIS with my full case attached. Then, I got back to work on other open files. Sadly, they were not all as amateur as Adrian Vargas.

At the time that this case crossed my desk, I had about one hundred open investigations. Some were isolated instances of family members hijacking each other's accounts, some were high-dollar compromises in accounts, some were complex money laundering schemes, and the rest were concentrated fraud efforts, similar to that of Adrian, but with more sophistication. Unfortunately, not all of them were concluded as favorably.

Once all the data was collated from OnlineMoney's database and fully investigated, the identity of the perpetrator in this case was painfully obvious. Some criminals are exceptionally good at covering their tracks; Adrian Vargas was not one such criminal. Nearly every online vendor provided details that confirmed Adrian made the purchases in his own name. Additionally, the NCIS investigator had discovered that Adrian had made several wire transfers from the bank accounts in question using forged identity documents to himself and his family in Texas.

With the addition of the information from the vendors involved, the case against Adrian was as solid as anyone could hope. Having been in custody awaiting trial for a considerable amount of time, Adrian would now get his day in court. I felt a great sense of personal satisfaction about the investigation.

The defendant was indicted and eventually pleaded guilty to one count of conspiracy to commit wire fraud, one count of wire fraud and two counts of identity theft. Obviously, plea-bargaining was involved, as this represents a fraction of the charges originally laid against him. He faced up to 45 years of incarceration and $750,000 in fines. But Adrian was ultimately sentenced to 18 months in prison, five years of probation and ordered to pay restitution equal to the total loss. In this case, the risks and punishment did not justify the reward. The total loss incurred, and thus the total gain that Adrian could have hoped for, was $39,094 — a far cry from the value of a clean record and the possible fines he could have faced.

Ryan W. Mueller has been a fraud investigator for more than seven years, working exclusively in e-commerce and online payment processing. Ryan graduated from the University of Calgary in 2006 and is currently the director of Golden Apple Consultants, a consulting firm focused on online fraud prevention and investigation. E-mail him at [email protected].