USA Choice Payments, Inc., a privately held company based out of Greenwood Village, Colorado, specialized in payment systems providing an alternative to traditional brick-and-mortar banking by offering complete payroll services for businesses entirely through the Internet. The company was created in the early 1980s and was a pioneer in the alternative payment industry. Unfortunately, as management found out, there were a few unpredictable threats lurking in USA Choice's business model that would jeopardize its reputation as innovators in the arena of fraudulent activity prevention and detection. Today, USA Choice Payments remains a leader in alternative payments; however, managers are much quicker to admit that, at times, the fraudsters appear to be one step ahead. Hence, the company developed a greater focus on surpassing compliance by placing the emphasis on total fraud-lifecycle management.

Rhiannon, a young and hip mother in her twenties, was juggling family, work and school. Financially, things were very tough, and many times she and her husband went without dinner so their children could have a special treat instead. When their computer's antivirus software came up for renewal, Rhiannon said to her husband, "Let's wait to renew that next month. What can happen in a month?"

Mark Andrew was heavily involved in the Christian music industry, traveled frequently, and often logged onto his laptop to do a little online banking at his favorite coffee shop that provided free wireless Internet access. He was a long-time customer at People's Bank of North America. Mark traveled the United States as well as Canada and Central America for his ministry work. While on the road, Mark sang and played music for many poor communities. One of his favorite sayings was, "Authority is granted by God. You must be very careful not to give your God-given authority to the devil, who will constantly try to trick you into giving it up." Little did Mark know that the same principle rang true for online banking passwords and unsecured, public Internet connections.

Zoe and Damon were entrepreneurs in the holistic-medicine business and contemplated starting a Web site to sell their merchandise. Damon said to Zoe one night over dinner, "I found some great webmaster options, but a large number appear to be overseas. What do you think — is it safe?"

How were all of these individuals connected to USA Choice Payments, Inc.? None of them had ever heard of the company, let alone employed its online payroll services. But they quickly became acquainted with the downside of the Internet world, and with the name USA Choice Payments.

Most people have at least dabbled in online banking for their personal or business needs. Many fraud investigators are familiar with online account takeovers and have read case studies on the use of shell companies to embezzle money. Rarely do we find connections to account takeovers and shell companies where embezzlement is not part of the fraud equation. The case presented here involves a less-publicized way shell companies can play a part in fraudulent account takeovers.

Imagine this: You grab your coffee one Saturday morning and settle in to pay some bills online. You log in to your bank account and see your balance is short by close to $1,500. After a frantic review of your account history, you see an online transfer to an unknown bank account with the note "Payroll — George Smith." This is your personal bank account, you do not know anyone named George Smith, and you certainly did not perform an automated clearing house (ACH) transaction to him. What do you do now?

This situation has occurred in some form or fashion to online banking users throughout the world. Financial institutions first detected the scheme when account holders called them to dispute outbound ACH transactions on their personal or business checking accounts; the institutions, in turn, sent out requests to the numerous receiving banks to pull back the funds. USA Choice Payments, Inc., was the end recipient of a few such requests, which prompted a review of the account holders' activities. At the time, nothing seemed out of the ordinary to the personnel examining the transactions, so no further action took place. But when I joined the company a few months later and received a phone call regarding a possible fraud scheme, I decided to take the review of our accounts a few steps farther.

Now, let us find out what ruined those cups of coffee.

I have always been an advocate of information sharing. This case highlighted how working together with other investigators who may potentially have valuable pieces of the fraud puzzle can streamline your investigation and improve the quality of your company's fraud-management lifecycle as a whole. My examination began when an investigator from a large traditional bank called me regarding complaints he had received from customers, which he managed to trace back to an account managed by USA Choice Payments, Inc. This investigator, Wu Lee — with People's Bank of North America — indicated that he had numerous customers who were startled by abnormal transactions while reviewing their account history. These customers claimed they did not share their passwords with anyone and did not know Johnny Smith, George Smith, Rita McDonald, or Colin Gonzales — all supposed employees to whom Lee's customers made payroll transactions using USA Choice Payment, Inc.'s alternative payment system. Lee informed me that in each case, the same IP address was used to initiate the funds transfer, but only some of the money was sent to accounts with USA Choice Payments, Inc. I began to get the idea that this case was larger than first thought.

After a complete review, I was able to connect a number of additional accounts to the same group of individuals. I said to myself, "Surely this is not fraud; the activity appears normal and these are lower-risk accounts." But something did not seem entirely right, so I decided to do some extra digging and called an investigator at another financial institution, 1st Loan & Trust Bank, to ask about some ACH deposits going to a few of the accounts under review at USA Choice Payments, Inc. I was shocked to find out that the 1st Loan & Trust fraud investigator, Tina Drew, was working a case that fit the exact profile, except that the majority of the funds were sent to another payment-services company. I gave Drew some of the information shared by Lee, and she exclaimed, "We have lost more than $100,000 so far to this Johnny Smith!" From there, Drew, Lee and I shared what we knew and helped each other complete our cases more quickly than we could have dreamed had we been working alone.

After discussing my findings with my new contacts, I was absolutely convinced that I was onto something. I continued to dig. A major breakthrough in the case was the discovery of Web site logins from the same IP address on a large group of USA Choice Payments, Inc.'s accounts. While this IP was different from the one supplied by Lee, the activity still seemed odd — particularly because the IP pointed to a small town in Virginia. This was strange because the account holders had addresses on record all over the United States. I sent off multiple requests to the Internet service provider to obtain more information or a contact in their fraud department but had no luck. Since the case was going nowhere, I felt strongly that the accounts and the IP address had to be clues to the case Drew, Lee and I were discussing. It was time to reach out again to my new contacts.

Drew was excited to hear of my IP connections because she had found transactions made by the same address in her case. Drew told me she had spoken with local police investigators in Virginia who were very interested in Drew's IP connections and said they already had two suspects identified. The suspects were both young men with possible connections to organized crime in Miami. My ears perked up with the mention of a Florida-based mob because the activity I was seeing on our accounts was in Miami. I said to myself, "Surely this is no coincidence." According to Drew, one of the young men in question, Buzz, was allegedly running a money-laundering ring that included almost all of the nightclubs in Walden and the surrounding area. The local investigators were under the impression that Buzz's friend, Felix, was not aware of all of the activities going on but that he was involved in a small way and, at the very least, benefiting from the fraudulent activity. Now it was time to call Lee and share what we had learned.

Lee had spoken with one of his victims, Mark Andrew, and learned that he had responded to a phishing e-mail, inadvertently giving away his online banking password. Rhiannon, subsequently, called Drew at 1st Loan & Trust to report that her and her husband's life savings of $1,396 had vanished from their bank account with a memo "Payroll — George Smith." "I was saving that for my children's vacation to Disney after my graduation this spring," Rhiannon wailed. Rhiannon told her story to Zoe, a lifelong friend, over coffee. Zoe, who never banked online but did use 1st Loan & Trust, vowed to check her account history via the bank's 800 phone number when she returned home that morning. When she called, Zoe discovered that the business checking account she shared with her partner, Damon, had a large transaction that she did not recognize. Zoe visited the bank branch the next morning and spoke with the branch manager, who explained that the transaction was a payroll disbursement to a Rita McDonald. "Rita McDonald. Who is that?" cried Zoe. "Well, it says here that this transfer was made by your partner, Damon," said the branch manager. She assured Zoe they would look into the transaction and get back to her as soon as possible. The branch manager then passed this information to Drew. When Drew followed up on the complaint, Zoe denied responding to an e-mail asking for login information. "I could not have done it, especially because I have never even used online banking." Zoe quickly called Damon who swore he did not make the transaction but said he did have an online login. In fact, Damon said, "I just confirmed my login information via an e-mail the other day." Zoe and Damon's funds went to an account at another alternative payment provider; however, I suspected the pattern of withdrawals would prove an obvious connection to this scheme, as well, and our friends Buzz and Felix would be on the receiving end.

Government investigators began to put together cases, and at the time of this writing, a grand jury hearing was pending for one of the perpetrators. The scheme totaled more than $250,000 for USA Choice Payments, Inc., alone. There were elements of identity theft, shell company usage, debit card fraud, connections to organized crime and Internet fraud in this intriguing case. While it is impossible to be sure that all victims have been accounted for, the last dollar amount I heard involved in this scheme was upward of one million dollars in losses to individuals and businesses. These losses — absorbed by the financial intuitions, ultimately, and not the victims in this case — are just a small piece of the total fraud costs every year.

Our investigation revealed that Buzz and Felix had managed to obtain legitimate incorporation papers for a handful of shell companies from a state government office. Each company was set up using multiple stolen identities to complete the first step of the scam. Next, they used these companies as a means to send payroll to their many different employees through alternative payment systems. It was unclear how many parties were involved in the creation of accounts (opened with the names of employees) at multiple organizations, such as USA Choice Payments, Inc., and other smaller alternative payment systems; however, it was quite evident that identity theft was the motive. We suspected that the identities of the victims whose personal details were used to set up the accounts were acquired either by searching Google or a public records database. Their "employers" all had Web Sites making them look like legitimate businesses (perhaps they even were actually selling the items advertised on the sites).

The funds for these payroll transfers were obtained from multiple business and personal checking and savings accounts with large financial institutions in the United States. The victims in this case are just a sample of the types of unsuspecting online banking users who fell prey to what we believed was a phishing scheme; this assumption was later confirmed, thanks to a confession from Felix to law enforcement. It turns out that while Felix was not aware of the money-laundering activities with the nightclubs, he was technically savvy and allegedly was able to develop viruses to capture the online banking passwords of many individuals through a phishing scam. The passwords and user names he obtained were able to sustain him and Buzz for more than two years in a comfortable lifestyle. It appears that the Walden residents were only partially incorrect. Buzz and Felix certainly were no salespeople, but they had managed to sell the townspeople the idea that they were good citizens.

At this writing, Felix is facing multiple felony charges under the Computer Fraud and Abuse Act and multiple identity theft charges. He is expected to obtain a lighter sentence than Buzz, but could still spend up to 20 years in prison for some of his charges. Buzz, the mastermind, is facing conspiracy to commit mail fraud, multiple counts of mail fraud and conspiracy charges, in addition to money laundering and identity theft charges. The charges against Buzz are still mounting as additional victims are uncovered and he will probably be charged with more counts relating to the allegedly forged state incorporation papers.

Andrea Lee Valentin, CFE, has more than 10 years of experience in the financial services industry with a focus on research, investigations and compliance. With a BA in Accounting from the University of Central Florida, Mrs. Valentin went on to obtain an MBA in Economic Crime and Fraud Management from Utica College in New York. Today, Andrea uses her passion for fraud fighting in her role at FSV Payment Systems, Inc., by leading the fraud and operational compliance divisions and is the cofounder of Virtual Fraud Detection Services.