Hacking Exposed
Page 48
MONEY LAUNDERING
Once the hacking has generated profits for the criminals, they generally cannot use the money as it comes in. Because of the traceability of assets, some form of money laundering usually occurs before the money is dispersed. This laundering can take several forms: shell companies set up to make the money transfers look legitimate, individuals used as fronts who don’t know about the underlying criminal activity, and even moving the money to banks with dubious jurisdictional status. All of these are efforts either to shield the true origins of the money or block authorities from freezing the assets.
Anti-Money Laundering Software
Some software packages out there can assist banks and other financial institutions with anti-money laundering (AML) compliance and money laundering detection. For instance, in the United States, the Bank Secrecy Act requires all financial institutions to report any cash transactions greater than $10,000.01. This software will automatically detect these transactions and report them to the appropriate authorities. In addition, the software can perform historical analyses and other types of statistical reviews of accounts to determine whether the patterns match that of potential money laundering. If you are lucky enough to be working with a financial institution that is mandated to use this type of software, the data it provides can go a long way toward helping with the investigation. Unfortunately, most of the cases where laundering becomes an issue will involve international institutions, who purposefully do not use these tools.
The Mechanics of Laundering
Let’s take a step back and discuss the different ways that money laundering can be set up and run. It can be as simple as moving money from one bank to the other, or it can be a multinational network of individuals and shell companies designed to make asset tracing as difficult as possible. A few of the different ways that money can be laundered are discussed here.
Resale of Non-traceable Assets
This sounds a lot more complex than it is. Say you have stolen 1000 iPods. You then turn to eBay or Craigslist and sell them off, 5 to 10 at a time, at a discounted rate; the only requirement is that you accept only cash. You have now effectively laundered the theft of the iPods into usable cash that would be extremely difficult to trace. This is most commonly employed on smaller scale situations in which a petty thief has stolen a few high-value items such as electronics or computers.
Use of Fake Identities
In the anti-money laundering circles, there exists a term “KYC,” or Know Your Customer. What this means is the banks are required to validate the identity of the individual who owns the account. The reason for this is as follows: If an organization can find an institution that doesn’t adhere to these standards, the organization can use false identities to create accounts in which to place the misbegotten money. Using these fake identities, the money can then be withdrawn in the form of cash, clean of the transactions prior. When investigators try to find the person who withdrew the money, the trail ends when they realize that the credentials used by the person opening the account were falsified and there is no way to find them.
Shell Companies
According to the Financial Crimes Enforcement Network (FinCEN), the term “shell company” refers to non-publicly traded corporations, limited liability companies (LLCs), and trusts that typically have no physical presence (other than a mailing address) and generate little to no independent economic value. These organizations are generally used to make the financial transactions look legitimate.
Suppose you have a shell company that purports to provide software services. The criminals will pay this company for services rendered, usually in transactions structured to avoid detection (this is known as “smurfing”). The shell company will then pay the ultimate recipient of the money, creating a buffer between the recipient and the crime conducted to gain the money. While most of these shell organizations are internationally based, there are domestic examples as well. For instance, shell companies and shell nonprofits are commonly used by terrorist organizations to get money to terrorist cells in western countries without the transactions that would alert counter-terrorism forces.
Foreign Banks
Foreign banks generally go hand in hand with shell companies. Some banks in various jurisdictions focus on account privacy above all else. These banks will fight tooth and nail against any kind of subpoena or request for account information. If a shell company deposits money into one of these banks and then disperses the money from the bank to individuals, it can be almost impossible using traditional financial asset tracing methods to determine where the money flowed.
The Role of Computer Forensics
Traditional money laundering investigations have focused on asset tracing by way of financial transaction records. Computer forensics offers a new dimension for these reviews. Now, investigators can look not only at the financial transactions, but also the activities of the criminals on a larger scale. Let’s look at several ways that computer forensics can assist with money laundering investigations.
Finding Evidence of Non-traceable Assets
We have all heard the stories about criminals using eBay and Craigslist to launder stolen goods. What used to occur in back alleys and in flea markets now occurs online. The good news is that if you get access to the computers the criminals used, you can use computer forensic techniques to look for the ways in which this money was laundered.
Web Site Analysis
Using the web history forensics we have discussed throughout this book, you can reconstruct the transactions that were undertaken by the criminals. Once they are reconstructed, you can look for evidence of large numbers of transactions online. If they have placed hundreds of items on an online auction site, that may be a clue. In addition, look for other, non-obvious things. One case we worked involved the purchase of rare jewels and precious metals with the intent of laundering the money. If something catches your eye and seems out of place, run it by the financial investigators or counsel with which you are working.
Evidence of Shell Companies
The traditional picture of a shell company is an empty office sitting on an island in the Caribbean, with money hidden in an offshore bank. While such organizations still exist, increased globalization has changed the structure and location of these companies. Finding their names and locations is now harder than ever. However, by performing a forensic review of the individuals believed to be involved, you can look at a few things to help determine the names and structures of these companies.
Finding Shell Companies
In addition to traditional asset tracing, general user activities can serve as tip-offs to finding shell companies. Take a look at the e-mail of the individuals believed to be involved. We have experienced situations in which shell companies have been discovered because the person embezzling money sent the company information in an e-mail to an accomplice.
Laundering Accounting Ledgers
Organizations or individuals who engage in money laundering on a widespread basis will generally need some method for tracking the money as it flows through the laundering process. Just as with embezzlement and fraud, it is common for the criminals to maintain an alternate ledger that monitors this flow of money through the process.
Finding the Ledgers
Chapter 17 covered how to find these alternate ledgers. The thing to remember here is that the criminal may not anticipate the need to hide the ledger, as he may not believe he will get caught. Before going through the process of deep diving on any file that appears to be a ledger, you should do a basic search for any non-hidden financials. Also, remember to look at the web history as well. This can provide a tip-off that may denote that the criminal is actually using an online service to manage the money laundering, even something as simple as online banking.
Finding Fake Identities
I remember distinctly one of the first cases I ever worked had a laundering component. The individual gave fake Social Security numbers to his friends to use when withdrawin
g funds. They would then go on to forge identification documents to satisfy the banks, and they were off to the races. This matter was blown wide open when we found the forged ID documents and detailed e-mails describing the SSNs that the friends were supposed to use when they would transfer the money.
Things to Look For
The standard computer forensic techniques we have discussed throughout the book all come into play here. Look for communications that can denote mechanisms to carry out the fake IDs. For instance, as discussed above, we found false SSNs in e-mails addressed to friends, along with instructions on how to move money. While these days you’d be hard pressed to find that in an e-mail, such information may exist in cell phone records or chat logs. Also, look for evidence of document forgery. This will generally come in the form of modified scans of pictures or modifications of the types of documents required for obtaining a government ID.
CHAPTER 21
CONSUMER FRAUD
Fraud perpetrated against everyday individuals or consumers continues to rise in the United States and throughout the rest of the world. The digital age and the prolific use of e-mails and the Internet have both depersonalized fraudulent scams against consumers and significantly enhanced the ability of individuals to commit frauds on a mass scale, especially frauds perpetrated primarily through the Internet or e-mail. In the not too distant past, many frauds were committed by skilled con artists who would draw people into their confidence to get in on a “once-in-a-lifetime” opportunity. Today, however, con artists rely on the Internet and mass e-mails to reach a broad audience of individuals all over the world in an effort to get people to part with sensitive information about their lives, bank accounts, and other private information, as well as to part with their hard-earned dollars.
Most people have experienced, or at least heard of someone receiving, the now infamous e-mail from a Nigerian doctor, lawyer, or some other individual needing help to transfer money into the United States. For a limited amount of assistance, and a small amount of the consumer’s money, the e-mail promises significant risk-free returns. Unfortunately, this was a scam. Countless Americans fall prey to such “too good to be true” type frauds each year.
If it sounds too good to be true, it probably is. That old saying rings true too often as consumers fall victim to various frauds every day. In reality, frauds are not limited to those gullible victims who fall for the Nigerian e-mail scam, but they can also affect many successful and sophisticated investors who fall for sophisticated and elaborate investment frauds that offer the opportunity to get into a unique venture with the potential for significant or “too good to be true” returns. Unfortunately, it can be easy to turn a blind eye to the details and the obvious risks of these proposed ventures.
As this book is written, Wall Street is embroiled in controversy surrounding the ongoing investigation of Bernard Madoff in what may turn out to be one of the largest investment frauds ever perpetrated. As facts unfold daily regarding the handling of billions of dollars of investments managed by Madoff and his investment company, it is becoming clearer that he may have perpetrated one of the largest Ponzi schemes ever, right under the nose of the SEC, other investment funds that provided capital to him for investment, and many successful, wealthy, and sophisticated individuals who had invested with him for years.
This story, on a smaller scale, is being repeated elsewhere around the country as investors come to grips with not only the realization that their investment portfolios have significantly decreased in value from the downturn in the global economy, but that in reality the funds have been squandered, lost, and/or used for other purposes without their knowledge as part of some ongoing investment fraud. If there is one lesson to be learned, it’s that anyone can fall victim to consumer fraud.
While much of the focus of this book has been on evaluating the need for computer forensics skills and professionals from the corporate perspective, it is important to point out that frauds are also perpetrated against individuals. While consumer fraud in many cases affects individuals, sometimes the frauds encompass a broad range of consumers. While much computer forensics work focuses on corporate events and occurrences, it is not uncommon for computer forensics specialists to be retained to assist in matters involving both large and small frauds against consumers, especially where the frauds may involve a group of consumers and the potential loss of large sums of money.
WHAT IS CONSUMER FRAUD?
Consumers fall victim to countless types of frauds every year. Although the various fraudulent schemes have changed over time, they all involve the use of deception to separate consumers from their money. The most common, and widespread, of frauds these days involves identity theft, a rampant problem in the United States. Billions are spent each year to protect and secure personal information and data, including Social Security numbers, bank accounts, credit card information, and other personal information that can be used by skilled individuals to take out credit (such as loans, credit cards, and so on) using someone else’s identity.
Consumer fraud is perpetrated by various means. Fraudulent operations typically make prolific use of the telephone and now e-mail and the Internet to perpetrate their schemes. Prior to the rapid expansion of the Internet, the telephone was the primary means of contact in consumer frauds. However, today contact through the Internet and e-mail has far surpassed the use of the telephone. In addition, where fraud perpetrated through the telephone required contacting consumers one-by-one, the use of mass e-mails and Internet sites has vastly increased the number of people exposed to the various types of consumer fraud. Each year, billions of dollars are estimated to be lost due to identity theft, fraudulent telemarketing, various scams through e-mail and the Internet, fraudulent business opportunities, and various forms of mortgage and investment fraud.
Consumer fraud is the primary domain of the Federal Trade Commission (FTC). The FTC’s Bureau of Consumer Protection states, as one of its primary goals, “to protect consumers against unfair, deceptive, or fraudulent practices in the marketplace.” The Bureau of Consumer Protection has the authority to conduct investigations, sue companies and individuals that violate the law, and develop rules aimed at protecting consumers. It also serves as a repository for information collected from complaints about identity theft and other forms of consumer fraud that may be prevalent across the country.
RAMIFICATIONS
The ramifications of consumer fraud are not unlike those of other frauds—they can cost consumers billions of dollars in losses, undermine the public trust in the safety and protections in the marketplace, and cost the government and corporations billions to ensure that adequate protections are in place to guard against the many unlawful practices targeted at consumers.
Impact to Consumers and the Public
In 2007, the FTC received close to a million complaints and disclosed that consumers had reported losses in excess of $1.2 billion. It is important to point out, however, that these were the “reported” losses to the FTC. Many, if not most, consumer frauds happen to individuals who have little to no recourse against the perpetrators. Once the fraud is discovered, little evidence typically exists to track down the suspected perpetrator other than a defunct telephone number or e-mail address.
Education and prevention remain key for numerous organizations to protect consumers from the many forms of consumer fraud. In addition to the FTC, organizations such as the Better Business Bureau, Internet Crime Center, National Consumers League, Social Security Administration, and the US Postal Inspection Service all work to educate consumers about the risks of consumer fraud and preventive steps that consumers can take to guard against falling victim to scams.
Regulatory Environment
As with any area of significant abuse or fraud, once it reaches a certain level or impacts a sufficient number of people, rules and laws are typically enacted in an effort to provide additional protections to consumers. The FTC is responsible for enforcing numerous laws aimed at protecting con
sumers from false advertising and telemarketing scams to an individual’s right to receive a free credit report. However, various law enforcement and regulatory agencies have similar focus in their respective areas. In addition, as concerns unfold regarding the Madoff investment fraud and others like it, the SEC may implement additional rules to provide enhanced protections to individuals and their investments through various types of private investment management companies.
Investigations and Litigation
As described, many consumer frauds go unreported. People quickly realize after they’ve parted with their money and fail to receive anything in return that they may have been had. All too often, they have little recourse against the suspected perpetrators as the true identity of the perpetrators is likely not known. Professional con and scam artists are experts at putting people at ease and convincing them of the veracity of their product offering, investment opportunity, or other ruse underlying the fraudulent scheme. In addition, it is not difficult these days with the help of specialized software to produce professional-looking documents, mailers, forms, and Internet sites that further compel potential victims to inquire about the “too good to be true” opportunity. Unfortunately, once payment has been made, most victims have little chance of getting it back.