TRACKING CRYPTO WHAT’S THAT LEBANON’S CORRUPT THIRD PARTIES AND ENCRYPTED MOST SCANDALOUS

FRAUD P. 8 SMELL? P. 24 CENTRAL BANK CHIEF P. 34 EMAIL SERVICES P. 44 FRAUDS OF 2023 P. 52

VOL. 39 | NO. 1 | JANUARY/FEBRUARY 2024

Fraud-Magazine.com

FRAUD FOR SALE

How cyber criminals are adapting
business techniques to flaunt their wares

See P. 14
 FROM THE PRESIDENT CONNECT WITH US

FM

MANY PROFESSIONS UNITE Read more Fraud

Magazine content online
at Fraud-Magazine.com.

TO FIGHT FRAUD
O
FM
ne important distinction of the Associa-
tion of Certified Fraud Examiners (ACFE) Download the Fraud
from other associations is the diversity of Magazine app for
our professional base. Most members of accounting iPhone or Android.
organizations, of course, are accountants. Internal audi-
tors have a group dedicated just to them. Bar associations
are comprised of attorneys. Physicians fill the rosters of
medical associations. Like the ACFE on
But ACFE members don’t have a single occupation Facebook for the latest
that unites us. We work in dozens of different profes- news, photos, videos and
sions, including accounting, consulting, law enforce- exclusive online content.
ment, cybersecurity, and banking and law, to name a
few. What does bind us together is the single ideology of
detecting and preventing fraudsters from taking advan-
tage of honest, hard-working people in more than 160 Follow @TheACFE
countries from Asia to the Americas to Europe. on Twitter and keep
I’ve been an enthusiastic fraud fighter for over 30 informed on break-
years, starting as a young lawyer working consumer ing news and industry
trends.
fraud cases until now as the president of the ACFE. And part of my passion centers around that
basic sense of fairness, which for me comes from my upbringing.
My parents grew up in small towns in southern Arkansas and had few advantages. They
couldn’t afford college, so they both started working for the largest employer in the area — a Make connections with
paper mill, where they earned a living for over 40 years before retiring. Their salaries were modest, fellow fraud fighters in
and they earned every cent they made. They were a wonderful example of doing things the right the ACFE Community at
way. You work hard and you earn what you make. You follow the rules because that’s the right Connect.ACFE.com.
thing to do.
We come in every day and work hard for what we earn. How dare someone try to “skip the line”
and get the rewards without doing the work to get them! That makes me mad. Talking with mem-
bers, I hear that sentiment echoed. View stories and photos
A good fraud examiner is someone who believes it’s wrong to ignore the rules and steal. Nor on Instagram and never
is it right when someone enriches themself at the expense of other employees who are following miss exclusive Fraud
Magazine content.
the rules and thinking of others. I’m so proud to meet and talk with like-minded souls online and
at events all over the world.
Fighting fraud is everyone’s responsibility, and I thank all of you, our members, for rising to
the challenge. Thank you also for finding and rooting out those people who try to grab the rewards CONTRIBUTE
without putting in the hard work. That passion for fairness and justice is the glue that binds us and
makes us stronger — regardless of our professional titles. I’m proud we’re part of the solution and Share your expertise
not the problem. n FM and earn up to 10 CPE
credits annually for your
published work. Visit
Fraud-Magazine.com/
John D. Gill, J.D., CFE, is president of the ACFE. Contact him at [email protected]. getpublished.

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 3

 Contents Volume 39, No. 1, January/February 2024

COVER STORY
Fraud for sale
By Rihonna Scoggins
14
For many, the dark web conjures up images
of poorly lit rooms where lone fraudsters
scam victims behind the veil of encrypted
messaging. But the reality is more akin
to an open marketplace, like an Amazon
for criminals — where they sell multiple
fraud products and focus on branding,
marketing and the bottom line. That may
be frightening, but it also presents an
14 FRAUD FOR SALE opportunity for law enforcement.

FEATURES

44 ENCRYPTED EMAILS

5 MOST SCANDALOUS FRAUD

24 WHAT’S THAT SMELL? 34 CORRUPT CENTRAL BANK GOVERNOR 52 CASES OF 2023

Is a third party’s use of encrypted email

What’s that smell? services a safeguard or a red flag?
by Donn LeVie Jr., CFE
24 by Antonio Rossi, CFE, and Lucrezia Tunesi
44
Corrupt central bank governor
allegedly helped push Lebanon’s 5 most scandalous fraud cases
economy off the cliff of 2023
by Fadi Makdessi and Rayan Mohamed, CFE
34 by Jennifer Liebman, CFE
52
4 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM
 Publisher Andi McNeal, CFE, CPA

Editor-in-chief Paul Kilby, CFE

Editor-in-chief emeritus Dick Carozza, CFE

Assistant Editor Jennifer Liebman, CFE

COLUMNS AND DEPARTMENTS Editorial Assistant Anna Brahce

Contributing Editor Scott H. Patterson

FROM THE PRESIDENT
Contributing Writer Donn LeVie Jr., CFE
Many professions unite
Legal Editor Ron Cresswell, J.D., CFE
to fight fraud
Art Director Victoria St. Germain
John D. Gill, J.D., CFE 3 Designers Daryl Smith, Sallie Yeager, Stephanie Weil,
Maria Nastasi, Brittany Fahres
FRAUD IN THE NEWS Circulation Manager Matt Kinsey, CFE
‘Cryptoqueen’ associate pleads Account Executive Nathalie Sterling
guilty to money laundering Contact: (800) 245-3321 | [email protected]
Compiled by Anna Brahce 6 6 FRAUD IN THE NEWS Editorial Advisory Committee
Jonathan E. Turner, CFE, CII, chair; Jane Amling, CFE, FCA;
Emmanuel A. Appiah, CFE, CPA, CGMA, CFF; Keith Bova, J.D.,
INVESTIGATE THIS CFE; Richard Brody, Ph.D., CFE, CPA; Jeimy J. Cano, Ph.D., CFE,
Tracking crypto fraud with CAS, CFF; Chris Dogas, CFE, CPA; James C. Dey, CFE, CPA;

unspent transaction outputs Jennifer K. Gray, MAcc, CFE; Dunia Haddad, CFE; Robert
Holtfreter, Ph.D., CFE; Sezer Bozkus Kahyaoglu, CFE; Thomas
By Sean Tweed, CFE, CCAS, CCI 8 Cheney Lawson, CFE, CII; Philip C. Levi, CFE, CPA, FCA; Larry
Marks, CFE, CISA, PMP, CISSP, CSTE; Kevin Roach, CFE, MBA;
Elizabeth Rossen, CFE; Daniel Semick, MPA, CFE, CGFM; Iryna
Shkraba, CFE, ACCA, CIA; Sheryl L. Szeinbach, Ph.D., CFE;
GLOBAL FRAUD FOOTPRINT
Stéphane Vuille, CFE, PCI; Jessica Yohe, CFE, CPA
Balancing the benefits and 2023-2024 Board of Regents
risks of member-owned credit John D. Gill, J.D., CFE; Jeanette LeVie, CFE;
cooperatives Thomas A. Caulfield, CFE; Wendy Evans, CFE;

By Durgesh Pandey, Ph.D., CFE, FCA, and

12 TAKING BACK THE ID Natalie S. Lewis, CFE; Collins Wanderi, CFE;
John Warren, J.D., CFE; Chrysti Ziegler, CFE
Collins Wanderi, MBA, CFE, PGD (HRM) 10 Fraud Magazine (ISSN 1553-6645) is published bimonthly
by the Association of Certified Fraud Examiners, 716 West
Avenue, Austin, TX 78701-2727, USA. Periodical postage
TAKING BACK THE ID paid at Austin, TX 78701 and at additional mailing offices.

Identity theft and Postmaster — Please send address changes to:

Fraud Magazine | ACFE Global Headquarters
cybersecurity analysis 716 West Avenue | Austin, TX 78701-2727, USA
(800) 245-3321 | +1 (512) 478-9000
By Robert E. Holtfreter, Ph.D., CFE 12 Fax: +1 (512) 478-9297
Subscriptions
ACFE members: annual membership dues include a
DIVERSITY & INCLUSION regular one-year subscription. Printed subscription rates
Case studies in culture for libraries and organizations are available upon request.
Membership information can be obtained by visiting
By Lourdes C. Miranda, CFE 60 63 ACFE NEWS ACFE.com, emailing [email protected] or by
calling (800) 245-3321, or +1 (512) 478-9000. Change
of address notices and subscriptions should be directed
to Fraud Magazine. Although Fraud Magazine may be
ACFE NEWS 63 quoted with proper attribution, no portion of this publica-
tion may be reproduced unless written permission has
been obtained from the editor. The views expressed in
INNOVATION UPDATE Fraud Magazine are those of the authors and might not
Breaking down data silos reflect the official policies of the Association of Certified
Fraud Examiners. The editors assume no responsibility for
By Vincent M. Walden, CFE, CPA 64 unsolicited manuscripts but will consider all submissions.
Contributors’ guidelines are available at Fraud-Magazine.
com. Fraud Magazine is a double-blind, peer-reviewed
publication. To order reprints, visit Fraud-Magazine.com/
I’M A CFE reprint or email [email protected].
Rasha Kassem, Ph.D., CFE © 2024 Association of Certified Fraud Examiners, Inc. “ACFE,” “CFE,” “Certified

By Jennifer Liebman, CFE 68 Fraud Examiner,” “CFE Exam Prep Course,” “Fraud Magazine,” “Association of
Certified Fraud Examiners,” “Report to the Nations,” the ACFE Seal, the ACFE
Logo and related trademarks, names and logos are the property of the As-

CPE QUIZ 70
68 RASHA KASSEM, PH.D., CFE sociation of Certified Fraud Examiners, Inc., and are registered and/or used in
the U.S. and countries around the world.

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 5

FRAUD in the news Read more news at Fraud-Magazine.com

SHIPPING FRAUD
The U.S. Department of Justice
charged a 21-year-old University of
Miami student with mail fraud for
running a scheme that bilked a mul-
tinational shipping, receiving and
supply chain management company
out of $3.5 million.
According to prosecutors,

‘CRYPTOQUEEN’ ASSOCIATE PLEADS Matthew Bergwall and his co-

conspirators gained unauthorized

GUILTY TO MONEY LAUNDERING access to the employee accounts of

an undisclosed shipping company
and then used those accounts to
In November, Irina Dilkinska, the and Karl Sebastian Greenwood. In 2017,
enter fraudulent tracking informa-
former head of legal and compliance for the U.S. government accused OneCoin
tion for merchandise transported
cryptocurrency issuer OneCoin, pleaded executives of operating a multilevel-
guilty to wire fraud and money laundering marketing scheme in which members by the shipping company. The
for her role in a pyramid scheme that received commission for recruiting co-conspirators were then able to
scammed investors out of $4 billion. others to purchase crypto packages. get full refunds from retailers while
According to U.S. prosecutors, Dilkinska Over three million people invested in keeping the merchandise. Bergwall
wasn’t doing much compliance work for the packages. Ignatova remains at large and his co-conspirators allegedly
OneCoin. Instead, she allegedly laundered and is on the FBI’s most wanted list. offered this service for sale and
money for the crypto company and set up Greenwood was sentenced to 20 years in called it fraudulent tracking ID or
the transfer of $110 million of OneCoin prison in September 2023. (See “OneCoin’s FTID. (See “Florida college student
proceeds to a Cayman Islands entity. She’s Compliance Head Pleads Guilty in $4 charged with orchestrating multi-
now facing 10 years in prison. Billion Crypto Fraud Case,” by Mengqi million dollar mail fraud scheme,”
OneCoin was founded in 2014 in Sun, The Wall Street Journal, Nov. 9, 2023, by Skyler Shepard, CBS Austin, Nov.
Bulgaria by “Cryptoqueen” Ruja Ignatova tinyurl.com/2byaepx5.) 11, 2023, tinyurl.com/ycxane2b.)

RAISE A GLASS FOR AWARENESS

In honor of International Fraud Awareness Week in November, British media company
Virgin Media 02 launched a beer to get people talking about fraud prevention. The
limited-edition beer, Crafty Lager 7726, provides tips on how to fight fraud on its labels
with reminders not to share one-time passcodes over the phone and advice for how to
report spam calls and texts. Anyone who ordered the 7726 in select pubs across the U.K.
got two free beers or a nonalcoholic option to share with a friend.
Ross Kemp, who starred in England’s long-running soap opera, EastEnders, and
helped launch the beer with Virgin Media 02, said that the more people talk about
fraud, the better they’ll become at spotting it. “Whether it’s a beer or a brew, what-
ever your choice of beverage, why not take the chance to have a chat over a drink and
break the taboo,” he said. (See “Free beer designed to help people talk about fraud,”
by Neil Shaw, Wales Online, Nov. 16, 2023, tinyurl.com/bdejwjru.)

— Compiled by Anna Brahce

6 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

Streamline your audit process
A buyer’s guide to audit analytics software

Analytics and control monitoring software

can automate manual processes and Audit technology
provide real-time access to critical data, can make your
life easier.
allowing you to not only track financial A buyer’s guide to audit
analytics software

and IT controls but also gain valuable

insights into overall risk management.

Download our comprehensive guide to

help ensure you ask the right questions
about key features when selecting the
right technology:

Continuous monitoring
Easy integration with data sources
Pre-built, automated tasks
Data visualizations and dashboards

Download the guide

 INVESTIGATE THIS Interviewing, data analysis and more

TRACKING CRYPTO FRAUD WITH UNSPENT TRANSACTION OUTPUTS

The author uses real-life examples from his fraud investigations to dispel a major myth about
bitcoin’s anonymity, showing just how traceable the digital currency is. Unspent transaction outputs are
one mechanism to track payments on the blockchain and ultimately discover who’s behind any illicit activity.

W hen the enigmatic inventor

of bitcoin, Satoshi Naka-
moto, published the white
paper, “Bitcoin: A Peer-to-Peer Electronic
COLUMNIST
SEAN TWEED, CFE,
CCAS, CCI
CRYPTOCURRENCY
future transactions. Ultimately, UTXOs
keep track of where coins are at any given
time. [See “Unspent Transaction Output
(UTXO),” by Binance Academy, glossary
Cash System” in 2008, it introduced the tinyurl.com/32cczj9v.]
INVESTIGATOR, PRESTON
world to the now-famous digital currency. MATTHEWS GROUP The UTXO system operates much like
Nakamoto described bitcoin as a peer-to- cash. Say you’re at a store buying some-
peer version of electronic cash that would thing for $5, but you only have a $10 bill.
circumvent financial institutions through output (UTXO) system, makes it highly You wouldn’t rip the bill in half; rather,
a decentralized system, allowing people traceable and how it can facilitate fraud you’d give the cashier the $10 bill, and the
to wrest control from financial elites. investigations. cashier returns $5. This is how bitcoin’s
Privacy was central to Nakamoto’s vision, UTXO system works. If I previously re-
and transactions appeared anonymous Tracing the ‘untraceable’ ceived 0.9 bitcoin and then attempted to
because they involved addresses that with UTXOs send 0.4 bitcoin to my friend, my bitcoin
concealed users’ real identities. Two Instead of using personally identifiable
address is not debited 0.4. Instead, the
anonymous parties could establish trust information like bank account numbers or
entire 0.9 bitcoin UTXO is added to the
through a “cryptographic proof,” known names, bitcoin uses addresses for transac-
“input” of the transaction. On the “out-
as proof-of-work, that verified the validity tions. These addresses are digital public
put” side, 0.4 bitcoin is sent to my friend’s
of their transactions. And while bitcoin’s identifiers that allow users to receive
cryptocurrency address, and 0.5 bitcoin is
cryptographic proof might’ve helped fuel bitcoins. While a real identity might not
returned to me in a new address, known
the idea in the public that users’ identi- be connected to a bitcoin address, every
as a “change address.” If someone makes
ties were cloaked in secrecy and difficult transaction that occurs is permanently
numerous fractional transactions — trans-
to trace, thus providing security to those logged on bitcoin’s blockchain, and anyone
actions in which only a portion of the
looking to hide illicit activity, the reality who views the information on the block-
funds in the UTXO held by an address are
is that bitcoin isn’t anonymous. Rather, chain can trace those transactions. Once a
sent — they can accumulate numerous
it’s pseudonymous, much like authors use transaction is recorded on the blockchain,
change addresses within the same wallet.
pseudonyms to hide their identities. (See it remains there forever, giving investiga-
This accumulation of addresses within
“Bitcoin: A Peer-to-Peer Electronic Cash tors a history to trace. Investigators can
the same wallet is bitcoin’s transactional-
System,” by Satoshi Nakamoto, Bitcoin. then trace bitcoin to a cryptocurrency
exchange like Coinbase or Binance, which tracing advantage.
org, 2008, tinyurl.com/sw58j63u; “Who
can be subpoenaed for the accountholder’s A user could have three addresses in
is the mysterious Bitcoin creator Satoshi
identity. This is the goal of most cryptocur- a single wallet, each with a UTXO storing
Nakamoto?” by Cointeligraph, tinyurl.
com/3zyw7scy; “Cryptocurrency’s Myth rency fraud investigations. (See “Why Is 0.1, 0.2 and 0.3 bitcoin respectively. But
of Anonymity,” Wired Gadget Lab pod- Bitcoin Referred To As A Pseudonymous if the user wishes to send an outgoing
cast, Feb. 9, 2023, tinyurl.com/5a9kbnfm; Network?” by Editorial Team, doubloin. transaction worth 0.6 bitcoin, each address
and “How ‘Trustless’ Is Bitcoin, Really?” com, July 22, 2023, tinyurl.com/3sas493t.) on its own is not enough to complete the
by Siobhan Roberts, The New York Times, Moreover, bitcoin’s transactional transaction. All three addresses must be
June 22, 2022, tinyurl.com/2p9v7a4h.) properties make it a far more transparent combined as inputs in the same transac-
That pseudonymous nature might and more traceable version of cash. One of tion, providing the user with enough
provide a certain level of privacy to its those properties is the UTXO, a transaction funds. When the user tries to complete this
users, but it doesn’t mean that fraud output that can be used as an input in a transaction, the wallet combines these ad-
examiners can’t trace the movement of new transaction. Every input in a transac- dresses as inputs in the same transaction.
bitcoin and discover its users’ identities. tion was an output in a previous transac- This function constitutes one of the stron-
Indeed, some of bitcoin’s most important tion. Bitcoin’s UTXOs define where each gest and most valuable rules in blockchain
features and functions provide a wealth blockchain transaction starts and finishes; forensics — the common input ownership
of data that investigators can use to track anytime a transaction is made, a user takes heuristic. According to this heuristic, if
bitcoin transactions and crack fraud cases one or more UTXOs to serve as inputs and a transaction has multiple inputs, those
in which cryptocurrency is involved. Here, provides their digital signature, confirm- distinct addresses are all contained within
I’ll demonstrate how one such mecha- ing ownership of the inputs. Outputs from the same wallet and controlled by the same
nism of bitcoin, its unspent transaction the transaction become new UTXOs for individual. This allows investigators and

8 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

analysts to cluster addresses together to were likely the same person.
determine ownership. According to the common
input ownership heuristic,
The common input ownership all three seemingly unrelated
heuristic at work addresses were controlled
The common input ownership heuristic through the same wallet,
has numerous practical uses in cryptocur- supporting the idea that one
rency fraud investigations. An embezzle- person owned the addresses.
ment case involving a digital asset broker-
age company that my firm investigated Using inputs Figure 2: We traced the 202.99 UTXO because the 5.0843
perfectly demonstrates the UTXO system’s and outputs bitcoins were inside them. Image created with QLUE by the Block-
value for tracking fraudsters’ identities. Just like the common input chain Intelligence Group.
In this case, a digital asset brokerage ownership heuristic facilitates
company bought and sold digital assets bitcoin tracing so too does the our client, to the high-volume address
and frequently received payments in cryp- cash-like nature of bitcoin. Because the en- mentioned above. If this address wanted
tocurrency. The brokerage performed an tire bitcoin UTXO must be sent as the input to transact the 5.0843 bitcoins it received,
audit and discovered that it hadn’t received in a transaction, you can trace specific in- it must send that amount in its entirety,
digital assets in exchange for the bitcoins puts and outputs more easily than tracing which allowed us to focus our investiga-
it sent. Because the transactions occurred money through traditional online banking.
tion on this amount.
completely online, the company concluded So, if an individual received two incoming
Thanks to the transparency of the bit-
that one of their brokers embezzled com- transactions, one worth 0.5 bitcoin and the
coin blockchain, we quickly identified the
pany funds by creating fake customers and other 0.6 bitcoin, we know that those en-
sending bitcoins to their personal crypto- outgoing transaction. In this transaction
tire UTXOs must be the inputs in a future
currency addresses. (see Figure 2), the high-volume address
transaction. Using information recorded
We analyzed three cryptocurrency combined UTXOs from previous transac-
on the blockchain, we can determine when
transactions between the broker and tions for a large outgoing transaction of
each UTXO is sent in a corresponding
three supposed customers. After receiv- 202.99 bitcoins. Even though the input
outgoing transaction. In the account-based
ing bitcoins from the brokerage, all three (5.0843) wasn’t equivalent to the output
model system, you only know the debits
addresses then sent a large proportion of and credits moving through an account. (202.99), we determined when the UTXO
funds to the same address. The remaining If someone with an account balance of was sent as it appeared in the transactional
bitcoins (the “change”) were transacted $1,000 receives $300, and then sends data. As mentioned, multiple UTXOs con-
into three new change addresses. We could $200 to another account, you can’t know tained within a single wallet are combined
deduce that the “input,” or sender of the whether that $300 was used for the outgo- if the transactional request is too large for
original transactions, had the bitcoins in ing $200 transaction. This is not the case a single UTXO to be the input. In this case,
these change addresses as this “change” with bitcoin’s UTXO system. the 202.99 bitcoins were significantly more
was returned to the owner. These three Connecting inputs and outputs is than the value of each UTXO the wallet
change addresses were then combined crucial in a fraud investigation, especially stored, and therefore, numerous UTXOs —
as inputs in the same transaction to send when an address has many incoming 20 in this case — were combined, includ-
funds to a new address. (See Figure 1.) This transactions. This was central to a case my ing the 5.0843 UTXO.
discovery was vital to our investigation. firm investigated that involved tracing sto- Many people think of bitcoin trans-
We couldn’t confirm if the broker con- len funds from an investment scam. In this actions as a sort of black box and the
trolled these addresses, but our evidence case, our client sent bitcoins to an address anonymity of address ownership means
suggested that these three “customers”
that he thought was associated that investigations are futile. But as we’ve
with a legitimate investment shown, bitcoin’s cash-like transactions
platform. However, the platform have created a system far more transpar-
was fraudulent and the client ent than many people give it credit for. It’s
lost access to his bitcoins. We an improved version of cash for follow-
analyzed the transactional infor- ing funds across multiple entities, and its
mation on the blockchain and UTXO system allows for deductions not
traced the funds to an address possible in traditional online methods of
with more than 22,000 transac- transactions. n FM
tions and 61,000 bitcoins (more
than $1 billion as of November
2023). Since we traced specific Sean Tweed, CFE, CCAS, CCI, is a
Figure 1: Three change addresses combine as inputs in the inputs and outputs, we located cryptocurrency investigator for the Preston
same transaction. These three addresses are in the same wallet the client’s stolen funds through Matthews Group in Vancouver, British
and are likely controlled by one person. Image created with
QLUE by the Blockchain Intelligence Group. this address. The fraudsters had Columbia, Canada. You can contact him at
sent 5.0843 bitcoins, stolen from [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 9

 GLOBAL FRAUD FOOTPRINT Examining cross-border issues

BALANCING THE BENEFITS AND RISKS OF

MEMBER-OWNED CREDIT COOPERATIVES
Credit cooperative societies across the developing world have helped local communities
gain vital access to financial systems. But this access comes with a downside. Fraud and
other financial vulnerabilities can put members at risk. This is where fraud examiners step in
and help protect these cooperatives against such risks.

I
n late 2021, India’s Enforcement informal sector that helps to enhance their
Directorate, a law enforcement agency COLUMNIST bargaining power, and their ability to ad-
focused on economic crimes, arrested DURGESH PANDEY, vocate for better working conditions and
two people in connection to a scam at the PH.D., CFE, FCA social protections. As the Kenyan economy
Navjeevan Credit Co-operative Society that MANAGING PARTNER AT reopened in 2022 following the COVID-19
diverted funds out of the financial institu- DKMS & ASSOCIATES pandemic, Saccos experienced renewed
tion and into the pockets of its chairman growth, with a 4% annual increase in as-
COLUMNIST
and relatives. sets driven by gross loans. (See Figure 1 on
COLLINS WANDERI,
The chairman and his accomplices page 11.)
MBA, CFE, PGD (HRM)
had allegedly opened 200 branches of the CHAIR OF THE LSK SACCO There are two sides to the Sacco coin,
credit cooperative, luring depositors with SUPERVISORY COMMITTEE however. These cooperatives have inherent
promises of unrealistic returns on their vulnerabilities, including credit, liquidity
investment. The perpetrators then diverted and operational risks. In this context, it’s
depositors’ money to entities controlled (See “Sacco fraud: Nine arrested after
essential to recognize the significance of
by them. Board members were also later NIS Sacco loses Sh160 million,” by Esther
Saccos in promoting economic develop-
accused of taking interest-free advances Nyambura, The Standard, Sept. 25, 2023,
ment and financial inclusion in Kenya,
from the Navjeevan Credit Co-operative tinyurl.com/mr44mxvz and “Vet staff,
while also addressing the vulnerabilities
Society, one of several such institutions Kinoti warns banks, saccos over rising
that a cooperative model faces in the digi-
set up to help facilitate financial transac- fraud cases,” by Augustine Sang, Nation,
tal era — and where fraud fighters can lend
tions in the local community. (See “2 ar- Aug. 19, 2018, tinyurl.com/42sf2z9j.)
their skills and expertise to help shore up
rested in Navjeevan Credit Co-operative The credit cooperatives in the cases
Saccos’ defenses.
Society scam case,” The Statesman, Dec. above have become an important part
12, 2021, tinyurl.com/2eht85dt; “Navjeevan of the informal sectors in developing Bridging the inclusion gap
society scam: SOG arrests 2,” by The countries. But they’re also vulnerable to A cooperative’s main goal is to benefit
Times of India, May 24, 2023, tinyurl. fraud. In Kenya, for example, a significant the local communities where it operates.
com/36epx29d; and “Credit Cooperative proportion of the workforce operates in Since co-ops are nonprofit organizations,
Society,” by Dinesh Mishra, Legal Service India the largely unmonitored informal sector, the bulk of their revenue is used to meet
E-Journal, tinyurl.com/5da37ysa.) which often lacks the social security ben- the social, economic and cultural require-
And similar stories are playing out efits provided to formal-sector employees, ments of the community. As a result, the
in other parts of the world. Take Kenya, such as health and disability insurance and entire community benefits when a co-op
where nine employees of the National retirement benefits. Formal financial insti- succeeds. A successful and efficient coop-
Intelligence Services Sacco, a type of credit tutions, such as banks, only provide finan- erative model can, among other benefits,
cooperative, were arrested after Sh160 cial services to a small number of people, offer employment, investment opportuni-
million (over $1 million USD) allegedly particularly in rural areas. ties, collective growth and even income
disappeared. The arrested included the This is where savings and credit equality. India’s Amul Cooperative is a
Sacco’s internal auditor, loans manager, cooperative societies (Saccos as they are prime example of the success that can be
an accountant, two system analysts and an called in Kenya) enter the picture. Saccos, achieved through a cooperative model.
NIS officer. In 2018, the director of crimi- which are member-owned, play a vital Owned by members who are mainly small-
nal investigations (DCI) in Kenya, George role by bridging the gap and providing an scale dairy farmers, Amul was established
Kinoti, warned banks and mobile service inclusive measure of financial security with the aim of providing a sustainable
providers about the risk of fraud at the to individuals in the informal sector who source of income for them in the Gujarat
hands of their own employees, including may need access to formal financial insti- region of India. Like a Sacco, Amul is also a
an alleged case of theft against Harambee tutions. They also serve as a platform for member-owned cooperative that achieves
Sacco Limited as an example of the threat. collective action among workers in the economies of scale and is a testament to

10 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

FIGURE 1: SACCOS SEE ASSET BASE GROW anti-money laundering, data protection
and financial reporting can result in legal
ANNUAL
INDICATOR 2016 2017 2018 2019 2020 2021 and reputational consequences, under-
CHANGE (%)
Total Assets 393,499 440,248 495,246 556,715 673,306 700,258 4.0
mining a Sacco’s credibility and leading
to loss of members’ trust. The Financial
Gross Loans 297,604 313,212 374,286 419,547 508,862 523,018 2.8
Sector Stability Report suggests Saccos
Total Deposits 272,579 305,305 341,910 380,440 464,217 473,302 2.0
also face compliance risks emanating from
Core Capital 54,943 64,254 74,375 79,204 113,786 119,557 5.1
current and new legislation, which directly
Institutional Capital 30,120 35,920 41,905 58,983 69,294 120,303 73.6 affects their business operations. As a
External Borrowings 20,136 21,384 20,363 21,600 25,817 24,765 -4.1 preventive measure, the Sacco Societies
Earning Assets 320,016 357,885 409,342 465,834 553,742 567,413 2.5 Regulatory Authority (SASRA) in Kenya
Liquid Assets 61,216 72,327 83,757 97,553 96,503 105,927 9.8 has signed a memorandum of under-
Non-Performing Loans 15,565 20,336 23,580 25,802 37,651 35,607 -5.4 standing with the country’s Directorate
Loan Loss Provisions 2,208 2,329 3,642 4,654 2,642 2,945 11.5 of Criminal Investigations to establish
the Saccos Societies Fraud Investigation
Gross Income 55,258 63,045 63,601 79,879 70,316 96,905 37.8
Unit (SSFIU) to combat financial crime in
Operating Expenses 20,266 23,206 22,900 26,431 22,808 31,502 38.1
Saccos. It’s also important that these co-
Net Interest Margin 24,060 28,780 31,032 36,847 42,286 43,296 2.4
operatives adopt robust risk management
Short-Term Liabilities 85,050 96,874 110,635 127,040 125,196 138,561 10.7
systems, including IT systems and data
Net Financial Income 30,936 35,968 38,311 45,716 45,063 59,355 31.7 security measures, to protect them from
Source: SASRA
data breaches that compromise sensitive
member information — breaches that
the power of the cooperative model in Some unfortunate members have learned
ultimately erode trust in the system. (See
promoting economic development and painful lessons that illustrate these types
“SASRA forms Fraud Investigation Unit
improving the livelihoods of members. of cooperatives’ vulnerability to fraud.
to quell theft in Saccos,” by Roy Hezron,
Amul is, to a large extent, responsible for More recently, Saccos have faced
Sacco Review, tinyurl.com/cpzwvwd8.)
the “White Revolution” that made India increased high-tech risks. According to a
one of the world’s leading milk producers. recent news article, a 22-year-old was able Strengthening the Saccos:
(See “White Revolution in India, Objective, to breach a Sacco’s IT systems and transfer The role of fraud examiners
Impact, Phases & History,” by Lisa Roy, PW, Sh 900,000 (or $9,560 USD) to six M-Pesa At this juncture, fraud examiners have a
Oct. 7, 2023, tinyurl.com/34ynb5bc.) accounts, a mobile-based financial service unique opportunity to step up and help
belonging to him. While the amount may Saccos and other credit cooperatives iden-
A threat in waiting? not be huge by fraud fighters’ standards,
tify and mitigate vulnerabilities through
While Saccos have shown post-pandemic the fraud demonstrates Saccos’ vulnerabil-
regular audits, training on data security
signs of recovery, they’re sometimes de- ity to high-tech swindles, which has re-
and technology integration, and guidance
scribed darkly as “ticking time bombs” sulted in significant financial loss for their
on regulatory compliance. By working
because of the potential inherent risks that members. (See “Man accesses sacco’s IT
with management and regulatory authori-
they face. One of these is credit risk, which systems, transfers Sh 900K to his MPESA,”
ties, we, as the advocates of fraud manage-
arises when members default on loans, by Magdaline Saya, The Star, Jan. 21, 2023,
ment, can help strengthen credit coop-
which can lead to significant losses that tinyurl.com/msnfyh7c.)
eratives’ governance and management
Saccos can’t absorb. Another factor is the It’s important to note that the issue
practices, enhancing their ability to pro-
liquidity risk the Sacco model faces when of cybersecurity and fraud prevention has
vide accessible, affordable and customized
it’s unable to meet its financial obliga- become more critical than ever with the
financial services to their members. n FM
tions as they fall due. This happens when rise of financial technology and the in-
members withdraw their savings in large creasing adoption of digital financial ser-
numbers or the Sacco is unable to access vices, particularly for Saccos. According to Durgesh Pandey, Ph.D., CFE, FCA, is a
funding from other sources, as exempli- the Kenya Financial Sector Stability Report managing partner at DKMS & Associates,
fied by the liquidity crisis that Stima Sacco 2022, Saccos face technological and regula- Chartered Accountants in India. Contact
members faced due to a technical issue. tory vulnerabilities that may affect their him at [email protected].
(See “Stima Sacco customers locked out of operations. (See tinyurl.com/3tmj3rz7.)
mobile platforms over system outage,” by The rapid adoption of digital financial Collins Wanderi, MBA, CFE, PGD
Bonface Otieno, Business Daily, March 10, solutions has introduced cybersecurity (HRM), is global vice chair for the
2023, tinyurl.com/3vctz68u.) risks and frauds, leading to financial losses Association of Certified Fraud Examiners
Operational risks, such as fraud and among some Saccos. (ACFE) Board of Regents and chair of
embezzlement, can also undermine In terms of regulatory issues, failure the LSK SACCO Supervisory Committee.
Saccos’ financial stability and reputation. to comply with regulations related to Contact him at [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 11

 TAKING BACK THE ID Identity theft and cybersecurity analysis

FRAUDSTERS STEAL PANDEMIC CASH IN YOUR NAME,

INFECT BUSINESS WEB GATEWAYS, AND PILFER
CHILDREN’S HEALTH INSURANCE MONEY AND PII
Fraudsters stole billions from U.S. federal COVID-19 loan programs. Now unsuspecting
victims, who never applied for those loans, are receiving bills. Plus, business ‘NetScaler
Gateways’ are attacked, and Medicaid children’s health insurance recipients are scammed.

S
uzie Johnson recently received a • Write down whom you spoke with and
mailed bill that said she had to COLUMNIST when. You may need to contact the
ROBERT HOLTFRETER,
start paying back her COVID-19 lender again.
PH.D., CFE
Economic Injury Disaster Loan (EIDL). DISTINGUISHED PROFES- • Know that the lender may require a
Suzie was befuddled because she knew SOR OF ACCOUNTING
copy of your FTC identity theft report
AND RESEARCH
nothing about the EIDL program and and other documents. Here’s a sample
never applied for one of its loans. She letter that can help you get started:
talked to her federal representative, and Save a copy of your report because
tinyurl.com/3mrfd9dp.
he advised her to contact the Small Busi- you’ll need to submit it to the SBA.
(See “What to do if you’re billed for
ness Administration (SBA) agency to • Follow the personal recovery plan to an SBA EIDL or PPP loan you don’t owe,”
report the problem, which told her that stop further misuse of your PII and by Rosario Méndez, FTC, Sept. 26, 2023,
someone had stolen her identity and help repair the damage the identity tinyurl.com/ym4jn9me.)
used it to apply for the loan. SBA then theft caused.
canceled the fraudulent loan, and Suzie’s Step 2. Visit the SBA’s website at Fraudsters target unpatched
problem was resolved. This fictitious sba.gov/idtheft. NetScaler Gateways to steal
case is representative of the recent SBA • Follow the steps to report the identity users’ credentials
EIDL and PPP loan scam. theft to the SBA, which is required to Here’s a warning to all organizations
If you’ve received a bill for an SBA start the review process. that offer customers all-in-one apps.
Paycheck Protection Program (PPP) Step 3. If the identity theft involved (Think of apps for your bank or airline
a PPP loan and you know the private on your phone.) Fraudsters are continu-
or EIDL loan you never applied for, an
ing to attack a crucial “9.8 vulnerability”
identity thief probably has stolen your lender that issued the loan, also contact
in unpatched “NetScaler Gateways,”
personally identifiable information that lender.
according to an SC Media article. The
(PII) to get the government loan in your • Explain that an identity thief used
NetScaler Gateway system appliance,
name. your PII to get the PPP loan without
sold to organizations, allows customers
Here’s what to do to report the scam your knowledge or authorization. Tell
to access any app via the cloud from any
and initiate the SBA review process to them the loan is fraudulent. device through a single URL, according
help you resolve any credit problems: • Ask the lender to release you from the to Citrix Systems, Inc. It consolidates
Step 1. Report the identity theft to the loan and to take all the steps needed “remote access infrastructure” to pro-
Federal Trade Commission (FTC) at to remove information about the loan vide customers a single sign-on across
IdentityTheft.gov. from your credit files and to send you all applications whether in a data center,
• You’ll receive an FTC identity theft a letter explaining the actions it’s in the cloud or if the apps are delivered
report and a personal recovery plan. taken. as SaaS (software as a service), which

12 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

allows users to connect to and use cloud- used in conjunction with some other
based apps over the internet. (Common technique during the post-exploitation
SaaS examples are email, calendaring stage.” After a fraudster identifies
and office tools, such as Microsoft vulnerabilities in a network’s systems or
Office 365.) (See “Attacks on NetScaler software, they upload a web shell on the
Gateways aim for user credentials,” by victim’s network, which allows them to
Steve Zurier, SC Media, Oct. 10, 2023, perform discovery on the victim’s “ac-
tinyurl.com/2s3w4hyt; “NetScaler tive directory” (AD) so they can create,
Gateway,” by Hema Malina, Citrix staff delete, modify, download and steal files.
and Subbendu Majumder, NetScaler, An AD provides the methods to store
Aug. 18, 2023, tinyurl.com/bddx462m; information about user accounts, in-
and “What is SaaS?” Azure, Microsoft, cluding passwords, telephone numbers
tinyurl.com/3f797uun.) and other PII, and allows authorized
The 9.8 level (out of 10) is part of the users on the same network to access this
Common Vulnerabilities and Exposures information.
(CVE) list, which the nonprofit MITRE Fraudsters can use stolen PII and
corporation launched in 1999 to identify other information to commit more
representing the Medicaid Children’s
and categorize vulnerabilities in soft- fraud or sell it to other malicious actors
Health Insurance Program (CHIP), are
ware and firmware. CVE is sponsored for fraudulent purposes, including
calling potential victims and asking
by the U.S. Department of Homeland ransomware.
them for their PII or demanding that
Security Cybersecurity and Infrastruc- Irfan Asrar, director of threat
they pay to renew their family coverage.
ture Security Agency (CISA) and the U.S. research at Qualys, and Joseph Carson,
Medicaid and CHIP are joint federal/
Computer Emergency Readiness Team chief security scientist and advisory
(US-CERT). (See “What is a CVE? Com- state programs. Each state is responsible
chief information security officer at soft-
mon Vulnerabilities and Exposures Ex- ware company Delinea, provide advice for governing all aspects of the admin-
plained,” by Abi Tyas Tunggal, UpGuard, in an SC Media article to protect PII and istration and operation of its Medicaid
April 6, 2023, tinyurl.com/3wbvr495.) other valuable information: and CHIP programs.
During an attack, a fraudster inserts The FTC offers advice to protect
• Once a victim organization has
a malicious script, or “bug,” into the families from this scam:
discovered a vulnerability, administra-
HTML content of the authentication web tors should immediately patch it and 1. CHIP won’t charge you to renew or
page to steal user credentials. Techni- check for any signs of a breach. enroll. CHIP may reach out to you
cally speaking, they do this by using the by email, phone or text messages to
• Employ strong passwords.
bug as a “zero day” to drop a “web shell” renew your coverage, but they won’t
on a device that a customer is using. A • Ensure strong controls, such as multi-
ask you to pay. They also won’t ask for
zero-day attack happens when hackers factor authentication and privileged
your PII, such as your bank account
or other malicious actors take advantage access security, are in place.
and credit card numbers.
of a software or network vulnerability • Never reuse credentials for multiple
2. Don’t click on links in text or email
that’s unknown to developers. In other applications because one compro-
messages even if it looks like the
words, the developers have known mised account could open the doors
message is from your state’s Medicaid
about the vulnerability for zero days. Of to other accounts. (See “Attacks on
agency. That’s a scam. Find your state’s
course, it’s no longer considered a zero- NetScaler Gateways aim for user cre-
Medicaid agency on Medicaid.gov.
day attack after it’s discovered. dentials,” by Steve Zurier, SC Media,
Oct. 10, 2023, tinyurl.com/2s3w4hyt.) Then contact that agency to get more
According to “What are Web
information.
Shells?” on the Geeks for Geeks website
(tinyurl.com/2en4z33p), “A web shell Children’s health 3. Start at HealthCare.gov to compare in-
is a malicious program [or script] that insurance scam surance plans, coverage and eligibility.
is used to access a web server remotely According to the FTC, fraudsters, The site requires information about
during cyberattacks … [and] is always who are masquerading as officials your monthly income and age to give

CONTINUED ON PAGE 71

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 13

 FRAUD FOR SALE
How dark-web criminals have turned fraud into a business
like any other — and what this means for CFEs

For many, the dark web conjures up images of poorly lit

rooms where lone fraudsters scam victims behind the veil of
encrypted messaging. But the reality is more akin to an open
marketplace, like an Amazon for criminals — where they sell
multiple fraud products and focus on branding, marketing
and the bottom line. That may be frightening, but it also
presents an opportunity for law enforcement. Here’s why.

By Rihonna Scoggins

14 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

I
n 2022, law enforcement officials in ings. They understood the need for a seam- leaping from $9.4 million in 2016 to $1.37
Germany seized and took control less and secure platform where people billion in 2020, according to threat in-
of “Hydra,” the world’s largest and could effortlessly trade a wide variety of il- telligence company Flashpoint. (See
longest-running dark-web market- legal goods. This focus on user experience “Investigating Hydra: Where Crypto-
place that primarily catered to Russian- and security contributed to the platform’s currency Roads All Lead to Russia and
speaking consumers. This virtual bazaar rapid growth. (See “Justice Department Go Dark,” Flashpoint, May 25, 2021,
allowed individuals to anonymously trade Investigation Leads to Shutdown of Larg- tinyurl.com/57v87mnx.)
in contraband such as narcotics, pilfered est Online Darknet Marketplace,” U.S. De- Hydra’s success soon had fraudsters
financial data, counterfeit IDs and servic- partment of Justice, April 5, 2022, tinyurl. and other criminals looking at similar
es for obscuring the origins of ill-gotten com/3sf5unru and “German Police Take business models to hawk their wares much
money. For some time, all of this occurred Down Hydra Market, a Major Dark Web in the same way that any legitimate busi-
beyond the grasp of legal authorities, so Marketplace,” by Michael Kan, PC Maga- ness sells its products. Indeed, the stereo-
Hydra’s closure, albeit with few arrests, zine , April 5, 2022, tinyurl.com/4ns5taur.) types of dark-web marketplaces — soli-
was significant. In its formative years, Hydra priori- tary fraudsters sitting in dark basements
Like most dark-web sites, Hydra re- tized building a strong reputation within in front of a computer — may have been
lied on the so-called Tor browser, which the dark-web ecosystem. As news of its true in the past, but the reality is now very
hides IP addresses and browsing activity dependability and diverse product range different.
from law enforcement, and on what were spread, the platform grew its product “It’s not dark, it’s not deep. It’s actu-
thought to be untraceable cryptocurren- mix from narcotics to providing fraud- ally really well organized, this cybercrime
cies to facilitate these under-the-table sters and other customers with stolen data underground,” says Michael DeBolt, chief
deals. In turn, Hydra took a percentage- from credit cards and SIM cards, as well intelligence officer of cyber threat intelli-
based fee for each exchange that occurred as counterfeit documents and IDs. It also gence company Intel 471, in an interview
on its platform. (See “What is the dark offered money laundering and cyberattack with Chainalysis.
web? How to use Tor to access the dark services. (See “Russian dark web market- “I would say the best way to conceptu-
web,” by Nicole Kobie, Wired, May 19, 2019, place Hydra cryptocurrency transactions alize the cyber underground is by looking
tinyurl.com/2wcy86em.) reached $1.37bn in 2020,” by Charlie at it through a business lens. … So, if you
But what distinguished Hydra most Osborne, ZDNET, May 25, 2021, tinyurl. think about it from a business lens and this
from earlier darknet marketplaces was com/3y54e3ah and “How Hydra, a Russian whole supply and demand reality that we
its advanced infrastructure and focus on dark net market, made more than $1 bil- live in, this comes with go-to-market com-
user-friendly experiences. The creators of lion in 2020,” by Tim Starks, Cyberscoop, petition, it comes with the need for brand
Hydra followed brand and reputation man- May 25, 2021, tinyurl.com/theaxrjc.) recognition and innovation and partner-
agement fundamentals to grow their Attracted by the potential for signifi- ships and quality assurance, the types of
business, taking a “business cant earnings and a large, ready-made cus- goods and services offered on darknet
first” approach to tomer base, sellers were drawn to Hydra in customer service.” (See “Examining The
their dark droves. And business boomed, with
deal- transaction volumes

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 15

 FRAUD FOR SALE

Crypto Dark Web And Cyber Underground: intelligence, FaaS can now provide tools “The foremost issue is the pervasive
Podcast Ep. 74,” Chainalysis, Sept. 19, 2023, to fraudsters who in the past lacked any anonymity maintained by users through
tinyurl.com/2phrc4cr.) computer know-how at all, a trend that tools like Tor, making it exceptionally
some are calling the “democratization of difficult to trace and identify individuals
Fraud as a commodity fraud.” (See “Ambitious Cybercriminals involved in illicit activities,” says Bhatia.
are Going Big with FaaS: Fraud as a Ser- “Encrypted communications further ex-
The dark web has long been a haven for
vice,” Chargeback Gurus, June 16, 2021, acerbate this problem, as intercepting
illicit activities, from drug trafficking to
tinyurl.com/35z9jz9s and “What is the de- and deciphering messages becomes an
illegal arms dealing. However, in recent
mocratization of fraud?” Security Boule- intricate task ... Investigating dark-web
years there’s been a noticeable shift in mar-
vard, Aug. 10, 2023, tinyurl.com/bdykcc4k.) platforms with advanced infrastructure
kets. While narcotics and weapons still
For Certified Fraud Examiners (CFEs), demands a high level of technical profi-
have their place, a new breed of cybercrime
this evolution presents both challenges
— Fraud-as-a-Service (FaaS) — is rapidly ciency and poses a range of formidable
and opportunities. On one hand, the ac-
gaining ground. FaaS represents a bur- challenges.”
cessibility of FaaS means a broader range
geoning sector within the dark web, where
of individuals can engage in sophisticated
cyber criminals offer ready-made tools and The commercialization of fraud
fraud without needing advanced technical
services to facilitate various fraudulent ac- skills. On the other hand, the standard- In the past, fraud was often considered the
tivities. Much like legitimate Software-as- ized nature of these services can offer work of lone wolves or small groups oper-
a-Service (SaaS) models, FaaS provides cus- patterns and vulnerabilities that, when ating in the shadows. However, the land-
tomers with easy access to resources such recognized, can aid in detection and pre- scape has dramatically changed. Today,
as phishing kits, credit card cloning soft- vention of fraud. As FaaS continues to fraud has become a highly commercialized
ware and ransomware deployment tools, grow, it’s imperative for fraud examiners industry, complete with customer service,
often accompanied by customer support to stay abreast of these services, adapting marketing strategies and even subscrip-
a d regular
and l updates.
d t Th The rise
i off F
FaaSS on the
th th investigative techniques
their h to the
h ever- t
tion models.
dels.
d k web
dark b underscores
d the
h commercializa-
l evolving
l llandscape
d of cyberfraud.
b d. Th business-like operations of dark-
The
t
tion of cybercrime, with fraud now being g “Investigating
g g dark-web platforms web b marketplaces
rketplaces have led to a level of
packagedg and sold as standardized ser-- that
h employ l advanced
d d infrastructure pres-- p onalism among fraudsters that
professionalism
vices.
ces And d combined
co b ed with t newe technolo-
tec o o- ents severall daunting
d technical
h l challeng-
h ll - p
parallels s legitimate industries. There’s
g
gies, suchh as artificiall es,” Ritesh h Bhatia,
h CFE, cybercrime
b and
d h
a hierarchychy and specialization within
f
forensics investigator and d founder
d off h
these llicit organizations, with roles
illicit
V
V4WEB Cybersecurity,
y y tells F
Fraud
aud r
ranging from developers and hackers to
Magazine.
i e. c
customer er service representatives, each
a
aimed d att maximizing the efficiency and
profitability
ility of their fraudulent endeav-
o And
ors. d like any job market, there are
p
postingsgs for a wide range of positions
for cyber
b r criminals seeking individuals
The business-like operations of with difffferent
erent skill sets. (See “Exploring

dark-web marketplaces have

led to a level of professionalism
among fraudsters that parallels
legitimate industries.

16 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

the Dark Web Job Market,” SOCRadar, June 28, 2023, otherwise treacher-
tinyurl.com/mpcwd3b7.) ous dark-web market-
The commercialization of fraud is further showcased in places. The assurance of
the marketing strategies employed by dark-web vendors. Using quality often accompanies
tactics such as search engine optimization (SEO), digital adver- a recognized brand, where ven-
tising, and even social media marketing to promote their illicit dors are perceived to offer superior
services, these fraudsters are able to attract a broader customer or more reliable products and services.
base and present a façade of legitimacy. This level of marketing Whether selling illicit drugs or fraudulent
sophistication is indicative of a mature, organized industry. (See services, maintaining a level of quality and cus-
“The Digital Economy of Disinformation on the Darknet: Control- tomer satisfaction is paramount for these vendors to uphold
ling the Narrative,” DarkOwl, tinyurl.com/3vzayx2b.) their brand reputation. (“What is the dark web? How to access
In a bid to ensure steady revenue streams, some fraudsters it and what you’ll find,” by Darren Guccione, CSO, July 1, 2021,
have adopted subscription models for their services. Much like tinyurl.com/2k4et7dj.)
Software-as-a-Service (SaaS) models, these subscription-based To truly grasp the significance of these branding efforts,
fraud services provide continuous access to tools, data or plat- one must understand the competitive
competiti landscape
l these dark-web
ark-web
forms necessary for conducting various types of fraud. This model
also provides fraudsters with a more predictable income, enabling
them to further invest in and expand their operations. (See
(S “Mal-
ware For Sale: Analyzing Malware-as-a-Service On Dark Da Web
Markets,” BrightTALK, June 8, 2023, tinyurl.com/v4zf6hy7
tinyurl.com/v4zf6h and
“Cybercrime black markets: Dark web services and their prices,”
p
by Matías Porolli, Jan. 31, 2019, tinyurl.com/mwcy3msc.)

Bringing branding to the dark web

Brand recognition is also important for fraudsters. When you
make a purchase online, say from Amazon, you rarely doubt do
that you’ll get your item. Sure, things get lost in the mail,
but they have processes in place to try to mitigate that, and
if all else fails, they refund you, and you just place a new
order. This comfort comes partly from brand recognition
(along with protections we have due to agencies like the U.S.
Federal Trade Commission). You know you’ll get your package
because it’s Amazon — of course you’ll get it. It isn’t a great leap
for dark-web consumers to be worried that the scammers will
scam them. So, they also rely on brand recognition of their own.
Much like mainstream e-commerce platforms, dark-web market-
places have developed their own systems of vendor verification,
albeit unofficial. Forums and review platforms exist where users
vet and verify different vendors, akin to customer reviews on
clear-web marketplaces. This peer-based vetting process helps
build a reputation for vendors, which is crucial for attracting and
retaining customers. (See “Dark Web Vendors: Who They Are and
Who They Serve,” ZeroFox, Jan. 21, 2022, tinyurl.com/mr2babvc.)
In a realm filled with scammers ready to exploit the un-
informed, a recognized brand serves as a beacon of relativ relative
trustworthiness. This allure of familiarity in the unknown is a
psychological tether, offering a semblance of assurance in the

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 17

 FRAUD FOR SALE

vendors operate in. Their primary compe- (See “Criminal

tition? Street dealers, who rely on personal enterprise flaunts
networks and word-of-mouth. Such deal- AI in creepy ‘fraud-
ers seldom face direct comparisons, and for-hire’ commercial
given the challenges in finding alterna- meant for dark web,” by Chris
tives, their clientele often tolerate subpar Eberhart, Fox News, Sept. 5, 2023,
experiences. Against this backdrop, a dark- tinyurl.com/5beeuvej.)
web vendor with a plethora of positive re- With the growth of their opera-
acts of deception;
views and comprehensive safety assurance tions, many fraudsters have recognized
they’re system-
becomes an incredibly enticing option. the need for better customer relations,
atic and method-
(See “Class of 2017: The students turning leading to the establishment of customer
ical. For the trained
to the Dark Web for their drug fix,” by service channels. Yet while they see this
eyes of CFEs, these
Alec Fullerton, Independent, Feb. 14, 2017, as a means to build trust, for CFEs, it’s a
patterns provide valuable
tinyurl.com/3h2ctxcs.) potential goldmine of information, an op-
insights, offering avenues
Furthermore, to stand out and attract portunity to gather intelligence directly
to trace and understand the
a larger clientele, some of these operators from the source.
underlying operations.
have ventured into promotional activities,
Each of these actions offers
engaging in outreach or soliciting feed- Leaving clues for fraud examiners
clues and data points. For CFEs, these
back. Some groups have even taken to The commitment to branding can some- are crucial pieces of a larger puzzle, pro-
creating commercials for their offerings. times border on the absurd, and in turn viding insights into the operations and
David Maimon, criminologist and profes- help law enforcement nab criminals hiding potential vulnerabilities of fraudsters. As
sor at Georgia State University, unearthed behind the encrypted dark web. Take the these operators delve deeper into struc-
last year a video from Mega Darknet Mar- case of Ryan Burchard, for instance. In a tured business practices, they inevitably
ket, a dark-web organization and market- move that blurred the lines between au- leave behind more clues as to where their
place. Mega Darknet Market released the dacity and oversight, Burchard registered marketplaces are hosted, who they may
video with members clad in black suits the trademark for his dark-web drug ven- be and how their services are performed.
and skull masks obscuring their faces. The ture, “Cali Connect,” using his real name. Decoding the psychology of dark-web con-
video focuses on one character, known When authorities descended upon his sumers and understanding the dynamics
as “Sanchez,” who speaks to the camera residence, they discovered merchandise of brand recognition could unlock new
with their voice modulated. “We started emblazoned with his brand. (See “Pro- investigative pathways. By studying how
with my partner four years ago; now we are Tip: If You’re a Suspected Dark Web Drug trust is built and leveraged in the dark
30 people in one office.” They brag about Dealer, Don’t Trademark Your #Brand,” web, CFEs can devise novel strategies to
the scale of their business while looking by Joseph Cox, Vice, March 30, 2016, unmask fraudulent operators hiding be-
down at the camera filming from a grave. tinyurl.com/57f9fvny.) hind the veil of anonymity. This deeper in-
Sanchez walks with the cameraman, ex- Indeed, as fraudsters who once oper- sight into the human element of dark-web
plaining how they and their team had to ated as isolated entities now embrace more transactions can be a crucial asset in law
take a break as they had worked for a year traditional business models that require enforcement’s relentless pursuit to unravel
straight and needed time off. Sanchez as- an open engagement with their customers, and dismantle illicit online marketplaces.
sured his viewers and potential customers there are greater opportunities for law en- The dark web, despite its nefarious nature,
that an “update” with aged Chase bank forcement and fraud examiners to gather holds a mirror to the clear web, especially
accounts will be available in the coming evidence about their criminal activities. in the realm of consumer behavior and
weeks. These bank accounts are com- In the bustling dark-web market- brand trust. This reflection offers a vantage
monly used as mule accounts for money places, as these illicit operators refine point that, if studied closely, could provide
laundering, spending the funds available their methods, they inadvertently estab- a wealth of knowledge in combating fraud
in the account and converting currency. lish patterns. These aren’t mere random and cybercrime in the digital age.

18 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 “They are unassuming the other hand, it sows the seeds of overconfidence, which can
eventually lead to their downfall.

nerds in their day-to-day The surge in illicit transactions on the dark web hasn’t gone
unnoticed by global authorities. In response, nations are bolster-
lives, but on the dark web, ing their domestic law enforcement capabilities to counteract
these cyber threats. A prime example is the FBI, which has refined
this secret digital world, its tactics to pierce the veil of anonymity that the dark web offers.
One of its notable strategies involves infiltrating the Tor network
they are living lives as by setting up nodes through which web traffic is directed. This
allows the FBI to unveil the identities and locations of certain
kingpins and crime lords concealed Tor-based sites. (See “The Truth About The Dark Web,”
by Aditi Kumar and Eric Rosenbach, International Monetary
and, in some cases, the Fund, September 2019, tinyurl.com/4mta7pcf and “The Dark Web

masterminds of vast Browser: What Is Tor, Is It Safe, and How to Use It,” by Deepan
Ghimiray, Avast, Aug. 4, 2022, tinyurl.com/34antn4p.)
networks of child abuse A landmark moment in this battle against dark-web crimi-
nality was the FBI’s dismantling of “Silk Road,” one of the first
and terrible things like that.” dark-web marketplaces, and its short-lived successor “Silk Road
2.0.” This notorious marketplace became a hub for thousands of
ANDY GREENBERG illegal vendors, peddling vast quantities of illicit drugs and other
prohibited goods to clientele exceeding 100,000. The platform not
The illusion of anonymity only facilitated these transactions but also played a pivotal role in
laundering vast sums, with sales exceeding 9.5 million in bitcoin
and its impact
— equivalent to roughly $1.2 billion at that time. (See “The FBI’s
Behind the cloak of the Tor browser and what was thought to be Plan For The Millions Worth Of Bitcoins Seized From Silk Road,”
untraceable cryptocurrency transactions, dark-web sellers have by Kashmir Hill, Forbes, Oct. 4, 2013, tinyurl.com/2ab7st5e.)
been emboldened to engage in audacious acts of cyberfraud with Filings in 2014 during the trial of Silk Road’s founder Ross Ul-
apparent impunity. The psychology behind this brazenness is bricht, who worked under the pseudonym “Dread Pirate Roberts,”
rooted in the dissociation between actions and consequences. The revealed that the FBI located the platform’s server by playing with
digital realm provides a buffer, distancing perpetrators from their the website’s login page. The agency found its internet protocol
victims and the repercussions of their actions. This detachment (IP) address and the server’s location by typing in “miscellaneous”
often desensitizes them to the moral and ethical implications of characters, according to a Wired magazine report. Ulbricht argued
their deeds, enabling them to rationalize their criminal activities that the FBI had used illegal means, suggesting the National
as merely exploiting the system. Security Agency helped law enforcement. (See “The FBI Finally
“They are people who live double lives,” Andy Greenberg, a Says How It ‘Legally’ Pinpointed Silk Road’s Server,” by Andy
Wired reporter who covers cybercrime, told Fraud Magazine last Greenberg, Wired, Sept. 5, 2014, tinyurl.com/2hxkws3m.)
year. “They are unassuming nerds in their day-to-day lives, but While the FBI and other law enforcement officials have
on the dark web, this secret digital world, they are living lives as been reluctant to reveal all the investigative techniques
kingpins and crime lords and, in some cases, the masterminds they have used in such cases, some old-fashioned
of vast networks of child abuse and terrible things like that.” policing and human error
(See “Sleuths on the cyber trail,” by Paul Kilby, Fraud Magazine, were certainly involved.
March/April 2023, tinyurl.com/4yad3b8m.) For instance, in
Yet this illusion of anonymity is a double-edged sword. On the case of
one hand, it facilitates a thriving marketplace for illegal activities,
from selling stolen financial data to
offering hacking services. On

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 19

 FRAUD FOR SALE

Silk Road 2.0, which emerged after Ul- German police dismantled Russian dark- enforcement. Where do you aim when the
bricht’s arrest, it was an undercover net site,” by Joe Tidy, BBC, April 6, 2022, rats have scattered?
agent who helped uncover the fraud. tinyurl.com/3s5rk2zf.) Maimon analyzes the reconstruction
Once the FBI found the server, they no- And yet, much like the Greek myth of of market networks that displace dark-web
ticed emails were sent to a particular Hydra — the nine-headed water serpent platforms taken down by law enforcement.
Gmail account. The FBI then subpoenaed whose one decapitated head became two And his “findings reveal a highly inter-
Google for the user’s account and found — while law enforcement struck down the connected ecosystem created by vendors’
it was registered to Blake Benthall, who dark-web marketplace of the same name, mobility across digital marketplaces, with
was later convicted for running the site. new ones are likely to emerge or take its nearly all markets being directly or indi-
(See “Silk Road 2.0 Agent Within: How place. After all, there are many such sites, rectly linked,” he tells Fraud Magazine.
The FBI Infiltrated Illegal Drug Website whose administrators are all too happy “Importantly, these network char-
and Shut it Down,” by Alistair Charl- to wel- come Hy- acteristics remain robust even in the af-
ton, International Business Times, Nov. termath of a law enforcement operation,
7, 2014, tinyurl.com/8vnnc9yw; “Key as prior vendor flows can predict sub-
Player in ‘Silk Road 2.0’ Sentenced to sequent vendor movement following
Eight Years in Prison,” United States interdiction.”
Attorney’s Office, June 3, 2016, The need to Even so, law enforcement has
tinyurl.com/y8pc89wc; and had considerable success in tak-
“How the FBI busted Silk Road navigate data privacy ing down these dark-web mar-
2.0 before it even launched,” ketplaces. Following Silk Road
by Kevin Collier, daily dot,
laws and address the 2.0’s demise, two major dark
web marketplaces, AlphaBay
updated May 30, 2021,
tinyurl.com/ycxyz8y5.)
challenge of securing and Hansa, rose to promi-
It’s a similar story with evidence without nence but met a similar fate
in 2017, further underscoring
Hydra, whose downfall
began with a simple tipoff compromising privacy the relentless pursuit of law
enforcement agencies. (See
suggesting its infrastructure
might be located in Germany. further complicates “Justice Department Takes
German authorities, with in- Down AlphaBay ‘Dark Web’
sights from U.S. officials monitor- investigations. Marketplace,” by Tim Ryan, Court-
ing darknet activities, embarked on house News Service, July 20, 2017,
tinyurl.com/3rfcurwn.)
a meticulous investigation starting in
mid-2021. After several months, they pin-
pointed a “bulletproof hosting” company dra’s cus- Tracing cryptocurrencies
in Germany that was hosting Hydra. Such tomer base. A quick Google search That success came in no small measure
measu e
companies are known for their reluctance reveals all sorts of dark-web market- from a group of law enforcement offi-
to cooperate with police requests and for places that specialize in a whole range cials, academics and technologists, who
not auditing the content they host. [See of illicit products and services. (See “The in recent years busted the myth that h
“BulletProof (DMCA ignored) hosting,” unseemly world of Darkweb marketplac- bitcoin was untraceable and showed,
showe in
Hostings.info, tinyurl.com/3rmcp5j2.] es,” by Ryan Francis, CSO, Jan. 17, 2017, fact, that bitcoin movements could
coul be
Armed with this evidence, German inves- tinyurl.com/2fhc7cxa.) The power vacuum traced across the internet. The allure of
o
tigators secured permission from a judge that existed after Hydra’s fall facilitated the cryptocurrencies for dark-web opera-
oper
to approach the server company and is- promotion of low-lying criminals eager tors largely stemmed from their
sue a takedown notice. Prior to Hydra’s to take advantage of the lack of a central- perceived anonymity and untrace-
closing, several other dark-web sites had ized market. While criminals compete to ability. However, this veil of ano-
closed down either voluntarily or because be the next “big thing,” they also benefit nymity is not as impenetrable as it
of police investigations. (See “Hydra: How from the overextended purview of law may seem. As blockchain technology

20 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

underpins most cryptocurrencies, every compromising privacy further complicates fraudsters adopt more sophisticated eva-
transaction leaves a digital footprint on a investigations.” sion techniques, CFEs must stay updated
public ledger. (See “Tracers in the Dark,” by In the realm of cybersecurity policies, with the latest in cybersecurity and digital
Andy Greenberg, Penguin Random House, nations often find themselves entwined forensics. There’s a growing need for col-
tinyurl.com/38f5vpb2 and “Investigate in a complex web of jurisdictional dilem- laboration with cybersecurity experts, data
This” column on page 8.) mas and international cooperation. Hydra, scientists and even behavioral psycholo-
Recent successful law enforcement while primarily serving Russian-speaking
gists to understand and predict cyber-
operations have demonstrated the effec- consumers, was dismantled by German
criminal behavior. Training in emerging
tiveness of cryptocurrency tracing in com- officials, underscoring the international
technologies, such as quantum computing
bating dark-web fraud. For instance, in the character of dark-web operations and the
and advanced encryption, will also be cru-
takedowns of dark-web marketplaces like consequent necessity for global collabora-
cial as these technologies become more
AlphaBay and Galaxie, blockchain analysis tion in regulatory efforts.
But how does one regulate an entity prevalent in cybercrime.
played a crucial role in tracing the funds
that thrives on anonymity and operates be- The proliferation of dark-web market-
back to the operators, thereby establishing
yond conventional legal boundaries? The places like Hydra and the rise of the FaaS
a vital link between the illicit marketplace
operations and the individuals running answer may lie in a unified, international model signify a new epoch in the realm of
them. However, the cat-and-mouse game approach to cybersecurity policy. A global cybercrime — an era marked by the com-
continues as dark-web operators explore framework that harmonizes legal defini- mercialization of fraud and a business-like
new cryptocurrencies with enhanced pri- tions, establishes cooperative enforcement approach to illicit activities. The sinister
vacy features and employ mixing services mechanisms and facilitates information genius of these dark realms lies in their
to obfuscate their transaction trails. This sharing could potentially disrupt the seem- ability to mimic legitimate marketplaces,
evolving landscape demands continual ingly invulnerable operations of dark-web offering customer-centric services, build-
adaptation and innovation from CFEs and marketplaces. ing brand trust and ensuring a seamless
blockchain analysis platforms. “Governments and regulatory bod-
user experience. This evolution not only
ies can play a significant role in setting
amplifies the threat landscape but also
standards for cybersecurity and privacy,
Taming the beast challenges traditional law enforcement
mandating security measures and penal-
Navigating the shadowy corridors of the methodologies.
izing noncompliance,” Bhatia adds. “These
dark web, one can’t help but consider the The disquieting growth of the dark
frameworks create a strong deterrent
regulatory mechanisms that could poten- against misuse.” web underlines an urgent call for a robust,
tially tether this wild, digital frontier. The Moreover, the role of cryptocurrency global response. The international char-
dark web, with its notorious reputation for in facilitating dark-web transactions can- acter of dark-web operations, as evinced
harboring cyber criminals, necessitates a not be understated. Regulatory bodies by the takedown of Hydra by German
robust global regulatory framework to
robust, worldwide grapple with the dichotomy officials, accentuates the necessity for a
mitigate its multifaceted
l d threats.
h The
h chal-
h l of embracing blockchain technology and unified, cross-border approach to cyber-
l
lenge, however,
h llies in the
h very essence off mitigating its misuse. Striking a balance security policy. The boundless, border-
th internet itself
the l — its b boundless,
dl b
border-
d - between fostering innovation and pre- less nature of the internet demands a
less
ess nature.
atu e. venting illicit financial flows demands a harmonized legal framework, cooperative
“
“Jurisdictional
d l complexities
l come nuanced, informed approach to cryptocur- enforcement mechanisms and a shared
into play as these servers can be scattered rency regulation that many lawmakers ethos of global cybersecurity to effectively
across multiple
l l jurisdictions,
d eachh with
h lack.
combat the burgeoning threat of dark-web
varying g levels of cooperation with inter-- The ACFE was founded based on the
criminality. ■ FM
national law enforcement,” says Bhatia. need to bridge the gap between law en-
“ h need
“The d to navigate d data forcement and accounting, and our pur-
p
privacy y laws and address view must continue to expand as cyber Rihonna Scoggins is the content man-
the
h challenge
h ll of secur- criminals delve into deeper and more com- ager at the ACFE. Contact her at
ing evidence without plex operations and tactics to defraud. As [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 21

 SAVE THE DATE
June 23-28, 2024 | Las Vegas, NV and Virtual

VISIT
FRAUDCONFERENCE.COM
TO REGISTER
 REGISTER EARLY AND SAVE
26-27 FEBRUARY 2024 | ABU DHABI

Learn more at FraudConference.com/MiddleEast.

REGISTER EARLY AND SAVE

March 8, 2024
Washington, D.C. and Virtual

Learn more at FraudConference.com/WomensSummit.

WHAT’S
W T S THAT
A
S L?
SMELL?
Perfume and
Perf
fragrance
frag
counterfeiting
cou f g
poses
pos a real
threat to
consumers
consu e s
By Donn
Do LeVie Jr., CFE
CE
 Commercial fragrances and perfumes are big business, and the
multibillion-dollar industry attracts its fair share of dodgy practices
and outright fraudulent activity. Here we look at the difference
between knockoffs and counterfeit products, and why the big
perfume houses have such difficulty protecting their brands.


n the 1990s, a Belgian fragrance manufacturer called Bellure substance.” The Dutch courts regarded the Lancôme fragrance
began producing replica fragrances of several perfumes as a copyrighted work under the law. (See “Perfume makers are
made by French cosmetic giant L’Oreal. The idea was to sell fighting back against an illegal fake scent boom,” by Carly Page,
fragrances that smelled like some of L’Oreal’s top brands Wired.co.uk, Nov. 23, 2020, tinyurl.com/msfy9x8y.)
to consumers who lacked the funds to buy the more luxurious And in 2020, Gucci and other luxury perfumers won a copy-
French names. Bellure marketed the perfumes in supermarkets right infringement case against Spanish company Equivalenza
and discount stores. The company even said they were imitations using results from gas chromatography analysis. Equivalenza
of L’Oreal perfumes and used similar packaging. was found guilty of illegal copying of original perfume, unfair
Unsurprisingly this didn’t sit well with L’Oreal. After all, competition and business reputation abuse for peddling Gucci
while Bellure was upfront about what it was doing, its actions knock-off fragrances. (See tinyurl.com/msfy9x8y.)
virtually replicated what the FBI describes as indicators of coun- Despite those legal victories, copyright protection for fra-
terfeits, such as using similar packaging to the authentic product
grances remains a bit of a gray area and has been dealt with on
and selling it at markedly lower prices at discount stores. In 2003,
a case-by-case and country-by-country basis. Indeed, fragrance
L’Oreal sued Bellure over trademark infringement and won the
manufacturers’ battles to protect their products underscore the
case in the European Court of Justice on the basis that Bellure had
complications of distinguishing between legitimate knockoffs
been “free riding” on L’Oreal’s prestigious trademark. That deci-
and outright fakes. (See “Inside the Complex World of Fragrance
sion was upheld by a U.K. court, though the judge expressed the
Dupes,” by Emily Jensen, allure, March 1, 2023, tinyurl.com/mr3f-
view that “countries with a healthy attitude to competition law
nthe; “Lost and Found: Intellectual Property of the Fragrance
such as the U.S., would not keep a perfectly lawful product off the
Industry; From Trade Secret to Trade Dress,” by Charles Cronin,
market by the use of trademark law to suppress truthful advertis-
NYU Journal of Intellectual Property & Entertainment Law, Feb.
ing.” (See “Perfume makers are fighting back against an illegal
2, 2016, tinyurl.com/5bepdz58; and “Perfume as an Artistic Ex-
fake scent boom,” Wired, Nov. 23, 2020, tinyurl.com/4rns37vp;
“Counterfeit Cosmetics, Fragrances Hazardous to Your Health,” pression: Scope of Intellectual Property Rights in Perfume,” by
FBI, Jan. 2, 2014, tinyurl.com/3dvhvvmx; and “L’Oreal’s Success Yashika Nagpal, Fashion & Law Journal, Oct. 3, 2021, tinyurl.
in Extending Protection for European Community Trademarks is com/bdejnn8z.)
Reluctantly Acknowledged by English Court,” by Hamish Porter, Against that backdrop, fraudsters see opportunities galore
Venable LLP, July 2010, tinyurl.com/36pt43ub.) in what is now a multibillion-dollar industry, sometimes with
L’Oreal’s success in protecting its brand from fakes contin- potentially lethal results. Counterfeit perfumes are regularly be-
ued. Its Lancôme subsidiary successfully proved in 2008 that ing seized at airports across the globe, with authorities warning
Dutch-based Kecofa had infringed on one of its fragrances by that they may even contain poisons or carcinogens. (See “Fears
using gas chromatography, a chemical method that separates fake designer perfume could contain cyanide and human urine,”
substances into individual components. The results showed that by Tom Sanders, Metro, Dec. 16, 2022, tinyurl.com/5n7a3t9y and
the Kecofa smell-alike product used 24 of 26 ingredients found in “Arrest made as fake cosmetics, perfumes seized in Hong Kong,”
the Lancôme fragrance, and therefore was classified as a “fixed by Phil Taylor, Securing Industry, tinyurl.com/46tnm4j6.)

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 25

 WHAT’S THAT SMELL?

Perfume’s long history Psychology of scent and consumer behavior

The fascinating history of perfume use dates back at least 4,000 Fragrances and perfumes aren’t marketed to our noses — it’s our
years, from the alluring scents discovered in ancient Egypt to brain that’s the ultimate target of fragrance chemistry via the
the luxurious fragrances in the Roman Empire, Mesopotamia, olfactory receptors in the nose.
ancient China and the Persian Empire. Besides being used for A variety of scents, including perfume, stimulates the body’s
personal hygiene and cleanliness, perfumes also held immense limbic system, which is responsible for processing feelings, emo-
ceremonial value — especially burials — and symbolized nobility tions and memory. Recent research indicates that smell can in-
and wealth. It wasn’t until the early 16th century that perfume fluence as much as 75% of our daily moods. (See “Future sense:
and other fragrances became a fashion accessory that spread Defining brands through scent,” by Stephen Bell and Coley Porter
rapidly through Europe. Bell, Market Leader: Journal of the Marketing Society, Autumn
Fast forward to 2023: The global perfume and fragrance 2007, tinyurl.com/2tywnvzp.) Consequently, it’s not surprising
market has global annual revenues at around $53.44 billion that perfume is used increasingly to regulate emotions and uplift
and is expected to grow to $67.4 billion by 2028, according to one’s mood.
Statista. (See tinyurl.com/3ms54fjd.) Price points for perfumes The sense of smell is often the first warning of safety or dan-
and fragrances are as numerous as the variety of scents. You can ger, friend or foe. Odors can drive behavior on an instinctive and
even purchase the one-and-only bottle of Shumukh (I think it’s subconscious level while evoking both positive and negative
pronounced “sch-muck”) perfume for a mere $1.29 million. The psychological states of mind and reactions in milliseconds. The
bottle, a symbol of the United Arab Emirates’ rich heritage, is intensity of Proustian memories — which are memories evoked
carefully encased in genuine leather. It boasts silver clamshells by various scents, as French novelist Marcel Proust famously
cradling real pearls, roses crafted from pink gold and diamond described in his book “À la recherche du temps perdu” — varies
dust, and marble pillars adorned with a falcon sparkling with with individuals. However, memories evoked by a product’s fra-
diamonds. These unique fragrances are also potential magnets grance are also the prime driving forces in motivating consumer
for fraudsters. Although the charges were dropped, one fashion behavior. (See “Proustian Products are Preferred: The Relationship
designer recently was accused of fraud when he said he owned a Between Odor-Evoked Memory and Product Evaluation,” by Ha-
44 million pound perfume made by the singer Michael Jackson. ruko Sugiyama, Akiko Oshida, et. al., Chemosensory Perception,
(See “The 15 Most Expensive Perfumes of All Time,” by Leanna June 3, 2015, tinyurl.com/4az7d6a3.)
Serras, FragranceX.com, Nov. 12, 2021, tinyurl.com/387zhmnz and Generally, the more vivid the memories that a fragrance trig-
“Fashion designer, 50, ‘claimed to own £44million perfume made gers, the greater the odds that someone will purchase a product
by Michael Jackson and said he had agreed £48m deal over 200 with that fragrance. Nostalgia is a strong psychological element in
Ghost bags with the Brunei royal family’, court hears,” by Shari fragrance marketing by the major perfume houses. They conduct
extensive consumer research on how their fragrances can trigger
Miller, The Daily Mail, March 15, 2023, tinyurl.com/38ejub5z.)
a memory of a past experience. It’s about capturing the positive,
Things have come a long way from the days when everyone’s
wistful, even longing sentiments people pine for in a scent and
grandmother wore Jean Naté. (Jean Naté body powder was discon-
packaging it in a bottle. There’s even a perfume called Nostalgia.
tinued due to allegations that it contained talcum contaminated
with asbestos, a known cause of mesothelioma). It’s no surprise
that the luxury perfume market — valued at $2.397 billion in ‘Puttin’ on the Ritz’ at home
2021 — is expected to grow to $5.4 billion by 2027, representing Luxury hotel chains are now experimenting with how fragrance
a growth of 14.5% over this period. (See “Luxury Niche Perfume influences consumer behavior. “Scent branding” involves hotels
Market Size, Share, Growth, and Industry Analysis by Type, By pumping their signature scents into rooms and lobbies to create
Application, Regional Forecast By 2031,” BusinessResearchIn- the connection between the experience and a particular fragrance.
sights.com, Nov. 6, 2023, tinyurl.com/38jmhye4.) Some of those hotel chains are offering those branded scents for
So why are people spending so much money to smell good? consumers to purchase so they can recreate the luxurious scent

26 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

experience in their own homes. (See “Inside the Invisible but Influ- Perhaps perfumers should rethink “eau de toilette” as a
ential World of Scent Branding,” by Laurence Minsky, Colleen Fa- name for a class of fragrances.
hey, and Caroline Fabrigas, Harvard Business Review, April 11, 2018,
tinyurl.com/58hxnsdc.) Scent notes
A legitimate fragrance or perfume consists of three types of

What’s really in that perfume bottle? “notes” (classes of fragrant elements) that contribute to the
overall essence of the scent. Top notes contribute to the initial
Besides herbs, spices, florals and citrus elements used in fra-
scent upon opening a perfume or cologne bottle and linger for
grances, non-fragrance companies produce perfume and cos-
about 15 seconds. Middle notes are the secondary fragrances that
metic ingredients, especially base chemicals (oils and alcohols)
begin to dominate after the top notes dissipate. Bottom notes are
called “feedstocks” and common chemical “intermediaries.” For
scents that dominate after the middle notes have settled down
example, pulp and paper mills may provide chemical byproducts
and last from four to six hours. (See “Fragrance Buying Guide,”
called turpenoids that are used in fragrances, while petrochemi-
Costco.com, tinyurl.com/2bvh2xcw.)
cal companies might generate small quantities of phenylethanol
Why are fragrance notes important? A telltale signal of a
for use in perfumes as well. (See “The Chemistry of Fragrances:
counterfeit fragrance is how quickly the initial scent dissipates
From Perfumer to Consumer,” compiled by David H. Pybus and
without any follow-on trace because the bogus perfume lacks
Charles S. Sell, Royal Society of Chemistry Paperbacks, 1999,
the essential middle and bottom notes characteristic of legiti-
tinyurl.com/mrxmfwzz.)
mate fragrances.
People purchasing counterfeit fragrances and cosmetics
just to save money are gambling with their health and well-
being. Counterfeit health and beauty products often include Are ‘smell-alike’ fragrances illegal?
dangerous chemicals that cause acne, eczema and cancer when Companies that develop less expensive knock-off fragrances
absorbed through the skin. Bacteria, lead, beryllium, DEHP rely heavily on consumers’ familiarity with a reputable brand.
(a suspected human carcinogen), antifreeze — and urine — They claim that they offer an almost identical product, albeit
are other identified contaminants. (See “Fake Cosmetics and without the costly packaging, advertising and marketing. As the
Their Health Risks,” New York Department of State, dos.ny.gov, introductory cases showed, large perfume houses have struggled
tinyurl.com/dhu7enhw.) to protect their creations from knockoffs. The U.S. legal system

Companies that develop less

expensive knock-off
fragrances rely heavily on
consumers’ familiarity with a
reputable brand.

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 27

is arguably more tolerant of smell-alike brands so long as they
clearly state a disclaimer separating them from the name brand.
There have been exceptions, however. For example, in 2017, Coty,
a high-end fragrance company, sued in U.S. courts Excell Brands,
which sold nearly identical-looking products labeled in small
text saying “our version of” various Coty fragrances. Coty won
the case on trademark infringement, false advertising and unfair
competition. However, copyright of fragrances (as opposed to
trademark protections) is tougher to secure and enforce, as legal
systems in many countries such as France don’t think perfumes
are eligible for copyright protection. (See “Smellalikes, Dupes,
and Clones — Trademark Infringement and Trade Dress [Part 1,
maybe],” by The Perfume Baby, June 18, 2019, tinyurl.com/ytz-
rr4m2; “Coty Inc. v. Excell Brands, LLC,” Casetext, Sept. 18, 2017,
tinyurl.com/ye25jeh7; and “Perfumes and fragrances: legal protec-
tion,” Anna Realmuto, Arlaw, Oct. 3, 2019, tinyurl.com/yc4t5kc7.)
Counterfeit perfumes differ from knockoffs in one major
aspect: Bogus perfumes explicitly mislead consumers with pack-
aging (and pitches from con artists) that falsely assert they’re the
original branded fragrance. Both, however, can contain subpar
ingredients and in some cases lethal ones.

The ultimate ‘killer’ fragrance

Can a fraudulent fragrance actually kill you? It can, if it’s a fake Nina
Ricci perfume bottle laced with the deadly nerve agent Novichok.
Two Russian assassins smuggled the bottle into England
that killed former Russian double agent Sergei Skripal and his
daughter, Yulia, in March 2018. Several months later, an indi-
vidual found the perfume bottle and applicator boxed up in a
charity receptacle and took it home where he tried to reattach
the applicator to the bottle. He gave the tainted perfume to his
girlfriend, who quickly fell ill and later died in a local hospital.
(See “Revealed: How ‘assassins’ faked a Nina Ricci perfume bottle
full of toxic nerve agent then ‘recklessly threw it away,’ leading to
the death of British woman,” by Charles Bayliss, DailyMail.co.uk,
Sept. 5, 2018, tinyurl.com/5n78ffs7.)

Phony products create

phony authenticity
Using counterfeit products even exacts a price with how indi-
viduals perceive themselves and how others perceive them. Even
though people buy counterfeit products to convey positive quali-
ties, research indicates that wearing counterfeit items actually
diminishes one’s sense of authenticity. Authentic fragrances
that align with our identity enhance our own self-expression
and foster genuine connections with others based on honesty

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 29

 WHAT’S THAT SMELL?

and trust. Fragrance then serves as a medium through which Soberon-Ferrer, The Journal of Consumer Affairs, March 4, 2005,
we create meaningful interactions and establish lasting impres- tinyurl.com/ybep4yx3.) That’s not to say a young, educated person
sions — something bogus fragrances consistently fail to achieve. who has a temporary lapse in cognitive discernment couldn’t fall
(See “The Counterfeit Self: The Deceptive Costs of Faking It,” by victim to a scent scam.
Francesca Gino, Michael I. Norton, and Dan Ariely, Association These bogus products make their way from global distri-
of Psychological Science, 2010, tinyurl.com/bdwczb44.) bution networks into independent discount retail locations,
The experience of wearing fake products leads to a feeling flea markets, online websites — even from street corners and
of being inauthentic, known as the counterfeit self, which plays a the trunks of cars. While appearing as petty counterfeiting, the
role in how counterfeit products affect unethical behavior due to revenue from the wholesale global distribution of counterfeit
the priming effect. Wearing counterfeit versions of high-end fra- goods often helps fund other criminal enterprises such as illegal
grances fools people into believing they possess the social status drugs, human trafficking and terrorism financing.
and wealth associated with the authentic scent. The research also No one is immune from falling victim to counterfeit scams.
reveals that people can’t accurately predict the impact counterfeit The Fraud Susceptibility Index helps explain how people fall for
products have on their ethicality, which further highlights the counterfeit products. The index uses three variables that help
deceptive nature of their costs. (See tinyurl.com/bdwczb44). determine if someone is susceptible to being conned: Paradox of
value (a person is attracted to an item with low utility value but

Consumer vulnerability high emotional value), information asymmetry (the seller knows
more about the product than the buyer), and direct/indirect dif-
Consumer susceptibility to types of fraud varies with differ-
fusion (a high likelihood of the rapid spread of “a good deal” by
ent demographics. Consumer fraud targets the elderly, the
word of mouth). (See “Fraudulent facets: shining a light through
less educated and the poor because of lower levels of cogni-
diamond fraud,” by Donn LeVie Jr., CFE, Fraud Magazine, May/
tive ability and social interaction. (See “Consumer Vulnerabil-
June 2018, tinyurl.com/4d247s6k.)
ity to Fraud: Influencing Factors,” by Jinkook Lee and Horacio

Return of the amygdala hijack

Going hand-in-hand with consumer vulnerability and scent-
induced emotions is the idea of the “amygdala hijack.” Daniel
Goleman coined the term in his book, “Emotional Intelligence:
Why It Can Matter More Than IQ,” (Bantam Books, 1995) to de-
scribe a condition where any strong positive or negative emotion
increases blood and oxygen to the almond-shaped amygdala in
the brain, which impairs the rationality function of the brain’s
prefrontal cortex.
When this happens, critical thinking, discernment and
problem-solving skills are impaired, which plays directly into
the fraudster’s game. It’s not hard to imagine an amygdala hijack
happening to someone when they’re approached by an individual
who’s offering to sell JAR Bolt of Lightning perfume (normally
about $765 per ounce) for $200, and likely not in the unique hand-
cut crystal bottle. Who can resist such a deal when for $200 you
can smell like a million bucks?

Identifying counterfeit platforms

Organizations around the world are actively investigating and
prosecuting organized counterfeit enterprises. The Office of the
United States Trade Representative (USTR) publishes the Notorious
Markets List (NML) that identifies known global counterfeiting
and piracy markets. The 2022 edition lists 40 global online plat- Holograms embedded in packaging are a challenging ob-
forms that deal in counterfeit and pirated products. Some of those stacle for counterfeiters. Their unique optical properties enable
platforms include entities known as “bulletproof ISPs” that have them to diffract light and produce lifelike three-dimensional
lenient policies counterfeiters favor. (See “2022 Review of Notori- images that can’t be replicated with scanning or photocopying.
ous Markets for Counterfeiting and Piracy,” Office of the United
Holograms are synchronized with smart platforms in order to
States Trade Representative, USTR.gov, tinyurl.com/2zybbu22.)
provide real-time authentication and management. For cos-
These markets pose a significant threat to the interests of
metics companies whose business is greatly influenced by their
U.S. intellectual property owners, workers, consumers and the
economy due to the extensive amount of intellectual property in- brand image, holograms can provide robust protection against
fringement activities that occur. Some of these identified markets counterfeit products, as well as assist in preserving brand value
are known to have a mix of both legitimate and illegal activities, and consumer trust. (See “RMG holograms the best solution for
while others openly or allegedly operate solely for engaging in detecting counterfeit cosmetics,” cosmeticsbusiness.com, Jan.
or aiding unlawful activity. 13, 2023, tinyurl.com/4c67abhy.)

Major perfumers fight back Phony scents are never a ‘good deal’
LVMH, which owns Louis Vuitton, Christian Dior, Fendi, and
What motivates individuals to buy counterfeit fragrances, cosmet-
Givenchy brands, aggressively pursues fragrance counterfeit-
ics or any other fake product? No doubt most people believe the
ers with 60 lawyers and an annual budget of $17 million. The
company developed its own in-house blockchain tool called Aura benefits of counterfeits are greater than any potential costs and
that harnesses the power of Ethereum blockchain technology thus make a rational choice. However, it’s also possible that in
and seamlessly integrates with Microsoft’s Azure services. (See their zeal for a deal, people ignore or underestimate the negative
tinyurl.com/msfy9x8y.) and potentially harmful consequences of embracing counterfeit
For analyzing complex perfume mixtures, nuclear magnetic perfumes, fragrances and cosmetics.
resonance spectroscopy (NMR) can distinguish individual com- Counterfeiters, like all consumer con artists, bank on the
ponents in a single analysis. Since 2018, NMR technology has emotional, financial and/or cognitive vulnerabilities that plague
helped companies differentiate between authentic and coun-
many people. Their well-crafted tales can catch many off guard,
terfeit perfumes. (See “NMR provides effective discrimination
as our natural instinct is to trust others while giving way to un-
of counterfeit perfumes,” Bruker.com, tinyurl.com/4vtns3az.)
checked emotions, beliefs and gullibility. Our brains are wired
to be drawn to captivating stories, and these smooth-talking
Proactive product protection measures scammers skillfully create narratives that tap into deep desires
Pursuing copyright and trademark infringement of fragrances
and aspirations. It can be too tempting for some people to want
and perfumes is costly as an after-the-fact approach for luxury
a “discounted” designer or celebrity perfume, while paying little
consumer companies today. Many are now embracing edgy tech-
nology applications to protect their intellectual property and heed to the dangers to their physical health and emotional well-
products. being. ■ FM
Cosmetics company Mixer uses radio Frequency Identifica-
tion tags (RFID) technology to obtain digital information from a Donn LeVie Jr., CFE, is a staff writer for Fraud Magazine and
product and distinguish it based on its distinct digital identifier,
has presented and served as a career strategist at ACFE Global
which is stored in an embedded RFID tag within the product.
Fraud Conferences since 2012. Now retired, though speak-
Unlike barcodes that rely on images, RFID uses radio waves to
ing at ACFE conferences occasionally, he has led people and
connect with microchips. This advanced system lets brands ef-
fortlessly keep tabs on their products at every step of the supply programs for Fortune 100 companies, the U.S. federal govern-
chain, with detailed data and improved inventory control. (See ment, and academia for more than 30 years prior to his becom-
“Helping Mixer to digitalize the cosmetics market with RFID ing a leadership influence strategist, award-winning author
technology,” Checkpointsystems.com, tinyurl.com/3wnw4xfz.) and speaker. Contact him at [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 31

TAKE A STAND AGAINST FRAUD
If your agency is looking to improve
its anti-fraud initiatives, I encourage
you to join the ACFE Law Enforcement
and Government Alliance (LEGA).
LEGA provides anti-fraud training,
resources, and other benefits to U.S.
and international agencies keen on
taking a stance against fraud. It gives
you the edge you need to stay up to
date in an ever-evolving landscape.”

-Tom Caulfield, CFE

ACFE Regent and former Assistant Inspector
General for Investigation, Pandemic Recovery

LEGA is free to join and open to government,

law enforcement and NGO entities. Nearly 300 government
agencies and NGOs participate in LEGA and have access to a
variety of training discounts and benefits at no additional cost.

Join global agencies in the fight against fraud.

Visit ACFE.com/LEGA or email [email protected].
 The Ethics & Compliance
Programme Effectiveness Report
2023 Global Standards Edition

Why some ethics and compliance programmes

succeed in shaping their organisations’ ethical
culture and some are less impactful?
Download report

For more of LRN's insights, please visit LRN.com.

 CORRUPT CENTRAL BANK
GOVERNOR ALLEGEDLY
HELPED PUSH LEBANON’S
ECONOMY OFF THE CLIFF
By Fadi Makdessi and Rayan Mohamed, CFE

34 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 LEBANON’S ECONOMY HAS COLLAPSED, AIDED BY
CORRUPT MONETARY POLICY, EMBEZZLEMENT
AND ILLUSORY REGULATORY OVERSIGHT.
HERE’S AN ANALYSIS OF RIAD SALAMEH’S
MISMANAGEMENT OF BANQUE DU LIBAN DURING
HIS THREE DECADES AS ITS GOVERNOR.

O
n July 31, 2023, Riad Sal- estate and illegally amass a fortune. family, and his associates in appar-
ameh retired from a 30-year Interpol has issued “red notices” for ent contravention of Lebanese law,
tenure as the governor of him — requests to law enforcement Salameh contributed to Lebanon’s
Banque du Liban (BdL), the central worldwide to locate and provisionally endemic corruption and perpetuated
bank of Lebanon. Instead of a retire- arrest him. Also, at least seven Euro- the perception that elites in Lebanon
ment party and a flattering press pean authorities, including French need not abide by the same rules that
release detailing his time at BdL, 16 and German prosecutors, have cre- apply to all Lebanese people,” said
days later, Wassim Mansouri, Salam- ated arrest notices for him. Under Secretary of the U.S. Treasury
eh’s successor, froze Salameh’s bank Lebanese authorities confiscat- for Terrorism and Financial Intelli-
accounts after the U.S., Britain and ed his Lebanese and French passports gence Brian E. Nelson in August of
Canada had imposed sanctions on in May 2023 to prevent Salameh from last year.
him for “contributing to the break- fleeing Lebanon, but as of publica- (See “The world’s worst central
down of the rule of law in Lebanon” tion his whereabouts were reportedly banker retires,” The Economist, July
following decades of alleged corrup- unknown. (See “Judiciary confiscates 31, 2023, tinyurl.com/yvc92eum;
tion. The international coalition con- passports of Lebanon’s central bank “Lebanon Freezes Accounts of For-
tends that several close to Salameh chief after French arrest warrant,”
mer Central Bank Governor,” by Liz
helped him funnel $330 million in by Bassem Mroue, Associated Press,
Alderman, The New York Times, Aug.
funds from BdL through shell May 24, 2023, tinyurl.com/3wpe9zyh
16, 2023, tinyurl.com/26v7abev; and
companies to invest and “Did Salameh leave Lebanon?
“Joining Partners, U.S. Treasury Sanc-
in European His agent: ‘If you know, tell me,’”
tion Former Central Bank Governor
real Farah Mansour, Al-Modn, Sept. 23,
of Lebanon and Co-conspirators in
2023, tinyurl.com/bdkpjb3s.)
International Corruption Scheme,”
“By using his position
U.S. Department of the Treasury, Aug.
to enrich him-
10, 2023, tinyurl.com/343f9xs5.)
self, his

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 35

 CORRUPT CENTRAL BANK GOVERNOR

Collapsing Lebanese economy creditors and that hid the true nature of the
The World Bank said Lebanon has endured one risks involved. (See “Lebanon Public Finance
of the “top 3 worst economic and financial crises Review: Ponzi Finance?” World Bank Group,
since the mid-nineteenth century.” That marks a July 2022, tinyurl.com/459e833n and “In Leba-
sad decline for a country that was once touted as non, a renowned central bank governor faces
the Switzerland of the Middle East. Even during attack,” by Tom Arnold, Reuters, Nov. 15, 2019,
the 2008 global financial crisis, Lebanon drew tinyurl.com/4uz3rr8h.)
media attention for being an oasis of stability Salameh’s appointment in 1993 was unprec-
amid the global economic turmoil. And Sal- edented because unlike previous central bank
ameh took much of the credit for the country’s governors, he came from the world of finance.
economic resiliency, earning him the nickname Salameh had been an investment banker with
“the magician.” However, since 2019, Lebanon’s Merrill Lynch who’d managed the portfolio of
economy has collapsed, which resulted in the Rafic Hariri — Lebanon’s first post-civil world
Lebanese pound (lira or LBP), once pegged at prime minister and, at the time, one of the rich-
1,500 to the U.S. dollar since 1997, losing 98% est individuals in Lebanon. (See “‘The magician’:
of its value and plummeting to the current Riad Salameh and the plundering of Lebanon,”
90,000 to the dollar trade value. Annual infla- by Raya Jalabi, The Financial Times, Aug. 19,
tion has soared over 100%, averaging 171.2% 2023, tinyurl.com/4tw9u7wn.)
in 2022, and gross domestic product has con- Hariri tasked Salameh with stabilizing the
tracted by 39.9%. (See “The world’s worst central lira to attract foreign inflows from neighboring
banker retires,” The Economist, July 31, 2023, countries and Lebanese migrants abroad, which
tinyurl.com/5cjnhtfp.) was key to Hariri’s reconstruction strategy. In
Lebanon’s economic collapse has shone a 1997, the lira was formally fixed to the U.S. dollar
spotlight on how BdL, and the policies spear- (USD), so the USD became the dominant cur-
headed by Salameh, were engineered to fun- rency for bank deposits, while the lira was used
nel millions for illicit gains under the banner for public expenditure. A constant inflow of
of economic reform. [See “Lebanon Economic the USD was required to pay interest on public
Monitor: Lebanon Sinking (To the Top 3),” World debt, maintain the peg and cover the cost of
Bank Group, Spring 2021, tinyurl.com/3a4tt77b; subsidies on imports, such as fuel. This would’ve
“Explainer: Lebanon’s financial meltdown and helped create a sense of stability in post-civil war
how it happened,” by Edmund Blair, Reuters, Lebanon. However, various impediments would
June 17, 2021, tinyurl.com/3dx38ue9; “Leba- remain unresolved, including an inadequate tax
non: Normalization of Crisis is No Road to Sta- regime, inefficient public expenditures and an
bilization” World Bank Group, May 16, 2023, excessive dependency on imports, which all lead
tinyurl.com/mrx8a3p9; “Lebanon ‘immune’ to a current account deficit and a subsequently
to financial crisis,” by Natalia Antelava, BBC overvalued lira. (See “The Origin of the Crisis
News, Dec. 5, 2008, tinyurl.com/272udc38; in the Lebanese Banking Sector,” by Alain Bi-
and “Lebanon is experiencing a tourism fani, Hoover Institution, Stanford University,
boom,” by The Economist, Aug. 24, 2023, 2021, tinyurl.com/yszks92w.) This mandate
tinyurl.com/bdjphw2x.] for a constant flow of the USD to support the
currency peg was strained by regional politi-
‘Financial engineered’ cal instability in 2011, particularly the Syrian
Ponzi scheme conflict, and tumbling oil prices in 2014, which
Indeed, experts have frequently described reduced foreign currency inflows.
the country’s financial system, designed in In an attempt to staunch the outflows of
part by Salameh, as a type of Ponzi scheme vital foreign currency reserves, bolster market
that depended on fresh money to pay existing confidence and in turn maintain the currency

36 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

peg, Salameh established in 2016 what he BdL had issued some $60.82 billion in U.S. debts,” The Economist, March 12, 2020,
called “financial engineering.” Through dollar-denominated certificates of depos- tinyurl.com/43bannjv.)
a complex series of financial operations its to commercial banks, which it even-
and debt swaps, BdL effectively offered tually had to pay back. (See “Lebanon’s Money laundering and
Lebanese banks double digit returns Financial Crisis: Where Did the Money embezzlement allegations
to place dollars at BdL. (See “Part II of Go?” by Mike Azar, LCPS, April 30, 2020, As the Lebanon economy collapsed, BdL,
Crisis in Lebanon: Buildup of Interre- tinyurl.com/4ee7pw4n and “Lebanon’s Fi- its policies and Salameh came under scru-
lated Challenges,” by Junko Oguri, Yale nancial House of Cards,” by Sami Halabi tiny. A turning point came on Nov. 27,
School of Management, Sept. 21, 2020, and Jacob Boswall, Triangle, November 2020, when Swiss authorities submitted
tinyurl.com/2rjp8m7a and “‘The ma- 2019, tinyurl.com/2e6vph96.) a request for mutual legal assistance under
gician’: Riad Salameh and the plun- This delicate balancing act was only the ambit of the United Nations Conven-
dering of Lebanon,” by Raya Jalabi, possible when BdL had access to con- tion against Corruption to their Lebanese
The Financial Times, Aug. 19, 2023, sistent flows of U.S. dollars through the counterparts to investigate Salameh and
tinyurl.com/4d2hzxrf.) This in turn en- commercial banks and other sources, but his younger brother, Raja Salameh, on
couraged local banks to offer high rates to the fresh inflows of hard currency began suspicion of money laundering and em-
attract dollar deposits, which largely came to dry up as foreign donors and investors bezzlement of funds via the Swiss banking
from locals and the Lebanese diaspora that lost confidence in the government’s abil- system. [See “À l’attentiondes autorités
has long supported the domestic economy ity to deliver the necessary reforms to put compétentes de la République du Liban Par
through hard-currency remittances. Lured the economy on a sustainable footing and l’intermédiaire du Département Fédéral
by substantial profits, Lebanese banks also after a tax on WhatsApp calls sparked pro- de Justice et Police (DFJP),” Nov. 27, 2020,
shifted most of their foreign currency li- tests against the country’s elites. Gross re- tinyurl.com/5tfkwm23 and “Swiss probe
quidity from correspondent banks abroad serves at the central bank fell from a peak Lebanon’s central bank chief over alleged
into BdL, which eventually held two-thirds of around $36.8 billion in October 2017 to $300m embezzlement,” by Chloe Cornish
of Lebanese bank deposits. The strategy $10.4 billion in December 2022, accord- and Sam Jones, The Financial Times, April
helped replenish the central bank’s foreign ing to the IMF. (See “Explainer: Lebanon’s 24, 2021, tinyurl.com/yspjk95p.]
currency reserves. Banks deposited more financial crisis and how it happened,” Upon receiving the Swiss judicial co-
than $24 billion at BdL between late 2017 by Edmund Blair, Reuters, Jan. 23, 2022, operation request, Lebanese authorities
and early 2019, according to the Interna- tinyurl.com/3p45navx; “Lebanon: 2023 initiated their own probe. This has been
tional Monetary Fund (IMF). (See IMF’s Article IV Consultation - Press Release,” followed by investigations in Lebanon,
2019 Article IV Consultation for Lebanon, IMF, June 29, 2023, tinyurl.com/2b6e24kr; France, Germany and Luxembourg. (See
tinyurl.com/mt4fkmvs.) and “Gross International Reserves Held by “US, UK, and Canada sanction Lebanon’s
The problem was that BdL used the Central Bank for Lebanon,” St. Louis Fed, former central bank governor over cor-
hard currency reserves to cover a whole tinyurl.com/5f8yw7yc.) ruption allegations,” by Kareem Chehayeb,
host of rising costs. Not only did those By 2019, BdL faced a liquidity prob- AP, Aug. 10, 2023, tinyurl.com/4jnfhhub.)
reserves finance the country’s widening lem that worsened during the COVID-19 Central to the probe was Forry Asso-
trade deficit, but they helped maintain pandemic and eventually resulted in the ciates Limited, a shell company created
the lira’s precarious peg to the dollar and country’s first-ever default on March 9, in the British Virgin Islands owned by
funded the government’s increasingly 2020, when the country failed to repay Raja through which Salameh funneled
large fiscal deficit in part through the a $1.2 billion Eurobond — a setback that $333 million from the BdL between 2002
purchase of Eurobonds. (Some of those Lebanon had never encountered, even and 2016. On April 6, 2002, Forry re-
Eurobonds also found their way onto the during its 15-year civil war. Commercial portedly executed a brokerage contract
balance sheets of the commercial banks banks, unable to access their deposits signed by Salameh on behalf of BdL and
through swaps that were part of Salameh’s at BdL imposed strict capital controls to CEO of Forry, Kevin Walter. Salameh
financial engineering.) That’s not to men- prevent deposit outflows by Lebanese de- maintains that BdL’s central council,
tion all the interest and principal BdL owed positors who saw their standards of liv- which Salameh chaired (see “About BDL,”
to the commercial banks. According to a ing plummet against the lira freefall. (See tinyurl.com/ms766dff), authorized him to
2019 working paper by think tank Triangle, “For the first time, Lebanon defaults on its contract Forry to act as an agent to market

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 37

 ARTIFICIAL INTELLIGENCE
WHISTLEBLOWING

TAX FRAUD
ETHICS
CORRUPTION
CYBERCRIME
FRAUDBRIBERY
CORPORATE GOVERNANCE
VENDOR AUDITS
MONEY LAUNDERING
AUDIT DATA ANALYSIS

Discover how your peers tackle common

anti-fraud challenges. LEARN MORE

Join more than 150 of the world’s largest

organizations in the fight against fraud.

ACFE.com/Corporate | [email protected]
financial products, including purchases or sales of financial almost imme-
instruments, such as certificates of deposit between BdL and diately trans-
commercial banks. In turn, Forry reportedly earned a broker’s ferred to an HSBC
fee of up to 0.375% of the value of each transaction. (See “What account under Raja
we know so far about Riad Salameh’s Swiss money laundering Salameh’s name, and of
probe,” by Lynn Sheikh Moussa, Beirut Today, April 15, 2021, that amount, $207 million
tinyurl.com/mrxhnptk and “Revealed: How investigators say Riad was transferred to five dif-
Salameh conducted central bank embezzlement operation,” by ferent Lebanese banks under his
Nada Maucourant Atallah, The National, tinyurl.com/bdhar2as.) name and titled “private expenses,”
According to a Financial Times article citing a Lebanese according to the Swiss authorities. The
judge’s summary note and other sources, the brokerage contract embezzled funds were disguised through a
was never shown to council members at the BdL, though Sal- complex layering process where the funds were
ameh has maintained that Forry had a legitimate contract with transferred through multiple bank accounts, offshore
the central bank. The same article cites Salameh saying that he companies and trusts in Switzerland, Panama, the U.S. and the
handled transactions to Forry himself through a subordinate. U.K. and linked to real estate acquisitions in Paris, New York and
Commissions from several banks reportedly went to a clearing Germany. [See “Forry Associates: How Lebanon’s Central Bank
account opened at BdL, and then they were routed to Forry’s Governor Embezzled Public Funds,” by Ali Noureddine, Fanack.
HSBC account in Switzerland, of which Raja was the beneficial com, Feb. 13, 2023, tinyurl.com/muvk3vht; “À l’attentiondes au-
owner. BdL contracted with one Lebanese bank to pay 3/8 of torités compétentes de la République du Liban Par l’intermédiaire
1% commission on the purchase of certificates of deposits, but du Département Fédéral de Justice et Police (DFJP),” Nov. 27,
the contract made no mention of Forry, and senior executives at 2020, tinyurl.com/5tfkwm23; and “Lebanon’s Offshore Gover-
local banks said that they’d never heard of the brokerage firm nor,” by Hazem Ameen and Alia Ibrahim (Daraj.com) and Tom
until Swiss authorities opened an investigation into the matter, Stocks, Riad Kobaissi and Rana Sabbagh (OCCRP), Aug. 11, 2020,
according to a Reuters report. (See “‘The magician’: Riad Salameh tinyurl.com/2bpdm5hu.]
and the plundering of Lebanon,” by Raya Jalabi, The Financial European investigators are also looking into multiple fam-
Times, Aug. 19, 2023, tinyurl.com/4d2hzxrf and “Contracts show ily members and close associates who they allege assisted Sal-
Lebanon’s central bank obscured recipients of commissions,” ameh in his scheme to defraud the BdL. Chief among them is
by Samia Nakhoul and Timour Azhari, Reuters, Feb. 20, 2022, Marianne Hoayek, a former assistant to Salameh at the BdL;
tinyurl.com/455dsudn.) Marwan Kheireddine, chairman of Lebanon’s Al-Mawarid Bank
Forry hit trouble in 2015, around the same time Salameh (AM Bank) and the former minister of state between 2011 and
was implementing his financial-engineering plans, when HSBC 2013; and Anna Kosakova, Salameh’s romantic partner for over
Switzerland detected irregularities. When HSBC demanded a copy two decades, who’s also accused of money laundering. Kosakova
of the brokerage contract, Raja provided a version with marked owned and managed several European real-estate management
discrepancies from the BdL original, including Forry’s address firms that purchased office space in Paris, part of which was
and the replacement of Kevin Walter’s signature with Raja’s. rented to the BdL. (See “France names Mother of Salameh’s daugh-
The bank refused to process those transfers and shuttered the ter as suspect in Central bank probe,” Ya Libnan, Dec. 6, 2022,
account; Raja dissolved Forry in 2016 because of a “drop in the tinyurl.com/muucf7y6.)
pace of work in 2015,” according to an article in The National. Hoayek is being investigated for money laundering after
(See “Revealed: How investigators say Riad Salameh conducted receiving funds from Forry in 2008 and 2013. She began working
central bank embezzlement operation,” by Nada Maucourant at BdL in 2003 as an intern and progressed to senior executive
Atallah, The National, Feb. 1, 2023, tinyurl.com/53uz5663.) Ju- adviser in 2020. (See “Riad Salameh’s assistant faces European
dicial investigators have been unable to identify or locate Kevin investigators in Beirut,” by Nada Maucourant Atallah and Jamie
Walter, a broker license or a list of clients. Prentis, The National News, April 27, 2023, tinyurl.com/bdhvx67v;
Forry’s HSBC account received around $326 million via 310 “French prosecutors name bank chairman a suspect in Lebanese
transactions between April 2002 and October 2014, from BdL central bank probe,” by Layli Foroudi, David Gauthier-Villars and
and were marked as “commissions” or “fees,” according to the Timour Azhari, Reuters, April 8, 2023, tinyurl.com/vmck6stf;
Swiss authorities. Much of that money, about $248 million, was and “French Prosecutors Name Ukrainian Suspect in Lebanese

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 39

 CORRUPT CENTRAL BANK GOVERNOR

Central Bank Probe,” by David Gauthier- 2015, to Sept. 9, 2019, to six Lebanese • A&M identified no records confirm-
Villars, Reuters, U.S. News, Dec. 5, 2022, banks including AM Bank and one ing that a service was performed to
tinyurl.com/yeybmyn9.) HSBC Private Bank (Suisse) SA. Based justify some of the commission pay-
Kheireddine is accused of allowing on BdL’s records, A&M was unable ments. BdL at the time had provided
Salameh to process fund transfers through to confirm whether a service was no further documentation or explana-
AM Bank. Bank statements showed Sal- actually performed to justify commis- tion for the book entries and transfers
ameh’s accounts at AM Bank ballooning sion payment. (See pages 96 and 97 of in and out of the consulting account.
from $15 million in 1993 to more than $150 audit.) (See page 24 of the audit.)
million by 2019, according to Reuters. (See • A&M found eight credits booked to
“French prosecutors name bank chairman the consulting account totaling $92.97 Will justice be served?
a suspect in Lebanese central bank probe,” million between Jan. 31, 2015, and Several steps have been taken internation-
by Layli Foroundi, David Gauthier-Villars Dec. 31, 2020. BdL created two credits ally to provide some restitution. In 2022,
and Timour Azhari, Reuters, April 8, 2023, totaling $35.9 million when it carried the European Union Agency for Criminal
tinyurl.com/3eeae3ca and “Former French out financial-engineering transac- Justice Cooperation (Eurojust) announced
central bank governor investigated over the seizure of $130 million in assets linked
tions with Optimum Invest SAL, a
Riad Salameh ‘embezzlement’ scandal,” by to Salameh’s wealth, including bank ac-
Lebanese brokerage firm established
Nada Maucourant Atallah, The National, counts and real estate in Germany and
in 2004 with which the central bank
July 27, 2023, tinyurl.com/2aybkmuw.) France valued at 44 million euros. An-
signed a nonexclusive contract. This
was “explicitly to create commissions other 36.5 million British pounds in real
Audit reveals wrongdoing to be paid to third parties,” accord- estate assets tied to the Salameh family
Late last year, an audit by consulting firm were seized in the U.K. at the request of
ing to the audit. (See page 99 of audit
Alvarez & Marsal (A&M) allegedly revealed the French judiciary, while European au-
and “Broker used by Riad Salameh’s
more evidence of corruption and poor thorities also froze bank accounts in Lux-
Lebanon central bank accused of
management at BdL between Jan. 1, 2015, embourg and France worth 13.3 million
‘extravagant’ irregularities,” by Nada
and Dec. 31, 2020. The 330-page audit goes euros. (See “France, Germany and Lux-
Maucourant Atallah, The National,
into great detail about the BdL’s financial- embourg seize assets of Lebanon’s central
Sept. 6, 2023, tinyurl.com/y8uhp3ya.)
engineering operations and the commis- bank chief,” France 24, March 29, 2022,
BdL also sold treasury bills to Optium
sions funneled through what A&M calls tinyurl.com/y4xjd3dw; “European inves-
and repurchased them at a higher
a “consulting account.” Below are some tigators arrive in Beirut for corruption
price, whereby the additional premi-
of its findings. (See “Preliminary Forensic probe,” by Raya Jalabi, The Financial Times,
um was transferred from another BdL
Audit Report Banque du Liban,” Alvarez & Jan. 16, 2023, tinyurl.com/2fhzuj3y; and
account and credited to the consulting
Marsal Middle East Limited, Aug. 7, 2023, “More than £36m in UK property seized in
account.
tinyurl.com/y6zmrext.) Riad Salameh money laundering probe,” by
• Three credits totaling $43.45 million
• A&M highlights an account in the Nada Maucourant Atallah, The National,
records of the BdL titled “consulting” comprised commissions charged to
July 27, 2023, tinyurl.com/4b45yw5w.)
whose International Bank Account banks “to credit a credit balance that
In addition to the coordinated U.K.,
Number, or IBAN, is referenced as a could be used to offset the costs of
U.S. and Canada sanctions on Salameh,
source of payments to Forry, and con- financial engineering,” according to
Raja and their associates, the U.K. govern-
tains 27 debit and eight credit entries. the audit. (See page 103 of audit.)
ment utilized for the first time the Global
A&M says that the account holders or • Three credits accounted for $13.6 Anti-Corruption Sanctions regime against
the ultimate beneficiaries of this ac- million from another BdL account as individuals involved in corruption in Leba-
count are unavailable as BdL removed payment transfers received from AM non. (See “UK, US and Canada sanction
the beneficiaries’ name fields, citing Bank. (See page 103 of audit.) Lebanon’s former Central Bank Governor
banking secrecy laws. (See pages 94 • The BdL’s central council partly ap- Riad Salameh and close associates,” GOV.
and 95 of audit.) proved the credits, but the central UK, Foreign, Commonwealth & Develop-
• The 27 debit entries totaling $111.3 bank governor set their amounts and ment and Lord Ahmad of Wimbledon,
million were made from April 22, destinations. (See page 105 of audit.) Aug. 10, 2023, tinyurl.com/2wf7jffb

40 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

and “EU seizes $130m assets linked to Lebanon, Oueidate referred Salameh’s 2020, where 218 individuals were killed.
money laundering in Lebanon,” Aljazeera, case to the Beirut public prosecutor Ziad Since the tragedy, no one has yet been held
March 28, 2022, tinyurl.com/3jwncnpp.) Abou Haidar who declined in June 2022 to accountable.) Oueidate has accused the
Lebanon opened an investigation in prosecute Salameh because of the case’s investigating judge of “rebelling against
January 2021 after Switzerland made a political sensitivity. However, on Feb. 23, the judiciary and usurping power” after
request for judicial cooperation. The ju- 2023, the Lebanese public prosecutor Raja resuming the inquiry after a 13-month sus-
diciary appointed Judge Jean Tannous to Hamoush charged Salameh, Raja and Mar- pension because of political resistance.
lead the preliminary investigation, which ianne Hoayek, with money laundering, (See “Beirut blast: Lebanon prosecutor
has encountered hurdles, including po- embezzlement, tax evasion and forgery. charges judge leading investigation,” by
litical intervention. Tannous was forced (See “Court ruled unfit to judge arrest war- Anna Foster and David Gritten, BBC, Jan.
to suspend his investigations on four rant against ‘fugitive’ Riad Salameh,” by 25, 2023, tinyurl.com/3k7h3npu.)
Lebanese banks at the behest of the then Maan Barasy, NOW Lebanon, Sept. 7, 2023,
Prime Minister Najib Mikati to the public tinyurl.com/ycknt6xm.) Possibility of Lebanon’s
prosecutor, Ghassan Oueidate. Mikati has Perhaps the biggest challenge to the collapse
publicly defended Salameh, stating “you Lebanese investigations has been law- The Salameh saga continues to unfold,
don’t change officers during a war.” (See suits that Salameh has filed. On Aug. 29, as acting BdL governor Wassim Man-
“Groups lodge complaint against Swiss 2023, Salameh failed to appear before an souri emphasized that the Lebanese
banks involved with Riad Salameh,” by indictment and opted to lodge three ap- state may collapse in the absence of re-
Sunniva Rose, The National, Feb. 25, 2022, peals against the three judges heading forms. (See “Lebanon’s scorned central
tinyurl.com/46b679rn.) the indictment chamber. (See “Lawsuit bank chief Riad Salameh steps down,” by
Furthermore, BankMed, one of the freezes Lebanese investigations into Riad Adam Lucente, July 31, 2023, Al-Monitor,
four Lebanese banks that Tannous asked Salameh,” by Naija Houssari, Arab News, tinyurl.com/mr237ep7.) “Every day we
for details on Raja’s accounts, accused Tan- Aug. 29, 2023, tinyurl.com/mmws59nz waste without drafting laws, losses increase
nous of gross misconduct. The primary and “Riad Salameh’s lawyer files action as well as the possibility of a state collapse,”
point of contestation was the varying inter- against indictment chamber,” by Claude Mansouri says. In countries with weak state
pretations of Lebanon’s bank secrecy laws. Assaf, L’Orient Today, Aug. 29, 2023, institutions, fraud permeates the private and
Lebanese banks argued that only the coun- tinyurl.com/59jr8zud.) (This tactic, based public sectors, which fosters an environ-
try’s Special Investigation Commission on Lebanon’s post-civil war policy of impu- ment where the lack of effective oversight
(SIC), which Salameh chaired, could lift nity, has been used and abused by officials and regulation leads to largely unfettered
banking secrecy. In January 2022, the pub- linked to the investigation into the authority, and undetected and unpunished
lic prosecutor Oueidate stopped Tannous Port of Beirut explosion fraudulent activities. These
from attending a meeting with European on Aug. 4, f a c to r s , p l u s
prosecutors investigating Salameh. After fragmented
the conclusion of an 18-month regulatory
preliminary investi- over-
gation in

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 41

 CORRUPT CENTRAL BANK GOVERNOR

sight, corruption and excessive bureaucra- “Lebanon’s interim central bank chief vows Fadi Makdessi is a KYC analyst at Credit
cy — supplemented by a political system not to lend money to government, calls for Suisse, part of the UBS group, in North
that requires power to be shared among economic reform,” Yalibnan, Aug. 25, 2023, Carolina. Contact him at
Lebanon’s diverse religious factions — al- tinyurl.com/3p7p4bsz.) [email protected].
lowed Salameh to override BdL’s indepen- For years, Lebanon will bear the
dence as a central banking authority and burden of an unprecedented economic Rayan Mohamed, CFE, is a KYC assistant

its internal controls, and fully control its depression caused in great part by corrup- vice president at Credit Suisse, part of the
public function to misappropriate pub- tion, unchecked authority and illusionary UBS group, in North Carolina. Contact him
lic funds for his illicit enrichment. (See public oversight. FM■ at [email protected].

A&M AUDIT: POOR OVERSIGHT LED TO YEARS OF

CORRUPTION AND MISMANAGEMENT AT BANQUE DU LIBAN

C ritics have blamed an acute lack of transparency and

oversight at Banque du Liban (BdL) as one of the main
reasons behind the corruption and financial shenanigans
Audits that year were reportedly signed off by EY and Deloitte.
(See “Lebanon: Central bank chief inflated assets by $6bn in
2018,” Al Jazeera, July 23, 2020, tinyurl.com/3ds55spw.) A&M
allegedly perpetrated by Lebanese central bank’s former presi- criticized BdL’s use of the concept as “at best unconventional
dent Riad Salameh. and controversial.”
A recent audit by consulting firm Alvarez & Marsal During the Lebanese probe, EY highlighted that Sal-
(A&M) underscored how a lack of oversight was central to ameh excluded the consulting account from the “scope of
Salameh’s dominance of BdL. The A&M audit draws attention the audit” because of “confidentiality.” (See “Embezzlement
to Salameh’s “unscrutinized authority” and BdL’s ineffective at the Lebanese central bank: Did auditors overlook alleged
internal and external audit functions. A&M says that it saw fraud?” by Nada Maucourant Atallah, The National, May 15,
little evidence of proper risk management controls and that 2023, tinyurl.com/4r66kuaw.)
the central council (see “About BDL,” tinyurl.com/ms766dff) Since the collapse of the Lebanese economy, IMF has
was an ineffective governing body that failed to challenge called for an overhaul of how the BdL is held accountable
Salameh’s decisions. (See “Preliminary Forensic Audit Report to the public. It also still sees shortcomings in the country’s
– Banque du Liban,” Alvarez & Marsal Middle East Limited, banking secrecy law. This law, passed in 1956, prohibits the
Aug. 7, 2023, tinyurl.com/mvrru6u8.) disclosure of client names, assets or facts to an individual
This obfuscation extended to how the central bank re- or the public, e.g., judicial or administrative authority. (See
ported its financials. A&M notes that full audited financial Banking Secrecy Law of Sept. 3, 1956, tinyurl.com/mr2d6vxe.)
statements were never made public from 2015 to 2020, and Lebanon passed anti-money laundering laws in 2001 and
BdL only provided a summary balance sheet. Without full 2015, which ostensibly enabled the lifting of bank secrecy. But
financials, experts struggled to see the full extent of BdL’s the IMF has said that amendments to the banking secrecy
problems. According to Reuters, an International Monetary law have failed “to address outstanding critical weaknesses”
Fund memo drawn up for the Lebanese authorities in April and access to critical data. (See “Lebanon: Staff Concluding
2016 showed there was a $4.7 billion hole in the country’s Statement of the 2023 Article IV Mission,” IMF, March 23,
reserves, but that fact was never made public. (See “Before 2023, tinyurl.com/bdepwe9y.)
Lebanon’s current financial crisis, central bank faced a $4.7 Recent laws created the Special Investigation Commis-
billion in reserves – IMF memo,” by Sami Nakhoul, Reuters, sion (SIC), which established Lebanon’s Financial Intelligence
Oct. 28, 2021, tinyurl.com/yt54tf94.) Unit (FIU) within BdL. Yet while the SIC is supposed to be an
The way BdL accounted for “seigniorage” — the profit independent, legal entity, it still reports to BdL’s governor.
generated from the value of money creation minus the cost of (See Fighting Money Laundering Law No. 318 of April 20,
its production — has also come under scrutiny. In 2020, critics 2001, tinyurl.com/2spca2jm and “In brief: banking regula-
slammed how in 2018 BdL recorded seigniorage as an asset tory framework in Lebanon,” March 15, 2023, Abou Jaoude
to help bolster its balance sheet and hide holes in its books. & Associates Law Firm, Lexology, tinyurl.com/yckkw5bh.)

42 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 PREPARE TO PASS
THE CFE EXAM
The CFE Exam Prep Course® gives you flexibility to prepare
for the CFE Exam on your schedule. Including lessons,
review questions and flashcards, the CFE Exam Prep Course®
will help you prepare to pass the rigorous CFE Exam.

Includes a subscription to the

online Fraud Examiners Manual!

STUDY PLAN LESSONS REVIEW QUESTIONS FLASHCARDS

Follow a recommended study plan Learn at your own pace with lessons Evaluate your preparedness for the Review important definitions and
to ensure your exam preparation covering everything you will need to CFE Exam with review questions. concepts with curated flashcards.
stays on track. know to succeed on the CFE Exam.

Visit ACFE.com/PrepCourse to learn more.

Is a Third Party’s Use
of Encrypted Email
Services a Safeguard
or a Red Flag?

By Antonio Rossi, CFE, and Lucrezia Tunesi

 Global organizations employ thousands of suppliers and
vendors to get their business done, so they need to use the
latest investigative tools of third-party due diligence (TPDD).
Here we examine how we can use TPDD to discover how
suspicious third parties can use email encryption services
(and corresponding primary email addresses) to mask
illegal activities and steal valuable data.

T
he new textile startup company, FabricFibre, worked with This article summarizes the methodology and outcomes of the
several third parties to produce their clothing lines. Its research and analysis.
internal auditors stressed to the executives that it should
conduct extensive “third-party due diligence” (TPDD) to verify Most control functions are TPDD
the transparency and reliability of the external companies. So, A 2019 Gartner study says that 60% of worldwide organizations
FabricFibre thoroughly investigated via open sources (paid and each work with more than 1,000 suppliers on average — a number
unpaid) its more than 100 suppliers’ corporate chains, profit- that will grow as business ecosystems continue to expand and
ability, reputations, viability and other criteria. become more complex. [See “Third Party Risk Management
The company, guided by savvy leaders, determined that the (TPRM),” Gartner, tinyurl.com/3prj5kjz.] However, according to
prospective suppliers employed email encryption services (EES), the Gartner study, more than 80% of the legal and compliance
which many upright organizations use to foster anonymity and leaders that participated said they identified third-party risk after
security in communications. However, criminal groups can also initial onboarding “suggesting traditional due diligence methods
in risk management policy fail to capture new and evolving risks.”
use EES to conceal their illicit activities and obstruct investiga-
Gartner’s study says that 73% of the effort of control functions
tions. And they can link their primary email addresses to EES
is dedicated to TPDD activities and recertification of counterpar-
services to avoid detection. FabricFibre delved deeper and found
ties, and 27% of the effort is devoted to identifying risks during
that two of its suppliers had some suspicious roots. The company
relationships. (Investopedia says a counterparty is simply the
gave those firms a wide berth, and probably saved itself a lot of
other side of a trade — a buyer is the counterparty to a seller. See
money and grief.
tinyurl.com/ms8cucww.)

EES primary emails could be red flags Improve your TPDD process
This fictitious story reflects a real concern as reputable organi- Organizations now extensively rely on TPDD for investigating
zations conduct TPDD and discover the possible EES red flags and verifying information about third parties — individuals or
among its suppliers. organizations who interact, for various reasons, with their ecosys-
Third parties can be primary sources of value, but they also tems — to prevent risks resulting from professional relationships
can be risky areas for organizations. The steady evolution of and transactions. (Third parties aren’t subjects already included
technology has led to a necessary evolution of the TPDD process. in corporate ecosystems, such as employees and members of
We conducted research to determine if potential suppliers’ use boards of directors.)
of EES, and their EES emails as their primary contacts, could TPDD helps minimize organizations’ and/or individuals’
be considered red flags (or not) in the context of TPDD activity. reputational, financial and/or operational risks. They focus on

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 45

 Encrypted emails

potential third parties’ transparency, corporate governance open sources, the potential impact on your organization and
structures, profitability, the presence/absence of bad publicity, your risk appetite.
etc. Organizations aim to analyze corporate structures, financial
key performance indicators and reputational standings to help Using encrypted email as a third party’s main
answer questions about a third party such as: Who’s the benefi- point of contact
cial owner? Is the third party profitable? Has it been involved in Common email services are vulnerable to hackers. But EES uses
a financial scam? If I sign a contract with this third party, will I end-to-end encryption to protect the content of emails and ensure
incur any risks? that only legitimate recipients can access them. EES provides
An organization must include the changing global risk sce- reliable and secure global information infrastructures crucial
nario as a factor when performing TPDD. The widespread use for businesses and public and private organizations. (Individuals
of shell companies for money laundering and financial can also buy EES services.)
fraud — and the digital revolution that enables anon- However, criminals and terrorists use the ben-
ymous remote transactions without the need for efits of encryption to conceal their illicit activities.
geographical proximity — have increased the like- (See “Counter-Terrorism, Ethics and Technology:
lihood a company may encounter risky situations Emerging Challenges at the Frontiers of Counter-
while interacting with third parties. Therefore, you Terrorism,” Adam Henschke, Alastair Reed, Scott
must improve your TPDD process by integrating Robbins, Seumas Miller, editors, 2021, Springer,
drivers that address new risks, including analyzing tinyurl.com/enzxny8r.)
Bad actors can use EES to obstruct investigations (a
third parties’ official email addresses that they include on
phenomenon known as “going dark”) and prevent law enforce-
their websites and public documents. In the past, it was enough
ment agencies from gathering evidence for trials and dismantling
to analyze third parties’ physical addresses. No more. We must
large criminal organizations and terrorist attacks. (See “Shining
scrutinize digital addresses to find potential fraud or risk.
Light on the ‘Going Dark’ Phenomenon: U.S. Efforts to Overcome
Use publicly accessible “open sources” (free and paid), such
the Use of End-to-End Encryption by Islamic State Supporters,”
as mass media communications, computer-based data, company
by Ryan Pereira, Harvard Law School National Security Journal,
websites and annual reports, governmental records and academic
Sept. 3, 2021, tinyurl.com/3ahfjrks and “Hiding Crimes in Cyber-
information to find a third party’s corporate structure and identify
space,” by Dorothy E. Denning and William E. Baugh Jr., Dec. 2,
the ultimate beneficial owner. You can then discover the entity’s
2010, Taylor & Francis Online, tinyurl.com/3p5ub24j.)
profitability, viability and capitalization plus negative reports, in-
Recent studies of illicit markets, criminal organizations, drug
cluding possible links with criminal organizations. Moreover, you
traffickers and terrorist groups have found their increasing use of
can study the third party’s commitment to ESG (environmental,
EES, such as Protonmail, to reduce the risk of interception. (See
social and governance) sustainability issues. Your organization
then needs to rate the severity of the red flags you discover via Table 2 - The research sample

Table 1 - List of relevant domains of EES companies NUMBER OF

NO. SERVICE DOMAIN ORGANIZATIONS
NO. SERVICE DOMAIN 1 Ctemplar ctemplar.com -
1 Ctemplar ctemplar.com 2 Kolab Now kolabnow.com -
2 Kolab Now kolabnow.com 3 Mailbox Mailbox.org 4
3 Mailbox Mailbox.org 4 Mailfence Mailfence.com 1
4 Mailfence Mailfence.com 5 Posteo Posteo.de 12
5 Posteo Posteo.de Protonmail.com
6 Protonmail Pm.me
Protonmail.com 532
Proton.me
6 Protonmail Pm.me
Proton.me Runbox.com
7 Runbox 9
Runbox.com.co
Runbox.com
7 Runbox Runbox.com.co 8 Scryptmail Scryptmail.com -
8 Scryptmail Scryptmail.com 9 Startmail Startmail.com 1
9 Startmail Startmail.com TOTAL 559
Source: authors’ compilation Source: authors’ compilation
“New Directions in Online Illicit Market Research,” by Thomas
J. Holt, Ph.D., International Journal of Criminal Justice, Korean
Institute of Criminology, June 2021, tinyurl.com/r28jp9du.)
Anti-mafia prosecutor Giovanni Melillo concurs that orga-
nized crime uses EES to mitigate the risk of interception and keep
communications confidential. (See “Il procuratore antimafia
Giovanni Melillo: ‘Tra mafie e mondo cyber, relazioni profonde,’” EES provides reliable and
by Rosita Rijtano, lavialibera, Feb. 22, 2023, tinyurl.com/ysxfphsh.) secure global information
The University of Applied Sciences and Arts of Southern infrastructures crucial for
Switzerland organized the “Mafia and technology” conference, businesses and public and
Oct. 17, 2023, which highlighted the criminals’ use of encrypted private organizations. ...
communications and the new challenges for authorities. (See However, criminals and
tinyurl.com/5n6m83ue.)
terrorists use the benefits of
encryption to conceal their
Our EES global research study
After we considered the unfortunate benefits of EES that criminals
illicit activities.
use, we decided to conduct a global research study between June
2023 and July 2023 to understand the number and type of orga-
nizations adopting encrypted email as their first point of contact
and to identify any correlations and/or anomalies in the sample. The organizations that use encrypted email the most, with
We first identified the domains of the most popular EES com- a few exceptions, are based in countries with a high risk of mon-
panies. (See Table 1 on page 46. Note that some of the companies ey laundering and organized crime. (See “AML Country Risk,”
may no longer be active.) tinyurl.com/vcdjyur9 and “Global Organized Crime Index,”
We then used the EES companies’ domains as keywords to ocindex.net.)
search for companies that, according to company registers and
corporate websites, have EES emails as primary contacts. Table Average turnover and number of employees
2 (on page 46) shows the number of domains of the surveyed To understand the organizational structure of the sampled or-
organizations. (We carried out the research via open sources, ganizations, i.e., their size in terms of latest available turnovers
including company and corporate databases with global coverage, (which could show shoddy operations), we clustered organiza-
so the information we found isn’t comprehensive.) tions, where possible, by turnover, turnover costs and number
of employees and turnover. (See Table 3 on page 50.)
Our research findings Table 3 shows:
As shown in Figure 1 (on page 48) the geographical distribution of • 353 organizations (63% of the sample) have an annual
the sample is extremely uneven. The companies are concentrated turnover cost of less than 1,000 euros and between 10 and 19
in only 30 countries and more than half (66.55%) are located in
employees.
Brazil. (Russia, Ukraine, Hungary, Estonia and Germany also have
• 60 organizations (11% of the sample) have an annual turn-
a substantial number of organizations, albeit significantly fewer
over cost between 10,000 to 20,000 euros and less than 10
than those in Brazil. For example, Russia, in second place, only
employees.
counts for 5% of the companies in the sample.)
It appears that potential third-party companies that use en- • 22 organizations (4% of the sample) for which data on turn-
crypted emails as their main contact addresses is certainly a very over and average number of employees weren’t available.
rare occurrence, i.e., strictly limited to certain geographical areas. (Sixty-seven percent of the organizations in the sample were
Furthermore, comparing the number of organizations surveyed established between 2019 and 2022.)
that use encrypted email to the total number of organizations This analysis shows that the organizations that adopt en-
surveyed in the databases consulted, Brazil moves from the top of crypted email addresses as their primary communication chan-
the ranking to sixth place, preceded in order by Serbia, Georgia, nel are mostly newly established, have very small organizational
the Democratic Republic of Congo, North Macedonia and Estonia. structures and an annual turnover cost that’s generally placed
(See Figure 2 on page 48.) below 20,000 euros. A small number of employees and a low

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 47

 Encrypted emails

Figure 1 - Geographical distribution of the sample

Count of #

372

Source: authors’ compilation

turnover cost could in some cases indicate precarious financial for each company. All nine companies are dealing in the photog-
instability so they’re unable to meet clients’ demands. raphy and film retail trade. This might suggest that they’re owned
We detected the anomaly that seven Brazilian companies, by the same group or the same person; however, the managing
which all have the same encrypted email address, each show an partner is always different.
identical annual turnover cost and average number of employees Furthermore, seven out of the nine companies (two of the seven
in 2021. (See Table 4 on page 50.) companies share the same business address) appear to operate from
garages or private houses that don’t have any sign or indication of
Same email for different organizations commercial retail. (See Figure 3 on page 51. We extracted the images
The sample analysis also showed that 19 email addresses were from Google Maps after the incorporation dates of the companies.)
repeated for different organizations. Two of them are shared by two
companies, both based in Brazil and operating in the retail sector. Companies by sector
To assess how far this could be a risk vector, we examined We analyzed the incidence of the use of EES by sector by recoding
nine organizations with the same email address. The company product classification codes into 17 macro-categories. (See Table 5
name is always the same, except for the initial word, which varies on page 51. The category “Other” includes activities that are more

Figure 2 - Geographical distribution of the sample by incidence

Incidence

2%

0%

Source: authors’ compilation

48 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

STAY AHEAD IN THE
EVER-CHANGING
WORLD OF FRAUD
Fraud is always evolving.
You should be too.

ENHANCE EARN SHOWCASE

your anti-fraud 17% more than your your CFE credential
knowledge and non-certified colleagues, on social media with
expertise with according to the 2022 the exclusive CFE
world-class training Compensation Guide for digital badge.
and resources. Anti-Fraud Professionals.

Visit ACFE.com/CFE to learn how you can earn your CFE credential.
 Encrypted emails

Table 3 - Clustering of organizations by turnover, turnover costs and number of employees

Turnover (€/100)
TOTAL
<1 1-10 10-20 20-50 50-100 100-200 n.a. Case study illustrates EES
<10 12 60 2 1 - - 9 84 addresses as red flag
Average n. of employees

10-19 353 12 - - 1 1 3 370 We believe the following case study rep-

20-49 15 15 1 1 - - 5 37 resents a good example of how an EES
50-99 1 7 1 - - - 1 10
email address as a main contact might be
considered a red flag, especially if shared
100-500 1 3 1 1 - - - 6
by different companies and tied to other
>1000 - - - - - 1 - 1
factors or red flags. (We’ve anonymized all
n.a. 6 21 1 - 1 - 22 51
identifying elements for confidentiality
Total 388 118 6 3 2 2 40 559
and privacy.)
n.a.: data not available
The analysis focused on the email
Source: authors’ compilation r.**********[email protected], which
we found to be the same for three Rus-
general or less relevant to the analysis, or • Activities concentrated in regions
sian companies in the sample we analyzed.
activities with only one occurrence.) with a strong public support. Based on further research conduct-
The trade sector (wholesale and retail) Additionally, the trade sector (whole- ed in open sources, this email address is
is the most exposed to the use of EES (33% sale and retail) is considered more exposed also attributable to “Russian Company 1,”
of the entire sample). This is an interest- to the risk of organized crime infiltrating which, in addition to the address with a
ing figure if it’s added to the turnover cost the legal economy because it facilitates, Proton Mail domain, is also associated
and employee numbers data. According more than others, illegal activities and with a second email address with the
to a 2016 study by the United Nations In- same username but with the extension
money laundering. (See “Mapping the risk
terregional Crime and Justice Research f**********.pro.
of serious and organised crime infiltrating
The r.**********[email protected]
Institute (see “Organized Crime and the legitimate businesses, Final report,” edited address would also be traceable to the do-
Legal Economy: The Italian Case,” 2016, by Shann Hulme, Emma Disley and Emma main f***********.pro, whose site would no
tinyurl.com/5bexa5tv), the characteristics
Louis Blondes, European Union, 2021, longer be reachable with the extension
of companies most exposed to the risk of
tinyurl.com/27a9px2y.) .pro but only with the exten-
infiltration by organized crime are: sion .click.
The widespread use of EES services
• Less than 10 employees and a total by organizations operating in the IT sector We further inves-
annual turnover cost not exceeding 2 tigated the websites
may be motivated by the attention and sen-
million euros. of the Central Bank
sitivity of these companies on data protec-
of the Russian Fed-
• Belonging to a traditional and/or low- tion and information security. Information eration, the Italian
tech sector. technology can also explain why consul- Commissione Nazio-
• Involvement in strictly local/national tancy firms rank fifth; 16 (39% of the total) nale per le Società e la Borsa
activities. consultancy companies specialize in IT. (CONSOB) and others, and discovered the

Table 4 - Companies with the same email, turnover cost and number of employees

YEAR OF LAST
COMPANY LISTED TURNOVER AVG. NO. OF INCORPORA-
STATUS COUNTRY FINANCIAL INDUSTRY
NAME COMPANY (EURO) EMPLOYEES TION DATE
STATEMENT

Company 1 Active No Brazil 2021 253 16 01/27/2021 Retail trade of photography and filming articles
Company 2 Active No Brazil 2021 253 16 01/29/2021 Retail trade of photography and filming articles
Company 3 Active No Brazil 2021 253 16 01/29/2021 Retail trade of photography and filming articles
Company 4 Active No Brazil 2021 253 16 01/29/2021 Retail trade of photography and filming articles
Company 5 Active No Brazil 2021 253 16 02/05/2021 Retail trade of photography and filming articles
Company 6 Active No Brazil 2021 253 16 02/05/2021 Retail trade of photography and filming articles
Company 7 Active No Brazil 2021 253 16 02/05/2021 Retail trade of photography and filming articles

Source: authors’ compilation

50 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

Figure 3 - Geolocation of companies’ headquarters in Brazil

Source: The authors identified company headquarters with Google Street View, and images were generated using artificial intelligence.

domain f**********.pro appears to be traceable to the company Analyze third-party email addresses
“Russian Company 2,” which the Central Bank of the Russian In view of our findings, analyzing organizations’ email addresses
Federation and the National Commission for Companies and the as TPDD drivers is a good digital indicator — in conjunction with
Stock Exchange (CONSOB) placed on blacklists of unauthorized other critical factors — to identify potential risky third parties.
financial operators. Third parties that use EES services, especially small- and
The information we gathered appears to show an association medium-sized organizations, to send or receive confidential
between “Russian Company 1,” present in the sample and “Russian documentation to and from counterparties, isn’t a risk itself. In
fact, it can be a positive element because it indicates companies’
Company 2,” which is involved in irregular conduct on financial
focus on the security of their information, which could minimize
markets and suspended by both the Central Bank of the Russian
the risk of data breaches.
Federation and CONSOB.
However, it’s unusual for organizations to use encrypted main
email addresses. The choice of an organization to use an encrypted
Table 5 - Number of companies by sector
email address as its main contact could be synonymous with a
INCIDENCE
lack of transparency or non-traceability. Treat it as an anomaly
INDUSTRY ORGANIZATION N.
ON TOTAL (%) that you should assess to possibly find additional red flags.
Continue to religiously conduct third-party due diligence, but
Wholesale & Warehousing 93 17%
Retail trade 90 16% assure your methods are contemporary with digital advances. n FM
IT & Engineering 76 14%
Real Estate, Insurance, & Finance 44 8%
Antonio Rossi, CFE, is a manager – forensic services with a
Consulting 41 7%
multinational advisory firm and co-founder and member of
Industry 28 5%
the board of the nonprofit association OsintItalia. Contact him
Administrative Support 27 5%
Construction 21 4%
at [email protected].
Health and Care 14 3%
Marketing 13 2% Lucrezia Tunesi oversees security and threat intelligence
Hotels & Catering 9 2% activities at Italian energy infrastructure company Snam S.p.A.
Education & Culture 9 2% She’s a certified security expert and a member of the Italian
Legal Services 5 1% Association of Corporate Security Professions (AIPSA) and the
Agriculture & Fisheries 5 1%
nonprofit association OsintItalia. Contact her at
Research & Development 4 1%
[email protected].
Energy & Waste 3 1%
Other 77 14%
TOTAL 559 100%

Source: authors’ compilation

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 51

05
most
SCANDALOUS
FRAUD CASES
of 2023

Every day, we see stories in the media of scammers and

schemers, and their various attempts to take advantage
of people for financial gain. But some reports are so brazen
and shocking we must take note. Each year, the ACFE, along
with our Advisory Council, selects those stories that we believe
will live in infamy and serve as valuable case studies for fraud
fighters for years to come.

BY JENNIFER LIEBMAN, CFE

 site Coindesk about problems at FTX’s sister hedge fund Alameda

W
Research. The Coindesk article reported that Alameda’s main asset
e’d just filed our Most was FTT, FTX’s native token, and that FTX was using FTT as collateral
Scandalous Frauds story on the balance sheet. When customers subsequently tried to with-
of 2022 when news of the draw their holdings from the platform, FTX was unable to meet the
implosion of multibillion-dollar crypto demand, and FTX’s collapse destabilized the crypto industry. The
exchange FTX broke. It might’ve been a prices of bitcoin and ether sunk and crypto lender BlockFi suspended
little too late for us to add what would its operations because of FTX’s demise. (See “What Happened To
become the biggest fraud scandal since Crypto Giant FTX? A Detailed Summary Of What We Actually Know
Theranos to the 2022 list, but the FTX So Far,” Forbes, Dec. 13, 2022, tinyurl.com/yftkmy3h and “Embattled
story didn’t disappear, and we had FTX Crypto Exchange FTX Files for Bankruptcy,” by David Yaffe-Bellany,
founder Sam Bankman-Fried’s trial and The New York Times, Nov. 11, 2022, tinyurl.com/2bx7hfdd.)
eventual guilty verdict to keep us riv- Bankman-Fried was arrested by U.S. authorities in the Bahamas
eted. Of course, FTX wasn’t the only in December 2022. The government accused him of diverting funds
high-profile case that shocked us; there from FTX investors to Alameda Research and giving Alameda an un-
were many others that had a big impact limited “line of credit” funded by crypto platform customers. The U.S.
on the anti-fraud profession. Here are government also accused him of using commingled FTX customers’
the five fraud cases we found most scan- funds at Alameda to buy real estate, make undisclosed investments
dalous in 2023. and fund political campaigns. While misusing his customers’ funds,
he was promoting FTX as a responsible crypto-asset trading platform
with sophisticated risk measures to protect customer assets. (See
“SEC Charges Samuel Bankman-Fried with Defrauding Investors in
Crypto Asset Trading Platform FTX,” U.S. Securities and Exchange
Commission press release, Dec. 13, 2022, tinyurl.com/2bxvze4f.)
Bankman-Fried’s trial provided plenty of drama — his top lieuten-
ants at FTX, including ex-girlfriend and head of Alameda Research,

01/ THE FALL Caroline Ellison, agreed to cooperate with the government and testify
against him. During her tearful testimony, Ellison told the jury that

OF FTX Bankman-Fried directed her to commit crimes. She pleaded guilty

to wire fraud, securities fraud and commodities fraud. (See “Sam
Bankman-Fried ‘directed me’ to commit fraud, former FTX execu-
It took just over four hours for a jury to find FTX tive Caroline Ellison says,” by Kate Gibson, CBS News, Oct. 10, 2023,
founder Sam Bankman-Fried guilty of seven counts of tinyurl.com/7uvfcvv2.)
wire fraud, conspiracy and money laundering on Nov. And Bankman-Fried himself took the stand, testifying for over
2, 2023. The once-celebrated cryptocurrency mogul five hours and downplaying what happened at FTX. He said that he
faces a maximum of 115 years in prison when he’s
sentenced in March 2024 for stealing nearly $10 billion
from his customers to finance political contributions,
venture capital investments and other extravagances.
(See “Sam Bankman-Fried found guilty on all seven
criminal fraud counts,” by MacKenzie Sigalos, CNBC,
Nov. 3, 2023, tinyurl.com/kmjvympn and “Dramatic
fall for Sam Bankman-Fried and ‘unkempt visionary’
persona,” by Victoria Bekiempis, The Guardian, Nov.
4, 2023, tinyurl.com/2ys3zb47.)
The guilty verdict was handed down almost a year
after FTX’s bankruptcy in November 2022. The first hint
that something wasn’t right at the company — that was
once valued at $32 billion — came when the CEO of crypto
exchange Binance signaled that he’d be offloading his FTX founder Sam Bankman-Fried was found
holdings from FTX, citing an article from crypto news guilty of seven counts of fraud in 2023.
(Photo by Michael M. Santiago/Getty Images)

5 M O S T S C A N D A L O U S F R A U D C A S E S of 2 0 2 3
 5 MOST SCANDALOUS FRAUD CASES OF 2023

“made a number of small mistakes, and a num-

02/ FRAUD SPARKS

ber of larger mistakes.” He blamed Ellison, saying
that she failed to properly manage risk. (See “Sam
Bankman-Fried Testifies That He Made ‘Larger
Mistakes’ at FTX,” by David Yaffe-Bellany, Mat-
thew Goldstein and J. Edward Moreno, The New
A PUBLIC HEALTH EMERGENCY
York Times, Oct. 30, 2023, tinyurl.com/2p9d352s.)
The outsized promises of huge returns that
During an interview with NPR, Wendell Smith recounted the time
lulled many to invest their money in FTX belied
he was approached by people offering to fly him to a sober-living home in
the risk-taking and hubris that went on behind
Phoenix, Arizona. Smith, who was struggling with addiction, was living
the scenes. In the public eye, Bankman-Fried was
on the White Mountain Apache Reservation in New Mexico.
a larger-than-life character who sported messy
“I wanted to get sober, and I wanted to get back on my feet again,”
hair and rumpled clothes. He played the League of
Smith told NPR. He was promised help finding a job, but when he arrived
Legends video game during meetings and courted
at the facility, help was nowhere to be found. Instead of treatment, he
celebrities to endorse FTX. The company even pur-
says he witnessed residents at the facility drinking alcohol. (See “Fake
chased the rights to name the Miami Heat Arena
‘sober homes’ targeting Native Americans scam millions from taxpay-
the FTX Arena. Bankman-Fried, who made grand
ers,” by Alice Fordham, NPR, Aug. 31, 2023, tinyurl.com/y6nmyd7e.)
pronouncements about making the world a better
Smith was just one of many Native Americans ensnared in a massive
place, donated millions to political campaigns as
health care fraud scheme in which operators of fraudulent sober-living
part of his philosophy of effective altruism. (See
facilities exploited a loophole in an Arizona Medicaid program called
“Sam Bankman-Fried convicted of multibillion
the American Indian Health Program that allowed them to bill the state
dollar FTX fraud,” by Luc Cohen and Jody Go-
for services they never provided. Former patients of these programs,
doy, Reuters, Nov. 3, 2023, tinyurl.com/4tekw9s6
who were often recruited from reservations across the western U.S. with
and “Silicon Valley May Never Learn Its Les-
promises of jobs, shelter and help getting sober, reported being locked
son,” by Lora Kelley, The Atlantic, Nov. 2, 2023,
in rooms or barred from contacting family and friends while at the
tinyurl.com/25f95eva.)
facilities. When the Arizona state government got wind of the scheme
But the FTX story is also about something a
and cut off funding to these facilities, patients were released onto the
bit more straightforward — a lack of compliance.
streets of Phoenix. Several tribes declared a public health emergency;
Indeed, FTX didn’t employ a chief financial officer
the Navajo Nation estimated that 5,000 to 8,000 tribal members in need
or have a human resources or compliance depart-
of medical services were displaced by the facility closures. (See “Navajo
ment or board of directors. As U.S. Securities and
Nation declares widespread Medicaid scam in Arizona a public health
Exchange Commission (SEC) Chair Gary Gensler
state of emergency,” by Anita Snow, Associated Press, ABC News, June
stated when the regulator charged Bankman-Fried
21, 2023, tinyurl.com/yc6u57an.)
in 2022, “It is a clarion call to crypto platforms
Stories of people recruited from reservations into sketchy treatment
that they need to come into compliance with our
facilities had been circulating for about a year as Native American leaders
laws.” (See “Sam Bankman-Fried Was a Grown
began sounding alarms and law enforcement agencies, including the
Up Criminal, Not an Impulsive Man-Child,” by
FBI, began investigating. In May 2023, Arizona Governor Katie Hobbs
Ginia Bellafante, The New York Times, Nov. 3,
announced that the state had suspended 100 residential and outpatient
2023, tinyurl.com/2z86twuf and “SEC Charges
treatment facilities providers that had allegedly defrauded the state’s
Samuel Bankman-Fried with Defrauding In-
Medicaid program out of hundreds of millions of dollars. Arizona At-
vestors in Crypto Asset Trading Platform FTX,”
torney General Kris Mayes told The Wall Street Journal it was one of the
tinyurl.com/2bxvze4f.) /01
biggest government scandals in Arizona state history. (See “Fake ‘sober
homes’ targeting Native Americans scam millions from taxpayers,”
“IT IS A CLARION CALL TO CRYPTO tinyurl.com/y6nmyd7e and “Fraudulent Sober Homes Exploited Native
PLATFORMS THAT THEY NEED Americans, Say Authorities,” by Dan Frosch, The Wall Street Journal,
Sept. 11, 2023, tinyurl.com/tv98ar6n.)
TO COME INTO COMPLIANCE Arizona’s American Indian Health Program directly reimburses
WITH OUR LAWS.” clinics for whatever services they claim to provide unlike other Medicaid

54 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

programs where recipients receive services through managed- So far, 45 people have been indicted in connection to the fraud. In
care plans. People eligible for the program only need to attest to one case, a provider billed Arizona for alcohol-rehab treatment
being a tribal member and they don’t need to be from Arizona to for a 4-year-old. In another case, a woman who operated a fake
qualify. According to The Wall Street Journal, the reimbursement recovery program in Mesa, Arizona, pleaded guilty to defraud-
rate for substance treatments under this plan was 59% of what ing the state of more than $22 million. (See “Fake Arizona rehab
other providers billed, and there were no restrictions on what they centers scam Native Americans far from home, officials warn,”
could charge. Scammers subsequently set up fake sober houses tinyurl.com/yv3e86zv and “Fraudulent Sober Homes Exploited
throughout Phoenix and set their sights on Native Americans, Native Americans, Say Authorities,” tinyurl.com/tv98ar6n.)
a population with a high rate of addiction. Authorities think a Since the discovery of the scam, Arizona has instituted tight-
Nevada-based criminal syndicate started the first sober-living er controls on the health care program, such as a moratorium on
scams. (See “Fraudulent Sober Homes Exploited Native Ameri- enrolling new behavioral health clinics for billing. The state now
cans, Say Authorities,” tinyurl.com/tv98ar6n.) also requires site visits and background checks for providers, and
According to The Wall Street Journal, the state first noticed there’s a cap on reimbursements for outpatient rehab services.
something was improper when totals for substance-abuse treat- (See tinyurl.com/tv98ar6n.) /02
ments jumped from $53 million in 2019 to $668 million in 2022.

03/ HUMAN TRAFFICKING

FOR FRAUD
When COVID-19 hit in 2020, public health measures and
travel restrictions largely shut down the casinos and hotels that
had proliferated throughout Southeast Asia in the years before the
pandemic. Organized crime syndicates seized on the opportunity
to turn all those empty casinos, hotels and other facilities into
online fraud operations staffed with people smuggled into the
region and forced to commit cyberfraud. According to a United
Nations report released in August, hundreds of thousands of
people have been trafficked to Southeast Asian countries such
as Myanmar, Cambodia and Laos, and held captive to engage in
various cyberfrauds, such as romance and investment scams and
cryptocurrency schemes. The U.N. estimates that there are about
120,000 people in Myanmar, 100,000 in Cambodia, and tens of
thousands in Lao PDR, the Philippines and Thailand being held
in such conditions. When Philippine authorities raided several People who’ve been trafficked for cyberfraud scams say they
operators between May and August, they found over 4,400 people were lured with online job ads that promised high salaries and
who’d been forced to engage in online fraud schemes. And, accord- nice perks, but once they’d make it to their “new job,” they were
ing to the U.N., these cyberfraud centers are generating billions forced to commit fraud. Many are held captive with threats of
of dollars in revenue. (See “Hundreds of thousands trafficked to violence, and those who don’t perform well are often sold to other
work as online scammers in SE Asia, says UN report,” United Na- scam centers. Scam center operators beat those they catch who
tions Office of the High Commissioner for Human Rights, press tried to escape. (See tinyurl.com/y8yvrps4.) According to the
release, Aug. 29, 2023, tinyurl.com/anyvam59 and “They’re Forced U.N. report, most of the people trafficked for these scam centers
to Run Online Scams. Their Captors Are Untouchable.” by Sui-Lee are often well-educated, tech-savvy men. Some even have gradu-
Wee, The New York Times, Aug. 28, 2023, tinyurl.com/y8yvrps4.) ate degrees and speak multiple languages. And while the scam

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 55

 5 MOST SCANDALOUS FRAUD CASES OF 2023

centers mostly traffick men, women and girls are also victims. centers in Myanmar have enriched the military junta that cur-
They’re often forced to provide sex as rewards to others at the rently controls the country.
scam centers. (See tinyurl.com/anyvam59.) CSIS says that social media and tech companies must step
Experts who work on behalf of victims of human trafficking up to address the problem by validating employers that advertise
say that governments need to address the underlying problems on their sites and to remove fraudulent job advertisements. (See
that create the conditions for these cyber scam centers to flourish. “Cyber Scamming as a New Destination for Human Trafficking
Pia Oberoi, a U.N. senior adviser on migration and human rights Victims,” by Lauren Burke, Liam Hamama and Marti Flacks, CSIS,
for the Asia-Pacific region, told The Guardian that widespread Aug. 17, 2023, tinyurl.com/35d744v6.)
corruption in the region is largely to blame.
In his address to ACFE’s 2023 Fraud Conference Asia-Pacific,
“It’s so incredibly lucrative that there is very little political
Matt Friedman, a human-trafficking expert and CEO of the Me-
will to address this holistically,” says Oberoi. “We see no signs of
kong Group, said that the private sector has a key role to play in
it really slowing down — other than the actors relocating their
fighting these human rights abuses. Organizations must do their
operations when there’s some law enforcement pressure.” Ac-
due diligence to determine that their supply chains aren’t tied to
cording to Oberoi, law enforcement authorities protect the scam
human trafficking, assess potential suppliers before entering any
centers. (See “Gangs forcing hundreds of thousands of people into
contracts and have policies in place to address vulnerabilities to
cybercrime in south-east Asia, says UN,” by Kaamil Ahmed, The
Guardian, Aug. 30, 2023, tinyurl.com/3ubt7jud.) human trafficking in their supply chains.
Indeed, the Center for Strategic and International Studies But Friedman also told attendees that one of the biggest
(CSIS) says that at the local level, poorly paid law enforcement problems in confronting human trafficking is a lack of fund-
officers, immigration officials and judges are subject to bribes ing. The money available to fight trafficking is just no match for
from the criminal syndicates that run these scam centers. But the excessive profits that these cyber scam centers reap. (See
CSIS also says that high-level government officials benefit from “Modern Slavery’s Threat to the Economy, Society and More,”
the economic growth generated by these scam centers, and thus by Stefanie Hallgren, Fraudconferencenews.com, Sept. 27, 2023,
they see no reason to fight them. Profits from massive cyber scam tinyurl.com/5c3ekvy9.) /03

IMPOSTER SYNDROME
Ozy Media’s descent began in 2021 when The New York Times reported that
the company’s chief operating officer, Samir Rao, impersonated a YouTube
Dishonorable executive during a prospective investor call with Goldman Sachs. The Times

MENTIONS story inspired numerous other reports of malfeasance at the news media
company, including misleading tactics to amplify audience metrics. And then,
just days after Rao pleaded guilty to securities and wire fraud charges in
Here are a few scandalous February, founder and CEO Carlos Watson was arrested. According to court
frauds that weren’t big filings, Watson, a former banker and TV host, told Rao what to say during
enough to make it into that 2021 call with Goldman Sachs. U.S. prosecutors also allege that Watson
the top 5, but still deserve lied to investors about his company’s financial health and falsely claimed that
a little extra shame. celebrities and high-profile companies had invested in Ozy. (See “Goldman
Sachs, Ozy Media and a $40 Million Conference Call Gone Wrong,” by Ben
Smith, New York Times, Sept. 26, 2021, tinyurl.com/bddx7bm9; “Ozy Media
founder Carlos Watson arrested for fraud scheme,” by Madeline Halpert,
BBC, Feb. 23, 2023, tinyurl.com/yc4c94jm; and “Ozy CEO arrested after
former exec pleads guilty to fraud,” by Sara Fischer, Axios Media, Feb. 23,
2023, tinyurl.com/c2e4jmz7.)

56 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

CONGRESS DOWN ON THE CONSENT FARM
Fraud bridged partisan divides in 2023 when Democratic In 2023, the U.S. Federal Trade Commission (FTC) took aim at
Senator Robert Menendez (N.J.) and Republican Congress- illegal telemarketing with its Operation Stop Scam Calls initia-
man George Santos (N.Y.) were both indicted for various tive, focusing its sights on “lead-generation consent farms”
charges. In May, Santos was arrested on 13 charges of that use deceptive tactics to get consumers to give up their
wire fraud, money laundering, making false statements to telephone numbers for robocallers. Perhaps the most notori-
Congress and theft of public funds. Santos, who’d previously ous of these farms was Fluent LLC, an outfit the FTC sued in
been called out for embellishing his résumé and personal life July for allegedly tricking people into providing personally
like a real-life Talented Mr. Ripley, was subsequently indicted identifiable information and consent to receive telemarket-
on 10 new charges in October, including wire fraud, identity ing calls. As far back as 2011, Fluent used deceptive ads and
theft, false statements to the Federal Elections Commission websites to falsely promise free rewards to brands such as
and falsifying records. In November, the U.S. House Ethics Amazon and Walmart and interviews for jobs that didn’t ex-
Committee said it found substantial evidence that Santos
ist, all with the intent of selling those leads to telemarketers.
committed federal crimes, and Santos announced that he
Telemarketers then flooded people with robocalls, texts and
wouldn’t seek reelection in 2024. (See “George Santos
emails about auto warranties, debt-relief-reduction services,
charged with fraud, money laundering and more crimes in
pain creams and for-profit schools. According to the FTC, Flu-
New York court,” by Melissa Quinn, CBS News, May 10,
ent collected and sold more than 620 million leads, generated
2023, tinyurl.com/yynkc7d2; “Santos Faces New Charges
$93.4 million revenue from its alleged scheme, and possibly
Accusing Him of Lies and Credit Card Fraud,” by Michael
deceived tens of millions of people. (See “FTC, Law Enforcers
Gold and Grace Ashford, The New York Times, Oct. 10,
Nationwide Announce Enforcement Sweep to Stem the Tide
2023, tinyurl.com/ypudemhz; and “Santos Won’t Seek Re-
of Illegal Telemarketing Calls to U.S. Consumers,” FTC, July
election After House Panel Finds Evidence of Crimes,” by
18, 2023, tinyurl.com/5yu53pas and “US sues ‘consent farm’
Grace Ashford, The New York Times, Nov. 16, 2023,
tinyurl.com/eyusd4uv.) operator for ‘massive’ telemarketing deception,” by Jonathan
In September, the U.S. Department of Justice charged Stempel, Reuters, July 17, 2023, tinyurl.com/37djrv28.)
Menendez, head of the U.S. Senate Foreign Relations Com-
mittee, with bribery, honest services fraud and extortion. And, HIGHEST DISHONORS
just as his colleagues started calling for his resignation, a In January, Charles McGonigal earned a distinction few FBI
federal grand jury in New York indicted Menendez for being a officials have ever achieved: one of the highest-ranking
foreign agent of Egypt. According to the indictment, Menen- bureau officials to be accused of corruption. McGonigal, the
dez provided sensitive government information and took former director of counterintelligence for New York’s FBI field
other steps to aid the Egyptian government. (See “Sen. Bob
office, was indicted on charges related to taking $225,000
Menendez and his wife, Nadine, indicted on bribery charges,”
in secret cash payments from a former Albanian intelligence
by Rebecca Shabad, Jonathan Dienst, Tom Winter and Dareh
officer for arranging business deals and agreeing to help
Gregorian, NBC News, Sept. 22, 2023, tinyurl.com/yrzew6fr
infamous Russian oligarch Oleg Deripaska get off the U.S.
and “Sen. Bob Menendez faces new charges accusing him of
sanctions list. He was also charged with money laundering.
working for foreign government,” by Jonathan Dienst, Tom
In September, McGonigal pleaded guilty to concealing the
Winter and Summer Concepcion, NBC News, Oct. 12, 2023,
cash payments while he was an FBI agent, and prosecutors
tinyurl.com/3jh47acx.)
agreed to drop the other charges against him. He faces up to
five years in prison. (See “Former Senior F.B.I. Official in New
THE U.S. HOUSE ETHICS COMMITTEE SAID York Charged With Aiding Oligarch,” by Benjamin Weiser

IT FOUND SUBSTANTIAL EVIDENCE THAT and William K. Rashbaum, The New York Times, Jan. 23,
2023, tinyurl.com/mvu2s4pb and “Charles McGonigal, ex-FBI
SANTOS COMMITTED FEDERAL CRIMES. official, pleads guilty to concealing $225,000 in payments,”
by Robert Legare, Caitlin Yilek, CBS News, Sept. 22, 2023,
tinyurl.com/2p85353a.)

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 57

 5 MOST SCANDALOUS FRAUD CASES OF 2023

04/ VISH ATTACK

According to Vox, vishing as a social-engi-
neering method for hackers doesn’t get enough
attention, but it’s a much easier tactic than phish-
ing, which requires a lot more technical know-how
In September, an alleged collective of Gen-Z hackers caused major such as setting up emails or text messages that look
upheaval for two of the biggest casino chains in the world with a social- convincing enough to gather the information they
engineering tactic called vishing. First, Caesars Entertainment, which runs want. All a hacker needs to pull off a successful vish-
more than 50 resorts, filed a breach report with the SEC on Sept. 14, saying it ing attack is studying publicly available informa-
was hacked on Sept. 7. According to Caesars’ filing, hackers infiltrated its loy- tion about a company’s structure and leadership,
alty program database, which includes customers’ driver’s licenses and Social whether that information comes from employee
Security numbers. In its SEC filing, Caesars reported that it quickly activated posts on social media or an organization’s website.
its incident response plan to contain the attack. (See “MGM reeling from cyber Organizations, especially ones that store massive
‘chaos’ 5 days after attack as Caesars Entertainment says it was hacked too,” by amounts of consumer data and bring in millions
Bill Hutchinson, ABC News, Sept. 14, 2023, tinyurl.com/5n7djkrz and “Titans of dollars a day the way casinos do, can’t afford to
in crisis: unraveling the MGM and Caesars ransomware timeline,” by Stefanie overlook vishing in their cybersecurity training
Schappert, Cybernews, Nov. 15, 2023, tinyurl.com/ytbrm9ma.) for employees.
As Caesars reportedly worked to pay the hackers millions in ransom “It makes the job of an attacker so much easier.
money, MGM Resorts, which owns 31 casinos around the world, was hit with Things like LinkedIn and different types of people
a hack that caused its operations to come to a halt. Beginning on Sept. 11, and search engines, that is the first step into making a
over the course of 10 days, MGM slot machines and ATMs were shut down, successful vish,” IBM’s hacking expert, Stephanie
elevators were out of order, and guests had to wait hours to check into rooms.
Carruthers, told Vox. (See tinyurl.com/3jez3rpw.)
Even if they could check in, they were unable to get into their rooms because
/04
key cards were inoperable. MGM Resorts acknowledged the attack and said it
shut down systems to protect its system and data. MGM later announced in
October that hackers accessed guests’ personal information, driver’s licenses,
passports and Social Security numbers. In all, the attack cost MGM about $100
million. (See “The chaotic and cinematic MGM casino hack, explained,” by
Sara Morrison, Vox, Oct. 6, 2023, tinyurl.com/3jez3rpw.)
Two ransomware gangs took credit for the attacks on MGM and Caesars.
The first group, Russian-linked ALPHV/BlackCat (ALPHV) is a ransomware-as-
service operator that takes a cut of ransom payouts for infiltrating networks
to find and extract data. The second group claiming responsibility is a gang
mostly made up of people ages 17 to 21 called Scattered Spider. A representa-
tive of Scattered Spider told the Financial Times that it stole and encrypted
MGM’s data and was demanding payment in crypto to release it. The repre-
sentative also claimed that the data hack was a backup plan. Scattered Spider
said it initially planned to hack MGM’s slot machines but couldn’t. (See “The
chaotic and cinematic MGM casino hack, explained,” tinyurl.com/3jez3rpw.)
Both attacks on MGM and Caesars were carried out by a social-engi-
neering tactic called vishing, a portmanteau of “voice” and “phishing.” In
the MGM case, hackers found an employee’s information on LinkedIn and
impersonated them to call MGM’s IT help desk to obtain the credentials
they needed to access its systems. According to Caesars, hackers targeted an
“outsourced IT support vendor” in its social-engineering exploit to obtain
sensitive data about the members of its customer loyalty program. (See “The
chaotic and cinematic MGM casino hack, explained,” tinyurl.com/3jez3rpw
and “‘Power, influence, notoriety’: The Gen-Z hackers who struck MGM,
Caesars,” by Zeba Siddiqui and Raphael Satter, Reuters, Sept. 22, 2023,
tinyurl.com/55xy9w42.)

58 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 case.) About $452 million of GTV common stock was

05/ FROM RICHES sold to 5,500 investors; Guo told them that the company
was worth $2 billion. The reality was that GTV had no

TO FRAUD revenue, and U.S. prosecutors say that Guo funneled

his investors’ funds into a risky hedge fund, expensive
properties, a yacht, sports cars, $1 million worth of rugs
and a $140,000 piano. The U.S. government has since
Exiled Chinese billionaire Guo Wengui made a name for himself seized $634 million in alleged fraud proceeds from 21
as an outspoken critic of Communist China after coming to the U.S.
bank accounts and other assets such as a Lamborghini
in 2015. He assembled an impressive following of thousands on social
Aventador. Guo declared bankruptcy in 2022, claiming
media, many of whom were fellow Chinese dissidents. But U.S. au-
less than $100,000 to his name. (See tinyurl.com/mrxhbyca
thorities say that Guo used this massive online following as a source
of funding for a lavish lifestyle, selling a scam that allegedly bilked and tinyurl.com/23avxh52.)
more than 5,000 people in the U.S. and abroad out of $1 billion. In The U.S. government also accused Guo of another
March 2023, he was arrested at his multimillion-dollar Manhattan scheme in the indictment in which he allegedly got peo-
penthouse apartment on multiple charges of wire fraud, money ple to invest more than $250 million in G|Clubs, which
laundering, securities fraud and bank fraud. (See “Exiled Chinese claimed on its website to be “an exclusive, high-end mem-
Billionaire Charged in New York With Financial Conspiracy,” by Ben- bership program offering a full spectrum of services.”
jamin Weiser and Michael Forsythe, The New York Times, March 15,
According to the indictment, G|Clubs didn’t deliver on
2023, tinyurl.com/mrxhbyca and “Guo Wengui, Chinese billionaire
its promise of services and experiences to its members.
and Steve Bannon associate, to go to trial in 2024 in fraud conspiracy,”
(See tinyurl.com/mrxhbyca.)
by Chloe Atkins, NBC News, June 7, 2023, tinyurl.com/23avxh52.)
In 2014, Guo, a real-estate tycoon, fled China after officials there One of Guo’s investors told the BBC that she was
accused him of bribery and fraud. He first went to London, where he drawn to his opposition to the Chinese government. She
donated money to a foundation run by former British Prime Minister said that she invested $6,000 and that one of her friends
Tony Blair, who subsequently wrote Guo a recommendation letter invested more than $100,000. “I watched his livestreams
for the New York penthouse from which he was later arrested. Once every day,” said the investor. “The videos are very sen-
in the U.S., Guo formed alliances with the politically powerful — in sational … and we trust[ed] him completely.” (See “Guo
2017, he found his way into the orbit of then-President Donald Trump.
Wengui: How a Chinese tycoon built a pro-Trump money
He joined Trump’s Florida club Mar-a-Lago and soon befriended
machine,” tinyurl.com/yhbfr9ae.)
Steven K. Bannon, onetime advisor to the president. Bannon and
Guo pleaded not guilty to 11 counts of fraud and has
Guo bonded over their mutual dislike of the Communist govern-
ment in China and appeared on each other’s podcasts and online remained in jail since he was arrested. His trial is sched-
videos. It was on Guo’s yacht in 2020 that Bannon would be arrested uled for April 2024. (See tinyurl.com/23avxh52.)
for a fraud scheme. (Bannon was later pardoned by Trump for that Interestingly, the U.S. charges against Guo resemble
scheme.) But before that, Bannon and Guo had teamed up to form the fraud accusations against him in China, according to
a media company called GTV — the subject of Guo’s fraud charges. The New York Times. The SEC’s Director of Enforcement
(See tinyurl.com/mrxhbyca and “Guo Wengui: How a Chinese tycoon Gurbir S. Grewal called Guo a “serial fraudster” who “took
built a pro-Trump money machine,” by Mike Wendling and Grace advantage of the hype and allure surrounding crypto and
Tsoi, BBC, March 24, 2023, tinyurl.com/yhbfr9ae.)
other investments to victimize thousands and fund his
According to the federal indictment, beginning in 2018, Guo and
and his family’s lavish lifestyle.” (See “Exiled Chinese Bil-
his business partner, Kin Ming Je, used GTV as a fictitious invest-
lionaire Charged in New York With Financial Conspiracy,”
ment opportunity to solicit and misappropriate money from Guo’s
social media network. They allegedly promoted GTV as the “first tinyurl.com/mrxhbyca.) /05
ever platform, which will combine the power of citizen journalism
and social news with state-of-the-art technology, big data, artificial
intelligence, blockchain technology and real-time interactive com- Jennifer Liebman, CFE, is assistant editor of Fraud
munication.” (U.S. authorities haven’t implicated Bannon in this Magazine. Contact her at [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 59

 DIVERSITY & INCLUSION A professional forum for all views

CASE STUDIES IN CULTURE

Conducting international investigations abroad requires adaptability and a
willingness to learn new customs. The author, who’s conducted many overseas
investigations throughout her career, details her experiences to demonstrate why
understanding people and their cultures can vastly improve your investigations
abroad.

W
hile investigating South few. (See “Global fraud is the same - legal
COLUMNIST
American drug traffick- systems aren’t,” by Dr. Joseph T. Wells,
ers, I had to track their
LOURDES C.
CFE, CPA, Fraud Magazine, July/August
MIRANDA, CFE
movements as they traveled with their CHIEF CONSULTANT, 2019, tinyurl.com/mrypfupj.) Savvy
families between South America and THE FINTECH ADVISORY fraud examiners should also know to
the U.S., but the only information I had GROUP, A DIVISION OF
conduct reconnaissance of the region so
RALYTICS, LLC.
were the men’s surnames. While this that they can successfully navigate the
information might seem vital to tracing terrain. Before you head out, read up on
Public Library, Nov. 17, 2020, tinyurl.
someone’s flights between continents, threats to the location, whether it’s ter-
com/42a7dpzp; “Lourdes C. Miranda,
having grown up in a Puerto Rican rorist organizations or human traffick-
CFE,” by Jennifer Liebman, CFE, Fraud
family and in a neighborhood of South ing or weather, and spend time studying
Magazine, November/December 2023,
American families, I knew that it’s not the local culture and customs to better
tinyurl.com/383vn9z3; and “12 Red Flags
uncommon for South Americans to use interact with people.
for ‘Funnel Accounts’ Used to Launder
both maternal and paternal surnames, No matter where you go, you’ll
Money,” by Denise Hutchings, Verafin,
and it was possible they were using their need to get around once you get there.
Feb. 25, 2015, tinyurl.com/52k5zpf3.)
wives’, mothers’ or maternal grand- I’ve been conducting international Whether you’re meeting with subjects
mothers’ last names to travel. At first, financial fraud investigations for more or witnesses for interviews or collecting
my team was skeptical that searching than 25 years, including when I was a documents for an investigation, you’ll
for the women’s names would help, but CIA officer and FBI analyst, and while need transportation, and you’ll need to
knowing this information soon paid off. the latest technologies and investigative confidently get to your destination like
The men and their spouses were indeed methods are important to my cases, I’ve a local. But not all locations are created
traveling under the women’s surnames found that my knowledge of the human equal when it comes to extensive public
since it was culturally and legally accept- side of the equation — the cultural cus- transportation systems, especially if
able for them to do so. Not only were we toms and the language — was essential you’re in a rural area. Find out what
able to track their travels to and from the to closing a case. modes of transportation the locals use,
U.S., but we were also able to find their and plan to use those. Of course, this
“funnel accounts” — bank accounts that Be prepared for anything might mean that you’ll need to learn a
receive deposits in multiple locations so Fraud examiners know that before they new skill.
that money launderers can circumvent travel to a different jurisdiction, they When I was in the CIA leading a
reporting requirements for transac- need to consider whether they’re going team in South America and in Europe,
tions — because they’d used maternal to be working within a civil or com- I first had to take a defensive-driving
surnames to open them. (See “Dos mon law system, what rules of evidence training course so that I could learn how
Apellidos: When Families Have Two they’ll need to follow, and the digital to evade people who might be follow-
Surnames,” by Nicolás Cabrera, Denver privacy laws of the land, just to name a ing us and keep up with the suspects

60 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

we were following. I also had to learn people put on shorts, dresses and t-shirts and I always listened to old and current
to drive a manual vehicle and a motor- to keep cool. But in hot climates around Spanish music when I was growing up.
cycle. Manual vehicles are common in the world, it’s typical for people to cover Learning the local dances and music is
South America and in Europe, and as up with long sleeves and long pants, a great way to improve your language
an American (and CIA officer), the last and you don’t want to look like a tourist. skills. Before you travel to your inves-
thing I wanted to do was call attention to To prepare for fraud investigations in tigation destination, spend some time
myself by driving a vehicle with auto- these regions, my team and I trained to watching movies and news from the
matic transmission. Being able to drive acclimate to hot weather. When we set location; it’s a great way to get a better
a motorcycle was also crucial for me and up shop in the region, we bought clothes understanding of where you’re going to
my team as we often had to navigate in the local stores and styled our hair to be.
narrow streets, blend in with crowds and match the locals. We got suntans, and Lastly, as a fraud examiner who’s
move fast while escaping detection. we didn’t wear our usual colognes or interviewed many people from various
Technology isn’t always reliable, perfumes. We didn’t wear anything that cultures, I’ve learned to be mindful of
and you might not have access to a would indicate that we were outsiders. gender. In some cases, male subjects
smartphone. In those cases, you might We wore the same types of watches, weren’t comfortable speaking to me, and
need to rely on maps to get around. hats, eyeglasses (no contact lenses), it was important to have a male col-
Luckily for me, I learned how to read shoes and jewelry as the locals. We had league handle those interviews.
maps for my job as a truck dispatcher to get used to drinking local tap water
when I was in college, and this skill because only tourists drank bottled Learn the language
proved advantageous for me in field water. When you’re conducting a fraud exami-
training. The trick to reading a map? nation in another country, you’re going
Read the numbers, not the names of to need to communicate with others. If
the roads, and analyze the miles from you aren’t familiar with the local dialect,
point A to point B, etc. Even in countries it’s a good idea to hire a linguist who
where I didn’t know the language and can help you interview local subjects.
couldn’t read the street names, I could Furthermore, having some knowledge
read the numbers on the map. of forensic linguistics can be extremely
Obtaining information such as helpful in building cases, developing
dates and places of birth is crucial when leads and closing gaps in intelligence.
conducting international fraud inves- Forensic linguists use language that’s
tigations, especially if you get access to spoken and written to find viable evi-
bank accounts, financial documents, dence for legal cases. Knowing dialect,
passports, and visas and need to confirm including someone’s accent or vocabu-
identifying information. However, not lary specific to their region, or slang, can
everyone has a form of identification, provide insights into where a person
and you might need to seek alternative is from or where they might live. (See
routes for that information. When col- “Forensic Linguistics,” Vaia,
lecting documents, you might consider tinyurl.com/ycyz3kh3.)
visiting local religious institutions to For example, knowing that different
obtain information about your subject’s Spanish-speaking people use different
birth or go to local government offices to Learning some of the local en- slang terms for currency helped me
corroborate dates of birth. tertainment customs can be a plus. successfully investigate South American
For example, if you’re going to a Latin drug traffickers and money launderers.
Act like you belong American country, learning to salsa or When I was reviewing surveillance tapes
If you want to blend in wherever you are, merengue is a good way to fit in and and videos, I was able to assess where
you must dress the part. For example, interact with others. Luckily, my Puerto the drug traffickers were from. The drug
in the U.S., when the temperatures soar, Rican family taught me how to dance, traffickers I investigated used the term

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 61

 DIVERSITY & INCLUSION A professional forum for all views

“chavos,” which is Puerto Rican slang It assured them that they were respected and field officers collect weak intel-
for money. In other Spanish-speaking and that I could relate to them. We were ligence because they didn’t have the
countries people might say plata, dinero, always able to gather more intelligence cultural knowledge they needed. When
chirola, billete, luca, quivo or barras and evidence when we could speak you’re working in countries and with
when referring to currency. to someone using their language. I people with vastly different cultures
Identifying different dialects is also strongly recommend that fraud inves- from yours, you can’t rely on the ways
crucial when interviewing. In one case tigators take language classes taught you’re used to doing things. You must
while I was in the CIA, an Argentinian by native speakers. Even if you never adapt to your surroundings and learn
man I interviewed knew right away become fluent in a language, having the ways of your host country — even
that I was Puerto Rican based on my some understanding of what’s being better, learn about a place before you
dialect. He also knew I was raised in said while you sit in on a meeting, or go there. Taking the time to understand
the U.S. because of my accent. I learned an interview, enables you to ask ques-
other people and their ways of doing
an important lesson about mastering tions that can help build a strong case
things enables you to relate to them and
the dialect. During an investigation in or gather valuable intelligence that can
can even protect you when working on a
Spain, I brought a translator with me to help you develop leads.
sensitive case. ■ FM
help navigate the differences between In my experience, investigations
the Spanish and Castilian languages, can collapse when people don’t learn
because they’re quite different. In my about or understand the customs and Lourdes C. Miranda, CFE, is chief con-
experience, interviewees were much the people involved in their cases. I’ve sultant for the FinTech Advisory Group,
more relaxed with me when I could seen fraud investigators miss opportuni- a division of RaLytics, LLC. Contact her
communicate with them in their dialect. ties to build strong cases, and analysts at [email protected].

REGISTER EARLY AND SAVE

MARCH 13-15, 2024 | LONDON AND VIRTUAL

Attend
in person
or watch
online.

Visit FraudConference.com/Europe to learn more.

ACFE NEWS
IN MEMORIAM

JACK SANDLIN, CFE

Jack Sandlin, Indiana state senator and 1997 to 2006. In 2010, he served on the
founder of the ACFE Central Indiana Indianapolis City-County Council until
Chapter, passed away on Sept. 20, 2023. 2016, when he was elected a state sena-
He’s remembered by loved ones for his tor representing District 36 in Marion
integrity and commitment to public County and northern Johnson County.
service. Elected to serve two terms, the Republi-
Sandlin was born in Indianapolis can senator advocated for veterans, law
in November 1950 to Lewis and Betty enforcement officials and mental illness
Sandlin. After graduating from high issues, and received strong bipartisan
school, he joined the Indianapolis Police support.
Department (IPD). He then served in Sandlin was a founding member of
the U.S. Army before returning to the the ACFE Central Indiana Chapter and
IPD as an officer in 1973 and enlisting later served as president. As a Certified
in the Indiana National Guard. Sandlin Fraud Examiner (CFE), he specialized in
eventually rose to the rank of deputy insurance, arson and white-collar crime.
chief of investigations and investigator
He started a private investigator busi-
for the Marion County Grand Jury. He
ness in 1995 that provided fraud exami-
also served the Southport Police Depart- “I took Jack’s advice and subse-
nations and security consulting. Sandlin
ment until 2009. During his years-long quently worked for him as an investiga-
received the Distinguished Hoosier
career in law enforcement, Sandlin was tor in his licensed private investigation
Award in 1993 and the Certified Fraud
a sniper with the SWAT Team, served as
Examiners Distinguished Achievement firm, J.S. Consulting,” says Wright.
an undercover investigator and worked
Award in 1998, as well as the Founders Two years later, Sandlin asked
with the U.S. Marshals Service.
Award from the Central Indiana Chapter Wright to replace him as ACFE Cen-
A dedicated public servant, Sandlin
of the ACFE. tral Indiana Chapter president, where
was the Perry Township Trustee from
“I knew and worked with Jack Sand- Wright served for a decade until retiring
lin for about 25 years,” says Greg Wright, last year.
CFE, a national speaker and four times
Outside of work, Sandlin devoted
reelected president of the ACFE Central
many hours to volunteering for profes-
Indiana Chapter. “He was exemplary,
sional, civic and Christian organizations.
active in church, and loyal to his family
He was an active member at Southport
and friends.”
Wright worked as Sandlin’s busi- Presbyterian Church and later at Ha-
ness insurance agent for many years. nover Baptist Church and devoted to his
It was Sandlin who encouraged him to family. Sandlin is survived by his wife,
study and take the exam to become a Lydia, daughter, Carrie, and grandchil-
CFE. dren, AJ, Dean and Elise.

“HE WAS EXEMPLARY, ACTIVE IN CHURCH,

AND LOYAL TO HIS FAMILY AND FRIENDS.”
- GREG WRIGHT, CFE

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 63

 INNOVATION UPDATE Practical anti-fraud ingenuity

BREAKING DOWN DATA SILOS

The better the data, the better the insight. The better the insight, the better the
results. In this issue, we explore how CFEs can help their organizations break down
data silos to improve business transparency.

A fter 9/11, the U.S. federal govern-

ment created the Department
of Homeland Security (DHS) to
combine all or part of 22 different federal
departments and agencies into a uni-
COLUMNIST
VINCENT M.
WALDEN, CFE, CPA
CEO, KONA AI
inefficient and time-consuming analysis.
Even worse, data silos can lead to inac-
curate decisions when a holistic view of
relevant information is lacking, or impor-
tant facts are missing.
fied, more effective and integrated body,
In fraud examinations, data silos
creating a strengthened U.S. security
present an even more heightened risk
enterprise with a mission, stated in part, Criminal Division, updated March 2023,
as investigators gather critical facts and
“to ensure a safe, secure, and prosper- tinyurl.com/5n7an3xb.) make inferences based on the avail-
ous Homeland.” (See dhs.gov.) The DHS
So, knowing what we do about the able information. If that information is
founders recognized that gaining access
need for data sharing and access to mul- limited in any way, it can have seriously
to multiple data sources provides better,
tiple data sources, why do we still often harmful consequences, and result in
more insightful information for more
see organizations miss critical fraud risks what I call the four negative “I’s” of data
effective decision-making. Likewise, in
when the information to prevent and silos. (See Figure 1 on page 65.)
cybersecurity, organizations and gov-
ernment agencies often collaborate in detect it was available? More often than Let’s reflect on the sources of in-
data-sharing consortiums to share intel- not, it’s because different systems within formation available to a CFE during an
ligence with many different stakeholders an organization weren’t talking to each investigation — or even when they’re
and generate the right level of situational other. It’s time to break down these data conducting a proactive fraud risk assess-
awareness for organizations to defend silos once and for all. ment and/or prevention and detection
themselves against cyber threats. activities. Data gathering can generally
Ten years ago, the phrase “big The perils of data silos fall into three categories: (1) interviews,
(2) unstructured data such as email
data” was all the rage with software and The term “data silos” typically refers to communication and user documents,
technology companies. That term is no isolated data repositories or systems and (3) structured data such as account-
longer relevant because today’s organiza- within a company or organization that ing records (payments to vendors, sales
tion commonly deals with large amounts don’t communicate with each other. Data from customers, and employee travel and
of volume, variety and velocity (aka, big silos can arise for various reasons, includ- entertainment, as examples) and other
data, both unstructured and structured). ing differences in technology, segregated transactional tables. Thinking these data
The U.S. Department of Justice (DOJ) 2023 systems, multiple data formats, multiple sources are mutually exclusive is a mis-
compliance guidance document, “Evalua- company departments, business units take and can result in “siloed” thinking.
tion of Corporate Compliance Programs,” and organizational structures. Our educational bias also plays a fac-
asks prosecutors when investigating a Further, different departments, tor in what data sources we lean into — or
company to determine if “compliance and legacy systems, prior acquisitions, a “data at least are most comfortable with. (See
controls personnel have sufficient direct hoarding” culture or lack of data integra- “Avoiding bias in your fraud risk man-
and indirect access to relevant sources tion tools can all lead to data silos. Data agement program,” by Vincent Walden,
of data to allow for timely and effective silos waste time, resources and money, Fraud Magazine, September/October
monitoring and/or test of policies, con- often resulting in inefficient processes — 2019, tinyurl.com/mpn655va.) In a nut-
trols and transactions?” (See “Evaluation including duplication of efforts, manual shell, if your education and background
of Corporate Compliance Programs,” DOJ, data entry (which presents risks), and is in the legal field, your investigative

64 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 together, is where the key insights lie. ownership, policies and standards
THE FOUR NEGATIVE “I’S” (See Figure 2 on page 66.) when sharing data helps eliminate
OF DATA SILOS confusion and reassures IT and legal
Strategies to break down that data will be handled in line with
• Inefficiencies: Efforts could data silos corporate policy.
be duplicated and processes At an organizational level, to break • Cross-functional teams: I often see
repeated among separate teams down data silos, you must also break legal compliance working with inter-
working on their own separate down barriers across the organizational nal audit, and pulling in IT, finance
dataset (sometimes using cop- divisions within the company. One and HR to conduct their proactive
ies of the same data). way to do this is to build a system that fraud prevention and detection activi-
• Isolation: Each team or work- benefits all participants (or multiple key ties or support an investigation when
stream operates independently business functions). Sometimes this needed. As mentioned, showing that
without sharing insights and can be challenging when trying to ap- an investment in data aggregation will
best practices, thus reducing pease all stakeholders — especially the benefit multiple business processes,
collaboration and insights. information technology (IT) team. Their not just yours, will make a key differ-
business area may not see the direct ence with management.
• Inaccuracies: Data in silos
may become outdated, inac- benefits from the task of assembling all • Data warehouse or data lake: As a
curate, inconsistent or prone the data into a single location — in fact, result of that “big data” revolution a
to human input error, when it’s it may put certain access controls and decade or more ago, many companies
not integrated with the latest security policies at risk. However, ironi- have since integrated a data ware-
information (or auto-refreshed) cally, IT is the key player in this equation house, or “data lake,” that centralizes
from other parts of the team or as it’s often the custodian of data, whose the data storage of key information
priority is to keep that data — the life- repositories, including financial ac-
organization.
blood of the organization — secure and counting data, contracts, sales activity,
• Indecision: Inability to access
and even email and user documents,
the total view of relevant in- running correctly. Convincing IT can be
into a single location to provide faster
formation to make the correct difficult and will often require senior
access and data insight. Make sure
decision in a timely manner. leadership support from other depart-
you know about these data ware-
ments, such as finance, marketing, sales,
houses or data lakes in your organiza-
Figure 1 human resources (HR), operations, legal
tion and be a part of the discussions
tendency will be to lean towards emails, and compliance. Having a clear business
when IT is helping design or improve
user documents and language. After all, case, return on investment, risk assess-
on these types of data aggregation
you probably didn’t go into law because ment and specific data requests will
initiatives.
make all the difference in accelerating
you loved math. On the flip side, if you • Web/cloud services: Nowadays, so
the integration efforts. In my experi-
studied accounting or mathematics, many business processes are stored
ence, some strategies for helping make
you’ll tend to lean towards forensic ac- and managed in public and private
the business case for breaking down
counting and structured data, such as cloud services, such as Microsoft
data silos include:
enterprise resource planning/account- Azure Cloud, Amazon AWS, IBM
• Looking at data integration plat- Cloud and Google Cloud, among
ing systems, databases and the like. You
forms: Investing data integration others. When data is centrally and se-
didn’t go into accounting because you
tools and software platforms with curely stored in the cloud, it helps sig-
loved writing or literature. Finally, if open “application programming in- nificantly consolidate data of all types
your education and background was in terfaces” (APIs) that enable the import and various formats, bringing data
criminology and law enforcement, you’ll and extraction of data through the ingestion, processing, transformation
have a tendency towards interviewing. tool is a key step in bringing together and storage together to facilitate data
Again, these are all generalizations, but multiple data sources. analysis.
today’s fraud examiners know that all • Data governance: Working with With any data analytics initiative,
three categories of information, working your organization to establish data you need to start by asking the right

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 65

 INNOVATION UPDATE Practical anti-fraud ingenuity

SOURCES OF RELEVANT INFORMATION FOR INVESTIGATIONS

• ERP/accounting systems • Email communications

• CRM systems • Text and messaging apps
• Transactional databases • User documents (e.g., MS Office)
• Vendor/customer/employee- • PDFs, OCR’d images, text files
master databases • Media/news reports
• Machine logs (semi-structured) • Due diligence data

Figure 2

With any data analytics initiative, to make these assessments through (1) Fraud Tree,” tinyurl.com/4c4vhs7u.)
you need to start by asking the right internal reporting hotlines; (2) decision This doesn’t include external threat ac-
business questions. For fraud examin- advisory hotlines; (3) well-designed tors in the context of cyber threats, but
ers wishing to conduct proactive fraud surveys given months after training to when it comes to the business functions
prevention and detection, the best place assess employees reactions to scenarios of the company, those are the only three
to start is your risk assessment. In an implicating choices between compli- types of entities we’re concerned with.
investigation, the starting points are the ance and profits; (4) exit interviews; As you know, they often work together,
allegations. At this beginning phase, (5) adoption of an analytic detection or require one another — often without
it’s a common trap to get caught up in system that incorporates data from the other party knowing — touching
a single data source where you think internal hotlines, HR complaints about multiple data sources to commit the
the relevant information lies. If you’re unethical behavior (including sexual malfeasance. A rogue employee may
searching for high-risk payments, you harassment), consumer complaints, and overcharge a customer or receive a kick-
might jump to the accounts payable (6) carefully calibrated performance back from a vendor. A rogue, or even
subledger. If you’re responding to an indicators that can raise red flags about fake, vendor may submit multiple bogus
investigation, you might first jump to potential misconduct. Advances in AI- invoices to the company, where they’re
the suspect’s email. As we’ve previously assisted monitoring of performance and approved by an employee. You get the
discussed, let’s not fall into that trap, transaction data may also prove a boon idea. They interact via accounting sys-
and instead ask more holistic questions to identifying ‘red flags’ or anomalies in tems, approval processes and email, to
of the data. If the risk or accusation is data that may be predictive of suspicious name a few. Keeping a 360-degree view
around payments to third-party vendors, conduct. Firms also should audit their of customers, vendors and employees
for example, you’ll want to consider systems for detecting and investigating is paramount to an effective control
multiple data sources including the misconduct to determine whether those environment for fraud prevention and
vendor master data, the accounts pay- systems are working well.” [See “The detection. And breaking down the data
able subledger, invoices, payments and Compliance Function,” by Jennifer Ar- silos to get there is something we should
purchase order data. You’ll even want to len, The Oxford Handbook of Corporate all be working towards. Keep innovat-
consider non-accounting data such as Law and Governance (Jeffrey N. Gordon
ing! ■ FM
the due diligence that was performed (or and Wolf-Georg Ringe, eds., Oxford
not performed) on the third party, and University Press 2d ed., forthcoming) at
what, if any, email communications are tinyurl.com/mwta5v4f.] Vincent M. Walden, CFE, CPA, is the
in line with that vendor. CEO of Kona AI, an AI-driven anti-fraud
Professor Jennifer Arlen, director Vendors, customers and compliance technology company
of corporate compliance and enforce- and employees providing easy-to-use, cost-effective
ment at New York University’s School If you think about the ACFE Fraud Tree third-party payment and transaction
of Law, describes the importance of and the occupational fraud schemes it analytics software around corruption,
analyzing/integrating multiple data addresses, there are only three entities investigations, fraud prevention, internal
sources to effectively assess misconduct that can rip you off in the context of audit and compliance monitoring. He
or unethical behavior, writing: “Compa- those schemes: vendors, customers (or welcomes your feedback and ideas. Con-
nies can obtain the information needed distributors) and employees. (See “The tact Walden at [email protected].

66 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 Expert Insights Self-Study CPE Course
Merchandise

men’s and women’s Embedding Fraud Detection

into Internal Audit
denim shirts new

Show your ACFE pride

i e with
our long-sleeved, denim shirt
with sturdy construction, a Anti-fraud expert Mary Breslin, CFE, CIA, discusses the importance
of incorporating fraud detection into internal auditing procedures.
generous cut and soft
By understanding the basics of fraud, fraud characteristics and red
garment washing with flags, you will learn how to better detect fraud as an internal auditor.
embroidered ACFE seal. Additionally, you will learn how to maximize the value of every audit CPE Credit
3
through employing engagement risk assessments.

FEATURES YOU WILL LEARN HOW TO:

6.5-ounce, 100% cotton • Recognize the importance of creating a valid fraud
Double-needle stitching throughout risk assessment for each engagement and how to
create one.
Traditional, relaxed look
• Identify best practices in internal auditing and fraud Course level
Open collar prevention. Overview

Horn-tone buttons • Recognize how schemes can be detected in accounts

payable, payroll, sales and revenue.
Rounded adjustable cuffs • Recall the significance of the Fraud Tree, Fraud
Triangle and the red flags of fraud.
• Recognize the importance of adding fraud detection
$34.40 - $41.60 Members to the audit process.
prerequisites
None

$43 - $52 Non-Members

Visit ACFE.com/womensdenim or
ACFE.com/mensdenim to learn more.
Visit ACFE.com/EFDIA to learn more.
 I’M A CFE
Rasha Kassem, Ph.D., CFE
Associate Professor, Aston
University, U.K.

As a senior academic and researcher, Rasha Kassem seeks to mitigate fraud risks, improve
methods of fighting fraud, and better understand why fraud criminals do what they do.
She says that investigating fraud isn’t enough to stop it and urges fraud examiners to
innovate and explore new techniques for prevention.

Interview by Jennifer Liebman, CFE

I am fortunate to have lived in U.K. Government Counter Fraud My interest in fraud began with
two countries with great histories: Profession. the collapse of Enron. The scale
England and Egypt. I was born in and impact of that case was
Cairo, Egypt, and lived there for I investigate fraud through my re- shocking and made me question
over 20 years. In 2012, I moved search. I analyze real-world fraud where the auditors and regula-
to the U.K. to study and work, and cases and interview professionals, tors were and what went wrong.
I’ve been there ever since. law enforcement and policymak- Imagining Enron’s impact on its
ers in various sectors to explore employees, who lost their jobs
I am currently an associate profes- the psychology of fraud criminals, and pensions, and investors, who
sor at Aston University. I teach at the methods of fraud perpetration lost their investments and confi-
and how to mitigate fraud risks.
the executive, postgraduate and dence in the capital markets, mo-
undergraduate levels; conduct tivated me to help prevent future
When I find that fraud is prevalent
impactful research; and exchange frauds. Back then, I recognized the
in a specific sector, I conduct pri-
knowledge with policymakers, power of anti-fraud education and
mary research to understand more
law enforcement officials and research in raising awareness of
about it. Specifically, I interview
practitioners. My expertise is in fraud and enhancing the skills of
various professionals, members of
fraud, forensic accounting, gover- law enforcement and policymak- future fraud fighters.
nance and auditing, and I research ers to understand more about the
these areas in the private, public prevalence of the fraud risk, its My experience in fraud research,
and voluntary sectors. I am also impact and perpetration methods, the knowledge I gained through
a consultant on insider fraud for and how it can be mitigated. I my Certified Fraud Examiner
the fraud prevention organization then publish my research in aca- (CFE) credential, and the con-
Cifas, and a member of the ACFE demic and professional journals versations I have regularly with
Advisory Council and the Cross to raise awareness of fraud and various fraud examiners and other
Sector Advisory Group for the inform policy and practice. fraud fighters have enhanced my

68 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

 Fraud examiners must be more proactive in their approach to
fighting fraud, and we need to explore new ways to prevent
it. This requires a thorough understanding of the psychology
of fraudsters and their methods.

critical-thinking, analytical and victims to support them. Exploring Obtaining the CFE credential
research skills. victims’ vulnerability is crucial for has given me other great op-
disrupting fraudsters and pre- portunities, such as joining the
I’ve analyzed various real-world venting future victimization. Also, ACFE Advisory Council. The CFE
fraud cases through my research; fighting fraud is not the job of a credential is well respected and
however, Wirecard is one of the single individual or profession. It recognized among fraud profes-
most shocking cases from my requires collaboration from fraud sionals globally. Being part of the
perspective. The case involved examiners, policymakers, educa- CFE community connects me with
corruption, asset misappropria- tors and practitioners. other passionate CFEs.
tion, financial fraud and money
laundering, just to name a few. It I learned about the ACFE through Succeeding in the fraud-fighting
highlights the consequences of a search for fraud-fighting orga- profession requires the passion
ethical erosion and the failure of nizations on the internet, and the to learn more about the nature of
audits and governance within in- ACFE appeared at the top of my fraud and the determination and
stitutions. It also shows the impact Google search results. Browsing willingness to stop it. Enhance
of weak regulations and account- the ACFE website and learning your knowledge and skills by
ability and investigative journal- about its mission encouraged me reading about recent fraud topics
ism’s significant role in revealing to become a CFE. I am also a big and cases through the ACFE web-
fraud cases. fan of the resources that the ACFE site and attending ACFE confer-
The Wirecard case showed offers such as Fraud Magazine and ences and other anti-fraud events
that fighting fraud requires a ho- Report to the Nations as they raise in your country. Connect with
listic approach, including imple- awareness of fraud in interesting more experienced fraud examin-
menting robust anti-fraud controls and engaging ways. ers to learn from them. The ACFE
and governance systems, uphold- mentoring program is an excellent
ing the integrity and the tone at The CFE study materials and opportunity for doing this. Fight-
the top, reinforcing accountability, exam enhanced my knowledge ing fraud takes time, so do not
strengthening regulations, invest- of fraud, especially insider fraud. give up.
ing in technology and individuals The materials are designed with
capable of detecting and report- care and are interactive. Publish-
I love playing badminton. It re-
ing fraud, and enhancing interna- ing an article in Fraud Magazine
minds me of my childhood when I
tional collaboration. is also an excellent opportunity
used to run, jump, and laugh with
for CFEs to raise awareness and
friends and family. I also love my
Investigating fraud is insufficient enhance their knowledge of cur-
usual shopping trips, listening to
to stop it. Fraud examiners must rent fraud issues, and I am proud
music, eating out and going to the
be more proactive in their ap- of my two articles in the magazine.
theater with friends. We all need
proach to fighting fraud, and we I consider my fraud publications
time to relax, and these are just
need to explore new ways to pre- to be my greatest achievement.
the ones for me. n FM
vent it. This requires a thorough So far, I have published more than
understanding of the psychology 30 fraud-related pieces and hope
of fraudsters and their methods. In to continue publishing more to Jennifer Liebman, CFE, is assistant
the meantime, we need to bet- raise fraud awareness and inform editor of Fraud Magazine. Contact
ter understand fraud’s impact on practice and policy. her at [email protected].

FRAUD-MAGAZINE.COM JANUARY/FEBRUARY 2024 FRAUD MAGAZINE 69

 The Fraud Magazine CPE quizzes are now available
CPE QUIZ online only. Please visit ACFE.com/FMQuiz or view
the CPE Quiz form on the next page for more
No. 172 (JANUARY/FEBRUARY 2024, Vol. 39, No. 1)
information on how to earn your 10 CPE.

1. According to the article, “Fraud for sale,’’ what 6. According to the article, “What’s that smell?” what are
distinguished Hydra from other darknet marketplaces? the Fraud Susceptibility Index variables that help explain
A. Bad customer service. if someone is susceptible to being conned?
B. A disorganized crime unit. A. A person is attracted to an item with high utility value
and low emotional value.
C. Advanced infrastructure and user-friendly experiences.
B. A buyer knows a lot about a product.
D. A solitary fraudster sitting in a basement.
C. Paradox of value, information asymmetry and direct/
2. According to the article, “Fraud for sale,” how do the indirect diffusion.
business-like operations of the dark-web marketplaces D. No one is talking about the product.
parallel legitimate industries?
A. They’ve limited their customer base. 7. According to the article, “Is a third party’s use of encrypted
email services a safeguard or a red flag?” what did the
B. There’s hierarchy, specialization and analysis show about organizations that adopt encrypted
professionalization among fraudsters.
email addresses as their primary communication channel?
C. Their level of marketing is unsophisticated and
disorganized. A. They were mostly long-established organizations.

D. They’ve stopped trying to appear legitimate to B. They had huge organizational structures.
potential customers. C. They mostly had an annual turnover cost placed below
20,000 euros.
3. According to the article, “Corrupt central bank governor
D. They mostly had an annual turnover cost placed above
allegedly helped push Lebanon’s economy off the cliff,” 20,000 euros.
experts have frequently described Lebanon’s financial
system as a type of Ponzi scheme that depended on fresh 8. According to the article, “Is a third party’s use of encrypted
money to pay existing creditors and that hid the true email services a safeguard or a red flag?” analyzing
nature of the risks involved. organizations’ email addresses as TPDD drivers isn’t a
A. True. good digital indicator to identify potential risky third
B. False. parties.
A. True.
4. According to the article, “Corrupt central bank governor
B. False.
allegedly helped push Lebanon’s economy off the
cliff,” what factor(s) allowed Salameh to override BdL’s 9. According to the article, “5 most scandalous fraud cases of
independence as a central banking authority to 2023,” Arizona suspended 100 residential and outpatient
misappropriate public funds? treatment facilities providers that had allegedly defrauded
A. Fragmented regulatory oversight, corruption and the state’s Medicaid program out of hundreds of millions
excessive bureaucracy. of dollars.
B. A political system dominated by one religious faction. A. True.
C. Overly strong state institutions. B. False.
D. Fraud permeating only the private sector.
10.According to the article, “5 most scandalous fraud cases of
5. According to the article, “What’s that smell?” what’s a 2023,” which ransomware gangs took credit for the attacks
telltale signal of a counterfeit fragrance? on MGM and Caesars?
A. How quickly the initial scent dissipates. A. LockBit and REvil.
B. The scent has excessive middle notes. B. Black Basta and Ryuk.
C. The scent’s bottom notes are too dominant. C. Maze and Hive.
D. The scent has a heavy citrus note. D. BlackCat and Scattered Spider.

DO NOT SUBMIT THIS FORM. Log in to your My Learning and Resources page after purchasing the Fraud
Magazine Quiz set to submit your answers or record your answers on the answer sheet and submit online.

70 FRAUD MAGAZINE JANUARY/FEBRUARY 2024 FRAUD-MAGAZINE.COM

CONTINUED FROM PAGE 13

CPE QUIZ
you a quote. If anyone or any site asks for
your financial information, such as your
bank account or credit card number, to get
The Fraud Magazine CPE Quiz has moved to an online
a quote, that’s a scam.
self-study format, making it easier for CFEs to earn 10 ACFE
4. Medical discount plans aren’t medical (non-NASBA) CPE. CFEs can earn 10 CPE by taking quizzes
insurance. (See “Medical Discount Plans online after reading featured articles in Fraud Magazine.
and Scams,” FTC, tinyurl.com/2cywsby7.)
Scammers often pitch medical discount
plans by convincing people they’re the
same as insurance — but they’re not. They
often just take your money for very little in
Visit ACFE.com/FMQuiz
return. and follow the steps below:
If you spot a CHIP scam, report it to
the FTC at ReportFraud.ftc.gov. (Also, see
1. Select the Online Fraud Magazine CPE Quizzes
“Children’s Health Insurance Program: Spot
by year from the dropdown*.
the scam,” by Marissa Hopkins, FTC, Sept. 22,
2023, tinyurl.com/2btdunmc.) 2. Click the “Add to Cart” button and complete the
checkout process.
I’m here to help
Please use information about these scams 3. Read featured articles in Fraud Magazine that
correspond to the year of the quiz set you purchased.
in your outreach programs and among your
family members, friends and co-workers. 4. Access your quiz set by logging into your ACFE.com
As part of my outreach program, please account, clicking on the “My Transactions” tab and
contact me if you have any questions on clicking on the quiz set you purchased.
identity theft or cyber-related issues that you
need help with or if you’d like me to research 5. Pass 5 of 6 quizzes with a score of 70% or higher and
a scam and possibly include details in future receive your CPE certificate instantly via email.
columns or as feature articles.
I don’t have all the answers, but I’ll do
my best to help. I might not get back to you For more information, please review
immediately, but I’ll reply. Stay tuned! n FM the “CPE Info” and “FAQs” tabs
or contact a representative:
Robert E. Holtfreter, Ph.D., CFE, is a
distinguished professor of accounting and [email protected]
research at Central Washington University.
He’s a member of the Accounting Council (800) 245-3321 / +1 (512) 478-9000
for the Gerson Lehrman Group, a research
Secure online chat service*
consulting organization, and a member of
the White Collar Crime Research Consortium
Advisory Council. He’s also the vice president
*
Quizzes will be added to the current year’s set as issues of Fraud Magazine are published.
of the ACFE’s Pacific Northwest Chapter and CPE can only be obtained from the current year’s quizzes after the fifth quiz is made avail-
able in September.
serves on the ACFE Advisory Council and
Please Note: The Fraud Magazine CPE Service CPE credits apply only to the CFE status and
the Editorial Advisory Committee, and he not to any other professional designations. Fraud Magazine CPE is not registered with the
was recently selected to serve on the ACFE’s National Association of State Board of Accountancy (NASBA).
The ACFE collects and stores your personal data in the U.S. to provide member services
inaugural CFE Exam Content Development
and fulfill transactions requested by you. For a full explanation of your rights regarding how
Committee. Holtfreter was the recipient of we store and use your data, visit ACFE.com/privacy-policy.aspx.

the Hubbard Award for the best Fraud Maga-

zine feature article in 2016. Contact him at
[email protected]. Together, Reducing
Fraud Worldwide
CERTIFICATE
PROGRAMS
ACFE certificate programs provide you with essential anti-fraud knowledge.
‚
Whether you have no previous anti-fraud training, you re a seasoned anti-
fraud professional or fall somewhere in between, the ACFE has a certificate
program for you. After completing an ACFE certificate program, you will receive
a digital badge that is a secure means of storing, publishing and promoting
your accomplishment online. While ACFE certificate programs will equip you
with essential anti-fraud knowledge, they are not a replacement for earning the
Certified Fraud Examiner (CFE) credential.
Members ⊲ $496
Non-Members ⊲ $620

FOUNDATIONAL CERTIFICATE PROGRAMS

Foundational certificate programs provide you with the basic knowledge you need to become a more
valuable asset in your company’s fight against fraud, even if you have limited or no anti-fraud training or
experience.

A foundational certificate program might be right for you if:

• Your role occasionally deals with fraud, but it’s not the focus of your job.
• You have no previous anti-fraud training or experience.
• You’ve had some anti-fraud training in the past, but you’d like an overview of the most up-to-date
anti-fraud concepts.
• You’re not ready or eligible to take the CFE Exam.

Anti-Fraud Fundamentals Certificate Program

Courses Include:
• Fraud Examination 101
• Fraud Prevention
• Introduction to Bribery and Corruption
 Visit ACFE.com/CertificatePrograms
to learn more.

SPECIALIZED CERTIFICATE PROGRAMS

Specialized certificate programs are designed to provide CFEs and seasoned anti-fraud professionals
with the skills to enhance and demonstrate their proficiency related to specializations within the
anti-fraud profession.

A specialized certificate program might be right for you if:

• You’re already a CFE or have extensive anti-fraud training and would like to further market your
proficiency in a specialization within the anti-fraud profession while earning NASBA-approved
continuing professional education credits.
• You have experience in the anti-fraud profession, but you’re not ready to take the CFE Exam.
• You’ve had anti-fraud training in the past, but you’d like more in-depth information about a
specialization within the anti-fraud profession.
• You work in a job or department that involves a high risk of fraud or have a role that involves a
specialization within the anti-fraud profession.

Anti-Fraud Controls Certificate Program

Courses Include:
• Evaluating and Testing Anti-Fraud Controls
• Internal Controls for Data Security
• Internal Controls for Fraud Prevention

Fraud Analytics Certificate Program

Courses Include:
• Data Analysis Techniques for Fraud Examiners
• Textual Analytics
• Uncovering Fraud with Advanced Financial
and Ratio Analysis

Fraud-Related Interviewing Certificate Program

Courses Include:
• Interviewing Witnesses and Suspects
• Issues in Conducting International Interviews
• Written Statement Analysis
 CALENDAR OF EVENTS
ADVANCE YOUR CAREER WITH TRAINING FROM
THE GLOBAL LEADER IN ANTI-FRAUD EDUCATION.
ACFE.COM/CALENDAR

VIRTUAL AND IN-PERSON

JAN FEB
LEADERSHIP SKILLS FOR ANTI- GETTING PAST NO: HOW TO GET THE ROLE OF SOFT INTERNAL
FRAUD PROFESSIONALS RELUCTANT INTERVIEWEES TO CONTROLS IN THE FIGHT AGAINST
Virtual Seminar SHARE INFORMATION FRAUD
Webinar
January 11, 2024 Webinar
February 1, 2024
January 25, 2024

DETECTING FRAUD WITH DATA GOVERNMENT FRAUD

ANALYTICS WORKSHOP UNDERSTANDING THE MINDSET Virtual Seminar
OF A FRAUDSTER February 6-8, 2024
Virtual Seminar
January 16-18, 2024 Virtual Seminar
January 30, 2024 EFFECTIVE REPORT WRITING FOR
FRAUD EXAMINERS
CFE EXAM REVIEW COURSE Virtual Seminar
Virtual Seminar February 15, 2024
January 22-25, 2024
FRAUD RISK MANAGEMENT
Virtual Seminar
February 20-22, 2024

2024 ACFE FRAUD CONFERENCE

MIDDLE EAST
Abu Dhabi
February 26-27, 2024

For information or to register, visit ACFE.com/training.

 CALENDAR OF EVENTS

MAR APR
CFE EXAM REVIEW COURSE 2024 ACFE FRAUD CFE EXAM REVIEW COURSE
Virtual Seminar CONFERENCE EUROPE New York, NY and Virtual
March 4-7, 2024 London and Virtual April 8-11, 2024
March 13-15, 2024

2024 ACFE WOMEN’S SUMMIT BUILDING YOUR FRAUD

Washington, D.C. and Virtual
March 8, 2024
EXAMINATION PRACTICE
Virtual Seminar
VISIT
March 20, 2024
ACFE.COM/CALENDAR
FOR THE LATEST LIST
OF UPCOMING EVENTS.

Calendar subject to change.

MAY JUN *All in-person events will be held following

safety precautions for the city and venue of
the event.

CONTRACT AND PROCUREMENT 35TH ANNUAL ACFE GLOBAL

FRAUD + WORKSHOP (BUNDLE FRAUD CONFERENCE
AND SAVE!) Las Vegas, NV and Virtual
New York, NY June 23-28, 2024
May 6-9, 2024

CFE EXAM REVIEW COURSE

Virtual Seminar
May 20-23, 2024

For information or to register, visit ACFE.com/training.

Qsuite.
The World’s Best
Business Class
Travel the world in unrivalled luxury in
our Business Class, Qsuite, acclaimed as
the World’s Best at Skytrax 2023 for a
record-breaking tenth time. Indulge in
our unparalleled lounge dining and savour
the comfort of our luxurious lounges.
Visit qatarairways.com