Note: the following unclassified case studies are actual cases we worked on. The names have been changed to protect the identity of our clients, who have allowed us to publish them for awareness and educational purposes, to help save readers from the same good old tricks.
The case brief
On 7th March 2015, I [Mustapha B Mugisa] received a call from a prospect, an internal auditor at one of the financial institutions, asking for a meeting over an issue the caller said required urgent attention. He explained that:
- In their core banking system they had noticed a bank account with no clear customer credentials, which had recently transacted a lot of money via funds transfer to an offshore account.
- On review, the account had been in operation for about eight months. On further review of the AML know-your-customer (KYC) information required to be collected about any client before a bank account is opened, they discovered that the account in question had no physical file and no KYC information captured in the banking system, apart from pseudonyms with fake identification, enough to withdraw money from the account.
- On 6th March 2015, the bank got a notification from another local bank of an instruction to transfer US $5,000 to an account in Uganda shillings; as the receiving account had been newly opened, the other bank became suspicious and decided to call the bank the funds were originating from. It was on the basis of that call that they invited me, and also came to understand the extent of the problem.
- A total of US $120,000 had been wired in small amounts of US $2,000 to US $5,000 over a period of six months. It is believed this was intended to avoid detection, since each transfer was below the daily reporting limits.
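The pattern in the last two points, many transfers each just under the reporting limit from an account with no KYC record, is something a bank can look for itself rather than wait for a counterparty's phone call. The script below is an added example, not the bank's system or the author's tooling; the ledger, the KYC register, the US $10,000 reporting threshold, the 30-day window and the three-transfer trigger are all constructed assumptions. It counts sub-threshold transfers in any rolling window per account and combines that with the KYC gap and the offshore destination before raising a review.

```python
"""Flag accounts whose outbound transfers look like structuring.

Added example; transactions, KYC register and thresholds are constructed
assumptions, not data from the case.
"""
from collections import defaultdict
from datetime import date, timedelta

REPORT_THRESHOLD_USD = 10_000   # assumed daily reporting limit
WINDOW_DAYS = 30                # assumed rolling look-back window
MIN_HITS = 3                    # assumed count of sub-threshold transfers that triggers review

# Constructed KYC register: account -> whether a physical file and captured ID exist.
KYC_ON_FILE = {
    "ACC-1001": True,
    "ACC-2042": True,
    "ACC-7777": False,   # the kind of account in the case: no file, no KYC data
}

# Constructed outbound funds transfers: (account, value date, amount USD, destination country).
TRANSFERS = [
    ("ACC-1001", date(2014, 9, 3), 15_000, "UG"),
    ("ACC-1001", date(2014, 10, 1), 400, "UG"),
    ("ACC-2042", date(2014, 9, 10), 2_500, "UG"),
    ("ACC-7777", date(2014, 9, 2), 4_800, "KY"),
    ("ACC-7777", date(2014, 9, 9), 3_000, "KY"),
    ("ACC-7777", date(2014, 9, 16), 4_900, "KY"),
    ("ACC-7777", date(2014, 9, 23), 2_200, "KY"),
    ("ACC-7777", date(2014, 10, 20), 5_000, "KY"),
]


def sub_threshold(amount, threshold=REPORT_THRESHOLD_USD, floor=0.2):
    """A transfer that stays under the limit but is large enough to matter."""
    return floor * threshold <= amount < threshold


def max_window_hits(dates, window_days=WINDOW_DAYS):
    """Largest number of dates that fall inside any rolling window (two-pointer sweep)."""
    dates = sorted(dates)
    best, lo = 0, 0
    for hi, d in enumerate(dates):
        while d - dates[lo] > timedelta(days=window_days):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def review_accounts(transfers=TRANSFERS, kyc=KYC_ON_FILE, home_country="UG"):
    """Return {account: [reasons]} for accounts that deserve a manual review."""
    by_account = defaultdict(list)
    for acct, when, amount, dest in transfers:
        by_account[acct].append((when, amount, dest))

    findings = {}
    for acct, rows in by_account.items():
        reasons = []
        if not kyc.get(acct, False):
            reasons.append("no KYC file or captured ID for a transacting account")

        small = [when for when, amount, _ in rows if sub_threshold(amount)]
        hits = max_window_hits(small)
        if hits >= MIN_HITS:
            total = sum(amount for _, amount, _ in rows if sub_threshold(amount))
            reasons.append(f"{hits} sub-threshold transfers within {WINDOW_DAYS} days, "
                           f"{len(small)} in total worth USD {total:,}")

        # An offshore destination alone is normal business; it only adds weight
        # when the other signals are already present.
        offshore = {dest for _, _, dest in rows if dest != home_country}
        if offshore and reasons:
            reasons.append("funds leaving to " + ", ".join(sorted(offshore)))

        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in review_accounts().items():
        print(acct)
        for r in reasons:
            print("  -", r)
```

The floor of 20% of the threshold keeps ordinary small payments out of the count; the rolling window catches the weekly cadence the case describes even when monthly totals stay modest. Run on a real ledger the same logic needs the bank's actual reporting limit and a window tuned to its transaction volumes.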
They now wanted Summit Consulting to support with the investigation to bring the culprits to book.
This is a classic case. Specific details are withheld in the interest of client confidentiality. However, it raises critical lessons for all concerned:
Lesson 1: there is no system that is foolproof. Fraud is always taking place, and we need vigilance and cooperation as an industry to bring culprits to book; working alone is not enough. The victim bank has some of the best internal auditors, fraud examiners and internal controls in place. Nevertheless, these are not good enough against staff collusion and clandestine activity within the areas of operation.
Lesson 2: in this case, insider involvement was clear. How could an internal control required by law, under the anti-money laundering act, be overridden? For example, the physical file for the customer account had disappeared, an indication of someone inside the records department, if KYC had been done at account opening at all. Our experience is that the majority of bank frauds involve insiders: an account escapes detection for suspicious transactions for a long time, someone withdraws money without clear identity, and so on. You need to recognize that many bank frauds, if not all, involve insiders. Ask yourself: who are these people?
Lesson 3: controls offer little protection against staff collusion. Unlike outsiders, internal staff can pull off almost any kind of fraud because they are the control and process owners: they know the weakest links in the system and when to strike. In such a case, the best strategies you have are an effective whistleblowing system, transaction monitoring that sits outside the hands of the process owners, and training of staff in ethics and personal financial resilience.
The traditional approach of focusing on improving controls may not be effective after all. If staff want to steal, they have all it takes to pull it off. And it is more expensive to investigate than to prevent.
Forensic investigations, like any investigation, start with understanding the facts readily at hand and developing fraud theories, aka hypotheses: what is the modus operandi? How could the suspects have committed the fraud?
Investigation is the process of collecting evidence to prove or disprove a particular theory or modus operandi. For example, one theory could be that the suspect must have accessed the main server physically in order to install a key logger. During the investigation, we go ahead and collect evidence to confirm that the key logger on the bank server was not installed remotely, since the server is not connected to any network with Internet access. We review all server logs and network access points to rule out the possibility of a remote connection. That way, our investigation is focused and leaves no stone unturned, instead of collecting information for which we have no clear use. We do the same for all theories, and if we exhaust all of them without a clear explanation of how the fraud was done, we formulate more theories based on the data collected so far.
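The "physical access, not remote" theory above is testable against the server's own logon records: if no successful remote session exists in the window when the key logger first ran, the remote-install explanation loses its footing. The script below is an added example, not the investigation's actual tooling; it assumes a Linux-style authentication log, and the log lines, the 2015 year, and the install window are constructed for illustration.

```python
"""Test the hypothesis "the key logger was installed at the console, not remotely"
against authentication log entries.

Added example; the log lines, year and install window are constructed assumptions.
"""
import re
from datetime import datetime

# Constructed auth.log excerpt from an assumed server named "corebank".
SAMPLE_AUTH_LOG = [
    "Mar  1 09:14:02 corebank sshd[2231]: Accepted password for admin from 10.20.30.7 port 51122 ssh2",
    "Mar  1 22:41:10 corebank login[812]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)",
    "Mar  2 03:05:44 corebank sshd[2419]: Failed password for root from 203.0.113.45 port 40012 ssh2",
    "Mar  2 08:00:01 corebank CRON[3001]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  2 11:30:12 corebank sshd[3107]: Accepted publickey for admin from 10.20.30.7 port 51200 ssh2",
]

# Assumed window in which the key logger was first seen running (e.g. from its file timestamps).
INSTALL_WINDOW = (datetime(2015, 3, 1, 20, 0), datetime(2015, 3, 2, 4, 0))
WHOLE_LOG_WINDOW = (datetime(2015, 3, 1, 0, 0), datetime(2015, 3, 3, 0, 0))

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSH_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
CONSOLE_RE = re.compile(
    TS + r" \S+ login\[\d+\]: pam_unix\(login:session\): session opened for user (?P<user>\S+)"
)


def _stamp(raw, year):
    """syslog timestamps carry no year; the year is supplied as an assumption."""
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def parse_auth_log(lines, year=2015):
    """Return logon events as dicts: ts, user, source, kind ('remote'/'console'), success."""
    events = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            events.append(dict(ts=_stamp(m["ts"], year), user=m["user"], source=m["src"],
                               kind="remote", success=(m["result"] == "Accepted")))
            continue
        m = CONSOLE_RE.match(line)
        if m:
            events.append(dict(ts=_stamp(m["ts"], year), user=m["user"], source="console",
                               kind="console", success=True))
        # cron sessions and other noise are deliberately ignored
    return events


def sessions_in_window(events, start, end):
    """Successful logons whose start falls inside [start, end]."""
    return [e for e in events if e["success"] and start <= e["ts"] <= end]


def failed_remote_attempts(events, start, end):
    """Unsuccessful remote attempts in the window: worth noting even though they prove no access."""
    return [e for e in events if e["kind"] == "remote" and not e["success"] and start <= e["ts"] <= end]


def remote_install_possible(events, start, end):
    """True if any successful remote session overlaps the install window."""
    return any(e["kind"] == "remote" for e in sessions_in_window(events, start, end))


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in sessions_in_window(ev, *INSTALL_WINDOW):
        print(f"{e['ts']} {e['kind']:8} {e['user']} from {e['source']}")
    print("remote install possible:", remote_install_possible(ev, *INSTALL_WINDOW))
```

On the constructed log, the only session inside the install window is a root logon at the physical console; the one remote attempt in that window failed. That supports the physical-access theory but does not close it: logs on the compromised host can be edited by whoever installed the Trojan, so the same window must be checked against the network access points and switch or VPN records the text mentions, which live outside the suspect's reach.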
In this particular case, the theories below were developed to explain how the fraud could have been committed:
- The hacker could have used social engineering techniques.
- The suspect could have hired a skilled hacker to break into the bank systems.
- An insider knowledgeable in IT, specifically the bank's database, could have done it in collaboration with external parties.
Below is theory one, expanded.
A very good looking woman went to meet the system administrator (sysadmin) of a large company. She interviewed the sysadmin for a “newspaper article”.
During the interview she flirted a lot with the sysadmin (being personal and suggestive, you get what I mean), and while leaving she "accidentally" left her pen drive, aka flash drive, on the sysadmin's desk. The sysadmin opened the pen drive and saw that it contained many photographs of the lady. The poses were suggestive enough to prompt any man to keep scrolling. The IT guy did not realize that the "photographs" were Trojanized, i.e. they carried a Trojan, a computer program that looks harmless on the surface while harmful code runs in the background (in practice usually an executable dressed up with an image icon or a double extension such as .jpg.exe, since a genuine image file does not run code when viewed). Once the Trojan was in place, a lot of sensitive information was stolen very easily. The Trojan was set to run every time the server was started, capturing the user's name and password, running a script that listed the top accounts with low activity, and emailing everything to an email address predefined within the Trojan program.
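Media like that pen drive can be triaged before anyone opens it, by checking file content against file names rather than trusting icons. The script below is an added example, not the investigation's tooling; the sample drive it builds (an autorun.inf, a real JPEG, a .jpg.exe, and a .jpg whose bytes are actually a Windows executable) is constructed. It flags autorun files, files whose header is a PE executable, double extensions that hide an executable behind an image name, and image extensions whose magic bytes say otherwise.

```python
"""Triage a removable-media image for executables disguised as photographs.

Added example; the sample media tree is constructed, not the drive from the case.
"""
import tempfile
from pathlib import Path

# Leading bytes of common file types. Longer signatures are tested first.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"MZ": "exe",        # DOS/PE executable header
}
IMAGE_EXT = {".jpg": "jpg", ".jpeg": "jpg", ".png": "png", ".gif": "gif"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll"}


def sniff(head):
    """Identify a file type from its first bytes, or None if unknown."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if head.startswith(magic):
            return kind
    return None


def triage_media(root):
    """Walk a mounted image or copied directory; return [(relative path, reason), ...]."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffixes = [s.lower() for s in p.suffixes]
        with p.open("rb") as f:
            kind = sniff(f.read(16))

        if p.name.lower() == "autorun.inf":
            findings.append((rel, "autorun.inf present: media asks Windows to run something on insertion"))
        if kind == "exe":
            findings.append((rel, "content is a PE executable (MZ header)"))
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in IMAGE_EXT:
            findings.append((rel, "double extension disguising an executable as an image"))
        elif suffixes and suffixes[-1] in IMAGE_EXT and kind not in (None, IMAGE_EXT[suffixes[-1]]):
            # Unknown headers are left alone to keep noise down; a known, wrong type is flagged.
            findings.append((rel, f"extension says {IMAGE_EXT[suffixes[-1]]} but content is {kind}"))
    return findings


def build_sample_media(root=None):
    """Constructed drive contents for the example (assumed layout, not the real pen drive)."""
    root = Path(root or tempfile.mkdtemp(prefix="usb_"))
    (root / "DCIM").mkdir(exist_ok=True)
    (root / "DCIM" / "photo1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # genuine JPEG header
    (root / "DCIM" / "photo2.jpg.exe").write_bytes(b"MZ" + b"\x90" * 62)           # double extension
    (root / "DCIM" / "photo3.jpg").write_bytes(b"MZ" + b"\x90" * 62)               # executable named as image
    (root / "autorun.inf").write_text("[autorun]\nopen=DCIM\\photo2.jpg.exe\n")
    (root / "notes.txt").write_text("interview questions\n")
    return root


if __name__ == "__main__":
    for path, reason in triage_media(build_sample_media()):
        print(f"{path}: {reason}")
```

The check reads only sixteen bytes of each file and never executes anything, so it is safe to run from a write-blocked mount. Its limit is the one the text hints at: a genuine image that exploits a bug in the viewer would pass, so a clean triage result is a reason to proceed carefully, not a clean bill of health.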
With the above, the investigation team met, refined the theory and considered the investigation steps. The idea was to examine the possibility of the above. Before going deeper, one of the members put forward another, similar theory of what could have happened:
The sysadmin of the bank received a beautifully packed CD-ROM containing "security updates", purportedly from the company that developed the operating system the bank runs. He installed the "updates", which were in reality Trojanized software with the same functionality as in the case above. Updates that arrive on physical media deserve the same suspicion as the pen drive: they should be verified against the vendor's published signatures or hashes, obtained through a channel the sender does not control, before anything is installed.
As part of the initial steps to confirm which theory was more probable, it was discovered that a beautiful lady had indeed visited the bank's IT manager, and the visit was captured on camera. The next step was to examine further the possibility that she could have been the one who left a Trojanized pen drive, by analyzing the server for the existence of any Trojan malware.
In the end, we had clear facts establishing how the fraud was conducted, who the suspects were and how they did it all.
One of the key lessons we learnt is that fraudsters leave behind a lot of evidence, as it is difficult, if not impossible, to cover all tracks, and forensic investigation helps connect the dots. It requires a team of exceptional investigators to respond to a crime scene professionally, undertake effective first responder procedures to preserve evidence, and then process it in a controlled environment. Otherwise, many cases are lost to poor first responder procedures.
By Mustapha B Mugisa, CFE, CHFI. All rights reserved, 2015. You are free to share or republish as long as you include this article link in full; and the name of the author and email contact, ceo[@]summitcl.com.