Online Exclusive

More than words

Key lessons from the Unaoil scandal for forensic email reviews



Unaoil, a Monaco-based oil consulting company, was recently exposed in a media investigation for potentially supporting or facilitating bribes on behalf of large multinational firms in the oil and gas industry. Though the company is from Monaco, Unaoil is believed to have supported companies in winning contracts across Middle Eastern and African countries. The investigation, which Fairfax Media and The Huffington Post conducted, identified several emails providing references to the routing of bribes.

The Unaoil case provides several lessons on using forensic email reviews to help gather evidence or indications of fraud, misconduct and regulatory non-compliance. Investigators who use these reviews rely on communication as a raw form of evidence that exhibits subjects' unethical or illegal intent. Keyword searches are an effective method of identifying evidence in the huge volumes of data stored in digital devices. Investigators choose keywords based on context and relevance to the case.

An analysis of the evidence gathered by Fairfax Media and The Huffington Post on the Unaoil case reveals a number of lessons on forensic email reviews for investigators.

Using code words in communication

Many of the leaked Unaoil emails and excerpts contain several code words referring to individuals, organizations, events and the contexts of the communication. Individuals are referred to as "Doctor," "Ivan," or "Lighthouse." Keywords can help disguise intent in communication. For example, bribers or bribe receivers (public officials) might not be red-flagged in email if they identify themselves by code name or keyword.

Of course, these reviews wouldn't be effective unless investigators are aware of the keywords subjects are using because generic keywords might show inconsistencies. 
Investigators should look for:

  1. Data (files created, system logs, etc.) and communication (email and chat logs) pertaining to a specific time period (a month, quarter or a year that's relevant to the incident or the issue in question). 

Dissecting the chain of events

The leak in the Unaoil case included emails referencing the opening of a separate bank account to channel funds; a request for depositing funds into an unknown, third-party, offshore account; and a payment rejected by a bank, which noted the transaction "may conflict with U.S. government sanctions." In that case, the rejected payment was subsequently cleared by the bank.

Automated communications from a banking channel on payouts or deposits might be ignored assuming they're irrelevant. However, if someone attempts to place some of these transactional communications into the overall chain of events relating to the issue or the incident in question, it helps in identifying relevant evidence on a violation or misconduct. Such communication might not contain any of the keywords (including names of key people) that are considered in the review.

When looking at the chain of events, investigators should consider the following three key factors:

  1. Inconsistent nature of received communication.
  2. Unusual patterns of communication and the use of "Bcc:" in emails.
  3. Communication representing financial transactions or financial manipulation.

These outliers help put together events and look at them from a bird's-eye view. Looking at the chain of events in this way enables the investigator to identify potential red flags. For instance, a Bcc: communication might show that the perpetrator intended to involve the subject in the blind copy field without the receiver knowing it.

Considering noteworthy relationships

Several of the emails in the Unaoil case illustrate the nature of the relationships among certain individuals. For instance, the private secretary of the Crown Prince of Abu Dhabi was referred to as "Our new sponsor in Abu Dhabi. Not a bad title." The relationships included all types of individuals, from former government officials to former oil company representatives. The emails also suggest that these relationships extended to other intermediaries and the lawyer who conducted a due diligence investigation on Unaoil on behalf of one of their partners.

When examining relationships, we need to consider several things, such as the context in which the subjects' communications are taking place, the frequency of contact and any references to meetings or other in-person communication.

There are several key factors to consider when using forensic email reviews to evaluate relationships:

  1. Public domain information about unknown connections. These generic searches might provide insights about their associations, vocation or businesses.
  2. Chain of events associated with a relationship.

You can use relationship management tools to help you understand, for example, when the business manager last communicated with a customer. In coming years, investigators might use these tools to understand communication trends that potential criminals use.

Using regional languages to find evidence

Email users in the Unaoil case also referred to "bribes" in regional languages. It might be difficult to identify discrepancies through keyword searches and understand the context of the communication if organizations work across multiple jurisdictions with multilingual communication. You can use tools, like Boolean methods, to search for code words in emails and help identify keywords in regional languages that might indicate red flags of fraud, like the word "bribes."

The appearance of transparency

A number of emails from Unaoil executives gave the impression that they were abiding by the company's code of conduct. Also, in some of their responses to their contacts they warned them to be mindful about communications regarding bribes. It even seemed like they influenced third-party due diligence efforts by asking their co-conspirators or their connections in the respective companies to provide the "ethical company" tag in reference checks.

Investigators must look beyond messages that might just pay lip service to ethics and transparency, and closely examine all relationships and the underlying actions they promote.

To ensure you're able to identify appropriate evidence, always scrutinize private email addresses from external domains and communication about financial transactions and potential manipulation.

Forensic email reviews help uncover clues

Organizations should consider using forensic email reviews in new ways to uncover information to understand key players' communication patterns, including what and with whom they communicating, and files they're sending and receiving. If you conduct this type of analysis on each individual for an isolated sample period you might identify specific keywords.

These reviews should extend beyond keyword-based searches to examine communication among identified individuals, time-period-based information exchange, inconsistent/unusual patterns or nature of communication, and any suspect references to financial transactions and manipulation.

The Unaoil case demonstrates how you can use these tactics in forensic email reviews to help unravel large-scale, complex fraud schemes and discover communication patterns, preserved digital evidence and, most importantly, fraud perpetrators' own words — saved for posterity.

Sundaraparipurnan Narayanan is the associate director of forensic services at SKP Business Consulting LLP. His email address is: SNarayanan@skpgroup.com.






Related Articles

No truce in cyberwars

With people increasingly living their lives online, fraudsters have never had easier access to potential victims. COVID-19 has only accelerated that trend. Indeed, business is booming for cybercriminals now focused on high-value organizations. Fraud Magazine talks to cyber expert Robert Herjavec and CFEs about how best to tackle this ever-evolving threat.

Better online security

How CFEs can help small businesses protect themselves from cyber attacks

Cyber-attack vector? Who, me?

The relatively indiscriminate sharing of personal data that so many consumer websites encourage is antithetical to the safe use of corporate information resources. Facts and information about cyber-attack vectors.