Featured Article

The challenges of change

Members of the ACFE Board of Regents always bring a wealth of experience from their respective sectors. Here they impart their thoughts on an array of topics and the importance of continual learning in the ever-evolving anti-fraud field.

Technological advancements remain a hot talking point among anti-fraud professionals, especially following the launch late last year of ChatGPT, the generative artificial intelligence (AI) tool that facilitates everything from coding to passing an MBA exam to writing flawless texts. Fears are that AI technology will soon make it easier for fraudsters to dupe their victims in a whole host of ways. But some CFEs think this is just par for the course in a field where fraud examiners are always adapting to change in a continual cat-and-mouse game with criminals.

Members of the Board of Regents sat down with Fraud Magazine at the 34th Annual ACFE Global Fraud Conference in Seattle to talk about AI and other technological threats, job scams, how to better protect whistleblowers and advice for aspiring CFEs.

FM: Technology is now an ever-present theme in the anti-fraud world. But the pace of technological change is faster and perhaps more unsettling than ever. ChatGPT is the latest example of this. What are your thoughts on the dangers and opportunities presented by generative artificial intelligence (AI)?

Chrysti Ziegler: I don’t know if we know yet what it can and can’t do from a fraud perspective. In theory what you can say is that fraudsters are going to use it and that there are ways to get around it. From my understanding, ChatGPT has some limitations. In other words, I can’t just ask, “Hey ChatGPT, how do I build a bomb?” or “How do I commit fraud?” There are barriers to that, but apparently, there are loopholes too, depending on how you ask the question.

Wendy Evans: It’s a whole new area and there are dangers. Companies are carefully evaluating how we use new technology like machine learning, ChatGPT and other applications. The U.S. Department of Defense, for example, established ethical guidelines for the use of AI, and we have adopted those at Lockheed Martin. Ethical principles help guide your process for dealing with artificial intelligence and how datasets are verified, for example.

Ziegler: I have heard a lot of companies are banning it outright.

Natalie Lewis: One of the things we need to be aware of with AI is not only how fraudsters are using it to commit fraud but also the way we can use AI and machine learning to conduct our fraud investigations. It’s interesting to look at it from both perspectives. It is helpful in terms of investigating fraud — such as using machine-learning technology to run algorithms and train it to look for certain data analytics — but also to think about how fraudsters are maybe using it to alter photos or evidence, or perpetrate fraud in another way.

Tom Caulfield: I understand why you asked about AI, but it’s worth noting that we are still in a juvenile stage with predictive analytics — I mean in the sense of true predictive analytics in fraud identification and detection. It’s worth looking at AI in a similar way. I can remember when we started saying predictive analytics, and IT people would say it is not really predictive analytics. It’s just statistical detections. So, in the same way, I think people are going to start using the term AI when it isn’t truly AI. AI, or machine learning, also requires so much data and training time. People may say they are using advanced AI when in fact they are not. So, I am not so much concerned with AI itself but rather the false representation that AI is being used to help us when it really isn’t.

Ziegler: To your point, you are going to have companies or service providers saying we are using AI to fight fraud when they’re really not. But the fraudsters definitely will be using it. Historically, fraudsters are usually one step ahead of us, and we are constantly trying to catch up with them. That is the scary part: Fraudsters may be more advanced in using true AI to commit their crimes, and we are following behind as companies advertise they are using AI, when they are not.

Caulfield: My son asked a generative AI tool how to commit timecard fraud. But the results were rudimentary at best, at least for someone who really studies fraud. We have time for AI to mature, but you’re right — fraudsters will use it. It’s like hackers, 16-17-year-old kids; it is a game to them. The same thing with AI.

FM: What other dangers lurk behind the AI revolution?

Ziegler: Things like phishing emails. I would imagine those will get better. ChatGPT will create an email that looks exactly like it comes from FedEx or Amazon. It will be more convincing with fewer errors and be able to spoof the email address. Even the tone of an email from the CEO or CFO might be enhanced by using ChatGPT or another type of generative AI.

Caulfield: AI will also be used in social engineering schemes. Think about how AI was used to create a conversation to convince a mother that her daughter was in danger. (See “Mother Says AI Was Used To Clone ‘Kidnapped’ Daughter’s Voice to Fool Her, Fake Abduction of Her Child,” by Kendra Stacy, The Science Times, April 17, 2023.)

Ziegler: If it fooled a mother that her daughter was in danger, I would imagine it would fool way more employees than it normally would. The employee population has started to familiarize itself with phishing emails, such as looking for a second “i” in that email address that shouldn’t be there or hovering over a link to see it isn’t directing them to the right place. So, they know some of the things to do now. But with this type of AI, and the advancement in spoofing, I feel that more people are going to fall for it.

Lewis: With the phishing emails, that means we must increase our training efforts with employees to make sure they are aware of the red flags within a phishing email that would tip them off so that they’re always on their toes and on the lookout.

Caulfield: It comes down to training, education and information sharing. As fraud examiners, we are going to have to become smarter at understanding these capabilities. Our IT security people will have to become smarter to know how to build protections against it. And our employees will have to become smarter, so they don’t fall prey to this kind of activity. It’s like so many other things that happen in our profession.

FM: How have fraudsters leveraged technology in East Africa?

Collins Wanderi: In Kenya, we have seen an increase in online fraud with SACCOs, savings and credit cooperatives, which don’t operate on the same platform as banks, and the regulatory requirements are a bit different. So, the fraudsters have realized that the SACCOs have different information management systems to handle membership, accounts and loans. The fraudsters have created a network with the technology vendors. One of the things they do is engage in denial of services (DoS), so they hack into the system and deny service. Then you have to call somebody to come and do the debugging, but those vendors are working with the fraudsters, and they deploy malware into the system.

I happen to sit as chair on the supervisory committee for a SACCO, and one of the issues we are grappling with is whether we open up our systems for more mobile and internet transactions when we don’t have adequate firewalls. The government has tried to centralize the regulation of SACCOs, but it is not offering support in terms of technology and software to stop the fraudsters from deploying malware. East Africa is not prepared for this because the focus has been on internet and mobile banking for banks. But they have a regulator at the central bank, and their operating systems are similar. It’s not the same for SACCOs. They often have different and incompatible systems, so it is not possible to deploy the same kind of tools for protection.

FM: Are there efforts to create a centralized regulatory body for SACCOs, and would a stricter regulatory environment help?

Wanderi: Yes, there is now what is called the SACCO Societies Regulatory Authority (SASRA). However, the authority is more focused on reining in SACCO management boards that are misappropriating money but not on the entities that have technological challenges. The SACCOs now have reporting requirements, but they don’t touch on the technology they are using. The banks, on the other hand, are required to report on technology. In other words, many SACCOs don’t even have business continuity plans or disaster recovery plans in the event of a cyberattack, where for example there is a denial of services.

FM: It seems that job scams have become increasingly commonplace as more people look for work online. There are numerous tricks that fraudsters use to fool job seekers, including the spoofing of company websites and emails. Has this been your experience?

Wanderi: That is common in East Africa. And the reason for that is that we have high levels of unemployment, and a lot of young people graduating from university. Some of the fraudsters create phony websites that look very much like the websites of real organizations, and they replicate authentic vacancies that are already advertised elsewhere. Fraudsters will put a link on social media that directs applicants to another site, where they will be asked to apply. They will create a link in Teams or Zoom and “interview” people, but what they are looking for are potential victims. Often, they will ask applicants about parents. And that is the catch. If the father is an engineer or doctor, fraudsters know this person is a good source of money. But if you say your mother is a maid, fraudsters won’t bother as it will be difficult to get $100 out of that person. They will then ask the victim to wire money on their mobile phones to pay for tests, for example. Fraudsters only need 1,000 young people to send them that kind of money, and after three days the website disappears.

Caulfield: In the U.S., we might wonder why they are asking to pay for a job test, but in other countries if you want to get the documentation sometimes you have to pay $30, $40 or $50. It’s not unusual.

FM: Xavier Justo is one of the keynote speakers at this conference. He was the whistleblower who helped expose the dirty dealings at Malaysian sovereign wealth fund 1MDB. But he paid a high price. His corrupt work colleagues were able to bribe officials to arrest him and throw him in prison in Thailand. How do you protect whistleblowers against deep-pocketed criminals who have influence across borders?

Caulfield: Protection starts and ends with the language within the law of the nation of the whistleblower. The problem is sometimes the difference in what the term whistleblower means. In certain countries what they call whistleblower legislation is not whistleblower legislation. They are really witness-protection programs.

FM: Could you explain that distinction, and why it’s important? My understanding is that whistleblowers often act as witnesses.

Caulfield: There is a difference between a whistleblower program as conventionally thought of in the U.S., Canada or European countries, and a witness-protection program. Witness-protection programs assist someone who is cooperating with a criminal prosecution in that country, and the government will provide them and their family protection or give them funds to relocate. But whistleblowing by traditional definition can involve anything from an agency type of violation to somebody inside a corporation that is violating regulatory policies or even committing fraud, and it protects that person from losing their job and being retaliated against. That is different from a witness-protection program.

Ziegler: So, whistleblowing is an employment type of policy?

Caulfield: Primarily, even though in our country whistleblowers are protected against retaliation. However, protection against death is really witness protection. No U.S. whistleblower program that I am aware of by that term has relocation funds available. There is also still a negative connotation associated with whistleblowing, and there have previously been conversations to replace the term whistleblower because of that.


FM: All the more reason to protect whistleblowers, whom I imagine face death threats?

Caulfield: Yes. For example, when the U.S. government set up a training program for the future Iraqi inspector generals, we had a meeting with them and asked them what was the No. 1 challenge they faced in Iraq as an inspector general. And without hesitation, they said, “Staying alive. Getting people to report things to us for fear of being executed.”

Wanderi: In East Africa, it’s a high-risk business to be a whistleblower. We have an adversarial system of criminal justice. That means the moment you give information related to a crime you are most likely going to be classified as a potential witness. You have a situation where corrupt police authorities ask for information, and there are toll-free numbers you can call. But if you want to go beyond that, they’ll ask you to write a statement. At that point, you are on your own.

Whistleblowers in Kenya, and almost all African countries, do not get protection until the case has gone to court. So, the incentive to provide information is very low. In fact, if you ask many people in our country and in the region, if you had information that someone is involved in fraud and corruption, would you report it to the police, they will tell you, no. That’s because if you give information and follow through, you actually become the target because you can see that the law is structured in a way that there is zero protection to anybody providing information.

Just this year an employee of the national health insurance fund, which receives money from 15 million contributors in the country, collapsed in the street. Initially they thought it was a heart attack, but on closer examination they realized she had actually been shot. And she was shot by someone with a silencer in a busy street where she was walking with a colleague. It was discovered later that she was a potential witness in a case involving the former chief executive of the fund. There is no justification why her other colleague was not shot. Nothing was stolen from her. You can see the risks involved. (See “What DCI gathered from street where NHIF staffer was shot,” by Amos Robi, Pulse, Local News, Feb. 17, 2023.)

We also lost a CFE — I trained him. He was serving in the Ministry of National Treasury. He was seconded to the Ministry of Health as an auditor — the health sector is riddled with a lot of corruption in East Africa. This person detected and shared information relating to scams on procurement of medical equipment and medication during the COVID-19 pandemic. Instead of getting a medal for stopping fraud, which became a big issue in our country, he was sacked from his job. After about a year, he was found dead. So, there is basically zero incentive to report because a whistleblower is essentially a witness to a crime and may be compelled to testify in court.

Caulfield: And compounding that, in many African countries there is no such thing as a plea agreement so these cases can go five, six, seven years before they go to court, and this person is going to be a target during that time.

Wanderi: It is basically an issue in the entire region in East Africa, the five countries, Kenya, Uganda, Tanzania, Rwanda, Burundi. Unless the whistleblower is standing as a witness, the investigation is dead on arrival. Who are you giving information to? You are giving it to the police who can be very corrupt and even the investigators can be corrupt.

Caulfield: In fairness, many countries are moving forward and recognizing some of these challenges. If somebody had told me that the United Nations Convention Against Corruption (UNCAC) would be adopted in so many countries as it is today, I would have bet money against it. Somalia recently signed the UNCAC. (See “Working together for a prosperous and peaceful Somalia,” United Nations, June 1, 2023.) Now I am not naïve. I know until you become part of the UNCAC agreement, you don’t get international investment funds. But just the mere fact that Somalia did it is important. There is a movement [to tackle corruption like this.] Is it fast enough? Is it influenced by region? Can elections change this, with one president moving forward with anti-corruption efforts and the next one destroying everything? Yes. But things are moving forward.

Lewis: I do think it has to be made easier for whistleblowers to come forward. If you saw the documentary “The Big Conn” [about Kentucky-based attorney Eric C. Conn who defrauded the government in the biggest Social Security fraud case in the U.S.] those two particular whistleblowers lost their jobs and had to start all over again. They were in certain respects blacklisted because Eric Conn was seen as a highly respected individual up until it was proven he was defrauding people. He had helped them receive Social Security benefits, so he was looked upon as this savior for them. And when all of a sudden, these two individuals came forward and said he was defrauding the government, they were looked upon negatively. So, there is a need for some program to help enable these people, who are threatened and fear retaliation.

Caulfield: The ACFE, I believe, has an extra responsibility to carry the mantle on the importance of ensuring that good programs are in place and protecting and appreciating those who do step forward. We talk about this during some of our ACFE courses. Those programs will implode with the mere hint that an organization or entity is not protecting or appreciating whistleblowers.

Lewis: I certainly see that sitting on the Governing Board of the Office of the Inspector General for the City of Atlanta. The inspector general and ethics officer constantly say they must make sure people come forward and disclose complaints about fraud, waste and abuse because if they don’t disclose that, they don’t know what to investigate. They rely on people to speak up and report.

Evans: I think it comes down to some very fundamental best practices such as having multiple contact methods at your company. For example, we publicize the U.S. Department of Defense’s hotline, but we also have an ethics and compliance help line. There is a direct handoff to an ethics officer. Even if your report turns out to be more security-oriented or HR-oriented or equal employment opportunity oriented, you are going to have that personal touch to make sure that the reporting party has the support they need to file a report. You have to have a case management system that doesn’t have to be fancy or developed in-house. There are a lot of good off-the-shelf case management services. But you have to have a way to track an investigation and its results.

FM: Do you audit the effectiveness of these programs?

Evans: Audits are also important. The U.S. Department of Justice’s guidelines for an effective ethics and compliance program points out that you’d better make sure your program elements are effective. It is great to say you have this multilayered whistleblower program on paper, but do you have a way to evaluate whether it is working? It’s important to study your metrics and evaluate trends. The COVID-19 pandemic impacted these quite a bit because, for example, we weren’t on site and we were not getting as many walk-ins to our offices. But we researched and found that there were many more direct calls to our ethics officers and more helpline calls that made up for the lack of walk-in traffic to us during that time. So, you have to make sure you have some best practices and look at the metrics. A lot of our programs are not only subject to internal audits, but to external or customer audits as well.

Caulfield: In the reviews that we have done of hotline processes, the one area that seems to fall short is the control of information in the decision tree, or the process flow, from when the complaint first comes into the entity until it is handed off for action. Too many times I have seen corporations where a complaint comes in and first must go to a panel, and the panel starts making all these decisions by community. Sometimes you have to be careful when you do that because it weakens the integrity of maintaining that information. So, one of the challenges is creating and having a decision tree from the moment it comes in until the moment it is resolved, always protecting the integrity of the information. This involves questions like: Who is making decisions, who is going to be involved and who is going to be notified?

Evans: And the person reporting the incident needs to be made aware of the process. We provide a brochure in electronic form or a hard-copy format, in which we explain our ethics and compliance process. We want the reporter to feel more confident about what to expect. We also maintain regular contact with that reporter. Can you imagine having the courage to whistle blow or report something, and then it seems to go out into the air? It’s so important the reporter receives some updates during the investigative process. We ask the reporting party about a rhythm of contact they feel comfortable with, perhaps weekly. We let them know some weeks we may just say, “We are still investigating,” but at other update meetings, perhaps we are at a stage in the investigation in which we need to ask them to clarify questions or comments which have come up during the investigation. We also provide closing feedback — whether the case was substantiated or not — when the investigation concludes. This helps instill confidence and trust in the process — they can see it go full circle — from report to closure.

It’s so important that organizations have investigation policies — and policies governing the company’s stance on retaliation — on the books. You’d be surprised that even large companies don’t have these fundamental policies. Can you imagine wanting to report, and finding nothing in your company’s standard operating procedures or policies that defines the process and provides reporters with reassurance the company won’t tolerate retaliation?

FM: What advice would you give aspiring fraud examiners as they look to develop their careers?

Caulfield: I am very fortunate to spend a lot of time with CFEs because of the training I do, and I will tell you what I tell them. Never underestimate the impact of what you do, be it an investigation, inspection or audit because it is more significant than you realize. If you look at the audits done in the U.S. General Services Administration (GSA) inspector general’s office, the one that caused that big scandal related to government people going to Vegas, nobody would have thought that would have had such a large impact. (See “GSA Threw an $800,000 Party and All You Got Was the Bill,” by Alexander Abad-Santos, The Atlantic, Politics, April 3, 2012.)

Evans: ACFE credentialing and training really transcend occupation. I think when you are in college or getting a master’s degree, you tend to think in a siloed way. I never thought I would become an ethics and compliance officer when I began my career path. In fact, there was no such field of study or occupation when I was in college. One thing I love about the CFE credential is it brings people with different areas of expertise together for a common mission of preventing, deterring and detecting fraud. I absolutely love meeting people at the ACFE conferences and adding them to my contacts to share information and best practices. One person may have an international trade compliance background and another person is an auditor. It’s great that the credential moves across functions and occupations.

Lewis: We need those different perspectives and various backgrounds as CFEs to uncover what is going on whether it is fraud, waste and abuse, or some other issue. I appreciate those different perspectives on my team.

Caulfield: There is also continuous learning, which is critical. Technology. Data analytics. It is not a question of how data analytics can help us but why aren’t you using data analytics?

Ziegler: It is that much more important for any new aspiring CFE to build a network because not only are you building that network in your own profession, but you are building it across industries. I tell students that when you start networking, don’t expect the benefits to be immediate. It might be 10 years down the road, and it might be from someone you didn’t anticipate helping you. It is important to build those relationships early. You can do that just by saying, “Hi, my name is Chrysti. I met you last time. How is the job going?” Those little things create that relationship that 10 years down the road, when we are both management in audit, we can call each other and say, “I have this problem. Have you dealt with it and what’s your solution?” And it becomes so much easier to call upon them for help because you have a 10-year relationship.

Caulfield: That’s important because no CFE is going to gain knowledge about everything. The profession is just too diverse. To have that contact list is very helpful. I remember in my younger days as an investigator, I would call up people who were technical experts and say we have an allegation of this nature and ask, “Is this fraud?” That technical exchange of professionals that you gain will help you so much. You are naïve if you think you own all the information.

Lewis: For people who are emerging CFEs, they may not know what opportunities or roles are out there. But they might meet someone during one of these networking opportunities and say, “Hey, I didn’t know I could do that. That’s an interesting opportunity or career path. Maybe I want to learn more about that.”

Wanderi: The one thing that we should perhaps tell people who are aspiring CFEs and want to get the credential is that it is not an end in itself. It is just the beginning. I remember when I got my credential, I was dealing with forensic and litigation support, and basically it was a new area. I was more focused on fraud detection and prevention training. What I realized along the way was that as a professional, you have to keep evolving. You have to learn and relearn. When I began in 2006 and 2007, there were a lot of physical documents in our country, so it was easy to do the forensic document analysis and get a trend. Now we hardly use paper, so as Tom said, you must learn data analytics, big data and data segregation. In other words, you must be ready to do things you thought you would never do. But the CFE credential gives you that confidence, and then you have to be ready to be told, taught and corrected. Be ready to learn. For example, I belong to the generation that didn’t start with technology. Our children are starting with technology. So, I actually learn from the new ones. At a certain point you have to learn from those who are younger because they have the advantage of new knowledge and versatility.

Evans: I’m dumbfounded at how fast technology is moving and I think if we are honest, most of our colleagues share that feeling. I think being a CFE and coming to conferences like this one equips you to anticipate the trends and deal with those changes. Who would have imagined we would survive a pandemic a few years ago, and now most organizations are seeing an increase in the number of virtual employees. This, however, has presented other related issues. For example, we are seeing an increase of conflict-of-interest type cases with remote employees being dually employed, sometimes to the detriment of the primary employer. It is great to come to sessions like this and you can really learn from each other and how people are addressing these emerging trends.

Paul Kilby, CFE, is editor-in-chief of Fraud Magazine. Contact him at pkilby@ACFE.com.

*Photography by Victor Goodpasture