Crooks, when committing crime, leave trails—some verbal, some numerical. Now a new generation of super-snooper software adapted from the military gives employers the power to detect documents, transactions or emails that smell fishy.
David Remnitz, head of Ernst & Young's forensic technology business and fraud investigation services in North and South America, says the technology is so new to the private sector that it has come into use only in the past 18 months. Until now, fraud-hunters have had to rely on their own perspicacity—or on the kindness of whistleblowers. Now, however, wrongdoers can be fingered electronically and automatically, with computer programs scanning vast quantities of data in seconds.
Predicts industry information source Compliance Week, "Catching fraudsters may soon become more a matter of learning how to properly interrogate a computer program rather than putting gumshoes on the case." It goes on to say that while fraud-detection software is not new, it previously has lacked the ability to sift through non-numerical, unstructured data—such as text documents, social media and email.
Patterns of words now alert software to the possibility that fraud may be in the works.
Any of some 3,000 different words and phrases, says Remnitz, can raise a red flag. Suspicious phrases include such expressions as "nobody will find out" or "let's continue this by cell phone." Remnitz's colleague Vincent Walden, the E&Y partner in charge of fraud analytics, says that "special" is a suspicious word, especially when it appears in conjunction with a payment.
Any payment described as "special" deserves a second look, he says. So, too, do the following euphemisms, typically used by fraudsters when making or receiving bribes: "government fee," "special commission," "incentive payment," "friend fee," "team building expense."
The goal is to establish the existence of what academics call the "Fraud Triangle"—the simultaneous existence of three pre-conditions deemed necessary before fraud can occur: pressure, opportunity and rationalization.
A group of related emails, instant messages, purchase orders, receipts or other documents might, for example, variously refer to someone's being "under the gun" or having to "make the number" (suggesting pressure). Others might contain phrases such as "no inspection" or "off the books" (suggesting opportunity). Still others might say "I deserve it," "nobody will find out," or might describe something as being a "gray area"--all of which suggest rationalization. A spike in the incidence of all three at once should trigger an investigation, experts say.
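The Fraud Triangle check described above, sketched as an added example (not code from Ernst & Young or any vendor named in the article). The phrase lists are the ones quoted here; the weekly window, the pseudonymous sender tokens, the sample messages and the definition of a "spike" as exceeding twice the sender's own average are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Phrases quoted in the article, grouped by Fraud Triangle leg.
TRIANGLE = {
    "pressure": ["under the gun", "make the number"],
    "opportunity": ["no inspection", "off the books"],
    "rationalization": ["i deserve it", "nobody will find out", "gray area"],
}
PATTERNS = {
    leg: re.compile("|".join(r"\b%s\b" % re.escape(p) for p in phrases), re.I)
    for leg, phrases in TRIANGLE.items()
}

def score_message(text):
    """Count phrase hits per leg in one message body."""
    return {leg: len(rx.findall(text)) for leg, rx in PATTERNS.items()}

def flag_windows(messages, factor=2.0):
    """messages: (pseudonym, week, text) tuples. Flag a (pseudonym, week)
    when every leg has a hit AND exceeds factor x that person's mean for the
    leg over their other weeks (assumed definition of a 'spike')."""
    counts = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(TRIANGLE, 0)))
    for who, week, text in messages:
        for leg, n in score_message(text).items():
            counts[who][week][leg] += n
    flagged = []
    for who, weeks in counts.items():
        for week, legs in weeks.items():
            others = [w for w in weeks if w != week]
            def spiked(leg):
                base = sum(weeks[w][leg] for w in others) / len(others) if others else 0.0
                return legs[leg] > 0 and legs[leg] > factor * base
            if all(spiked(leg) for leg in TRIANGLE):
                flagged.append((who, week))
    return sorted(flagged)

# Constructed sample data; senders are pseudonymous tokens, not real identities.
SAMPLE = [
    ("emp-01", "2024-W01", "We are under the gun again this quarter."),
    ("emp-01", "2024-W02", "Lunch Thursday?"),
    ("emp-01", "2024-W03", "Under the gun, have to make the number. Under the gun."),
    ("emp-01", "2024-W03", "Ship it, no inspection. Keep it off the books."),
    ("emp-01", "2024-W03", "It's a gray area and nobody will find out."),
    ("emp-02", "2024-W03", "Vendor says no inspection is scheduled."),
]

if __name__ == "__main__":
    print(flag_windows(SAMPLE))
```

A single leg on its own, such as the routine "under the gun" in week 1 or the lone "no inspection" from the second sender, does not flag; only the week where all three legs rise together does.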
Analysis of this kind is not yet widespread. It's so far been adopted, says Remnitz, only by Fortune 50 companies, companies doing business overseas (and thus subject to the penalties of the Foreign Corrupt Practices Act), big financial institutions, banks, private equity firms, and, more generally, by "companies that have realized that, because of the onerous demands placed on them by regulators, they have to become more proactive in detecting fraud."
Other Big Eight accounting firms besides E&Y have their own proprietary, internally-built versions of the software, as does IBM. E&Y's product is based on a platform called Palantir, which Remnitz describes as a sophisticated data analysis and integration engine used by governments. The whole approach he describes as an application to the business world of "customized military grade technology."
Numbers, too, get scrutinized.
Say, for example, that an email refers to meeting at a restaurant at 6pm, but that the bill for the meal is dated 12 midnight. The context of that awfully-long dinner automatically earns a second look. So, too, would an expense entry made on a date when the employee was on vacation.
Ernst & Young points out that employee privacy rights are taken into account when investigators review data: Initially the information scrutinized is kept separate from the identity of the employee who created it. Only later in the process, if and when evidence of wrongdoing is strong, and after a company's privacy officer has signed off, would the employee's identity become linked to the data.
The American Civil Liberties Union, concerned about potential violations of a worker's right to privacy, notes there's no reason to assume that an employer's snooping would always be for the purpose of eradicating fraud. It could just as easily be to identify--and silence--potential whistle-blowers. "We're worried this could be used to stop whistle-blowers," says senior ACLU policy analyst Jay Stanley, referring to sophisticated new software.
Stanley says the law is unsettled and still evolving on certain issues of workplace privacy: It's legal, he says, for an employer to monitor workplace communications that concern an employee's work product or work performance. "Reviewing email, invoices, expense reports--all of that's permitted," he says. "Where it gets trickier, though, is where personal communications are concerned."
If, from work, and using company equipment, you log onto your personal email or Facebook account, is your privacy protected? It's unclear, he says. "The law remains somewhat ambiguous."