Other Books Authored or Co-Authored
Information Systems Security Officer’s Guide: Establishing and Managing
an Information Protection Program: May 1998, ISBN 0-7506-9896-9; by Dr.
Gerald L. Kovacich; First Edition and July 2003, ISBN 0-7506-7656-6, Second
Edition; published by Butterworth-Heinemann (Czech translation of First Edition
I-Way Robbery: Crime on the Internet: May 1999, ISBN 0-7506-7029-0; coauthored by Dr. Gerald L. Kovacich and William C. Boni; published by ButterworthHeinemann; Japanese translated version published by T. Aoyagi Office Ltd, Japan:
February 2001, ISBN 4-89346-698-4.
High-Technology Crime Investigator’s Handbook: Working in the Global
Information Environment: First Edition, September 1999, ISBN 0-7506-7086-X;
co-authored by Dr. Gerald L. Kovacich and William C. Boni; July 2003, and Second
Edition; July 2006 ISBN 10: 0-7506-7929-8; ISBN 13: 9-780-7506-7929-9; co-authored
with Dr. Andy Jones and published by Butterworth-Heinemann.
Netspionage: The Global Threat to Information: September 2000,
ISBN 0-7506-7257-9; co-authored by Dr. Gerald L. Kovacich and William C. Boni;
published by Butterworth-Heinemann.
Information Assurance: Surviving in the Information Environment: First Edition,
September 2001, ISBN 1-85233-326-X; co-authored by Dr. Gerald L. Kovacich and
Dr. Andrew J. C. Blyth; published by Springer-Verlag Ltd (London); Second Edition,
ISBN 1-84628-266-7, published in March 2006.
Global Information Warfare: How Businesses, Governments, and Others
Achieve Global Objectives and Attain Competitive Advantages: June 2002,
ISBN 0-84931-114-4; co-authored by Dr. Andy Jones, Dr. Gerald L. Kovacich and
Perry Luzwick; published by Auerbach Publishers/CRC Press.
The Manager’s Handbook for Corporate Security: Establishing and Managing
a Successful Assets Protection Program: April 2003, ISBN 0-7506-7487-3;
co-authored by Dr. Gerald L. Kovacich and Edward P. Halibozek; published by
Mergers & Acquisitions Security: Corporate Restructuring and Security Management: April 2005, ISBN 0-7506-7805-4; co-authored by Dr. Gerald L. Kovacich
and Edward P. Halibozek; published by Butterworth-Heinemann.
Security Metrics Management: How to Manage the Costs of an Assets Protection
Program: December 2005, ISBN 0-7506-7899-2; co-authored by Dr. Gerald
L. Kovacich and Edward P. Halibozek; published by Butterworth-Heinemann.
The Security Professional’s Handbook on Terrorism: Establishing and Managing a Corporate Anti-Terrorism Program: To be released in September 2007, ISBN
0-7506-8257-4; co-authored with Edward P. Halibozek and Dr. Andy Jones; published by Butterworth Heinemann.
How to Establish and Manage an
Dr. Gerald L. Kovacich
AMSTERDAM • BOSTON • HEIDELBERG • LONDON
NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Butterworth-Heinemann is an imprint of Elsevier
Elsevier Academic Press
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
525 B Street, Suite 1900, San Diego, California 92101-4495, USA
84 Theobald’s Road, London WC1X 8RR, UK
This book is printed on acid-free paper.
Copyright © 2008, Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopy, recording, or any
information storage and retrieval system, without permission in writing from the
Permissions may be sought directly from Elsevier’s Science & Technology Rights
Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333,
E-mail: firstname.lastname@example.org. You may also complete your request on-line
via the Elsevier homepage (http://elsevier.com), by selecting “Customer Support”
and then “Obtaining Permissions.”
Library of Congress Cataloging-in-Publication Data
Kovacich, Gerald L.
Fighting fraud : how to establish and manage an anti-fraud program /
Gerald L. Kovacich.
ISBN 978-0-12-370868-7 (alk. paper)
1. Commercial crimes. 2. Commercial crimes — Investigation. 3. Fraud —
Prevention. 4. Fraud investigation. I. Title.
658.4′73 — dc22
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 13: 978-0-12-370868-7
ISBN 10: 0-12-370868-0
For all information on all Elsevier Academic Press publications
visit our Web site at www.books.elsevier.com
Printed in the United States of America
08 09 10 11 12 13 10 9 8 7
Working together to grow
libraries in developing countries
www.elsevier.com | www.bookaid.org | www.sabre.org
This book is dedicated to all those fraud fighters who combat defrauders and the
other miscreants who try to take something of value from others without their
permission and without providing the owners with just compensation.
This book is especially dedicated to those whistleblowers who have the guts to
stand up when a wrong has been committed!
This page intentionally left blank
[T]he modern economic world centers on the controlling corporate
organization. . . . Executives of Enron, WorldCom, Tyco and others
became the focus of widely publicized criticism, even outrage. Joining
the language came the reference to corporate scandals. Avoided only
was mention of the compelling opportunity for enrichment that had
been accorded the managers of the modern corporate enterprise, and
this in a world that approves of self-enrichment as the basic reward for
economic merit . . .
. . . Great firms, particularly in energy and mass communications but
not so confined, came to dominate the news. In all cases, the situation
was the same, as was the result. Management was in full control. Ownership was irrelevant, some auditors were compliant. Stock options
added participant wealth and slightly concealed take. . . .
The least expected contribution to the adverse and even criminal activity was the corrupt accounting . . . This provided cover for the devious
actions that extended to outright theft. Individuals had long regarded
accounting as both competent and honest. . . .
The corporate scandals and especially the associated publicity have led
to discussion or appropriate regulation and some action — to positive
steps to insure accounting honesty and some proposed remedies, as
required, to counter management and lesser corporate fraud . . .
. . . Managers, not the owners of capital, are the effective power in the
modern enterprise. . . .
. . . So, as a very practical matter, power passed to the mentally qualified, actively participating management, and it did so irrevocably. The
belief that ownership has a final authority persisted, as it still
does . . .
. . . The basic fact of the twenty-first century — a corporate system based
on the unrestrained power of self-enrichment.
* From John K. Galbraith’s book, The Economics of Innocent Fraud: Truth for Our
Time. Houghton Mifflin, Boston. 2004.
This page intentionally left blank
Table of Contents
Introduction and Premise
SECTION I: AN INTRODUCTION TO THE WONDERFUL
WORLD OF FRAUD
The New-Old Global Business Environment
Globalization of Business — Benefits to Nation-States
Expansions of the Global Marketplace and their Areas
Types of Corporations
Corporate Owners and Locations
The High-Technology Factor
High-Technology Related Frauds and Other Crimes
Advent of the Superhighways
The Impact of Superhighways on Frauds and Other Crimes
A Short History of Crimes and Other Frauds Via the I-Way
Superhighway Frauds and Other Crimes to I-Way Robberies
I-Way Robbery — Its Prevalence
There Is No I-Way Patrol to Stop I-Way Robbers
Global Connectivity Via the I-Way = Global Exposure to
Attacks by Fraud-Threat Agents and Other Miscreants
Capabilities and Limitations of Law Enforcement
Challenges to Security Professionals and Others
Case Study 1
Case Study 2
Corporate Assets, Frauds and Other Terms —
What Are They?
Definition of General Fraud
Specific Fraud Definitions
Other Terms and Definitions
Some U.S. Federal Fraud-Related Laws
Relevant Consumer Protection Laws for Fraud in the
A Few Examples of U.S. Federal Enforcement of
Fraud-Related Laws, Approach and Actions
Mail Fraud Statutes (condensed and paraphrased)
Financial Institution Fraud (Bank Fraud)
U.S. Treasury Collection
Role of Phone Companies
European Fraud-Related Laws
EU Fight Against Frauds
ASIA and Fighting Fraud
“Blowing the Whistle” on Defrauders can be Dangerous
Corporations Don’t Commit Frauds, People Do
Are Defrauders a Product of Their Environment, or Is It
in Their Genes?
Some Criminology Theories
Table of Contents
Human Errors — Accidents
Man-Made or Malicious Fraud Threats
Potential Fraud-Threat Agents
Fraud-Related Factors for Attacking Systems
Relationship of Threat Elements
Fighting Fraud — Whose Job Is It Anyway?
Role of Executive Management
Role of Corporate Management
Role of the Corporate Employees
Role of the Ethics Director
Role of the Auditor
Role of the Fraud Examiner
Role of the Chief Security Officer (CSO)
Why the Corporate Security Professional?
Where There Is a Will There Is a Way —
Types of Fraud Schemes
Credit Card Skimming
Computer and Telecommunications Frauds
Employment Application Frauds
Identity Theft Scams
Accounting Fraud Schemes
Bribery and Corruption
Conflicts of Interest
Purchasing — Four Basic Categories
Investments and Fixed Assets
Payroll and Personal Expenses
Advance Fee Scheme
Common Health Insurance Frauds
Letter of Credit Fraud
Prime Bank Notes
The Ponzi Scheme
Fraud Cases and Commentary — Learning by Example 127
Actual Fraud and Fraud-Related Cases
Phishers and Taxpayers
Fraud by Corporate Executives
Foreign Exchange Trading Fraud
Katrina Waste and Frauds
Organized Crime and Cybercrime
Securities Fraud in Cyberspace
Computer Hard Drives Lead to Frauds
Government Contracting Fraud
Fraud-Threat Agents Can Be Anyone in Any Position
U.S. Securities and Exchange Commission (SEC) Fighting
Fraud in School Systems
Dead Soldiers and E-Mail Scams
Another Example of Insider Fraud
Executive Management and Accounting Fraud
Merchandise Receipt and Exchange Fraud
Table of Contents
Government Contractors and Fraud
Frauds and Microsoft Software
Data Storage Conducive to Fraud-Threat Agents
Another Example of Click Fraud
Pyramid Schemes Move on to the Internet
Prepaid Cellular Phone Fraud
Identifying International Corruption
Credit Card Information Theft and Frauds
Hackers, Crackers, Phishers, Oh My!
Urban Legends and Frauds
Medical Research Frauds
Corruption and the War in Iraq
Comments on Identity Thefts as a Vehicle to Fraud
Lobbyists and Corruption
Internet Scams are International
Faking a Medical Condition
Internet Fraud Sweep
Social Security Scam
Banker and Identity Theft
Accounting Firm Fraud
Lawyers and Medical Rip-offs
Another Mention of the “Nigerian” Scams — Variations
on a Theme
SECTION II: ESTABLISHING AND MANAGING AN
The International Widget Corporation
IWC Background Information
Key Elements for the CSO to Consider
Getting to Know IWC
IWC’s Business Plans
Strategic Business Plan
Tactical Business Plan
IWC’s Annual Business Plan
IWC and the History of Its CSO
Key Elements of IWC’s Annual Business Plan
Anti-Fraud Program Planning
IWC’s Departments of Primary Importance to the CSO
IWC Vision, Mission, and Quality Statements
Other IWC Plans and CSO Support
Establishing an Anti-Fraud Program
IWC’s Anti-Fraud Program
Anti-Fraud Program Project Planning
IWC Anti-Fraud Program Project Planning and Management
Anti-Fraud Program Project Team
Anti-Fraud Drivers — The First Major Task in Anti-Fraud
IWC Anti-Fraud Program Requirements — Policies
Risk Assessment — The Second Major Task in Developing
an Anti-Fraud Program
Basics of IWC’s Risk Assessment Process
Assets Protection Risk Assessments
Assets Protection Risk Analyses
Developing Anti-Fraud Defenses
Three Key Ingredients in an Anti-Fraud Program’s Defenses
IWC’s Anti-Fraud Policies
Anti-Fraud Requirements and Policy Directive
The CSO and Security Department’s Anti-Fraud
Table of Contents
Off-Site Corporate Facilities
Recruiting Anti-Fraud Professionals
Managing an Anti-Fraud Program
Management versus Leadership
Meeting Customers’ Expectations
IWC Internal Customers
IWC External Customers
IWC Executive Management Expectations of a CSO
Security’s Vision, Mission, and Quality Statements
Managing the IWC Anti-Fraud Program
Some Aspects to Incorporate into an Anti-Fraud
Quality, Process Improvement, and Assessment of
Using Technology to Deliver Anti-Fraud Program Support
Managing Quality and Management Oversight
What is Risk Management As It Relates to IWC’s AntiFraud Program?
Managing and Reducing Risks to Corporate Assets
Program for Managing Anti-Fraud Defensive Risks
Responding to Fraud Incidents
Managing Fraud Threats
Winning through Teaming
Anti-Fraud Program Team Building
Executive Management as Team Members
Teaming with IWC Executive Management Through a
Teaming with Corporate Peers
Teaming and Dealing with Office Politics
Teaming with Your Security Managers
Teaming with Your Security Staff
Teaming and Dealing with Satellite Offices in IWC
Headquarters in the United States
Teaming and Dealing with Satellite Offices in
Anti-Fraud Project Team Functional Tasks
Anti-Fraud Program’s Non-Security Team Functions
Are We Winning the Battle? How Do We Know?
Measuring an Anti-Fraud Program’s Costs, Benefits,
Successes, and Failures
Common LOE Measurement Techniques for Each Function
Examples of Metrics by Function
Investigations and NCIS Metric Chares
Examples of Anti-Fraud Investigations Metrics
SECTION III: THE FRAUDULENT FUTURE
What Will the Fraudulent Future Hold for
Table of Contents
Globalization of Business to Continue
Employees of the Future
The Future Global Corporation
Future of Fraud Attacks on Corporations
Future Anti-Fraud Protection Needs of Corporations
The Impact of High Technology on Fraud
High-Technology Anti-Fraud Defenses
What the Security and Other Anti-Fraud
Professionals Must Do Now to Personally Prepare
to Combat Tomorrow’s Frauds
Becoming and Staying Proactive and Aggressive in
Getting a Fraud Education
Gaining Fraud-Related Certifications
Gaining Anti-Fraud Experience
To Conduct or not to Conduct Fraud Lectures and Write
Summary and Final Thoughts
What Others Think About the Anti-Fraud Leadership
Position in a Corporation
Toby J. F. Bishop, CFE, CPA, FCA, President and Chief
Executive Office, Association of Certified Fraud Examiners
In Conclusion-My Thoughts
End of Line
About the Author
I must tell you up front that the focus of this book is NOT on investigating
frauds, corporations that are responsible in some form for perpetrating
frauds, and the like, although some information in that regard is provided.
The emphasis in this book is on Establishing and Managing an AntiFraud Program for a corporation from an anti-fraud management and leadership viewpoint, with the emphasis on management and leadership.
Although I use the word “corporation” throughout, it also applies to
government agencies, nonprofit groups, associations, privately held companies, and any entity that is concerned with the loss of its assets by
Over the years, many books have been written about fraud in general
and also about specific types of frauds. There have also been books written
about specific fraud cases dealing with specific corporate frauds.
All of these books, however, for the most part seem to miss one basic
fact: namely, the perpetration of a corporate fraud relates to attacking and
stealing corporate assets of various kinds. Furthermore, the leadership role
of protecting corporate assets has for decades fallen on the shoulders of
the corporation’s chief security officer (CSO), and it still does today.
That role will be discussed in more detail in the chapters of this book,
but suffice it to say here that the corporate CSO has seemed to have abdicated that responsibility — leaving the protection of corporate assets from
fraudulent attacks to others both inside and outside the corporation — to
auditors and accountants.
This book was written in part to try to change that attitude and to
provide justification to begin wresting that leadership responsibility from
others and help make a case for justifying why fighting corporate fraud
should be one of the primary duties and responsibilities of the CSO, who
is indeed the leader for protecting all corporate assets.
This book also seeks to:
Provide security professionals and others responsible for the protection of corporate assets (e.g., executive management) a roadmap for
developing their own anti-fraud program.
Help them to tailor the program to their own corporate
Help those who are interested in preventing fraud within their
corporations by providing them with an awareness and a better understanding of the threats to corporations by these miscreants.
Explain how the frauds are costing these corporations a competitive
edge in the global marketplace.
Provide guidance on how to:
• Establish and manage a corporate anti-fraud program that is both
proactive and defensive in nature.
• Use an aggressive anti-fraud strategic approach under the leadership of the CSO.
This book will also be useful for those accountants, investigators, and auditors, as well as others who work for corporations in the areas of finance,
contracts, supply, and the like, and who are interested in indicators of
frauds and anti-fraud programs and in viewing the matter from other than
an accountant’s, investigator’s, or auditor’s point of view.
Hopefully, they will see that fighting corporate fraud is indeed the
leadership responsibility of the CSO and push, pull, and otherwise support
the CSO who wants to take on that leadership role.
I want to repeat that this book emphasizes establishing and managing
an anti-fraud program and how to set up such a program for a corporation.
As noted earlier, it is not about investigating incidents of fraud, describing
fraud examination functions or incidents of fraud, and the like, except as
they relate to the primary objective of establishing and managing an antifraud program.
The text consists of three sections and 17 chapters that will provide
the reader with a practitioner’s guide (a “how-to” book), augmented by
some background information to put it all in perspective. The approach
Enable the reader to understand this global, fraud-threatening
Immediately put in place a useful anti-fraud program baseline under
the leadership of the corporation’s CSO.
The format used for this book follows the one I have used in several of my
other successful books, primarily because according to many of my readers
this format and approach provides basic information in an easy-to-read
Because of similarities between protecting corporate assets from fraud
and protecting corporate assets from various other threats agents, I have
borrowed the format and some related information from some of my previous books published by Elsevier’s Butterworth-Heinemann Publishers.
This provides the reader the required information in one book instead of
having to read through other books for the information, for example, The
Manager’s Handbook for Corporate Security.
The information provided in this book is the product of decades of
experience in fighting fraud-threat agents and of information collected from
multiple sources, private, public, governmental, and corporate. This information has been passed on through my professional colleagues as well as
through the training and awareness courses offered by various U.S. federal
government agencies and the courses and conferences provided by antifraud and security-related associations. If I failed to provide specific recognition within the heart of this book for the information they have provided
over the years, I apologize in advance for this unintended oversight. After
decades in this field, the sources and personal experiences tend to merge
I hope this book provides you with a basic foundation that will help
you build an anti-fraud program and a total assets protection program. I
would be very interested in hearing from you concerning your successes
and failures in that regard. Also, I welcome all constructive criticism and
suggestions on additional topics that you think should be addressed in any
further editions of this book. Please send your questions and comments to
me through my publisher: Elsevier’s Butterworth-Heinemann.
Dr. Gerald L. Kovacich
Whidbey Island, Washington
This page intentionally left blank
In taking on any book writing project, success will elude any writer who
thinks he or she knows it all. Therefore, it was vitally important for me to
be able to call on old friends and professionals to help me meet my specific
To provide a book of useful information to help the security professionals and others who are involved in anti-fraud activities to gain
information that can be quickly put to use.
To assist in the protection of corporate assets from the global defrauders of today and tomorrow.
In that context, the following deserve special thanks:
Motomu Akashi, mentor, great friend, and one of the best corporate
security professionals ever to have protected a corporate asset, especially in the “Black World”!
William C. Boni, Corporate Vice President and CISO, Motorola
Corporation, one of our leading twenty-first-century security
Jerry Ervin, good friend, former professional crime fighter, information systems security specialist, investigator, special agent, and security guru.
Don Evans, InfoSec Manager, United Space Alliance, who is always
there to lend a hand, provide advice to the security “rookies,” and
support a security conference anywhere, anytime.
Edward P. Halibozek, Vice President of Security, Northrop Grumman
Corporation, for his friendship, professional security advice, and his
great work as a co-author.
Roscoe Hinton, a very old friend and fellow fraud fighter, Special
Agent (recently retired), who was my partner in fighting defrauders
who targeted the U.S. government, especially in our investigations
and operations against the defrauders and other miscreants who tried
to defraud the Department of Defense and the U.S. Air Force. I hope
that we won more than we lost over the years! Thanks Roscoe for the
advice and counsel.
Dr. Andy Jones, Head of Security Technology Research, at the Security
Research Centre for British Telecom, United Kingdom; distinguished
professor, lecturer, consultant; co-author, good friend, and one of the
best of what Britain has to offer to combat high-technology crimes
and information systems assets protection.
Jerry Swick, former senior telecommunications crime investigator,
and retired Los Angeles Police Department Lieutenant and co-founder
of their computer crime unit. A true crime fighting professional and
a good friend.
All those who work for the Association of Certified Fraud Examiners
(ACFE) who daily lead the way in supporting the anti-fraud professionals, whether they be auditors, accountants, financial specialists,
fraud examiners, security personnel, law enforcement personnel,
investigators, corporate or government management — in fact, anyone
who is interested in fighting fraud. Thanks especially for your many
years of supporting my activities.
The American Society for Industrial Security (ASIS), a security professional organization which has led the way in supporting security
professionals. Thanks to them for their continued leadership and
support in all they do.
The United States Air Force Office of Special Investigations (AFOSI)
for their years of leading the way in the DoD and the federal government in fighting fraud, supporting and providing some of the best
anti-fraud training one can ever receive; as well as for being a great
place to work as a special agent and fraud investigator.
The High Technology Crime Investigation Association (HTCIA), which
has become one of the primary leaders in investigating high-technology
crimes, including telecommunications fraud, computer fraud, and
various other forms of high technology-related frauds. Thanks to
them, law enforcement and security professionals have been working
closer together to fight high-technology crimes, including hightechnology-related frauds.
Of course, thanks to my better half for over 30 years, Hsiao-yun Kovacich.
I must always thank her for many years of support and giving me the
“space” I need to research and write. Thanks also for her many hours of
researching topics for my writings and for explaining the “thinking Asian
To the staff and project team of Butterworth-Heinemann — Mark
Listewnik, Chris Nolin, Jennifer Rhuda Soucy, Pam Chester, and Kelly
Weaver, the very best of professionals! Thanks again for providing great