Our speakers were from the Office of the Securities Commissioner, the “cops on the beat” for securities fraud, the only state office that enforces Hawaii Securities Laws (HRS Chapter 485A) in the state. Their cases come from formal written complaints from investors or the public, anonymous tips from their SCAM Hotline: 58-SCAMS (587-2267) or 1-877-HI SCAMS (1-877-447-2267)
Common threats investors face in Hawaii are: Ponzi schemes, affinity fraud, unregistered individuals selling securities, unregistered investment products, variable annuity sales practices, and sales pitches
In addition to various case studies, our speakers discussed a case in which a fraudster was identified by tracking his daughter’s social media activity, proving that anyone can use the Internet to investigate fraud. Using posts on such sites as Facebook and Instagram, they were able to put a face to the name of the suspect on paper. In addition, they extrapolate data onto Google maps and a scheduled garage sale at his home to pinpoint a time and place where he could be apprehended. One caveat to using social media as an investigative tool is to make sure your own identity is protected, so as not to prematurely alert someone that they are being watched by someone from your organization.
In addition to investigations, the agency also has an Investor Education Program, providing free investor information and educational presentations. For more information, check out their website at http://cca.hawaii.gov/sec/
Bruce Kim, Executive Director of the Office of Consumer Protection at the State of Hawaii Dept. of Commerce and Consumer Affairs, gave us an overview of the office and its responsibilities under the Hawaii Revised Statutes.
The OCP is consumer counsel for the State of Hawaii and is responsible for investigating and prosecuting allegations of unfair and deceptive trade practices in consumer transactions. OCP also promotes consumer awareness about important consumer protection issues through its programs, media releases and educational materials.
OCP enforces Hawaii’s unfair and deceptive practices laws over a wide range of commercial activities, from payday lenders, unaccredited degree granting educational institutes and mortgage failure rescue scams.
For OCP investigations, showing an entity’s capacity for deception is sufficient to issue a violation; intent or actual deceptions is not required – negligence is enough. Penalties can range from $500 to $10,000, with enhanced penalties against elder abuse. The OCP partners with other states on issues such as a lawsuit against T-Mobile for allowing third-party vendors to cram charges onto consumers’ bills.
Internet violations that cross state boundaries can result in joint enforcement action, as in the case of a Miami debt adjusting firm that contacted a Hawaii consumer online who was behind on their payday loans and accessed their bank account. In this case, they went after the payment processors who were charging fees and successfully obtained a judgment against them. Hawai‘i is at increased risk for mortgage failure rescue fraud due to the higher percentage of those who fall behind payments by more than 90 days. This is reported publicly in the Bureau of Conveyances Foreclosure Filings at Circuit Court, which fraudsters use a list of potential victims.
OCP also operates the Hawaii Residential Landlord-Tenant hotline, a free service that offers information to the general public about the Landlord-Tenant Code. Callers can access the Hotline by calling (808) 586-2634 or by visiting any of the OCP offices between 8 a.m. to noon.
Also, check out OCP’s Facebook page at https://www.facebook.com/HIConsumerProtection
Lorie K. Sides, Brand Integrity Service Specialist from the Better Business Bureau, provides consumer education, conducts public outreach presentations to the Military, Community Groups and Senior Citizens, and assists with dispute resolution, investigation and advertising reviews. During our November luncheon, she discussed tips on Outsmarting Investment Fraud from the Financial Industry Regulatory Authority (FINRA). She reminded us to help protect our family and friends and prevent fraud by letting them know how investment fraudsters operate and by reporting suspicious sales pitches and scams. Some common tactics include the following:
- Phantom Riches – dangling the prospect of wealth, enticing you with something you want but can’t have, e.g. “This investment is guaranteed to produce $6,800 a month in income.”
- Source Credibility – trying to build credibility by claiming to be with a reputable firm, or special credentials or experience, e.g. Senior Vice President of XYZ firm.
- Reciprocity – offering to do a small favor in return for a big favor e.g. “I’ll give you a break on my commission if you buy now – half off.”
- Scarcity – creating a false sense of urgency by claiming limited supply e.g. “There are only two units left, so I’d sign today if I were you.”
Legitimate marketers use the same tactics, except the deals they offer are legitimate, so it pays to take the time to stop and think before making a decision. Here are two ways to respond:
- End the conversation – Practice saying no, or simply telling the person, “Sorry, I’m not interested. Thank you.”
- Ask your own questions – ask if the person and the firm are registered with FINRA, the Securities and Exchange Commission, or a state securities regulator, and ask them to name which one. Verify answers by checking the seller’s background at www.SaveandInvest.org or check out the firm’s Better Business Bureau Review at www.bbb.org/search.
- Talk to someone first – Even if the seller and the investment are registered, it’s always a good idea to discuss these sorts of decisions with family or a trusted financial professional.
For more information, check out these resources:
|Before You Invest with …
||If A Problem Occurs …
- A Broker or Firm www.finra.org/brokercheck
- A Investment Adviser SEC Investment Advisor Public Disclosure Database
- A Broker‐Dealer, Investment Adviser or Investment North American Securities Administrators Association
- An Insurance Agent National Association of Insurance Commissioners
- An Investment SEC’s EDGAR Database
- Any business that wants your money
- FINRA Complaints and Tips www.finra.org/complaint
- SEC Office of Investor Education and Advocacy
- State Securities Regulator North American Securities Administrators Association
- Better Business Bureau
Brian Shaughnessy, with ACFE Board Member and Treasurer Kenny Stanley
U.S. Postal Inspector Brian Shaughnessy has investigated some of the most noteworthy financial fraud cases in Hawaii over the past seven years. In 2010, he was a finalist for the prestigious Citizenship Award by the City & County of Honolulu for his work in combating identity theft and financial crimes.
Inspector Shaughnessy discussed some of the cases that have led to the successful prosecution of numerous defendants for felony offenses of forgery, theft, identity theft, credit card fraud, and bank fraud. He also discussed some of the challenges law enforcement faces in today’s digital era of financial fraud. Some ongoing issues included the following:
• Check kiting is still a problem in Hawaii, both with stolen and worthless checks being uttered. While fraud involving personal checks have declined slightly in recent years, forgeries involving stolen & altered business checks continue to be a problem. Slow reporting by victim businesses can hinder these investigations.
• Check fraud schemes involving online banking: A suspect in Hawaii opens up numerous online bank accounts with mainland banks, has checks mailed to Hawaii, and then uses the checks issued by those banks to commit check kiting at local banks here.
Money laundering investigations: Postal Money Orders are often the number one choice for drug trafficking organizations to get dirty money back into the U.S. banking system.
• Increase in ACH fraud & corporate account takeovers: $39 trillion went through ACH network in 2013. Criminals like ACH fraud due to the anonymity it provides. Smaller financial institutions and mid-size businesses are being targeted because they are perceived by criminals as more likely to have insufficient controls.
• Synthetic Identity Fraud: Thieves combine real and fake personal identifying information to create new credit profiles, submitting fraud applications with one financial institution after another until credit accounts are approved. This often creates a fragmented file attached to victim’s main credit file that still negatively affects their credit report, but is typically impervious to fraud alerts & credit freezes. It’s the worst case scenario for both person victim and financial institution victim. This scheme is causing millions of dollars in losses on the mainland.
• Operation Plastic Surgery: Postal Inspectors and Secret Service agents in Charlotte & Florida recently took down operators of website, www.fakeplastic.net that was selling counterfeit credit cards. Suspects only accepted payments from other co-conspirators in Bitcoins.
• Operation Rapid Refund: Large-scale stolen identity tax refund scheme that has resulted in more than $5 billion in losses to U.S. Government. Case highlights importance of protecting one’s Social Security Number more than other personal identifying information.
• Elder Abuse continues to be major problem in Hawaii – investigative efforts in these cases are being led by Honolulu Police Department’s Financial Crimes Detail & Elder Abuse Justice Squad at City Prosecutor’s Office. Recent elder abuse cases range from incidents in which the suspect and victim are known to each other (such as family member or caregiver), to cases where the victim receives a fraudulent sweepstakes notice in the mail. In the latter scheme, the victim in Hawaii often mails cash or Postal Money Orders to a middle man on the mainland, who then wires the stolen money to perpetrators outside the U.S., commonly to Jamaica.
Edward Tavares, Information Technology Internal Audit Manager for Hawaiian Electric Industries, drew on his academic studies in enterprise computing, anti-terrorism, electronic tracking and surveillance, as well as his wide ranging career at Verizon, BBN Communications and the U.S. Secret Service to discuss “Cyber Threats of Today and Tomorrow.. What Can We Do?”
Based on reports of incidences from 95 countries, cyberthreats in 2013 comprised more than 63,000 security incidents and 1,367 confirmed data breaches. While the universe of threats seems limitless, further analysis of 100,000 security incidents over the past 10 years showed that 92% of the breaches can be described by just nine patterns:
- Point-of-sale intrusions
- Payment card skimmers
- Physical theft and loss
- Web app attacks
- Denial of Service (DOS) attacks
- Insider Misuse
- Miscellaneous Errors
Ten years of lessons on cybersecurity have shown
that breaches can affect all industries and all sizes
of organization. The frequency of specific incidents
varies by industry. For example, 75% of attacks on the Travel/Hospitality industry targeted Point of Sale devices and systems, while 75% of incidents in Financial Services came from web app attacks, Denial of Service, and card skimming. In the public sector, only four patterns accounted for 98% of attacks: 34% errors, 24% insider misuse, 21% crimeware, and lost/stolen assets (19%).
Attackers have gotten faster at breaching systems, and while defenders are also getting faster, they are falling farther behind. Many successful breaches are detected by third parties, such as law enforcement agencies, specialist fraud detection organizations, or even customers.
Questions that investigators and auditors can ask when investigating IT-related data:
- What digital information do we have?
- Where do we keep it?
What is the risk associated with that data?
- Who has access to it?
- When was it last accessed?
- When it gets breached how do you respond?
Data Breach was a timely topic covered at our first joint luncheon with the Hawaii Chapter of ISACA – the Information Systems Audit and Control Association, held at the Pacific Club.
Our speaker was Addie Lui, the Information Security Officer at Hawaii National Bank, and ISACA’s chapter president. He covered a wide range of subjects, including:
- Types of data to protect
- Examples of data breach
- Requirements to protect credit card information
- Credit/Debit Card Scheme
- Prevention Steps
Some basic tips for prevention: know your data and protect it according to risk; keep up with software updates, use complex passwords and change them often. Remember that banks or other companies do not need to know your password, and will not request them via email or phone. IT staff should not be able to see passwords in most systems.
More advanced prevention steps include: dedicating one computer to conduct online banking or other financial transactions only; monitor network traffic with intrusion detection, prevention devices; hire an IT security firm to perform a vulnerability security assessment or penetration test on the network; use a whitelist security application to allow only approved and authorized software to be installed on computers; and be aware of suspicious activities, e.g. transmittal of files after hours.
Always a popular speaker, FBI Special Agent Tom Simon discussed “Protecting the Nest Egg” with updates on a number of Hawaii investment fraud cases. Many of them involved fraudsters who convinced families to extract cash from the value of their homes, then invest in what they claimed to be high-yield investments.
They may provide the stated returns one or two times, just enough for their victims to spread the word about the apparently successful investment scheme they had stumbled upon. Predictably, the payouts stop coming. That’s when Simon gets the call from the victims.
He noted that 90% of his time is spent talking to victims, who want to talk about the end of the payouts. He tries to get them to focus on what the fraudsters said to them before they invested, and how they were convinced. The gap between what victims were promised vs. what actually happened is key to building the case against them. While he wishes people would call to check on investments that seem too good to be true, he said this only happens 10% of the time.
He called on ACFE members, especially banking and financial professionals, to ask clients “What’s going to happen to this money?” if they notice movements of large amounts. This could help them open up the conversation about potential fraud, and possibly prevent one before it happens.
Christopher D.W. Young currently serves as a Supervising Deputy Attorney General and Division Chief of the Criminal Justice Division, Department of the Attorney General, State of Hawaii. At our January 2014 luncheon, he focused his talk on the Fraud Examiners’ Role in Prosecuting Fraud. He advised those investigating fraud to not “get lost in the forest” and try not to find all theft but look for obvious theft that can more easily lead to prosecution.
He described the 5 Steps for Developing a Provable Fraud Case:
- Find and understand policies and procedures. This includes organizational rules, bylaws, who has oversight over funds, legal duties (particularly fiduciary), board minutes and financial reports. It is critical to obtain evidence that the suspect was made aware of the rules, e.g. through training.
- Find the paper trail — both what exists, and what should be there but is missing. Missing documents could be an indication of intent to defraud. Remember to track down documents that are not held by the suspect.
- Challenge the paper trail, verify what is documented. This could involve checking with a third party vendor or finding backup documents.
- Apply records to the rules obtained in Step 1. Failure to comply or partial compliance, or exceeding authorization limits could be considered intent to defraud.
- Interview a potential suspect only within the parameters of your organization’s existing administrative process. Under no circumstances during fact-finding should you consult law enforcement on what types of questions to ask, as this makes you an agent of law enforcement, which requires that a suspect be read his or her Miranda rights. If you do interview, obtain agreement at the outset, e.g. establish that the person was aware of the rules before inquiring about specific details. Record the interview if possible. Don’t accuse the person, allow him or her to provide an explanation and keep your reporting factual.
This forms the basis for a summary of findings, which the prosecutor can use to build his or her case. He noted that felony charges — which could be for amounts as little as $20,000 — must be brought within three years of discovery, so time is of the essence. Do not delay reporting, as law enforcement has better tools for obtaining records and testimony.
Cyber Crimes Investigator Chris Duque – a 30-year veteran of the Honolulu Police Department and now with the White Collar Crime Section at the City & County of Honolulu Department of the Prosecuting Attorney – shared what he has seen as he continues to focus on investigations through social media.
For example, sites such as eBay may be used as a fencing operation. The challenge is finding the person who actually committed the crime. In addition to tracking electronic footprints to find the people behind the user name, social media used in combination with what the criminal investigator knows about certain associates can be used as a tool to determine connections among various people.
Thus, real life crimes can be traced in the virtual world, then brought back to real life, leading to real prosecutions. For those in law enforcement, subpoenas can be used to find the actual people behind user IDs. Mr. Duque noted that the subpoena should not only include the person using the account, but also who is paying the bill. He noted that because technology allows multiple logins into the same account from various devices, one should be cautious about concluding who is actually posting information at specific times.
To keep up with Chris Duque’s ongoing activities, follow him online at:
At our luncheon on September 19, Lt. John McCarthy gave attendees an update on Financial Crime Trends that he has seen this year. Some examples were:
- Green Dot cards: A type of advance payment scheme in which victims receive what appears to be an award check. However, prior to receiving the award, victims are told that they must pay “processing fees” by placing money on a Green Dot MoneyPak, a type of prepaid money card. Once the money is on the card, the victim is instructed to tell the scammer the access code, which the scammer then uses to drain the MoneyPak. This allows scammers to bypass traditional cash-wiring companies.
- Credit card skimming on a global scale: One of the largest financial crimes in Honolulu started with credit cards originally skimmed in Florida, sold to a group in Russia, and ultimately used by a group in Honolulu. Within four days, scammers racked up $500,000 in purchases at high-end retailers. The suspects were arrested and charged with 24 crimes in Hawaii, New York, Florida and other states on the West Coast.
- Account takeovers: Usually the result of phishing, spyware or malware scams, an account takeover is the unauthorized use of a legitimate account that results in a loss of funds. Recently, Home Equity Line of Credit (HELOC) accounts have been commonly targeted in this scheme. In one example, a Capital One HELOC account was taken over when a signature block stored on a stolen cell phone was used to gain access to the account. Spear phishing, where malware on victims’ computers record key strokes, is another common method of gaining online access to accounts.
- Metadata on Facebook: We all leave footprints on the Web when we use social media. Third-party software can extract metadata from pictures posted on sites such as Facebook to determine when or where a photo was taken and who took it, which can then be related to others in the area who took photos at the same time.
- Bitcoin and Silk Road: Bitcoin is an Internet currency independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution and used around the world. This has made it a handy tool for illegal purchases (such as drugs or guns) on online black markets such as Silk Road. Transactions were anonymous and there was no way to trace or record their identities. Silk Road was shut down by the FBI on October 2, 2013.