Featured Article

All Wired Up: Electronic Funds Transfers are Prime Fraud Targets

Date: January 1, 2001
Read Time: 12 mins

Theodore Swaggen was above reproach. This eight-year employee of a major Midwest bank had won the trust of his coworkers and supervisors. But as the supervisor of the bank's wire transfer room, Swaggen handled enormous sums of money. He decided it was time to get his hands on some of it, $68.7 million to be exact.

Aided by a gang of outside accomplices and a few secret bank codes, Swaggen* planned the crime for a month and executed it in an hour. He transferred money from the accounts of major U.S. corporations to bank accounts that his co-conspirators had set up under assumed names at two banks in Vienna, Austria. But, fortunately, before the perpetrators could collect the loot, the bank discovered the fraud and put a stop payment on all electronic funds transfers (EFTs, more commonly called wire transfers). The embezzlers came tantalizingly close to succeeding and showed how vulnerable banks and their vast computerized cash movement networks can be to a dishonest insider.

EFTs are used by banks to move more than $1 trillion in funds around the globe each week, and the amount is rising. Because of the large volume processed through EFT systems, they are a prime target for fraud perpetrators wanting an immediate, enormous source of money.

Therefore, EFT systems are high risk and should receive the highest priority for security measures. As these FBI statistics show, more dollars change hands by EFT than by any other method, yet EFTs make up only a slight percentage of total transactions:

Transactions by category

Category   Number of transactions   Dollar volume
Cash       80 percent               5 percent
Check      18 percent               12 percent
EFT        2 percent                83 percent

The volume of EFTs continues to grow as more companies use this medium to conduct business.

When a corporation transfers funds from its account, it contacts its bank's wire room by telephone. The bank initiates a predetermined call-back system (using various code numbers) to a designated executive at the company to verify authorization for the transaction. All calls are automatically taped. In the Swaggen case, he had access to the codes and knew the names of the appropriate executives at the various corporations used in his scheme.

The gang originally planned to steal $232 million from the accounts of quite a few companies. However, they never got that far. On the appointed day (Friday, May 13), the co-conspirators called other wire-room employees in Swaggen's bank to request that EFT transactions be processed from the target corporations to the designated fraudulent bank accounts. The wire room employees passed the transactions to Swaggen, who was responsible for the bank's call-back procedures. But instead of calling the indicated corporations, he called his co-conspirators outside the bank at predetermined telephone numbers. These individuals then made the telephone conversations sound like legitimate EFT confirmations. Once the approvals for these transactions had been falsely obtained, the transfers were initiated. The scheme collapsed when one of the corporations being used in the scheme didn't have sufficient funds in its bank account to cover the EFT transaction; it bounced just like a non-sufficient funds check. Swaggen's bank then reversed the "irregular" EFT transactions, and the perpetrators received nothing but hefty jail time.

When fraudsters use the EFT banking system to divert funds to personal use by sending vast sums of money from U.S. banks to overseas banks, chagrined bank managers often find these internal control weaknesses:

  • Password systems have been compromised.
  • The requirement for dual authorization of transactions has been neutralized.
  • Non-repetitive bank numbers have been improperly used.
  • Management reports aren't prepared, monitored, or reconciled in this critical function.
  • Prompt follow-up actions aren't taken to resolve unconfirmed EFT transactions.

The following presentation describes a relatively simple computer software system that companies often use to process investment transactions by EFT. The software belongs to the bank, and access to the system is via a telephone modem through a personal computer or public telephone. Following are some of the internal controls designed to keep fraudsters out of the company's EFT activity:

  1. Personal computer log-on: A company's investment officer or other designated employees enter the software access code for the EFT program on their personal computers, which allows them to contact the bank to use the system for EFTs as well as other types of bank transactions. For security purposes, access to this software is restricted to a few people.
  2. Office password: This password identifies the company and user to the bank. The bank's system uses two passwords, each of at least six characters drawn from a mix of numbers, letters, and symbols. Every authorized investment official in the office uses this one set of codes when using the system.
  3. Individual password: This six-character password permits an individual to process transactions once the wire transfer portion of the software has been activated. For security purposes, access to this password is restricted to a few people.
  4. Password changes: The bank normally requires that individual passwords be changed at least every six months to ensure integrity. The bank reportedly doesn't know these passwords, even though they're recorded in its computer and it could find them.
  5. Repetitive bank numbers: When the EFT system is initially installed, the company sets up a standard list of bank numbers for all anticipated future use. These are established by letter from the investment officer to the bank, and the letter names the authorized individuals who are signatories on the company's main depository bank account where the EFT transactions are processed.
    If transactions are needed for banks not on this pre-authorized list, additional non-repetitive bank numbers can be entered into the system. These are initiated on a one-time basis for the current date only, and must be authorized by telephone by an authorized signatory on the account.
  6. Notification of recipient: Before initiating a transaction, the investment officer telephones the recipient to advise him or her that an EFT transaction is being sent on the current date. The recipient then monitors the EFT activity in his or her bank account to ensure receipt.
  7. Daily security code: The investment officer devises a daily security code according to instructions received from the bank. This code must be calculated and used for each individual EFT transaction. It has two components: a) a code for the current date (provided on a chart by the bank); and b) a code representing the sum of the digits of the amount of the transaction to be sent (whole dollars only, excluding the cents). These two numeric codes are added together to make the daily security code for the EFT transaction.
  8. Second-person authorization: The bank's EFT software has an option for a second person to authorize the transaction after all the data has been entered. This authorization can occur either when the transaction is entered, or later the same day in batch mode. For instance, if several people input transactions during the day, the supervisor or investment officer (the second authorizer) could review and authorize the transactions processed by all office personnel at one time.
  9. Dollar limit: The bank system requires that dollar limits be established for each individual EFT transaction as well as for the total of all EFT transactions the company can process on a single working day.
    If it becomes necessary to process EFT transactions in excess of these dollar limits, exceptions can be made by placing a telephone call to the receiving bank to bypass this control. The bank has to agree to this option, and then also becomes responsible for its action in the matter. These exceptions are initiated on a one-time basis for the current date only, and must be authorized by an authorized signatory on the account.
  10. Control log: All EFT transactions are entered in the check register for the main depository account as they occur (recorded as "EFT" rather than with a normal check number). In addition, the investment officer can print a copy of each EFT transaction processed during the day, or a wire activity report at or near the end of each operating day. The wire activity report gives the complete details of all EFT transactions, both incoming and outgoing. This report, or the list of individual EFT transactions, serves as the control log of all EFT transactions processed during the day.
  11. Bank confirmation: All EFT transactions are confirmed daily by the bank via mail using a notice of funds transfer document, which is compared with the check register entries recorded in the main depository account for all EFT transactions processed on the previous business day.
  12. Reconciliation: The wire activity report and bank confirmation documents are used during the daily cash balancing done in conjunction with the preparation of the daily cash accountability document in the company's business office. These documents are agreed to the total of all individual EFT transaction documents processed during the previous business day. This reconciliation is performed daily by an independent third party who has no responsibility for processing actual EFT transactions.
  13. Daily system report: Each morning, the investment officer accesses the wire transfer system at the bank and prints a system report of all banking transactions of the previous business day. This report provides a daily record, at the summary level only, of all incoming and outgoing EFT transactions that were processed.
    The wire activity report is filed with the daily cash accountability document, but the daily system report is filed separately in the check redemption section of the company's business office.
    The company can also access the wire transfer portion of the bank's software at any point during the current working day to determine what EFT transactions have been recorded, and can obtain a list of all incoming and outgoing EFT transactions.
  14. Transmission security: All EFT transactions are sent over normal telephone lines. The bank's software doesn't require that the data transmission be scrambled, so there isn't any communications security in the system, and the company can't change this.
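The daily security code of item 7 and the release checks of items 5, 8 and 9 are simple enough to model in a few lines, which makes it easier to see what each control actually rules out. The Python below is an added example written for this article, not the bank's software; the bank numbers, dollar limits, date code and employee names are constructed sample values, and the `ControlPolicy` object is an assumption standing in for the bank's per-company configuration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


def daily_security_code(date_code: int, amount: float) -> int:
    """Item 7: the bank's code for the current date plus the sum of the digits
    of the whole-dollar amount (cents are dropped, not rounded)."""
    whole_dollars = int(amount)
    digit_sum = sum(int(d) for d in str(whole_dollars))
    return date_code + digit_sum


@dataclass
class Transfer:
    entered_by: str                      # clerk who keyed the transaction
    authorized_by: Optional[str]         # second authorizer (item 8), None if absent
    bank_number: str                     # destination bank number
    amount: float
    security_code: int                   # code the investment officer supplied
    signatory_phone_auth: bool = False   # telephone authorization by a signatory
                                         # for a non-repetitive number (item 5)


@dataclass
class ControlPolicy:
    """Constructed stand-in for the bank's per-company configuration."""
    repetitive_bank_numbers: Set[str]    # pre-authorized list from item 5
    per_transfer_limit: float            # item 9, single transaction
    daily_limit: float                   # item 9, whole working day
    date_code: int                       # today's code from the bank's chart
    released_today: float = 0.0          # running total of released transfers


def check_transfer(t: Transfer, policy: ControlPolicy) -> List[str]:
    """Return every control the transfer fails; an empty list means release."""
    findings = []
    if t.security_code != daily_security_code(policy.date_code, t.amount):
        findings.append("daily security code does not match date and amount")
    if (t.bank_number not in policy.repetitive_bank_numbers
            and not t.signatory_phone_auth):
        findings.append("non-repetitive bank number without signatory "
                        "telephone authorization")
    if t.authorized_by is None:
        findings.append("no second-person authorization")
    elif t.authorized_by == t.entered_by:
        findings.append("second authorizer is the person who entered it")
    if t.amount > policy.per_transfer_limit:
        findings.append("exceeds per-transaction dollar limit")
    if policy.released_today + t.amount > policy.daily_limit:
        findings.append("would exceed daily dollar limit")
    return findings


def release(t: Transfer, policy: ControlPolicy) -> bool:
    """Release the transfer only when every control passes, and count it
    against the daily limit."""
    if check_transfer(t, policy):
        return False
    policy.released_today += t.amount
    return True


if __name__ == "__main__":
    # Constructed sample policy and transfers.
    policy = ControlPolicy({"BANK-A", "BANK-B"}, 100_000.0, 250_000.0, 17)
    good = Transfer("clerk", "officer", "BANK-A", 12_345.67,
                    daily_security_code(17, 12_345.67))
    print(release(good, policy), check_transfer(good, policy))
    bad = Transfer("clerk", "clerk", "BANK-Z", 150_000.00, 17 + 6)
    print(release(bad, policy), check_transfer(bad, policy))
```

The point of returning a list of findings rather than a single yes/no is that the reviewer sees which control failed; a transfer to a number off the pre-authorized list that was also self-authorized is exactly the pattern the red flags later in the article describe, and the log should say so.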

One Message You Don't Want

If you're in the banking business, you could receive the following teletype, which undoubtedly would cause a wave of panic, dismay, and alarm:

FROM: ANOTHER BANK
TO: YOUR BANK

MR. SMITH LEFT YOUR BANK IN 1989 TO JOIN US AS A SENIOR PROGRAMMER. YOU WILL RECALL YOU GAVE HIM AN EXCELLENT REFERENCE. YOU WILL THEREFORE BE SURPRISED TO HEAR THAT MR. SMITH WAS ARRESTED LAST WEEK FOR DEFRAUDING OUR BANK OF $5 MILLION. DURING INTERVIEWS HE ADMITTED USING THE SOFTWARE UTILITY "DOTTO" TO CHANGE THE BALANCES ON FILES AND TO DIVERT AND ROLL OVER PAYMENT INSTRUCTIONS. HE ALSO SAID THAT HE USED THE SAME METHOD OF FRAUD AT YOUR BANK AND GOT AWAY WITH AT LEAST $2 MILLION. HE HAS REFUSED TO ELABORATE FURTHER. WE THOUGHT YOU WOULD LIKE TO KNOW.

BEST REGARDS, JOHN JONES, DIRECTOR OF AUDIT

The immediate questions which arise are:

  a) Could you reconstruct the programs Mr. Smith had access to and worked on while employed at the bank?
  b) Could you trace his concealment activities?
  c) Could you develop evidence to prove or disprove this confession?
  d) What would you say to the board of directors, shareholders, and investors?
  e) What security improvements would you put in place immediately?

Red Flags for EFTs

  • There is unrestricted access or too many people are allowed into the wire room or the EFT transaction processing area.
  • The wire room or EFT voice or computer passwords aren't changed periodically or when individuals terminate employment.
  • EFT voice or computer passwords are written down somewhere in the office.
  • Dual authorization to process EFT transactions is either not required or is optional.
  • The company or bank doesn't use call-back procedures to ensure that all transactions are properly authorized and approved, or the same person receiving the request also performs the call-back duties.
  • Dollar limits for individual EFT transactions or for the entire EFT processing department aren't established or aren't monitored to ensure that processing is conducted only within established limits.
  • Management reports listing EFT transactions either aren't prepared or aren't monitored daily.
  • Control logs aren't established for EFT transactions processed each day.
  • EFT transactions to non-repetitive bank numbers aren't specifically reviewed by supervisors for propriety.
  • Bank and company reports of EFT activity aren't reconciled daily.
  • EFT transaction suspense accounts aren't promptly reconciled.
  • Bank wire room transactions aren't encrypted during transmission.
  • New employees work in the wire room or EFT processing department.
  • Background checks aren't made on all employees working in the wire room or EFT processing department.
  • The wire room or EFT processing department doesn't tape record all transactions.

Detection of EFT Fraud

  • Be observant of activities in all wire rooms and EFT transactions processing areas, and determine whether access to these areas is appropriately restricted.
  • Determine whether managers require that EFT voice or computer passwords be changed periodically or when individuals terminate employment, and whether employees write them down somewhere in the office.
  • Evaluate key controls for the wire room and EFT transmission area to determine whether dual authorizations are required to process transactions, dollar limits have been established for individual transactions and daily department totals, management reports are prepared and monitored daily, control logs are established, and bank and company reports of EFT activity are reconciled daily.
  • Determine whether the company or bank uses appropriate call-back procedures to ensure that all transactions are properly authorized and approved.
  • Determine whether EFT transactions to non-repetitive bank numbers are promptly reviewed by supervisors.
  • Determine whether prompt follow-up action is taken to resolve unconfirmed EFT transactions.
  • Determine whether bank wire room transactions are encrypted during transmission.
  • Determine whether the wire room or EFT processing department tape records all transactions.
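Several of the detection steps above (the daily reconciliation of bank and company reports, follow-up on unconfirmed transactions, and supervisory review of non-repetitive bank numbers) can be run mechanically against the day's records. The Python below is an added example for this article, not code from the ACFE or any bank; the control-log and bank-confirmation records are constructed sample data, and the field names are assumptions.

```python
from typing import Dict, List, Set

# Constructed sample: the company's control log, i.e. the check-register
# entries recorded as "EFT" for one business day.
COMPANY_LOG = [
    {"ref": "EFT-101", "bank_number": "BANK-A", "amount": 250_000.00},
    {"ref": "EFT-102", "bank_number": "BANK-B", "amount": 75_000.00},
    {"ref": "EFT-103", "bank_number": "BANK-Q", "amount": 40_000.00},
]

# Constructed sample: the bank's notice of funds transfer for the same day.
BANK_CONFIRMATION = [
    {"ref": "EFT-101", "bank_number": "BANK-A", "amount": 250_000.00},
    {"ref": "EFT-102", "bank_number": "BANK-B", "amount": 57_000.00},
    {"ref": "EFT-104", "bank_number": "BANK-Z", "amount": 12_000.00},
]

# Constructed sample: the pre-authorized (repetitive) bank numbers.
REPETITIVE_BANK_NUMBERS: Set[str] = {"BANK-A", "BANK-B"}


def reconcile(company_log: List[dict], bank_confirmation: List[dict],
              repetitive: Set[str]) -> Dict[str, List[str]]:
    """Compare the company's control log with the bank's confirmation and
    return the references needing follow-up, grouped by red flag."""
    by_company = {e["ref"]: e for e in company_log}
    by_bank = {e["ref"]: e for e in bank_confirmation}
    findings: Dict[str, List[str]] = {
        "unconfirmed": [],            # in the log, not confirmed by the bank
        "unrecorded": [],             # confirmed by the bank, absent from the log
        "detail_mismatch": [],        # both sides have it, amount or bank differs
        "non_repetitive_review": [],  # destination not on the pre-authorized list
    }
    for ref in sorted(set(by_company) | set(by_bank)):
        c, b = by_company.get(ref), by_bank.get(ref)
        if c and not b:
            findings["unconfirmed"].append(ref)
        elif b and not c:
            findings["unrecorded"].append(ref)
        elif c["amount"] != b["amount"] or c["bank_number"] != b["bank_number"]:
            findings["detail_mismatch"].append(ref)
        # Whichever side has the record, a non-repetitive destination goes to
        # the supervisor for propriety review.
        if (b or c)["bank_number"] not in repetitive:
            findings["non_repetitive_review"].append(ref)
    return findings


def totals_agree(company_log: List[dict], bank_confirmation: List[dict]) -> bool:
    """The daily cash balancing step: do both documents total to the same amount?"""
    company_total = round(sum(e["amount"] for e in company_log), 2)
    bank_total = round(sum(e["amount"] for e in bank_confirmation), 2)
    return company_total == bank_total


if __name__ == "__main__":
    for flag, refs in reconcile(COMPANY_LOG, BANK_CONFIRMATION,
                                REPETITIVE_BANK_NUMBERS).items():
        print(f"{flag}: {refs}")
    print("totals agree:", totals_agree(COMPANY_LOG, BANK_CONFIRMATION))
```

On the sample data the totals do not agree, and the item-level pass explains why: one transfer the company recorded was never confirmed, one the bank confirmed was never recorded, and one went out for a different amount than the register shows. Each of those is a case for the prompt follow-up the article calls for, and the two off-list destinations are queued for supervisory review whether or not they matched.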

Company electronic funds transfers are ordinary and routine. But because huge amounts of money are handled every day, EFT transactions are prime targets for fraudsters and should receive the highest priority for security measures.

*The fraudster's name has been changed. 

Joseph R. Dervaes, CFE, Association of Certified Fraud Examiners Fellow, CIA, is director of special investigations with the Washington State Auditor's Office. He is chairman of the Association's Board of Regents, and the Association's first recipient of the Fellow status.

References

  1. Brodfuehrer, Richard F., CFE, CIA. "Wire Transfers: A License to Steal," seminar presented at the Third Annual Fraud Conference of the Association of Certified Fraud Examiners.
  2. Cash Receipts and Disbursements Fraud coursebook (two case histories), © 1994 Association of Certified Fraud Examiners.
  3. Comer, Michael J., CFE. "How to Prevent Fraud," Asian Banking, February 1982. The telex idea in this article is credited to The Computerized Society by Adrian R.D. Norman.


Case in Point

Executive Diverts Cash to Husband's Failing Dance Club

A market coordinator for a Midwest oil company stole $473,541 by processing two EFT transactions in the company's oil margin accounts in an 11-month period. These transactions transferred funds from the company's margin account (managed by a broker in New York) to the market coordinator's failing business, a non-alcoholic dance club for teenagers in San Antonio, Texas. The couple also bought three cars for cash.

A lack of segregation of duties was the major cause of this loss, but this internal control problem was compounded by a lack of independent authorization of any unusual account transactions. Only the market coordinator had access to the margin accounts, and no one reconciled the accounts.

The broker handling the margin account had never received a list of the authorized bank accounts for routine transfers from the account, and didn't use call-back procedures to verify transactions. The market coordinator managed six margin accounts, and told the broker that the dance club was a company subsidiary.

A thorough investigation proved the existence of only two irregular EFT transactions in one margin account. The documents associated with these two transactions were falsified, and margin account statements were altered in an attempt to conceal the loss. Letters of authorization for the fraudulent EFT transactions were sent from the company to the margin account broker by facsimile machine. These letters were "cut and pasted" by the market coordinator to obtain the signatures of other company officials needed to authorize and approve the transactions. The first fictitious transaction occurred two weeks after the margin account was opened.

An audit found the margin accounts in disarray (by design), and recommended that they be independently reconciled by the accounting department. The accounting department pressured the market coordinator to resign. Subsequent reconciliation of the accounts revealed the two irregular EFT transactions. The market coordinator was charged with two counts each of mail and wire fraud for the two facsimile and EFT transactions involved in this case, promptly confessed and was sentenced to five years in prison, five years probation, and full restitution.

Her husband said that he thought the money came from his wife's family inheritance and pleaded innocent to conspiracy charges. However, he had no credibility with the jury, and was sentenced to four years in prison as a co-conspirator for his participation in the proceeds and money laundering.
