Fun and games in audit (adventures with Big Data part 2)

While I was writing my recent blog about working with insurance management information systems I thought about my other experience of trying to make sense out of huge volumes of data, working on fraud investigations using SAS. I toyed with the idea of including that, but decided to keep it for a separate article.

I spent a few years working as a computer auditor at a large UK insurance company. Fraud investigation was not a core part of the job, but it was a frequent and exciting diversion from the routine. If there was a concern that a serious fraud had taken place then one of the computer auditors would be told to drop everything and do whatever was necessary to piece the story together.

The largest and most interesting investigation concerned an employee at an office in Lancashire. He managed the team that settled insurance claims. He authorised the claims payments and entered the cheque requests, which were always approved by someone more senior (although usually without detailed checking). We received an anonymous tip off that we should take a look at what he had been doing. That was all we had to go on.

I was asked to take a quick look. I extracted all the claims that he’d authorised over the previous couple of years and looked for interesting patterns. There were quite a few totally separate claims that just happened to have identical values, down to the last penny. That was interesting. Claims frauds often involve old invoices being recycled. These payments were all motor claims for third party damage, i.e. for damage done to someone else’s vehicle. Third party claims were notoriously popular with fraudsters.

This was sufficient evidence to launch a full investigation. I searched for all claims and cheques that the suspect had worked on over the previous eight years. I then interrogated the data looking for suspicious patterns.

In addition to duplicate values other red flag signs were duplicate addresses to which cheques were sent, and duplicate payees. Identifying these is a much more complicated exercise than it might seem. If you want to find duplicate addresses you can’t simply sort the data and check for matches. Fraudsters are rarely stupid and if they are using a particular address to receive the cheques they will take care to disguise it. So they enter the address slightly differently each time.

Just think how many different ways you could write your own address and still be confident that letters will reach you; slip in extra spaces or commas, break the address up differently between “address line 1” and “address line 2”, make simple spelling mistakes. What about post codes? They are pretty useless. If the post code is wrong the letter will still get there. So fraudsters would keep changing the post code each time they used an address.

You have similar problems with payee names, though there is less scope for misleading mischief if the cheque has to be paid into a bank account.

SAS was incredibly valuable for these investigations. It was extremely powerful for quick manipulation and comparison of large files, doing sort and match routines. However, it was also very flexible for painstakingly detailed low level work: chopping up and manipulating data byte by byte, and even bit by bit when necessary. I would try to standardise addresses, stripping out all spaces, punctuation and special characters, and separating building numbers from street names. I would reduce the street name to the first six characters to reduce the chance of being caught out by a deliberate misspelling.

I would then reassemble the addresses and search for duplicates. In the case of this fraud I kept finding more and more. Each time I found some I would look at the other factors in the claim, and look for other claims that matched these factors. This produced other claims that our suspect had not worked on, but which were highly suspicious. Perhaps a third party claims cheque for an identical payee and amount had gone to a different address, but authorised by another member of staff.
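The standardisation and duplicate search described above, sketched in Python rather than SAS. This is an added example, not the code used in the investigation; the cheque records, field layout and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample cheque records: (claim id, address line 1, address line 2, post code).
CHEQUES = [
    ("C001", "14 Cavendish Road", "Preston", "PR1 1AA"),
    ("C002", "14, Cavendish  Rd.", "Preston", "PR2 9ZZ"),         # extra punctuation, new post code
    ("C003", "14 Cavendich Road Preston", "", "PR1 1AB"),         # misspelt, all on one line
    ("C004", "14Cavendish", "Road, Preston", "PR7 3XX"),          # split differently between lines
    ("C005", "27 Mill Lane", "Chorley", "PR7 1BB"),               # unrelated address
    ("C006", "41 Cavendish Road", "Preston", "PR1 1AA"),          # same street, different house
]


def address_key(line1, line2):
    """Reduce an address to (building number, first six letters of the street).

    The two address lines are joined first, because the split between them
    is under the control of whoever keyed the record.
    """
    text = f"{line1} {line2}".upper()
    number = re.search(r"\d+", text)
    if number:
        building, rest = number.group(), text[number.end():]
    else:
        building, rest = "", text  # named house with no number
    # Strip spaces, punctuation and special characters, keep letters only,
    # then truncate so a later misspelling does not break the match.
    street = re.sub(r"[^A-Z]", "", rest)[:6]
    return building, street


def find_duplicates(records):
    """Group claim ids by standardised address; the post code is ignored."""
    groups = defaultdict(list)
    for claim_id, line1, line2, _postcode in records:
        groups[address_key(line1, line2)].append(claim_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for key, ids in find_duplicates(CHEQUES).items():
        print(key, ids)
```

Each group it reports is a lead to check against the other factors in the claim, not proof in itself: a six-letter key will also pair unrelated streets that share a building number and an opening.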

As well as interrogating the historic data from the business applications I also matched them against network data. That allowed me to see which desk the user had been sitting at when a claim had been approved. It was clear that the same desk, and therefore terminal, was being used even when different user accounts were approving claims. It looked like our suspect was using other people’s accounts.

Each time I found something interesting I would feed that back into the interrogation routines, gradually building up a clearer picture.

After a few days of very long hours, crawling all over 25 million historic records, I’d identified 555 highly suspicious payments totalling £1.1 million. That was enough for us to go to the police. Some companies had a policy of keeping frauds quiet and dismissing the culprit. This insurance company took a far tougher line. It wanted staff to know that if they stole from the company the police would always be called in.

We packaged up the evidence and took it to the Lancashire Constabulary. The Fraud Squad was delighted to get such strong evidence handed to them on a plate. They checked out our suspect in ways we could not possibly have done and quickly came up with fascinating information about his lifestyle, which was wildly out of line with his salary.

Whilst they were investigating him they happened to mention in a phone call to one of my colleagues that they were tailing him in Liverpool that day. I was surprised to hear that because I had been watching what he was doing on a network monitoring tool. He was sitting at his usual desk! We got back to the police and told them they were following the wrong guy. Shortly afterwards they came back and admitted their mistake.

The police chose 13 addresses to raid, along with the home of the suspect. They obtained search warrants for all the houses and arrest warrants for the householders. They told us that they’d be going in simultaneously at all the addresses at 5 o’clock in the morning.

That night was the only time in my whole career that I’ve lain awake wondering if I’d done everything properly. Could I have made any mistakes? Were any completely innocent people going to be shocked out of their beds by a police raid?

I needn’t have worried. The conspirators were taken completely by surprise. The main suspect had a huge amount of incriminating evidence in his home and quickly caved in, admitting his guilt. The police picked off all the others in short order, telling each that the others had all owned up.

The leader of the conspiracy, our employee, had taken nearly all of the money. The other people had simply been paid to receive the cheques, or to launder them through their bank accounts. The leader pleaded guilty and received a three year jail sentence. That spared me the need to give evidence in court, which would have been an interesting experience.

Afterwards we gave a lot of thought to how we should handle fraud investigations. In this case we’d been dependent on a tip off. Once we had that lead it was possible to keep plugging away, trying out ideas, learning more, refining our theories about what might have happened until we had a clear picture. The question that bugged us was, “how do we get started when we don’t have any reason to be suspicious?”.

There were certain patterns that the company could always look out for, but every case had something new, and often a fraud might use a pattern that was unique.

We started to delve into neural networks, which seemed to offer a promising way of monitoring vast datasets to learn about patterns that could be suspicious. Neural networks have since become popular for identifying fraud. Credit card companies use them widely.

One of the great things about doing this sort of work was that our rivals were crooks, not other companies. I went to speak to other insurance companies to learn and exchange ideas. Everyone was quite happy to talk about what they were doing. We were all better off if we could nail the bastards who were ripping us off. No-one felt there was any particular competitive advantage in trying to do it alone.

Unfortunately, and to my huge frustration, our commitment weakened. It was clear that nothing exciting was going to happen with fraud detection in the near future, so when I was offered an interesting new job I happily accepted it.

Still, I did miss the buzz of these investigations. It was exciting and utterly engrossing to be faced with the intellectual challenge of extracting a clear and convincing story from a vast mess. I always had a great sense of achievement when I could produce evidence that was compelling enough to convict a fraudster. It really wasn’t a moral position. Of course I knew I was on the right side and the fraudsters were wrong, but there was no sense of righteousness. It was a thrilling game, even better than being a kid playing cops and robbers. Nothing in my career has ever been quite as much pure fun as catching crooks.
