9 Steps to Cyber Success in Insurance Fraud Investigations
Motor vehicle fraud is rising in North American, especially in Western Canada, where I am based. As an example, the auto insurance company Insurance Corporation of British Columbia (ICBC) reported that the number of fraud investigations they performed rose 60% year over year to more than 16,000 in 2017. ICBC experts estimate that 54% of their cases investigated contained elements of fraud, with fraudulent or exaggerated claims estimated as causing 10-20% of all claim costs, about $465 million (CA$600 million) per year.
Life of a private investigator
As a licensed private investigator working civil court cases over the past 11 years, most of my work has been and still is related to motor vehicle insurance fraud investigations. My role is a bit different from an insurance company special investigator. By the time a file reaches me it has already been tagged with several warning flags by insurance company employees and the analysis programs they use. These flags are usually based on irregularities in information, unusual claimant behavior or hotline tips that indicate something unusual is going on. In addition, by the time it gets to me it has already been looked at by (at the very least) an adjuster, a manager, a paralegal and a lawyer. The ICBC cyber unit might have done a preliminary scope, an SIU investigator may have already looked at it. Sometimes another PI firm has already taken a shot at the file. In other words, I get the toughest cases. I get the cases where there are no easy answers and everyone whose handled it ahead of me says “we know they are doing something, but we can’t figure out what it is, or we can’t prove it.”
No claimants are exactly alike
Every claimant file I handle in fraud investigations has a person with a different combination of lifestyle, family, education, occupations, activities, travel, hobbies, and widely varying levels of social networking and use of technology. As a result there is no common style or scam method. The following are examples of how widely varied the actual activities proving fraud can be:
Example 1: A person who claimed to still be injured from an accident but in the meantime had joined and played for a local roller derby team.
Example 2: A retail clerk who claimed to still be injured, spending the next three years unemployed. Meanwhile, the clerk spent that time trying to become a professional online gamer. This included creating a website, posting scheduled broadcasting times for subscribers, trademark branding, sales of branded merchandise, acquisition of sponsors, hosting game tournaments, upgrading computer equipment and operating over 75 social networking accounts. The clerk also still lifted weights in their spare time.
Example 3: A bookkeeper who claimed to be injured while in the meantime running a ‘”ghost kitchen’”that catered to a specific cultural food type and advertised on social networking websites.
Whatever the example, I use the same set of templates, tools and techniques that I use for every file for fraud investigations. Here are nine steps that every cyber investigator can or should do to improve their chances for success when working on a file.
9 Steps for Online Fraud Investigations
1) Develop a key word list: Before starting your online search, you should have a key word list containing all the information you will be searching. This should include all the information you have gained from whoever gave you the assignment, be it your supervisor, another department or a client.
2) Develop new key words: You also need to expand your list to include all reasonable search variables before starting your search. For the name, you should include all the first name variations and combinations of first and last names. Don’t forget to include maiden names and former married names. Include alternate names for the claimant’s occupation or employment title and the alternate names and spellings for any sports, hobbies or activities they participate in. Your list should also include not just where the person lives now but where they used to live and where they were born. Don’t forget alternate names for geographic areas, i.e. if a person lives in Vancouver don’t just search using the word Vancouver. You may also need to include other regional names such as Burnaby, Delta, Langley, New Westminster, Richmond, Surrey or White Rock.
3) It takes time: Back in 2009 we could do a full cyber search process and write a report in two and a half hours and we did almost all of it with just Google search results. Not any more. Information is hidden more deeply, privacy settings are complex, which means most leading social networking websites need to be searched individually. The depth of content has also increased significantly. Back in 2009 we were looking at up to 4 years of content. Nowadays we are looking at up to 14 years of online content and that’s if the privacy settings on the account let us see it. When we find it all this information it takes time to review it and time to capture it!
4) Review all historical content: I find that some cyber investigators will only look back to the date of loss in fraud investigations or to the date of the motor vehicle date, usually because of organizational policy and guidelines. I believe this to be a serious mistake. I have found backtrails to current information many times by going back in time to see their old activity, often identifying their sports, hobbies, interest, old friends, family members, telephone numbers and former residences. All of this information helps to confirm identity on current accounts that have been “privatized” and give us ideas of which new websites to search or new key words to use.
5) Analyze every image: This is a step I believe many cyber investigators do not implement as well as they should. Any image you find related to the plaintiff should be checked for potential new information, including image content, accompanying text and metadata. Many images can be located more accurately using 3D Google Maps or compare if the location they are at is the same as the address they provided. In a case earlier this year, I was able prove a specific person was operating an account and what their activity was because of the unique patterns on the shoes the person was wearing. Also, if you have checked all the historical photos you will also be able to assess if the person is a “true poster” (someone who posted unaltered images they have taken themselves and posted in a timely manner) and the content can be treated as facts or if they are a “necroposter” or “third-party” poster (someone who posts older images or images from other people’s accounts) whose image content and posting dates should be checked and verified before being treated as facts. This also includes watching the videos that we find. Videos posted after the date of loss (DOL) can contain very useful information.
6) Don’t stop searching after the first account: More frequently than I would like, I find that some cyber investigators will find that much-desired Facebook account or Instagram account and then they stop searching. Job done, wrap it up, onto the next file. I recommend you never stop the search process after finding that first account as far too many times I have found a second account, then a third account and then a group page, etc. In a file I completed just two weeks ago, the person had over 15 social networking accounts, six of them on Facebook alone. Check every possible match you find as every account you find increases your chances of finding new information.
7) Cross-reference your information: When a person you are investigating has multiple accounts, they often don’t use them all at the same time. They may use one all the time, then move on to the next one as preferences change and new websites evolved. Producing a chronological timeline of social account use can help identify what may be an undated image of interest from one account when placed beside a text comment about a specific location posted at the same time on another account. This can also help identify patterns of activity, or get an idea of how frequently a person is engaged in a specific activity.
8) Check any domain names: Any indication of a private website should be checked using “Whois” and domain registration search tools. It not only provides the opportunity for confirming addresses and telephone numbers but can indicate what type of employment or business opportunity the claimant may be involved in. Make sure you search the domain using the Wayback Machine to confirm when the website was operational and if there are saved copies of old webpages (for websites that the claimant may have deleted).
9) Check their circle of acquaintances: The first thing that a claimant usually does after getting a lawyer after an accident (if they haven’t done it already) is they “privatize” their accounts. For many claimants subject to fraud investigations this means doing what they are legally allowed to do, which is change their privacy settings so people like us can’t see their account content anymore. Others take a more drastic approach, some going so far as deleting all their content, but usually they limit themselves to changing their account names so that it breaks the link with Google search results. But they can’t make their friends, family, and acquaintances do the same thing. Sometimes they don’t want friends, family and acquaintances to know why they want to either. This is the key to finding many of the accounts of claimants and information about the claimants. The acquaintances will usually lead to the account and often to new information.
Let theory fit the facts
Not every insurance claims case is fraud. In many cases we see unusual behavior, high demands for privacy, or just a lack of applying new technology, not necessarily fraud. In fraud investigations, let the theory find support in the facts, rather than forcing the facts to fit the theory.