Other Fraud Schemes Flashcards
A pharming scheme differs from phishing because:
A. The attacker delivers the solicitation message via telephones using Voice over Internet Protocol (VoIP) instead of email.
B. The attacker must rely on users clicking a link in an email or other message to direct them to the malicious website that is imitating a legitimate website.
C. The attacker does not have to rely on users clicking a link in an email or other message to direct them to the malicious website that is imitating a legitimate website.
D. The attacker delivers the solicitation message via short message service (also known as SMS or text messaging) instead of email.
C. The attacker does not have to rely on users clicking a link in an email or other message to direct them to the malicious website that is imitating a legitimate website.
See pages 1.1410-1.1411 in the Fraud Examiner’s Manual
Pharming is a type of attack in which users are fooled into entering sensitive data (such as a password or credit card number) into a malicious website that imitates a legitimate website. It is different from phishing because in pharming schemes, the attacker does not have to rely on users clicking a link in an email or other message to direct them to the imitation website. Instead, the redirection happens at the name-resolution layer, typically by poisoning a DNS cache or altering the victim's local hosts file, so that a user who types the legitimate address correctly still lands on the attacker's site.
In smishing schemes, the attacker uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, internet service provider (ISP), or other entity with which the target does business.
In vishing schemes, the attacker leverages Voice over Internet Protocol (VoIP) in the telephone system to falsely claim to be a legitimate enterprise to scam users into disclosing personal information or executing an act that furthers a scheme.
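One of the pharming vectors described above, a tampered hosts file, can be checked for directly. The following is an added example (not code from the Fraud Examiner's Manual); it parses hosts-file text in the Unix syntax, uses a constructed sample with one injected entry, and assumes a hypothetical watchlist of domains the organization cares about. Entries that pin a watchlisted domain to anything other than a loopback or unspecified address are flagged; loopback/0.0.0.0 pins are left alone because ad-blocking lists legitimately use them.

```python
"""Flag hosts-file entries that override name resolution for sensitive domains.

Added example, not from the Fraud Examiner's Manual. Assumes the Unix hosts-file
syntax (IP, then one or more hostnames, '#' starts a comment) and a hypothetical
watchlist of domains; both the sample file and the watchlist are constructed.
"""
import ipaddress

# Constructed sample hosts file: normal entries plus one injected pharming line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# corporate build server
10.0.4.12   build.corp.example
0.0.0.0     tracker.paypal.com            # ad/tracker block-list entry (benign)
203.0.113.45 www.examplebank.com examplebank.com   # injected by malware
"""

# Hypothetical watchlist: domains whose resolution must never be overridden.
WATCHLIST = {"examplebank.com", "paypal.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_benign_target(ip):
    """Loopback and unspecified addresses are the only targets a hosts file
    should normally assign to a public domain (block lists do this)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_pharming_entries(text, watchlist):
    """Return [(hostname, ip)] where a watchlisted domain, or a subdomain of
    one, is pinned to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        if watched and not is_benign_target(ip):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS, WATCHLIST):
        print(f"suspicious override: {name} -> {ip}")
```

On a real host the file to read is /etc/hosts (Unix) or the drivers\etc\hosts file under the Windows system directory. This check only covers the local-file vector; pharming done by poisoning the resolver's cache or rewriting DNS settings on a home router will not show up here, so it complements, rather than replaces, resolver monitoring.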
After paying the ransom demanded by the fraudster, a ransomware victim is always granted access to all locked files on the compromised computer.
A. True
B. False
B. False
See pages 1.1426-1.1427 in the Fraud Examiner’s Manual
Ransomware, as its name implies, is a form of malware that locks a user’s operating system and restricts access to data files until a ransom is paid. While some ransomware simply prevents access to files, other forms encrypt users’ files or steal data. This is concerning to businesses due to the potentially disastrous threat of encrypted network drives. These schemes typically promise that, after payment is received, the user will be provided with a key to release the system and decrypt files; however, even after money is transferred, many victims find that the malware remains installed on their machine and a key is never provided.
Less sophisticated forms of ransomware have also appeared that claim to have encrypted victims’ files when the malware has simply deleted the files, thus tricking victims into paying to regain access to files that no longer exist. Some forms of this imitation ransomware go a step further by deleting the restore points and registry keys needed to reboot a system in safe mode or overwriting deleted files to make them nearly impossible to recover.
Fraudsters often use stolen credit or debit cards to purchase prepaid gift or debit cards to quickly convert illicit card funds into a legitimate cash equivalent.
A. True
B. False
A. True
See pages 1.1020 in the Fraud Examiner’s Manual
Among the schemes that prepaid cards are used to facilitate are payment (i.e., credit or debit) card theft schemes. Thieves use stolen payment cards to purchase prepaid debit or gift cards, thus quickly converting the illicit payment card funds into a legitimate cash equivalent.
__________ is the term used for including additional coverages in an insurance policy without the insured’s knowledge.
A. Sliding
B. Churning
C. Twisting
D. None of the above
A. Sliding
See pages 1.1104 in the Fraud Examiner’s Manual
Sliding is the term used for including additional coverage in an insurance policy without the insured’s knowledge. The extra charges are hidden in the total premium. Since the insured is unaware of the coverage, few claims are ever filed. For example, motor club memberships, accidental death, and travel accident coverage can usually be added to the policy without the insured’s knowledge.
Susanna was arrested for committing a fraud scheme. During her arrest, she falsely identified herself as her cousin, Laura, so that the crime would be attributed to Laura instead of Susanna. This scheme is an example of which of the following?
A. Business identity theft
B. True name fraud
C. Criminal identity theft
D. Account takeover
C. Criminal identity theft
See pages 1.804-1.805, 1.807-1.808 in the Fraud Examiner’s Manual
Criminal identity theft occurs when fraudsters falsely identify themselves as other people to law enforcement while being arrested or investigated for a crime. The crime is then incorrectly attributed to the other person instead of the fraudster.
Financial identity theft occurs when a fraudster uses an individual’s personal information for fraudulent financial transactions. Examples of financial identity theft include:
- Using an individual’s stolen credit card or credit card number to purchase goods (account takeover)
- Impersonating an individual to gain access to the individual’s bank account (account takeover)
- Using an individual’s personal information to open a new credit card account (true name fraud)
Business identity theft occurs when a fraudster impersonates a business to commit financial fraud. In addition to impersonating an existing business, fraudsters can use government business filings to reinstate a closed or dissolved business. They can also deceive third parties by creating a new business with a name similar to an existing business.
All the following can help prevent a computer from infection by malicious software EXCEPT:
A. Updating the operating system regularly
B. Using anti-malware software
C. Installing shareware into a system’s root directory
D. Updating with the latest security patches
C. Installing shareware into a system’s root directory
See pages 1.1431-1.1432 in the Fraud Examiner’s Manual
The following measures can help avoid infection from a malicious program:
- Use anti-malware software to scan all incoming email messages and files.
- Regularly update virus definitions in anti-malware programs.
- Use precaution when opening emails from acquaintances.
- Do not open email attachments unless they are from trusted sources.
- Only download files from reputable sources.
- Regularly update the operating system.
- Regularly update the computer with the latest security patches available for the operating system, software, browser, and email programs.
- Ensure that there is a clean boot disk to facilitate testing with antivirus software.
- Use a firewall and keep it turned on.
- Consider testing all computer software on an isolated system before loading it.
- In a network environment, do not place untested programs on the server.
- Secure the computer against unauthorized access from external threats such as hackers.
- Keep backup copies of production data files and computer software in a secure location.
- Scan pre-formatted storage devices before using them.
- Consider preventing the system from booting with a removable storage device (such as a USB flash drive); this might prevent accidental infection.
- Establish corporate policies and an employee education program to inform employees of how malware is introduced and what to do if malware is suspected.
- Encourage employees to protect their home systems as well. Many malware infections result from employees bringing infected storage devices or files from home.
The purpose of draw requests in construction lending is to provide:
A. Documentation that the construction project cannot continue without additional funding
B. Documentation that the design is approved by the International Union of Architects
C. Documentation that costs have been incurred and reimbursement is sought
D. Documentation that all architectural and engineering designs and quotes have been completed
C. Documentation that costs have been incurred and reimbursement is sought
See pages 1.908 in the Fraud Examiner’s Manual
Construction loan advances are generally supported by draw requests. A draw request is the documentation substantiating that a developer/borrower has incurred the appropriate construction expenses and is now seeking reimbursement or direct payment. A typical fraud scheme that occurs in a draw request involves requesting advances on the loan for inappropriate costs, such as personal expenses and/or construction costs for an unrelated project. Draw requests might provide the greatest opportunity for a developer to commit fraud because the lender relies upon the developer’s documentation.
Which of the following is NOT an indicator that a computer or network might have been accessed or compromised by an unauthorized user or entity?
A. Users are prompted to install unusual software or patches onto their computers.
B. Users receive a notification to update their system passwords before they expire.
C. An authorized user is denied access to an area in the network that is part of their role.
D. A user in the IT department detects geographical irregularities in network traffic.
B. Users receive a notification to update their system passwords before they expire.
See pages 1.1402-1.1403 in the Fraud Examiner’s Manual
Recognizing that a computer or network has been accessed by an unauthorized user or entity is one of the most important elements of cybersecurity. Signs that attackers have accessed or are currently attempting to access a system might be referred to as indicators of compromise (IOCs) or indicators of attack (IOAs) depending on the context. Regardless of the technical labels a cybersecurity professional might use to describe an indication of intrusion, it is important for fraud examiners and other computer system users to recognize signs that intruders have accessed or affected the system, which can include unusual inbound or outbound network traffic, anomalies in user access to network files, or unusual network or computer performance.
Every day, organizations’ networks experience inbound and outbound traffic as part of normal business operations. Among the typical types of traffic are emails sent to and from employees, as well as data transmitted to or from the internet. Abnormal traffic, either higher or lower than usual, could be an indication that an attacker has gained access to an organization’s network and is manipulating traffic by sending malicious software to the network or exfiltrating data from it. A common sign of unusual network traffic includes geographical irregularities related to network access and traffic.
Most organizations employ a system that restricts access to sensitive files or information on their network to those who require that access as part of their organizational role, and user patterns typically reflect access that aligns with normal business habits. Any abnormalities or outliers to the usual access patterns could indicate that the network has been compromised by an insider or external actor; examples include credentials that suddenly stop working or bundles of data turning up in locations where they do not belong.
Many different types of computer and network intrusion or compromise can result in performance issues for the computers or networks that are presumed to be affected, whether the issues relate to malware infection, external unauthorized access, or insider actions. Some unusual performance issues that could indicate that a computer or network is compromised include unexpected patching of systems or the installation of unwanted or unknown software.
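The "geographical irregularities" indicator above can be turned into a concrete check. The following is an added example, not code from the Fraud Examiner's Manual. It assumes a constructed authentication log in which the SSO or VPN gateway has already attached a country code to each login (the format and the log lines are invented for the example), plus a hypothetical per-user baseline of countries the user normally logs in from. Two indicators are raised: a successful login from a country outside the user's baseline, and two successful logins from different countries closer together than a travel window allows.

```python
"""Flag geographic irregularities in authentication logs.

Added example, not from the Fraud Examiner's Manual. Assumes a constructed
log line format 'ISO-timestamp user source-ip country result' in which the
gateway has already geolocated the source IP, and a hypothetical baseline
of countries each user normally logs in from.
"""
from datetime import datetime, timedelta

# Constructed sample log: alice logs in from the US and, 23 minutes later, from RO.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z alice 198.51.100.7 US success
2024-05-06T09:15:40Z bob 203.0.113.9 US success
2024-05-06T09:40:03Z alice 198.51.100.7 US success
2024-05-06T10:02:55Z alice 192.0.2.44 RO success
2024-05-06T21:30:00Z bob 203.0.113.9 US success
2024-05-07T02:11:09Z carol 198.51.100.23 DE success
"""

# Hypothetical baseline: countries each user has historically logged in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}}

# Two logins from different countries closer than this are physically implausible.
TRAVEL_WINDOW = timedelta(hours=4)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def find_geo_anomalies(events, baseline, window=TRAVEL_WINDOW):
    """Return alerts as (kind, user, detail, timestamp) tuples.

    kind is 'new_country' (login outside the user's baseline) or
    'impossible_travel' (country change faster than the travel window).
    """
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failed attempts are a different indicator, not handled here
        user, country = ev["user"], ev["country"]
        if country not in baseline.get(user, set()):
            alerts.append(("new_country", user, country, ev["ts"]))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ev["ts"] - prev[0] < window:
            alerts.append(("impossible_travel", user, f"{prev[1]}->{country}", ev["ts"]))
        last_seen[user] = (ev["ts"], country)
    return alerts


if __name__ == "__main__":
    for kind, user, detail, ts in find_geo_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:18} {user:8} {detail}")
```

The baseline is the important input: without one, every overseas trip looks like an intrusion. In practice it is built from a few weeks of the same log, and the travel window is set per organization (VPN exit nodes and cloud proxies routinely make legitimate users appear to jump countries, so exclude known corporate egress ranges before alerting).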
All the following are methods of identity theft prevention that are recommended for businesses EXCEPT:
A. Limiting employees from accessing the personal information of customers
B. Performing audits of practices involving the handling of information only when regulators require it
C. Conducting background checks on prospective employees when permitted by law to gather that information
D. Restricting the use of laptops to those employees who need them to do their jobs
B. Performing audits of practices involving the handling of information only when regulators require it
See pages 1.816 in the Fraud Examiner’s Manual
The following are some of the steps that businesses can take to protect personal information and prevent identity theft:
- Limit the personal information collected from customers. For example, do not collect government identification numbers from customers unless there is a legal requirement to gather that information.
- Restrict employees from accessing the personal information of customers and coworkers.
- Use network-security tools to monitor who accesses personal information.
- Do not retain personal information for longer than necessary.
- Adopt a policy regarding the handling of information that governs how personal information is stored, protected, and disposed of. Strictly enforce the policy, and discipline employees who violate it.
- Conduct regular employee training on the company’s policy regarding the handling of information and best practices for preventing identity theft.
- Ensure the security of buildings by using locks, access codes, and other security features.
- Keep physical documents containing personal information in locked rooms or locked file cabinets.
- Secure all computer networks and electronic information.
- Use encryption to protect all personal information stored by the company or sent to third parties. Encryption should also be used to protect information sent over the company’s wireless network.
- Restrict the use of laptops to those employees who need them to do their jobs.
- Require employees to use complex passwords or passphrases.
- Where permitted by law, perform background checks on prospective employees.
- Thoroughly investigate contractors and vendors before hiring them.
- Do not use government identification numbers as employee identification numbers or print them on paychecks.
- Perform regular audits of practices involving the handling of information, network security, and other internal controls.
- Create a data breach response plan.
High percentages of returns, missing compliance certificates, and evidence of falsified test inspection results are red flags of which of the following procurement fraud scenarios?
A. A contractor charging the procuring entity for labor costs that are not permissible
B. A contractor delivering goods or services that do not conform to the contract specifications
C. Two or more competing contractors agreeing to refrain from bidding
D. A procuring employee manipulating the bidding process to benefit a favored contractor
B. A contractor delivering goods or services that do not conform to the contract specifications
See pages 1.1523-1.1525 in the Fraud Examiner’s Manual
Nonconforming goods or services fraud, also known as product substitution or failure to meet contract specifications, refers to attempts by contractors to deliver goods or services to the procuring entity that do not conform to the underlying contract specifications. Once contractors deliver goods that do not conform to the contract, they bill and receive payment for conforming goods or services without informing the purchaser of the deficiency.
The following is a list of potential red flags for nonconforming schemes:
- High percentage of returns for noncompliance regarding specifications
- Missing, altered, or modified product compliance certificate
- Compliance certificates signed by employees with no quality assurance responsibilities
- Materials testing done by supplier, using the supplier’s own personnel and facilities
- Evidence that test or inspection results were falsified (e.g., documents appear altered or modified, test documents are illegible, signatures on documents are illegible, documents were signed by unqualified or inappropriate personnel, or test reports are similar or identical to sample descriptions and test results)
- Highest profit product lines have the highest number of material return authorizations or reshipments
- Discrepancy between product’s description or normal appearance and actual appearance (e.g., a new product appears to be used)
- Used, surplus, or reworked parts are delivered
- Delivery of products that appear counterfeit (e.g., product packaging, appearance, and description do not appear genuine; items that are consistently defaced in the same area; items that appear different from each other)
- Offers by contractors to select the sample and prepare it for testing
- Delivery of look-alike goods
- Unusually high number of early replacements
- Contractor restricts or avoids inspections of goods or services upon delivery
Unscrupulous debt consolidation schemes include each of the following EXCEPT:
A. The debt consolidation company writes a letter to the debtor’s creditors and arranges a payment plan.
B. The debt consolidation company charges an up-front processing fee and then disappears.
C. The debt consolidation company guarantees the debtor will receive a loan or credit card regardless of the debtor’s credit ratings.
D. The debt consolidation company collects payments but does not appropriately forward them.
A. The debt consolidation company writes a letter to the debtor’s creditors and arranges a payment plan.
See pages 1.1302 in the Fraud Examiner’s Manual
Unscrupulous debt consolidation schemes often involve the agency collecting the money from the debtor but not forwarding it to the creditors. In some instances, considerable time can pass before the debtor discovers that their money has been misappropriated. Another variation of the debt consolidation scheme occurs when customers are guaranteed that they will receive a loan or a credit card regardless of their credit rating. Typically, the victims have been rejected by legitimate financial institutions because their credit ratings are poor. The victim must pay a processing fee for the application to be accepted. After the victim pays the fee, the fraudster disappears.
To conduct an electronic payment using a person-to-person (P2P) system, the two individuals must meet in person at a financial institution to sign an order requesting the transfer of money from one person’s account to the other.
A. True
B. False
B. False
See pages 1.1031 in the Fraud Examiner’s Manual
Individuals can pay each other for goods or services electronically, which is known as the person-to-person (P2P) system. Many credit cards and banks offer this service to their customers. P2P payments can now be made through a variety of services using a computer, smartphone application, or email address.
Which of the following is a way that dishonest contractors collude to evade the competitive bidding process?
A. Submit bids that are competitive in price.
B. Submit invoices for work that was not performed or materials that were not delivered.
C. Use obscure publications to publish bid solicitations.
D. Submit token bids that are not genuine attempts to win the contract.
D. Submit token bids that are not genuine attempts to win the contract.
See pages 1.1511 in the Fraud Examiner’s Manual
Schemes involving collusion among contractors seek to evade the competitive bidding process. In these schemes, competitors in the same market collude to defeat competition or to inflate the prices of goods and services artificially.
Complementary bidding (also known as protective, shadow, or cover bidding) is a common form of collusion between competitors, and it occurs when competitors submit token bids that are not genuine attempts to win the contract. Token bids give the appearance of genuine bidding, but, by submitting token bids, the conspirators can influence the contract price and who is awarded the contract.
Which of the following are considered red flags of insider cyberfraud?
I. Access privileges are limited to those required to perform assigned tasks.
II. Access logs are not reviewed.
III. Production programs are run during normal business hours.
IV. Exception reports are not reviewed and resolved.
A. I and III only
B. I, II, III, and IV
C. III and IV only
D. II and IV only
D. II and IV only
See pages 1.1405 in the Fraud Examiner’s Manual
The following are conditions that produce an environment that is conducive to, or facilitates, insider cyberfraud:
- Access privileges are beyond those required to perform assigned job functions.
- Exception reports are not reviewed and resolved.
- Access logs are not reviewed.
- Production programs are run at unusual hours.
- Lack of separation of duties exists in the data center.
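Three of the conditions in that list can be tested mechanically: privileges beyond the role, production jobs run at unusual hours, and exception reports left unresolved. The following is an added example, not code from the Fraud Examiner's Manual. It assumes a hypothetical role-to-entitlement matrix, the entitlements actually granted to each user, a batch-job run log and an exception-report queue, all constructed here; in a real environment these would be exported from the IAM system, the job scheduler and the ticketing or GRC tool.

```python
"""Check three insider-cyberfraud conditions against constructed data.

Added example, not from the Fraud Examiner's Manual. All inputs below are
hypothetical: the role matrix, user entitlements, job run log and
exception-report queue are constructed for the example.
"""
from datetime import datetime, time

# Hypothetical role matrix: what each role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap_read", "ap_entry"},
    "ap_manager": {"ap_read", "ap_entry", "ap_approve"},
    "dba": {"db_admin"},
}

# Hypothetical IAM export: what each user actually holds.
USERS = {
    "dana": {"role": "ap_clerk", "entitlements": {"ap_read", "ap_entry", "ap_approve"}},
    "eli": {"role": "ap_manager", "entitlements": {"ap_read", "ap_entry", "ap_approve"}},
    "fay": {"role": "dba", "entitlements": {"db_admin", "ap_entry"}},
}

# Constructed scheduler log: (timestamp, job, user who launched it).
JOB_RUNS = [
    ("2024-05-06T14:05:00", "vendor_payment_run", "eli"),
    ("2024-05-07T02:40:00", "vendor_payment_run", "fay"),
    ("2024-05-08T18:59:00", "gl_close", "eli"),
    ("2024-05-11T10:00:00", "vendor_payment_run", "dana"),   # a Saturday
]
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed exception-report queue: (report, date opened, status).
EXCEPTION_REPORTS = [
    ("duplicate_invoice_report", "2024-05-01", "open"),
    ("unmatched_po_report", "2024-05-06", "resolved"),
    ("manual_journal_report", "2024-05-09", "open"),
]


def excess_privileges(users, role_entitlements):
    """Return {user: entitlements held beyond what the user's role allows}."""
    findings = {}
    for name, rec in users.items():
        allowed = role_entitlements.get(rec["role"], set())
        extra = rec["entitlements"] - allowed
        if extra:
            findings[name] = extra
    return findings


def off_hours_runs(job_runs, business_hours=BUSINESS_HOURS):
    """Return (job, user, timestamp) for runs outside business hours or on weekends."""
    start, end = business_hours
    flagged = []
    for ts, job, user in job_runs:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        weekend = when.weekday() >= 5
        outside = not (start <= when.time() < end)
        if weekend or outside:
            flagged.append((job, user, ts))
    return flagged


def stale_exception_reports(reports, as_of, max_age_days=7):
    """Return names of reports still unresolved after max_age_days."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d")
    stale = []
    for name, opened, status in reports:
        age_days = (cutoff - datetime.strptime(opened, "%Y-%m-%d")).days
        if status != "resolved" and age_days > max_age_days:
            stale.append(name)
    return stale


if __name__ == "__main__":
    print("excess privileges:", excess_privileges(USERS, ROLE_ENTITLEMENTS))
    print("off-hours runs:", off_hours_runs(JOB_RUNS))
    print("stale exception reports:", stale_exception_reports(EXCEPTION_REPORTS, "2024-05-10"))
```

The point of the privilege check is that dana, an AP clerk, can both enter and approve invoices, which is also the separation-of-duties gap the list's last item describes; fay's stray ap_entry right is the kind of drift that accumulates when entitlements are copied from a previous role and never revoked. Off-hours and weekend runs of a payment job are not proof of anything, but they are exactly the events the access logs and exception reports exist to explain, which is why leaving those reports unreviewed is itself a red flag.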
Which of the following is the BEST definition of the automobile insurance scheme known as ditching?
A. An insured falsely reports a vehicle as stolen to collect on an insurance policy.
B. An agent inflates their commissions by pressuring customers to unnecessarily replace existing policies for new ones.
C. An insured has two insurance policies in place and files claims with both.
D. An agent collects a customer’s premium but does not remit the payment to the insurance company.
A. An insured falsely reports a vehicle as stolen to collect on an insurance policy.
See pages 1.1105 in the Fraud Examiner’s Manual
Ditching, also known as owner give-ups, involves disposing of a vehicle to collect on an insurance policy or settle an outstanding loan. The vehicle is normally expensive and purchased with a small down payment. The owner falsely reports the vehicle as stolen while orchestrating its destruction or disappearance in some way, such as by having it stripped for parts, burned, or submerged in a large body of water. In some cases, the owner just abandons the vehicle, hoping that it will be stolen. Sometimes the scheme involves a homeowner’s insurance claim for the property that was supposedly in the vehicle when it was “stolen.”
If an insurance company fails to follow procedures to detect fraudulent claims when acting as an intermediary for a government health care program, it can be found guilty of fraud in some jurisdictions.
A. True
B. False
A. True
See pages 1.1231 in the Fraud Examiner’s Manual
When an insurance company acts as an intermediary administering a government health care program, the insurance company has a duty to try to detect false claims by providers and beneficiaries. Although it is impossible to detect every fraudulent claim, if a company bypasses its own claims verification procedures, it can be found guilty of fraud in some jurisdictions.
All the following are correct statements about identity theft EXCEPT:
A. Solicitations for pre-approved credit cards are especially valuable to identity thieves.
B. The type of malware that is most commonly associated with identity theft is ransomware.
C. One way to conceal identity theft is to change the victim’s mailing address.
D. Identity thieves often engage in pretexting by impersonating the victim’s bank.
B. The type of malware that is most commonly associated with identity theft is ransomware.
See pages 1.809-1.811, 1.814 in the Fraud Examiner’s Manual
Identity thieves use malware to steal personal and business information from computers. The type of malware that is most commonly associated with identity theft is spyware, which is software that collects and reports information about a computer user without the user’s knowledge or consent.
Dumpster diving can yield bills, credit card receipts, bank statements, and other items that contain a person’s name, address, and telephone number. Solicitations for pre-approved credit cards are especially valuable to identity thieves, but even nonfinancial information can be useful.
Another way to obtain personal or business information is to surreptitiously change the victim’s mailing address (or email address) to an address selected by the identity thief. In this way, the identity thief receives the victim’s mail directly, and no theft is required.
Identity thieves often engage in pretexting by impersonating the victim’s bank or another financial institution with which the victim has a business relationship.
Insurance agent/broker fraud includes which of the following?
A. Fictitious death claims
B. Premium theft
C. Fictitious payees
D. All of the above
D. All of the above
See pages 1.1102-1.1103 in the Fraud Examiner’s Manual
Types of insurance agent/broker fraud include:
- Premium theft—An agent collects the premium but does not remit the payment to the insurance company. Thus, the insured unknowingly has no coverage available upon a qualifying event.
- Fictitious payees—An agent or a clerk changes the beneficiary on record to a fictitious person and subsequently submits the necessary papers to authorize the issuance of a payment.
- Fictitious death claims—An agent or employee obtains a fictitious death certificate and requests that a death claim payment be issued. The agent then steals the payment.
Which of the following statements about vendor management best practices is INCORRECT?
A. The person who maintains the vendor master file should have the authority to approve payments for invoices.
B. Vendor master files should be kept current to reduce the risk of duplicate payments.
C. The procedures used to monitor vendors should address the red flags of vendor schemes that pose the greatest risk.
D. Vendors should be subject to a background check before they are added to the vendor master file.
A. The person who maintains the vendor master file should have the authority to approve payments for invoices.
See pages 1.1536 in the Fraud Examiner’s Manual
The person responsible for the vendor master file should not be authorized to approve payments for invoices or to sign checks.
Procurement entities must maintain an accurate and up-to-date vendor master file. An inaccurate or incomplete vendor master file can result in greater risks of duplicate payments, unfavorable payment terms, and regulatory noncompliance. Thus, the vendor master file should be updated continuously and reviewed on a regular basis for inaccurate or incomplete records.
To manage vendors, a procuring entity must establish clear procedures for setting up new vendors and changing vendor master file records. For example, procuring entities should require accounts payable personnel to verify new vendors (i.e., ensure that the vendors are qualified) by conducting a vendor background check before entering them into the vendor master file.
Procuring entities must also use monitoring and auditing systems reasonably designed to detect criminal conduct by their vendors. The procedures to monitor vendors are similar to those used to evaluate vendors, and they should address red flags of vendor schemes that pose the greatest risk.
A draw request on a construction loan should be accompanied by all the following EXCEPT:
A. Inspection reports
B. Lien releases from subcontractors
C. Change orders, if applicable
D. Expenses from similar contracts
D. Expenses from similar contracts
See pages 1.908-1.909 in the Fraud Examiner’s Manual
A draw request is the documentation substantiating that a developer has incurred the appropriate construction expenses and is now seeking reimbursement or direct payment. Generally, draw requests on construction loans are made on a periodic schedule (e.g., once a month) and are verified by a quantity surveyor (QS) or other authorized entity as agreed to by the financial institution. The request should be accompanied by the following documents:
- Paid invoices for raw materials
- Lien releases from each subcontractor
- Inspection reports
- Canceled checks from previous draw requests
- Bank reconciliation for construction draw account for previous month
- Loan balancing form demonstrating that the loan remains in balance
- Change orders, if applicable
- Wiring instructions, if applicable
- Proof of developer contribution, if applicable
Which of the following BEST describes a linked financing loan fraud scheme?
A. Borrowers pledge the same collateral with different lenders before liens are recorded without telling the lenders.
B. Unqualified borrowers misrepresent personal creditworthiness, overstate their ability to pay, and misrepresent characteristics of a housing unit.
C. Insiders in different banks cause their banks to lend funds or sell loans to other banks with agreements to buy their loans.
D. Large deposits (usually brokered deposits) are offered to a bank on the condition that loans are made to individuals affiliated with the deposit broker.
D. Large deposits (usually brokered deposits) are offered to a bank on the condition that loans are made to individuals affiliated with the deposit broker.
See pages 1.905-1.906 in the Fraud Examiner’s Manual
In a linked financing scheme, large deposits (usually brokered deposits) are offered to a bank on the condition that loans are made to individuals affiliated with the deposit broker.
In a residential loan fraud scheme, unqualified borrowers misrepresent personal creditworthiness, overstate their ability to pay, and misrepresent characteristics of a housing unit they intend to occupy or treat as an investment property to qualify for a loan.
In double-pledging collateral schemes, borrowers pledge the same collateral (i.e., an item of value used to secure or guarantee a loan) with different lenders before liens are recorded without telling the lenders.
In a reciprocal loan arrangements scheme, insiders in different banks cause their banks to lend funds or sell loans to other banks with agreements to buy their loans, which is done to conceal loans and sales.
One method that competitive intelligence professionals commonly use to gather data about a competitor involves posing as a job applicant and interviewing with key employees at the competing company. This practice is BEST described as conducting surveillance.
A. True
B. False
B. False
See pages 1.707-1.708 in the Fraud Examiner’s Manual
Intelligence professionals might gather data through human intelligence (i.e., through direct contact with people). Generally, human intelligence is gathered from subject-matter experts and informed individuals. Such efforts typically target individuals who can provide the most valuable information.
For example, an intelligence professional might gather intelligence by posing as a customer of the target entity. This approach exploits two weaknesses of corporate culture: (1) all salespeople want to make a sale and (2) many salespeople will do almost anything to make a sale. Other approaches include:
- Employment interviews (real and fake)
- False licensing negotiations
- False acquisition or merger negotiations
- Hiring an employee away from a target entity
- Planting an agent in a target organization
- Social engineering
An address similarity report is an electronic insurance fraud detection tool that compares multiple payments going to the same address.
A. True
B. False
A. True
See pages 1.1123 in the Fraud Examiner’s Manual
Data analysis is an effective tool used to detect insurance fraud schemes. By using data analytics, fraud examiners can generate reports that provide good leads to possible fraud. For example, address similarity reports electronically compare multiple payments going to the same address. These reports are extremely useful because they might show a payment defalcation or funds going to another insurance company, broker, or fictitious payee.
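An address similarity report is straightforward to build once addresses are normalized, since the same address is rarely typed the same way twice. The following is an added example, not code from the Fraud Examiner's Manual. It uses a constructed claims-payment ledger (claim ID, payee, mailing address, amount) and a small abbreviation table; the normalization rules are a simplification of what a production address-matching tool does. Groups with several payments to one normalized address are reported, and groups where those payments go to different payees are ranked first, since that is the pattern that suggests a fictitious payee or a payment defalcation.

```python
"""Address similarity report over a constructed claims-payment ledger.

Added example, not from the Fraud Examiner's Manual. The ledger, the
abbreviation table and the normalization rules are all constructed for
the example; real address matching uses far richer standardization.
"""
import re
from collections import defaultdict

# Minimal abbreviation table so that 'Street' and 'St.' compare equal.
ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr", "boulevard": "blvd",
    "suite": "ste", "apartment": "apt", "unit": "apt",
    "north": "n", "south": "s", "east": "e", "west": "w",
}

# Constructed ledger: (claim_id, payee, mailing address, amount paid).
PAYMENTS = [
    ("CLM-1001", "J. Rivera", "12 Oak Street, Apt 4, Springfield", 1800.00),
    ("CLM-1002", "Maria Lopez", "12 Oak St. #4 Springfield", 2400.00),
    ("CLM-1003", "Oak Auto Body LLC", "12 OAK ST APT 4, SPRINGFIELD", 5100.00),
    ("CLM-1004", "T. Nguyen", "77 Pine Avenue, Springfield", 900.00),
    ("CLM-1005", "T. Nguyen", "77 Pine Ave Springfield", 450.00),
    ("CLM-1006", "R. Patel", "5 Elm Rd, Springfield", 300.00),
]


def normalize_address(addr):
    """Lower-case, strip punctuation, expand '#' to 'apt', apply abbreviations."""
    s = addr.lower()
    s = re.sub(r"[.,]", " ", s)          # '12 Oak St., Apt 4' -> '12 oak st  apt 4'
    s = re.sub(r"#\s*", "apt ", s)       # '#4' -> 'apt 4'
    return " ".join(ABBREV.get(tok, tok) for tok in s.split())


def address_similarity_report(payments, min_payments=2):
    """Group payments by normalized address and report addresses that
    received at least min_payments. Multi-payee addresses are listed first,
    then by total amount descending."""
    groups = defaultdict(list)
    for claim_id, payee, address, amount in payments:
        groups[normalize_address(address)].append((claim_id, payee, amount))

    report = []
    for address, rows in groups.items():
        if len(rows) < min_payments:
            continue
        payees = sorted({payee for _, payee, _ in rows})
        report.append({
            "address": address,
            "payments": len(rows),
            "payees": payees,
            "total": round(sum(amount for _, _, amount in rows), 2),
            "multiple_payees": len(payees) > 1,
        })
    report.sort(key=lambda r: (not r["multiple_payees"], -r["total"]))
    return report


if __name__ == "__main__":
    for row in address_similarity_report(PAYMENTS):
        flag = "MULTIPLE PAYEES" if row["multiple_payees"] else "repeat payee"
        print(f"{row['address']:30} {row['payments']} payments  {row['total']:>9.2f}  {flag}: {', '.join(row['payees'])}")
```

Three claims paid to three different payees at one apartment is the lead worth pulling: the same address may belong to a broker, an adjuster or a body shop that is being used as a drop for fictitious payees. Two payments to the same payee at one address is usually just a repeat claimant, which is why the report ranks it lower rather than dropping it.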
Which of the following activities does NOT typically occur during the containment and eradication step of the recommended methodology for responding to cybersecurity incidents?
A. Identifying all breaches that occurred
B. Restoring control of the affected systems
C. Limiting the damage caused by the attack
D. Notifying the appropriate internal personnel
A. Identifying all breaches that occurred
See pages 1.1462-1.1463, 1.1465 in the Fraud Examiner’s Manual
Every organization should be ready to respond to a wide range of cybersecurity incidents, including cyberattacks and data breaches. The recommended methodology for responding to cybersecurity incidents can be summarized in the following steps:
- Preparation
- Detection and analysis
- Containment and eradication
- Breach notification
- Recovery and follow-up
The focus of the detection and analysis step is to identify incidents of breach as quickly as possible.
During the containment and eradication step, management must rely on its preparation and planning to mitigate the attack effectively and efficiently. The idea is to restore control of the affected systems and limit the damage. Other considerations, such as identifying the intruder, are important, but maintaining control of the system is a primary concern. Also, appropriate personnel must be notified in accordance with the incident response plan. Information about the attack should be distributed on a need-to-know basis. Managers need to distribute enough information to effectively combat the problem without creating panic or additional vulnerabilities.
Maria, a successful restaurateur, has been informed of an unusually attractive investment opportunity by a recent acquaintance and decides to invest in it. Several months and a couple of underwhelming payments later, Maria grows frustrated with the diminishing disbursements and attempts to withdraw her money. After several weeks of delay, she realizes that the promoter seems to have vanished, along with her investment. Maria is the victim of which of the following fraudulent ploys?
A. An illegal pyramid
B. A Ponzi scheme
C. A dog and pony scam
D. A fly and buy scheme
B. A Ponzi scheme
See pages 1.1334-1.1345 in the Fraud Examiner’s Manual
A Ponzi scheme is generally defined as an illegal business practice in which new investors’ money is used to make payments to earlier investors. The investment opportunity is typically presented with the promise of uncommonly high returns. While the scam is presented as a legitimate investment, there is minimal or no actual commerce involved. When an enterprise promotes an investment opportunity that invests a minimal amount or none of the participants’ money and uses new investments to make dividend payments, the enterprise is running a Ponzi scheme.
Which of the following is a poor information security procedure that contributes to loss of proprietary information?
A. Failure to practice data minimization
B. Failure to implement data retention and destruction policies
C. Failure to guard documents maintained in manual file systems
D. All of the above
D. All of the above
See pages 1.743-1.744 in the Fraud Examiner’s Manual
To prevent the loss or misuse of sensitive data or proprietary information, organizations should develop and implement risk-based information-security systems designed to detect and prevent unauthorized access to sensitive information. An information security system requires controls that are designed to ensure that data are used as intended, and such controls will depend on the combination and coordination of people, processes, technologies, and other resources.
To be effective, a system for safeguarding sensitive and proprietary information should include the following:
- Task force
- Security risk assessments
- Security policies and procedures
- Awareness training
- Nondisclosure agreements
- Noncompetition agreements
- Data classification
- Data retention and destruction policies
- Data minimization
- Security controls
- Measures to guard manual file systems
- Monitoring of visitor access
- Quiet room
- Incident response plan
The failure to include any of these measures is a poor information security practice that can contribute to the loss of proprietary information.
All the following are types of medical provider fraud EXCEPT:
A. Clinical lab schemes
B. Fictitious providers
C. Fictitious services
D. Smurfing
D. Smurfing
See pages 1.1205-1.1207 in the Fraud Examiner’s Manual
Fictitious services, clinical lab schemes, and fictitious providers are all types of medical provider fraud.
In a fictitious services scheme, legitimate health care providers charge or bill a health care program for services that were not rendered at all. Often, the providers submit bills for patients they have never seen but whose private patient information they purchased from someone involved in identity theft or someone who otherwise improperly obtained it.
In a fictitious provider scheme, corrupt providers or other criminals fraudulently obtain and use another provider’s identification information and steal or purchase lists of patients’ identifying information. Thereafter, the perpetrator submits bills using the fictitious provider’s information to the insurance provider or government health care program for medical services although no services are performed.
Clinical lab schemes occur when a provider advises a patient that additional medical testing is needed to diagnose a problem when the testing is not actually required or advisable. The fee for the unnecessary work is often split with physicians. In some cases, physicians own the medical testing service. Additional medical testing, which is later viewed as excessive, is not always fraud. Many doctors have a genuine fear of retaliation from their patients; they are afraid of malpractice lawsuits that might result from a delayed or erroneous diagnosis.
Smurfing is a scheme to launder funds through financial institutions.
Which of the following is NOT an example of a business email compromise (BEC) scheme?
A. Fraudsters use botnets to send massive amounts of emails for the purpose of enticing the recipients to click on a fraudulent URL.
B. Fraudsters use the compromised email account of an executive to request employees’ personally identifiable information from the person who maintains such information.
C. Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account.
D. Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters.
A. Fraudsters use botnets to send massive amounts of emails for the purpose of enticing the recipients to click on a fraudulent URL.
See pages 1.1408-1.1409 in the Fraud Examiner’s Manual
Business email compromise (BEC) is a form of spear phishing attack that directly targets employees who can make large payments or who have access to sensitive proprietary information. BEC schemes typically involve fraudulent emails that appear to be from the company’s own chief executive officer (CEO) or from the head of a foreign supplier that the company has done business with for years. The emails often instruct the employee to perform a time-sensitive wire transfer to ensure that the supply chain is not disturbed, but the scheme has evolved to feature other methods or requests. Common scenarios for BEC schemes include:
- Business working with a foreign supplier—Fraudsters posing as a company’s foreign supplier send an email to the company and request that funds be transferred to an alternate account controlled by the fraudsters.
- Business executive requesting a wire transfer—Fraudsters use the compromised email account of a high-level executive to pose as the executive and ask an employee to transfer funds to the fraudsters’ account.
- Direct deposit changes—Rather than asking for a wire transfer or specific payment, some fraudsters executing BEC schemes pose as company executives or other high-ranking employees and request that account information associated with the direct deposit of their payroll checks be changed, thereby redirecting the funds into a new account.
- Real estate payments—Fraudsters posing as realtors, title company employees, or lawyers request a change in wire transfer payment instructions related to a sale of property, redirecting funds into a new account.
- Data theft—Fraudsters use the compromised email account of a high-level executive to request employees’ tax information or other personally identifiable information from the person responsible for maintaining such information (e.g., HR personnel). The stolen data might then be used to commit a variety of fraud schemes.
- Gift cards—Fraudsters pose as an executive and request that an assistant or subordinate purchase gift cards from retailers under the pretense that they will be gifts for family or employees and the executive is too busy to do the shopping themselves. These schemes are more likely to occur near holidays and typically involve the fraudsters requesting gift card numbers and personal identification numbers (PINs).
Payment card counterfeiting operations might include the use of which of the following?
A. Embossed blank plastic cards
B. High-speed printers
C. Desktop computers, embossers, tipping foil, and laminators
D. All of the above
D. All of the above
See pages 1.1015-1.1016 in the Fraud Examiner’s Manual
One common method of producing counterfeit payment cards includes the use of blank plastic cards. This scheme uses plastic the size of a payment card that is embossed with account numbers and names. This scheme often works in conjunction with a corrupt and collusive merchant or a merchant’s employee. Other counterfeit cards are wholly manufactured using high-speed printers. Additional tools that are common in the reproduction process include desktop computers, embossers, tipping foil, and laminators.
In a third-party health care fraud scheme perpetrated by a patient, the patient makes misrepresentations on an insurance application to circumvent coverage restrictions.
A. True
B. False
B. False
See page 1.1229 in the Fraud Examiner’s Manual
Third-party fraud involves the unauthorized use of an insured’s identity to obtain their insurance benefits. The insured usually discovers the fraud when they receive a benefit statement containing medical services they did not receive.
In misrepresentations on applications schemes, patients sometimes make misrepresentations on their insurance applications to circumvent coverage restrictions. Misrepresentations can include false information or the omission of relevant information.
Which of the following is an appropriate technique for detecting change order abuse?
A. Reviewing any change orders submitted by the contractor that add new items
B. Examining change orders that increase the scope or price of the existing contract
C. Interviewing complaining contractors and unsuccessful bidders about the presence of red flags
D. All of the above
D. All of the above
See pages 1.1526-1.1527 in the Fraud Examiner’s Manual
A change order is a written agreement between the procuring entity and the contractor to make changes in a signed contract. Change order abuse is a performance scheme that involves collusion between the contractor and personnel from the procuring entity. In change order abuses, a corrupt contractor submits a low bid to ensure that it wins the contract award, but, after the procuring entity awards the contract, the corrupt contractor increases its price with subsequent change orders.
Fraud examiners can detect change order abuse by engaging in the following activities:
- Examining change orders that add new items to the contract
- Examining change orders that increase the scope, quantity, or price of the existing contract
- Analyzing change orders for red flags
- Interviewing complaining contractors, unsuccessful bidders, and procurement personnel about the presence of any red flags
- Searching and reviewing external records (e.g., court records, prior complaints, audit reports, investigative reports, media sources) to determine if there is any history of misconduct
A confidence scheme designed to part victims from their money by falsely promising the future delivery of a product or service in exchange for an up-front payment is called a(n):
A. Home-based business scheme
B. Bait and switch scheme
C. Advance-fee scheme
D. Scavenger scheme
C. Advance-fee scheme
See page 1.1302 in the Fraud Examiner’s Manual
Advance-fee schemes are structured to obtain an illegal gain by falsely promising the delivery of a product or service. In some schemes, the product is marketed to several customers, and then the operation is shut down prior to the delivery stage. Common scenarios used to commit advance-fee scams include the following:
- A home improvement contractor requires prepayment for materials.
- Notice of a supposed inheritance from an unknown relative is received.
- Various exorbitant fees are required prior to securing financial assistance or advice.
Which of the following statements regarding new account fraud is LEAST ACCURATE?
A. New account fraud can be defined as any fraud that occurs on an account within the first ninety days that it is open.
B. Fraud is more likely to occur in accounts that have been newly opened than in established accounts.
C. Automated teller machines (ATMs) are often enticing targets for new account fraud because they do not require in-person transactions with bank tellers.
D. Mobile deposits are at low risk for new account fraud because they involve sending digital images of payment orders to financial institutions rather than providing physical copies.
D. Mobile deposits are at low risk for new account fraud because they involve sending digital images of payment orders to financial institutions rather than providing physical copies.
See pages 1.936-1.938 in the Fraud Examiner’s Manual
Fraud is much more likely to occur in new accounts than in established accounts. New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud.
Financial institutions are increasingly allowing mobile deposits, which typically involve a person sending a digital image of a check or similar payment order to the depository institution so that the paper document never has to be received or processed. There is a relatively high risk of new account fraud with mobile deposits for two main reasons. First, there is no face-to-face transaction required, and fraudsters prefer to maintain anonymity. Second, the digital image is often taken by a camera or a scanner, so it is easier to make forged or counterfeit deposits.
Financial institutions should also consider the increased risk of new account fraud when offering automated teller machines (ATMs) that accept deposits. As with mobile deposits, the fact that ATM deposits do not require in-person transactions with a teller is ideal for fraudsters. Many ATMs have cameras to help identify users, but ATMs are often enticing targets.
Which of the following scenarios is an example of a multiple claims health care fraud scheme as perpetrated by a patient?
A. Julia uses a stolen government identification number to impersonate a stranger and obtain medical services for herself.
B. James visits several local emergency rooms and falsely claims to have severe back pain in an effort to obtain prescription pain medication.
C. Roberta files medical claims with her ex-husband’s private insurer even though the divorce makes her ineligible for benefits under the policy.
D. Bill obtains double reimbursement for his hip replacement surgery by filing claims with different insurers.
D. Bill obtains double reimbursement for his hip replacement surgery by filing claims with different insurers.
See pages 1.1228-1.1230 in the Fraud Examiner’s Manual
Bill committed a multiple claims scheme by filing multiple claims for reimbursement for the same medical service. Patients commit fraud when they make a claim for a covered expense without revealing that they have already received reimbursement for that expense. For example, patients might seek reimbursement for the same medical service from both the government and a private insurer, two different private insurers, or two different government health care programs.
James committed a doctor shopping scheme in which patients “shop” (i.e., search) for multiple doctors who will provide controlled substances.
Patients, such as Roberta, sometimes seek reimbursement for ineligible claimants. For example, if a primary beneficiary dies, any secondary beneficiary named in the policy is generally ineligible for benefits. However, the secondary beneficiary might fail to notify the insurer of the death and continue to submit claims. Divorced parties can also commit ineligible claimant fraud. For example, suppose that a primary beneficiary and a covered spouse file for divorce, but neither party notifies the health care program. The ex-spouse might continue to submit claims even though they are no longer eligible for benefits.
Julia committed third-party fraud, which involves the unauthorized use of an insured’s identity to obtain insurance benefits. The insured usually discovers the fraud when they receive a benefit statement containing medical services they did not receive.
All the following are health care fraud schemes that are commonly perpetrated by patients EXCEPT:
A. Third-party fraud
B. Doctor shopping
C. Over-utilization
D. Multiple claims fraud
C. Over-utilization
See pages 1.1207, 1.1228 in the Fraud Examiner’s Manual
There are various fraud schemes that patients can perpetrate against government health care programs and private insurers, including:
- Fictitious claims
- Multiple claims
- Doctor shopping
- Misrepresentations on applications
- Altered bills
- Third-party fraud
- Ineligible claimants
Over-utilization occurs when a physician prescribes unnecessary or excessive patient services. This is a scheme perpetrated by providers, not patients.
Which of the following is NOT a common carrier of malware?
A. Email attachments
B. Files downloaded from the internet
C. Dual in-line memory modules
D. Freeware and shareware files
C. Dual in-line memory modules
See pages 1.1419-1.1420 in the Fraud Examiner’s Manual
Malware can infect computer systems from many sources. Some of the more common carriers of malware include:
- Unknown or unchecked application software
- Infected websites
- Banner ads
- Software or media that employees bring to work
- Files downloaded from the internet
- Infected software from vendors and suppliers
- Uncontrolled and shared program applications
- Files uploaded from storage devices, such as USB flash drives
- Demonstration software
- Freeware and shareware files
- Email attachments
Which of the following statements about ransomware is TRUE?
A. Ransomware is a program or command procedure that appears useful but contains hidden code that causes damage.
B. Ransomware is a classification of malware designed to simplify or automate online criminal activities.
C. Ransomware is a form of malware that locks a user’s operating system and restricts access to data files until a payment is made.
D. Ransomware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.
C. Ransomware is a form of malware that locks a user’s operating system and restricts access to data files until a payment is made.
See pages 1.1425-1.1427, 1.1429 in the Fraud Examiner’s Manual
Ransomware, as its name implies, is a form of malware that locks a user’s operating system and restricts access to data files until a ransom is paid. To intimidate internet users into compliance, ransomware often employs a convincing professional interface, commonly emblazoned with police insignia or an official government logo. Messages sometimes consist of threatening accusations that the user has been caught viewing illegal videos, downloading pirated media, or otherwise accessing forbidden internet content, with the only remedy being to pay a fine. Other forms are far more direct and make no effort to conceal their obvious attempts at extortion.
Spyware is a type of software that collects and reports information about a computer user without the user’s knowledge or consent.
A Trojan horse is a program or command procedure that appears useful but contains hidden code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming Trojan horses and spreading to other systems.
Crimeware is not a type of malware but rather a classification of malware denoted by its intent to facilitate criminal behavior. Crimeware can be described as malware designed to simplify or automate online criminal activities, such as programs to fraudulently obtain financial gain from the affected user or other third parties.
In a ____________ scheme, unqualified borrowers misrepresent personal creditworthiness, overstate their ability to pay, and misrepresent characteristics of the housing unit to qualify for a loan.
A. Reciprocal loan arrangements
B. Residential loan fraud
C. Double-pledging collateral
D. Credit data blocking
B. Residential loan fraud
See pages 1.905-1.906 in the Fraud Examiner’s Manual
In a residential loan fraud scheme, unqualified borrowers misrepresent personal creditworthiness, overstate their ability to pay, and misrepresent characteristics of a housing unit they intend to occupy or treat as an investment property to qualify for a loan. Such acts might include reporting inflated income, moving debt into a dependent’s name, reporting inflated square footage of the collateral, or even bribing an appraiser to value the home at a higher amount than the market value.
In double-pledging collateral schemes, borrowers pledge the same collateral (i.e., an item of value used to secure or guarantee a loan) with different lenders before liens are recorded without telling the lenders.
In a reciprocal loan arrangements scheme, insiders in different banks cause their banks to lend funds or sell loans to other banks with agreements to buy their loans, which is done to conceal loans and sales.
In a credit data blocking scheme, the perpetrator first applies for and obtains loans but intentionally defaults on the loans. Rather than allowing their credit report to reflect the defaulted loans, the perpetrator asserts that the initial loans were instances of identity theft. While the validity of the fraud claims is checked, the perpetrator’s negative credit history is temporarily removed from their credit report. This allows the perpetrator to take out more loans, which they will also intentionally default on.
A pyramid scheme is promoted by encouraging victim investors to recruit new members. The more members recruited, the higher the investor rises in the ranks of the enterprise and the more money the investor is supposed to make.
A. True
B. False
A. True
See pages 1.1339, 1.1345 in the Fraud Examiner’s Manual
In an illegal pyramid scheme, the more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make.
The difference between a Ponzi scheme and an illegal pyramid is how the operation is promoted. Illegal pyramids are promoted as pyramids, whereas Ponzi schemes are promoted as investment opportunities. In an illegal pyramid, the pyramidal structure helps recruit new participants, each believing that they will rise through the ranks of the pyramid. A Ponzi scheme, however, masquerades as some type of investment.
When a fraudster calls someone at the target company and persuades or tricks the person into providing valuable information, that corporate espionage technique is referred to as which of the following?
A. Social engineering
B. Replicating
C. Spamming
D. None of the above
A. Social engineering
See page 1.719 in the Fraud Examiner’s Manual
Social engineering is the act of using deceptive techniques to manipulate people into taking certain actions or disclosing information.
In social engineering schemes, social engineers use various forms of trickery, persuasion, or threats to encourage their targets to release information that the engineers can use and exploit to achieve their goals.
Attackers engage in social engineering for various reasons. Some use social engineering to gain unauthorized access to systems or obtain confidential communication so that they can commit fraud, intrude into networks, gain access to buildings, steal another party’s secrets, commit identity theft, or engage in some other nefarious act. In some situations, attackers use social engineering to procure information that will give them a competitive advantage, whereas others might engage in social engineering to find ways in which they can install malware.
In a(n) _____________ scheme, the company that initially defrauded a consumer contacts that consumer and offers to help retrieve the lost money. However, the investigation requires an up-front fee, and the consumer is swindled again.
A. Retrieval
B. Advance-fee
C. Scavenger
D. Double-hustle
C. Scavenger
See page 1.1306 in the Fraud Examiner’s Manual
The scavenger or revenge scheme involves the company that initially defrauded the consumer. Using a different company’s name, the outfit contacts the consumer again and asks if they would like to help put the unethical company out of business and get their money back. Naturally, an up-front fee is required to finance the investigation.
Which of the following objectives MOST ACCURATELY describes administrative security controls?
A. Ensuring that all personnel who have access to computing resources have the required authorizations and appropriate security clearances
B. Keeping unauthorized personnel from entering physical facilities and warning personnel when physical security measures are being violated
C. Providing connectivity with acceptable response times, user-friendly access, and a secure mode at an acceptable cost to the organization
D. Fully securing all organizational systems and data without considering budget implications
A. Ensuring that all personnel who have access to computing resources have the required authorizations and appropriate security clearances
See pages 1.1441, 1.1453 in the Fraud Examiner’s Manual
Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include:
- Security policies and awareness training
- Separation of duties
- Data classification
- Computer security risk assessments
- Security audits and tests
- Incident response plans
A data classification policy can BEST be described as a(n):
A. Application security control
B. Administrative security control
C. Physical security control
D. Technical security control
B. Administrative security control
See pages 1.1441, 1.1453 in the Fraud Examiner’s Manual
Administrative security (or personnel security) consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources. In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances. Examples of effective administrative controls for cybersecurity include:
- Security policies and awareness training
- Separation of duties
- Data classification
- Computer security risk assessments
- Security audits and tests
- Incident response plans
Zane obtained a loan from Bank A, agreeing to give the bank a security interest in his commercial property. Before Bank A’s lien was filed, Zane managed to get another loan from Bank B using the same commercial property as collateral (unbeknownst to Bank B). In which of the following schemes did Zane engage?
A. Double-pledging collateral
B. Linked financing
C. Daisy chain
D. Sham loan
A. Double-pledging collateral
See page 1.905 in the Fraud Examiner’s Manual
In a double-pledging collateral scheme, borrowers pledge the same collateral with different lenders before liens are recorded without telling the lenders.
Which of the following is a potential indicator of a loan fraud scheme?
A. Only two change orders have been requested for a long, complex project.
B. No change orders have been received for a large project.
C. There is an increasing trend in the number of change orders for a small project.
D. All of the above are potential indicators of a loan fraud scheme.
D. All of the above are potential indicators of a loan fraud scheme.
See page 1.912 in the Fraud Examiner’s Manual
An increasing trend in the number of change orders or amounts on change orders might indicate that construction changes have occurred that would alter the originally planned project to such an extent as to render the underwriting inappropriate.
Alternatively, some projects—especially large projects—tend to have many change orders. It might be more abnormal in situations like these to have few or no change orders than to have many. For instance, a lack of change orders for a large project might suggest that progress is not being made. Ultimately, the key characteristic that the fraud examiner should look for in change orders is abnormality, which can happen in many ways. Fraud examiners should discover what the normal trend for change orders is in terms of both quantity and content with the particular type of industry and project, and then they can look for deviations from those trends.
Which of the following refers to the type of network security systems that are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the network or on a host?
A. Network access controls
B. Intrusion detection systems
C. Network address prevention systems
D. Intrusion admission systems
B. Intrusion detection systems
See page 1.1450 in the Fraud Examiner’s Manual
An intrusion detection system (IDS) is a device or software application that monitors an organization’s inbound and outbound network activity and identifies any suspicious patterns of activity that might indicate a network or system attack or security policy violations. These systems are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the monitored entity’s network or system activities. They act much like a motion sensor by detecting individuals who have bypassed perimeter security.
Which of the following are information security goals that an e-commerce system should endeavor to meet for its users and asset holders?
I. Penetrability of data
II. Materiality of data
III. Integrity of data
IV. Availability of data
A. I, II, III, and IV
B. II and III only
C. III and IV only
D. I, II, and III only
C. III and IV only
See page 1.1437 in the Fraud Examiner’s Manual
All branches of an information system, including the e-commerce branch, strive to provide security for their users and asset holders. The following is a list of common information security goals that should be achieved to ensure the security of information systems for users and account holders:
- Confidentiality of data
- Integrity of data
- Availability of data
- Authentication
- Non-repudiation
A higher-than-normal level of employee turnover associated with a real estate developer is often a red flag of loan fraud.
A. True
B. False
A. True
See page 1.911 in the Fraud Examiner’s Manual
One red flag of loan fraud to look for, particularly in construction lending, is whether the real estate developer is experiencing higher-than-normal employee turnover. Typically, when a developer experiences a high degree of turnover, something is wrong with the internal operation. This is often a preamble to other problems.
Smart cards include a wide variety of hardware and software features capable of detecting and reacting to tampering attempts and countering possible attacks.
A. True
B. False
A. True
See pages 1.1028 in the Fraud Examiner’s Manual
A smart card is a plastic card, the size of a payment card, embedded with a microchip. A key advantage of smart cards is that, unlike regular magnetic stripe payment cards, they cannot be easily replicated. Similarly, smart cards cannot be easily counterfeited, which greatly reduces the potential for fraud with in-person transactions. Smart cards include a wide variety of hardware and software features capable of detecting and reacting to tampering attempts and countering possible attacks. If someone tries to tamper with a chip on a smart card, the card detects the intrusion and shuts itself down, rendering the card useless.
A medical provider billed a health care program for an electric wheelchair while providing the patient with a less expensive manual wheelchair. This inflated billing scheme is known as which of the following?
A. Unbundling
B. Undercharging
C. Upcoding
D. Replacement fraud
C. Upcoding
See pages 1.1217 in the Fraud Examiner’s Manual
Upcoding occurs when a provider bills for a higher level of service than actually rendered. In a typical upcoding scheme, a durable medical equipment (DME) company provides patients with an inexpensive product (e.g., a manual wheelchair) but bills the government for a more expensive product (e.g., an electric wheelchair).
Another common upcoding scheme is to falsely claim that an established patient is a new patient. A new patient generally requires an extensive examination and consumes more of the provider’s time. Therefore, under some medical coding systems, providers are reimbursed more for new patients than established patients.
___________ involve paying an individual to undergo unnecessary medical procedures that are then billed to the patient’s insurer or health care program.
A. DRG creep schemes
B. Rent-a-patient schemes
C. False cost reporting schemes
D. Fictitious patient schemes
B. Rent-a-patient schemes
See pages 1.1222 in the Fraud Examiner’s Manual
So-called rent-a-patient schemes involve paying an individual to undergo unnecessary medical procedures that are then billed to the patient’s insurer or health care program. These schemes occur in countries using a third-party payer system or single-payer system that allows private providers to bill health care programs.
Which of the following BEST illustrates the concept of human intelligence?
A. A corporate spy breaks into a competing company’s office and steals sensitive information while employees are attending an off-site event.
B. A corporate spy installs software on the computer of an employee from a competing company to monitor that employee’s communications.
C. A corporate spy creates a deceptive website that tricks employees from a competing company into divulging confidential information.
D. A corporate spy poses as a customer of a competing company to elicit information from the competitor’s salespeople.
D. A corporate spy poses as a customer of a competing company to elicit information from the competitor’s salespeople.
See pages 1.707-1.708 in the Fraud Examiner’s Manual
Intelligence professionals might gather data through human intelligence (i.e., through direct contact with people). Generally, human intelligence is gathered from subject-matter experts and informed individuals. Such efforts typically target individuals who can provide the most valuable information.
For example, an intelligence professional might gather intelligence by posing as a customer of the target entity. This approach exploits two weaknesses of corporate culture: (1) all salespeople want to make a sale and (2) many salespeople will do almost anything to make a sale. Other approaches include:
- Employment interviews (real and fake)
- False licensing negotiations
- False acquisition or merger negotiations
- Hiring an employee away from a target entity
- Planting an agent in a target organization
- Social engineering
Which of the following steps is often taken during an account takeover scheme?
A. Stealing account log-in information by sending phishing emails
B. Changing customer contact information on the overtaken account
C. Placing orders using funds from the overtaken account
D. All of the above
D. All of the above
See pages 1.1039-1.1040 in the Fraud Examiner’s Manual
Account takeover fraud occurs when a fraudster surreptitiously takes control of a payment account. Targeted accounts can include credit cards, banking, brokerage, or any type of online retail account (e.g., Amazon).
To take over an account, thieves obtain email addresses or other log-in information and use various means to obtain passwords, such as phishing emails or password-cracking botnet attacks.
Once the thief overtakes an account, communication methods and contact information are altered to keep the account holder unaware of the fraudulent activity. The thief is then free—depending on the type of account—to place orders using stored payment information, transfer funds, or request duplicate payment cards.
Elizabeth, a grocery store cashier, slips on a wet floor and falls while at work. She is unharmed but pretends to suffer an injury from the fall. She files a claim against the store’s workers’ compensation insurance policy and collects payments from the insurance carrier. She also misses several weeks of work even though she is fully capable of working. Under which category of workers’ compensation schemes does Elizabeth’s scheme fall?
A. Claimant fraud
B. Organized fraud
C. Agent fraud
D. Premium fraud
A. Claimant fraud
See pages 1.1109, 1.1112, 1.1114 in the Fraud Examiner’s Manual
Elizabeth’s scheme is classified as claimant fraud. Claimant fraud involves misrepresenting the circumstances of any injury or fabricating that an injury occurred. Such schemes are perpetrated by employees who stage accidents or exaggerate minor injuries, sometimes in collusion with unethical doctors, to fraudulently receive compensation benefits.
Workers’ compensation is essentially an employee benefit, entitling persons who are injured on the job to compensation while they heal.
The primary victim of a workers’ compensation scheme is not the employer but the insurance carrier for the employer. It is the insurance carrier who pays for the perpetrator’s fraudulent medical bills and unnecessary absences. Nevertheless, the employer is a tertiary victim of these crimes, as the fake claims can result in higher premiums for the company in the future.
Which of the following BEST illustrates the use of technical surveillance for purposes of corporate espionage?
A. A spy hacks into a target computer and monitors an employee’s communications.
B. A spy creates a deceptive website to trick employees into entering confidential information.
C. A spy impersonates a help desk representative to obtain an employee’s network password.
D. A spy uses a phony employee badge to enter an office and take a sensitive document.
A. A spy hacks into a target computer and monitors an employee’s communications.
See pages 1.707, 1.729-1.735 in the Fraud Examiner’s Manual
Technical surveillance is the practice of covertly acquiring audio, visual, or other types of data from targets through the use of technical devices, procedures, and techniques. When corporate spies resort to the use of technical surveillance, it is usually to gather nondocumentary evidence or information that cannot be found through open sources.
Corporate spies might employ various forms of technological surveillance, such as aerial photography, bugging and wiretapping, video surveillance, photographic cameras, mobile phones, monitoring computer emanations, and computer system penetrations.
Due to the paper trail involved and the emphasis placed on the problem by law enforcement, most check fraud offenders are pursued and prosecuted.
A. True
B. False
B. False
See pages 1.1001-1.1002 in the Fraud Examiner’s Manual
Many merchants overburden police and prosecutors with reports of check fraud rather than implementing effective training and controls to help prevent such schemes from the outset; therefore, law enforcement and prosecutors do not have the time or workforce to pursue all such cases and are often uneager to do so. Furthermore, check fraud perpetrators frequently migrate from one location to another, making their arrest and prosecution difficult.
Traditional identity theft involves the use of entirely fabricated personal information or a combination of real and fabricated information to create a new identity.
A. True
B. False
B. False
See pages 1.803-1.804 in the Fraud Examiner’s Manual
Synthetic identity theft involves the use of entirely fabricated personal information or a combination of real and fabricated information to create a new identity.
In traditional identity theft, a fraudster steals an individual’s personal information and pretends to be that individual. For example, a fraudster might use an individual’s name, government identification number, and date of birth to impersonate the individual and gain access to the individual’s bank account. This is called an account takeover. Another type of traditional identity theft is true name fraud, in which a fraudster uses an individual’s personal information to open a new account under the individual’s name. Unlike an account takeover, which involves an existing account, true name fraud involves a new account.
Which of the following statements regarding new account fraud schemes is LEAST ACCURATE?
A. Mobile deposits are at high risk for new account fraud because face-to-face, in-person transactions are not required.
B. Automated teller machines (ATMs) are rarely targets of new account fraud because most have cameras installed.
C. New account fraud sometimes involves withdrawing funds after opening a new business account using checks stolen from another business.
D. New account criminals often use false identification to open new bank accounts and steal money before funds are collected by the financial institution.
B. Automated teller machines (ATMs) are rarely targets of new account fraud because most have cameras installed.
See pages 1.936-1.938 in the Fraud Examiner’s Manual
New account fraud is generally defined as fraud that occurs on an account within the first ninety days that it is open; often, perpetrators open these accounts with the sole intent of committing fraud.
New account criminals often use false identification to open new accounts and steal money before funds are collected by the bank. False identification is easily purchased.
Some bank customers defraud business institutions by opening a new business account using checks stolen from another business. The fraudsters then withdraw the funds and close the account.
Financial institutions are increasingly allowing mobile deposits, which typically involve a person sending a digital image of a check or similar payment order to the depository institution so that the paper document never has to be received or processed. There is a relatively high risk of new account fraud with mobile deposits for two main reasons. First, there is no face-to-face transaction required, and fraudsters prefer to maintain anonymity. Second, the digital image is often taken by a camera or a scanner, so it is easier to make forged or counterfeit deposits.
Financial institutions should also consider the increased risk of new account fraud when offering automated teller machines (ATMs) that accept deposits. As with mobile deposits, the fact that ATM deposits do not require in-person transactions with a teller is ideal for fraudsters. Many ATMs have cameras to help identify users, but ATMs are often enticing targets.
Which of the following is NOT a red flag that might indicate the existence of a need recognition scheme?
A. The purchasing entity does not have a satisfactory list of backup suppliers.
B. The purchasing entity’s materials are being ordered at the optimal reorder point.
C. The purchasing entity has unusually high requirements for stock and inventory levels.
D. The purchasing entity has a large number of surplus items written off as scrap.
B. The purchasing entity’s materials are being ordered at the optimal reorder point.
See pages 1.1514-1.1515 in the Fraud Examiner’s Manual
Generally, procurement actions begin with the procuring entity making a determination of its general needs. These initial determinations include assessments of the types and amounts of goods or services required to meet the entity’s needs. In need recognition schemes, procurement employees convince their employer that it needs excessive or unnecessary products or services.
There are several red flags that might indicate a need recognition scheme. An organization with unusually high requirements for stock and inventory levels might reveal a situation in which a corrupt employee is seeking to justify unnecessary purchases from a certain supplier. Likewise, if an organization’s materials are not being ordered at the optimal reorder point, this should raise a red flag. An employee might also justify unnecessary purchases of inventory by writing off a large number of surplus items as scrap. As these items leave the inventory, they open spaces to justify additional purchases. Another indicator of a need recognition scheme is a need that is defined in a way that can only be met by a certain supplier or contractor. In addition, the failure to develop a satisfactory list of backup suppliers might reveal an unusually strong attachment to a primary supplier—an attachment that is explainable by the acceptance of bribes from that supplier.
The equipment needed to operate a check fraud ring is very expensive and difficult to obtain.
A. True
B. False
B. False
See pages 1.1007 in the Fraud Examiner’s Manual
Check fraud rings thrive because the items needed to commit check fraud are easily obtainable and the cost is minimal. Often, the only necessary equipment for a check fraud ring is a scanner, printer, and personal computer.
Automatic debit program schemes occur when fraudsters obtain a consumer’s bank account information and then use this information to draft money from the consumer’s bank account without that person’s consent.
A. True
B. False
A. True
See pages 1.1304 in the Fraud Examiner’s Manual
Automatic debit programs are a convenient way to pay bills, such as recurring charges for mortgages and car loans. Fraudsters exploit these programs by obtaining consumers’ bank account information through telemarketing schemes. Fraudsters then use this information to draft money from consumers’ bank accounts without their consent.
To ensure separation of duties within the information systems department and between IT and business unit personnel, computer operators should be responsible for performing computer programming.
A. True
B. False
B. False
See pages 1.1454-1.1456 in the Fraud Examiner’s Manual
Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information systems department and between IT and business unit personnel include:
- Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
- IT personnel’s access to production data should be limited.
- Application system users should only be granted access to those functions and data required for their job duties.
- Program developers should be separated from program testers.
- System users should not have direct access to program source code.
- Computer operators should not perform computer programming.
- Development staff should not have access to production data.
- Development staff should not access system-level technology or database management systems.
- End users should not have access to production data outside the scope of their normal job duties.
- End users or system operators should not have direct access to program source code.
- Programmers should not be server administrators or database administrators.
- IT departments should be separated from information user departments.
- Functions involving the creation, installation, and administration of software programs should be assigned to different individuals.
- Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties.
- Employees’ access to documents should be limited to those that correspond with their related job tasks.
Employment identity theft occurs when a fraudster impersonates a business to commit financial fraud.
A. True
B. False
B. False
See pages 1.807 in the Fraud Examiner’s Manual
Business identity theft occurs when a fraudster impersonates a business to commit financial fraud. In an employment identity theft scheme, a fraudster impersonates another person to secure a job.
All the following are red flags of health care provider fraud EXCEPT:
A. Pressure for rapid processing of bills or claims
B. Medical records that have been altered
C. Unusually high profits compared to similar businesses in the same region
D. An unusually small number of claims for reimbursement
D. An unusually small number of claims for reimbursement
See pages 1.1211 in the Fraud Examiner’s Manual
Warning signs that a health care provider is engaging in fraudulent practices include:
- Lack of supporting documentation for claims under review
- Details in supporting documents that do not match the claim
- Medical records that have been altered
- Medical records that were created long after the alleged patient visit
- Medical records that seem sloppy, disorganized, or otherwise unprofessional
- Missing pages of medical records that would cover the period of time under review
- Routine, nonspecialized treatment for patients living several hours away from the provider
- An unusually high volume of patients
- An unusually large number of claims for reimbursement
- Unusually high profits compared to similar businesses in the same geographic region
- Matching addresses on the claim form for the patient and the provider
- High percentage of coding outliers
- Pressure for rapid processing of bills or claims
- Threats of legal action for delay in making payments
To help safeguard an organization’s proprietary information, management should require all employees throughout the organization to sign noncompetition agreements.
A. True
B. False
B. False
See pages 1.750 in the Fraud Examiner’s Manual
A noncompetition agreement is an agreement whereby employees agree not to work for competing companies within a certain period of time after leaving their current employer. While noncompetition agreements can be useful in some circumstances, there are multiple legal issues that limit their effectiveness. Because of these potential legal issues and challenges, and due to differences in employees’ geographic locations, job responsibilities, access to proprietary information, and other factors, such agreements should generally be used on an as-needed basis, rather than as a broad requirement for all employees. If management does determine that such an agreement is appropriate for certain employees, it should consult with legal counsel to ensure that the agreement is valid and enforceable under the applicable laws.
Which of the following is NOT a common red flag of procurement fraud schemes involving collusion among contractors?
A. More competitors than usual submit bids on a project or product.
B. All contractors submit consistently high bids.
C. Bid prices decline when a new competitor enters the competition.
D. The same contractors bid on each project or product.
A. More competitors than usual submit bids on a project or product.
See pages 1.1513-1.1514 in the Fraud Examiner’s Manual
Common red flags of procurement fraud schemes involving collusion among contractors include:
- The industry has limited competition.
- The same contractors bid on each project or product.
- The winning bid appears too high.
- All contractors submit consistently high bids.
- Qualified contractors do not submit bids.
- The winning bidder subcontracts work to one or more losing bidders or to non-bidders.
- Bids appear to be complementary bids by companies unqualified to perform the work.
- Some bids fail to conform to the essential requirements of the solicitation documents (i.e., some bids do not comply with bid specifications).
- Some losing bids were poorly prepared.
- Fewer competitors than usual submit bids on a project or product.
- When a new contractor enters the competition, the bid prices begin to decline.
- There is a rotational pattern to winning bidders (e.g., geographical, customer, job, or type of work).
- There is evidence of collusion in the bids (e.g., bidders make the same mathematical or spelling errors; bids are prepared using the same typeface, handwriting, stationery, or envelope; or competitors submit identical bids).
- There is a pattern indicating that the last party to bid wins the contract.
- There are patterns of conduct by bidders or their employees that suggest the possibility of collusion (e.g., competitors regularly socialize, hold meetings, visit each other’s offices, or subcontract with each other).
The MOST COMMON giveaway scheme, in which a postcard arrives in the mail telling the recipient they have already won a prize such as a luxurious vacation or cash, is known as:
A. The “Fly and Buy”
B. The “1-in-5”
C. The “Bait and Switch”
D. None of the above
B. The “1-in-5”
See pages 1.1331 in the Fraud Examiner’s Manual
The most common giveaway scheme is known as the 1-in-5. In this scheme, a consumer receives a letter or postcard in the mail informing them that they have already won a prize. The prizes usually include luxurious vacations, new cars, or cash. Unfortunately, the odds of winning any of the prizes are extremely low. Victims might receive items of minimal or no value or coupons redeemable only for the company’s substandard merchandise.
Because it is a common occurrence, the fact that documents are missing from a loan file is generally NOT a red flag for loan fraud.
A. True
B. False
B. False
See pages 1.913 in the Fraud Examiner’s Manual
Missing or altered documentation is a red flag for any type of fraud scheme, and it is a particular concern for loan fraud. While it is true that many loan files have missing documents, it is important to determine if the documents have been misplaced or were never received. A waiver of certain documents is a common way lenders conceal fraud schemes.
Billing for experiments with new medical devices that have not yet been approved by a jurisdiction’s health care authority is one form of medical fraud.
A. True
B. False
A. True
See pages 1.1219-1.1220 in the Fraud Examiner’s Manual
One form of medical fraud is the billing for experimental use of new medical devices that have not yet been approved by the jurisdiction’s health care authority. Some hospitals deliberately mislead third-party payers by getting them to pay for the manufacturer’s research. Many of the doctors involved are alleged to have stock in the manufacturing companies.
Which of the following is the MOST ACCURATE definition of a computer worm?
A. A computer program that replicates itself and penetrates operating systems to spread malicious code to other computers
B. A program or command procedure that appears useful but contains hidden code that causes damage
C. Any software application that displays advertisements while it is operating
D. A type of software that, while not definitely malicious, has a suspicious or potentially unwanted aspect to it
A. A computer program that replicates itself and penetrates operating systems to spread malicious code to other computers
See pages 1.1424 in the Fraud Examiner’s Manual
A computer worm is a computer program that replicates itself and penetrates operating systems to spread malicious code to other computers.
Janice, a Certified Fraud Examiner (CFE) for a major insurance company, has received an anonymous tip that an employee in the claims department is processing claims for their own benefit during nonworking hours. To gather information about the validity of this tip, Janice should look at which of the following reports?
A. Manual override report
B. Address similarity report
C. Exception report
D. All of the above
D. All of the above
See pages 1.1123 in the Fraud Examiner’s Manual
Janice could look at several different types of reports to determine the validity of the tip. For instance, address similarity reports electronically compare multiple payments going to the same address. They are extremely useful because they might show a payment defalcation or funds going to another insurance company, broker, or fictitious payee. Additionally, the exception or manual override reports list all exceptions to normal electronic processing, thereby pointing out when a computer is being used outside the normal processing time, such as on the weekend.
A doctor provides services to both patients who pay directly and patients whose bills are paid by a government program. To make the services more attractive to patients outside the coverage of the government program, the doctor gives patients who pay directly a discount that is not applicable to patients under the program. Which of the following BEST describes the provider’s scheme?
A. Fictitious claim
B. Upcoding
C. Disparate price
D. Overutilization
C. Disparate price
See pages 1.1207-1.1208 in the Fraud Examiner’s Manual
Many government health care programs require that they receive the best available price that providers offer. In a disparate price scheme, providers charge some patients (e.g., those in direct payment situations) a lower rate than they charge the government. This disparate bill rate causes the government to pay a higher rate, in violation of regulations mandating that the government receive the lowest rate. In addition, some government health programs require that wholesale pharmacies provide the program at the average wholesale price. However, providers might manipulate their data and provide false information to the government program.
Which of the following BEST describes phishing?
A. A method for acquiring sensitive information by bypassing a computer system’s security using an undocumented operating system and network functions
B. A method for acquiring sensitive information in which an attacker hides near the target to gain unauthorized access to a computer system
C. A method for acquiring sensitive information needed to facilitate a specific scheme by searching through large quantities of available data
D. A method for acquiring sensitive information by falsely claiming through electronic communication to be from an entity with which the target does business
D. A method for acquiring sensitive information by falsely claiming through electronic communication to be from an entity with which the target does business
See pages 1.1407 in the Fraud Examiner’s Manual
Phishing is a type of social engineering scheme that involves impersonating a trusted individual or entity. Generally, phishers manipulate victims into providing sensitive information by falsely claiming to be from an actual business, bank, internet service provider (ISP), or other entity with which the target does business.
In this type of scam, phishers typically use emails to direct internet users to imitation websites that look legitimate, such as log-in portals for online banks, retailers, or government agencies. Phishers control these imitation websites and use them to steal sensitive information, such as bank account details and passwords. Other phishing schemes involve corrupted files that will install malware or allow the attackers access to a computer system once the victim downloads and opens the files.
Which of the following is a common red flag of elder fraud schemes?
A. New friends who appear suddenly and without prior mention
B. The discovery of signed or forged legal documents
C. Large bank account withdrawals with no explanation
D. All of the above
D. All of the above
See pages 1.1316 in the Fraud Examiner’s Manual
The following are some common red flags for elder fraud schemes. While the presence of any one of these circumstances does not necessarily indicate that elder fraud is occurring, individuals close to the older individuals should be aware of multiple occurrences of or patterns in these warning signs.
- Outstanding bills
- Disconnection notices for unpaid utilities
- Large bank account withdrawals with no explanation
- New friends who appear suddenly and without prior mention
- The discovery of signed or forged legal documents (e.g., power of attorney [POA]) that the older individual is not aware of
- Another caregiver asking probing or unexpected questions about the older individual’s spending habits
- The older individual missing property or belongings
- The discovery of financial decisions or arrangements that the older individual is unaware of (e.g., the opening of an account in the person’s name)
All the following are examples of schemes that specifically target older individuals EXCEPT:
A. A fraudster informs an individual that they won a prize but must pay a sum of money before they can receive it.
B. A fraudster convinces a victim that their computer has a virus and offers unnecessary repair services in exchange for a fee.
C. A fraudster offers to eliminate an individual’s credit card debt after the individual pays for the service with their card.
D. A fraudster pretends to be the victim’s grandchild and requests money to help with a difficult financial situation.
C. A fraudster offers to eliminate an individual’s credit card debt after the individual pays for the service with their card.
See pages 1.1308, 1.1313-1.1315 in the Fraud Examiner’s Manual
Elder fraud, also known as elder financial abuse, includes different types of consumer fraud schemes perpetrated against older individuals.
In a tech-support scheme, a fraudster attempts to convince victims to pay for unnecessary computer services to repair nonexistent viruses or other problems. The scheme usually begins with a fraudster calling a victim and claiming to be a computer technician working for a well-known tech company (e.g., Microsoft or Apple). Alternatively, the victim might be tricked into calling the fraudster directly via pop-up messages warning about nonexistent computer problems. Once the victim is speaking to the fraudster by phone, the fraudster generally instructs the victim to download and launch software that gives the fraudster remote access to the victim’s computer. The fraudster proceeds to perform phony diagnostic tests on the victim’s computer, falsely claims to have detected viruses or other problems, and offers to fix the victim’s computer for a fee. In addition to collecting a fee for unnecessary services, the fraudster might install spyware onto the victim’s computer.
In a grandparent scheme, a scammer calls an older individual and asks if the individual knows who is calling. When the grandparent guesses the name of a grandchild, the scammer pretends to be that grandchild. The scammer claims to be in a financial bind and asks if the grandparent can send money via the internet or a money transfer service. The scammer urges the grandparent to avoid telling anyone about the situation. Once scammers receive the money, they continue to contact the grandparent for more money.
In a sweepstakes and prize scheme, fraudsters inform older individuals they won a prize but must pay a fee to receive it. The fraudsters then convince their victims that they can eventually win the grand prize if they send them another fee. This cycle continues until the victims become aware of the scheme or are no longer able to send fees because they have depleted their savings.
A scheme in which a fraudster offers to eliminate an individual’s credit card debt after the individual pays for the service with their card is an example of a credit card debt elimination scheme. Although anyone could be a target of this kind of fraud, such schemes generally do not specifically target older individuals.
ABC Bank recently acquired a new portfolio of consumer loans. Because this loan portfolio is experiencing a default rate that is higher than normal, management has asked Bradley, a Certified Fraud Examiner (CFE), to evaluate the portfolio. Bradley notices that the loan package was sold without recourse to the broker, the brokerage fee was high relative to other purchases, and the broker is no longer in business. Which of the following types of schemes has Bradley MOST LIKELY uncovered?
A. Daisy chain fraud
B. Letter of credit fraud
C. Money transfer fraud
D. Brokered loan fraud
D. Brokered loan fraud
See page 1.947 in the Fraud Examiner’s Manual
Loan brokering applies to either packages of individual residential (consumer) loans or single commercial loans. A variation of a brokered loan is loan participation, whereby multiple parties purchase and have interests in a loan or a package of loans. The fraud schemes associated with brokered loans or loan participation generally involve selling phony loans (packages) or selling participations in loans that have not been properly underwritten. Normally, a large fee is charged for these brokered loans. With residential loan packages, the broker sells the package, takes the money, and disappears. Brokered loans are not usually sold with any recourse to the broker. Therefore, the purchaser must look to the borrower and the underlying collateral for debt satisfaction. With loan participations, the lead bank generally performs the underwriting. However, this does not relieve the participating bank from its obligation to perform due diligence.
All the following are best practices for ensuring separation of duties within the information systems department and between IT and business unit personnel EXCEPT:
A. Only programmers should be server administrators.
B. End users should not have access to production data outside the scope of their normal job duties.
C. Program developers should not be responsible for testing programs.
D. IT departments should not overlap with information user departments.
A. Only programmers should be server administrators.
See pages 1.1454-1.1456 in the Fraud Examiner’s Manual
Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information systems department and between IT and business unit personnel include:
- Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
- IT personnel’s access to production data should be limited.
- Application system users should only be granted access to those functions and data required for their job duties.
- Program developers should be separated from program testers.
- System users should not have direct access to program source code.
- Computer operators should not perform computer programming.
- Development staff should not have access to production data.
- Development staff should not access system-level technology or database management systems.
- End users should not have access to production data outside the scope of their normal job duties.
- End users or system operators should not have direct access to program source code.
- Programmers should not be server administrators or database administrators.
- IT departments should be separated from information user departments.
- Functions involving the creation, installation, and administration of software programs should be assigned to different individuals.
- Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties.
- Employees’ access to documents should be limited to those that correspond with their related job tasks.
Publicly available information that anyone can lawfully obtain by request, purchase, or observation is known as which of the following?
A. Wide-source information
B. Free-source information
C. Confidential-source information
D. Open-source information
D. Open-source information
See page 1.704 in the Fraud Examiner’s Manual
Open-source information is information in the public domain; it can be defined as publicly available data “that anyone can lawfully obtain by request, purchase, or observation.”
Jeremy is involved in an automobile accident but does not have insurance. To be reimbursed for the damages, he gets insurance, waits a short time, and then reports the vehicle as having been in an accident. He has committed an insurance scam known as _____________.
A. Churning
B. Past posting
C. Ditching
D. None of the above
B. Past posting
See page 1.1105 in the Fraud Examiner’s Manual
Past posting is a scheme in which a person is involved in an automobile accident but does not have insurance. After the accident, the person gets insurance, waits a short time, and then reports the vehicle as having been damaged in some manner, thus collecting for the damage previously incurred.
Mario, an employee of a person-to-person (P2P) payment company, has been writing down the account numbers and passwords of customer accounts with the intent of fraudulently using them to pay for items he purchases online. Mario is engaging in:
A. Check fraud
B. Electronic funds transfer fraud
C. Credit card transfer fraud
D. None of the above
B. Electronic funds transfer fraud
See page 1.1036 in the Fraud Examiner’s Manual
Mario is committing an electronic funds transfer (EFT) scheme by misappropriating customers’ account and password information.
There are several ways in which fraud can be perpetrated through the electronic transfer of funds. Potential sources of fraud include the following:
- A biller might send a bill for services not rendered or for goods never sent.
- A person who has obtained information about another person’s bank account might instruct a biller to obtain payment from the other person’s account.
- A hacker might obtain passwords and usernames from an aggregator and use that information to direct transfers from a consumer’s bank account.
- An employee at the site providing electronic bill presentment and payment (EBPP) services who knows consumers’ usernames and passwords might use that information to direct transfers from consumers’ bank accounts.
- A bank employee might use customer information to direct transfers from a customer’s account.
Which of the following is a common scheme perpetrated by suppliers of durable medical equipment (DME)?
A. Falsifying prescriptions for medical equipment
B. Billing for equipment rental after it is returned
C. Intentionally providing excessive equipment
D. All of the above
D. All of the above
See pages 1.1208-1.1209 in the Fraud Examiner’s Manual
The term durable medical equipment (DME) refers to medical equipment that can withstand repeated use, such as wheelchairs and specialized patient beds. Fraud schemes perpetrated by DME suppliers frequently involve:
- Falsified prescriptions for DME
- Intentionally providing excessive DME
- DME not being delivered
- Billing for DME rental beyond when the DME is returned
- Billing for DME not covered by the insurance policy or health care program
- Scooter scams (i.e., billing for electric-powered wheelchairs that are either unnecessary or are of poorer quality than the model billed for)
When fabricating a counterfeit payment card, which of the following is the MOST DIFFICULT facet to reproduce?
A. The hologram
B. The embossed numbers
C. The card thickness
D. The magnetic strip
A. The hologram
See page 1.1016 in the Fraud Examiner’s Manual
The hologram is the most difficult aspect of a payment card to reproduce. True holograms use a lenticular refraction process; counterfeits generally consist of reflective materials, usually foil with an image stamped on it. These decals are attached to the card’s surface rather than fixed into the plastic, as is the case with legitimate cards. Some fraudulent holograms do not change colors—as legitimate ones do—when viewed from various angles.
Which of the following health care frauds would BEST be described as a fictitious services scheme?
A. A doctor uses the identifying information of patients the doctor has never serviced to bill an insurer or health care program.
B. A patient who is not covered under a health care program pretends to be a covered party to receive medical services.
C. A patient fraudulently reports symptoms they do not actually have to receive a prescription.
D. A doctor intentionally submits a bill to an insurer or health care program using improper codes for the services provided.
A. A doctor uses the identifying information of patients the doctor has never serviced to bill an insurer or health care program.
See page 1.1206 in the Fraud Examiner’s Manual
In a fictitious services scheme, legitimate health care providers charge or bill a health care program for services that were not rendered at all. Often, the providers submit bills for patients they have never seen but whose private patient information they purchased from someone involved in identity theft or someone who otherwise improperly obtained it.
Which of the following real estate loan schemes MOST ACCURATELY describes an air loan?
A. A property developer applying for a loan submits instances of previous development experience that are fictitious or that they had no part in.
B. A fraudster files fraudulent property transfer documents with the property owner’s forged signature and then takes out a loan using the property as collateral.
C. A loan applicant falsifies their income sources to qualify for a mortgage.
D. A builder, in collusion with an appraiser and other real estate insiders, fraudulently applies for a loan to construct a building on a nonexistent property and keeps the proceeds.
D. A builder, in collusion with an appraiser and other real estate insiders, fraudulently applies for a loan to construct a building on a nonexistent property and keeps the proceeds.
See pages 1.927-1.928 in the Fraud Examiner’s Manual
An air loan is a loan for a nonexistent property—with air symbolizing the loan’s fraudulent absence of collateral. Most or all of the documentation is fabricated, including the borrower, the property ownership documents, and the appraisal. This type of scheme involves a high level of collusion, and perpetrators might even set up a fictitious office with people pretending to be participants in the transaction, such as the borrower’s employer, the appraiser, and the credit agency. Usually, air loans go into early payment default. Since there are no actual properties on which to foreclose, the losses on these loans can be enormous.
Which of the following is the MOST ACCURATE definition of a Trojan horse?
A. A type of software that collects and reports information about a computer user without the user’s knowledge or consent
B. A software program that contains various instructions that are executed every time a computer is turned on
C. A program or command procedure that appears useful but contains hidden code that causes damage
D. A virus that changes its structure to avoid detection
C. A program or command procedure that appears useful but contains hidden code that causes damage
See page 1.1425 in the Fraud Examiner’s Manual
A Trojan horse is a program or command procedure that appears useful but contains hidden code that causes damage. When the hidden code in a Trojan horse is activated, it performs some unwanted or harmful function. Often, viruses and worms attach themselves to other legitimate programs, becoming Trojan horses and spreading to other systems.
A financial fund operator who insists that investors continually reinvest their profits, rather than take payouts, is a red flag of a Ponzi scheme.
A. True
B. False
A. True
See page 1.1338 in the Fraud Examiner’s Manual
The following are red flags of Ponzi schemes:
- Sounds too good to be true—If an investment opportunity seems suspiciously better than it should be, then it is probably a Ponzi scheme.
- Promises of low risk or high rewards—Promoters of Ponzi schemes typically promise implausibly high or quick returns with little risk. As all legitimate investments include some risk, any guarantee that an investment will perform in a certain way is a clear signal that it might be part of a Ponzi scheme.
- History of consistent returns—Any firm that generates remarkably consistent returns regardless of market conditions should raise suspicions.
- High-pressure sales tactics—Reputable investment firms and agents do not push potential investors to act immediately, and legitimate investment opportunities are rarely that time sensitive.
- Pressure to reinvest—Often, fraudsters keep Ponzi schemes going by convincing investors to reinvest their profits rather than take a payout.
- Complex trading strategies—Legitimate agents should be able to provide clear explanations about their investment strategies. For obvious reasons, Ponzi-scheme boosters purposefully employ complicated strategies that confound unsophisticated investors.
- Lack of transparency or access—Secrecy surrounding the operations of a financial company should be an immediate warning sign. Ponzi operators are often unlicensed, and their supposed investments are typically unregistered. Additionally, a lack of access to regular statements or an online account should trigger alarm.
- Lack of separation of duties—Investors should be wary of any financial manager who manages, administers, and retains custody of the fund in question.
Research and development (R&D) personnel often inadvertently divulge confidential information through which of the following?
A. Hiring outside academic professionals
B. Discussions with colleagues at conferences
C. Articles written for industry journals
D. All of the above
D. All of the above
See page 1.712 in the Fraud Examiner’s Manual
Often, intelligence professionals target research and development (R&D) employees because their positions generally involve the communication of information. For example, many R&D employees attend or participate in trade shows, conferences, or other industry functions where it is common to network with other professionals in their field and exchange ideas. Such events provide intelligence spies with the opportunity to learn key product- or project-related details simply by listening to a presentation or asking the right questions.
R&D employees’ publications are also a good source of information for intelligence professionals. Researchers sometimes inadvertently include sensitive project details when writing articles about their findings for industry journals or other mediums. This is particularly true in the case of academic professionals who might be hired by a company to perform research or conduct a study. If a company hires an academician to conduct research, management must ensure that the academician understands the need to keep the results confidential. In addition, management must ensure that the academician’s use of teaching assistants or graduate students is minimal and that those individuals understand the confidentiality requirements.
Visitors to a company’s facilities should be allowed unrestricted access as long as they have signed in as a visitor in the company’s logbook and have been issued a visitor’s badge.
A. True
B. False
B. False
See page 1.754 in the Fraud Examiner’s Manual
Management should monitor and limit visitor access. Visitors should be required to sign in and out of an organization logbook. It is considered a best practice to issue each visitor a badge that identifies them as a nonemployee. Also, visitors should be escorted by a host for the entirety of their visit and not be allowed into areas containing sensitive information. Additionally, locks on doors leading to secure areas should be changed or reprogrammed regularly, especially if an employee has recently quit or been terminated.
To prevent contract and procurement fraud, companies should implement a continuous monitoring program to monitor their procurement activities.
A. True
B. False
A. True
See page 1.1535 in the Fraud Examiner’s Manual
It is important for companies to implement a continuous, self-auditing program to monitor the performance of their procurement activities. Continuous monitoring uses data analytics on a perpetual basis, thereby allowing management to identify and report fraudulent activity more rapidly.
Not every company that runs its business using a pyramid structure is operating an illegal pyramid scheme.
A. True
B. False
A. True
See page 1.1339 in the Fraud Examiner’s Manual
Not all organizations with a pyramid structure are engaging in illegal activity. Some legitimate merchandising companies use a pyramid structure to rank and determine the compensation of their employee-owners. A pyramid structure becomes an illegal pyramid scheme when the recruitment of new members takes precedence over the product or service that the company is ostensibly promoting. The more members that are recruited, the higher the investor is purported to rise in the ranks of the enterprise and the more money the investor is supposed to make.