VisuaLinks Summary

Terrorist Financing Analysis Example

When performing advanced analytics for different types of domains, whether for law enforcement, intelligence, or commercial fraud purposes, there tend to be common types of objects that form the foundation of the networks. Many times, people use the same address, the same identification number (e.g., a driver's license, passport, state ID), and most often a phone number. In fact, in a number of domains, especially in finance and banking, the phone number tends to be one of the most consistent elements for exposing distributed networks for people trying to avoid detection.

Keep in mind that phone numbers are frequently recycled by the telecommunication companies. It is therefore important to know the time frame of the data collection. In as little as six (6) months, a phone number can be canceled and reassigned to another person. If there are other commonalities, such as similar names, then the phone number is most likely valid and will expose a hidden network.

Many times, an investigation starts with a known entity - a suspect, or a target of interest. In this example, a "tip" of possible terrorist financing was generated based on a Suspicious Activity Report (SAR) filed with the U.S. Department of Treasury. Working with law enforcement personnel, the tip was investigated to determine the overall threat. The following shows the first level of data.

The tip was originally filed by a bank because they observed a large number of wire transfers to the Middle East by one of their clients. These were initially reported to a field office for a large federal agency, but no additional detail or information turned up. The narrative for the SAR (a description of the suspicious activity as reported by the bank) mentioned that the activity seemed strange for "a small wireless reseller."

The next level of connections, shown below, reveals an address and a phone number for the suspect. This information is contained on the SAR (transaction) filed - thus, this diagram shows the entire detail for the SAR and, at this point, no additional information is known about the suspect based on the data provided (which is what the field office concluded).

Using the VisuaLinks Database Walk feature, the investigator expanded the network one additional level. Since each transaction is filed independently of every other, there is a chance to find networks based on the common use of the same values (e.g., names, addresses, accounts, ID numbers, and phone numbers). In this case, the investigator hit the jackpot. The next diagram shows there were two additional suspects connected to the phone number.

Analyzing this simple bit of data, investigators found that the same suspect was wiring money to different countries in the Middle East. To cover his tracks, he was using variations of the company names such as Wireless Cell, Inc, Wireless Cellular Corp, etc. Additionally, he used a different EIN/SSN (not shown) in two different states at multiple bank branches. Ultimately, the mistake that tied the network together was the reuse of the phone number on the transactions; the cell number of the suspect was recorded on each of the different SAR reports.

The next diagram shows a final expansion of the network. From these two additional suspects, there were five (5) additional SARs that confirmed the transfer of money to the Middle East. Law enforcement was easily able to construct the networks within VisuaLinks using the basic data provided. In fact, the overall network was exposed based on a simple bit of info that other investigators had missed using traditional approaches as well as other software packages.
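The level-by-level expansion described above, as an added Python sketch (not VisuaLinks code and not its Database Walk implementation): filings are linked when they share an address or a normalized phone number, and a shared phone filed more than about six months apart is trusted only when the subject names are also similar. The records, field names and similarity threshold are constructed assumptions.

```python
import re
from collections import deque, namedtuple
from datetime import date
from difflib import SequenceMatcher

# Constructed sample filings (not real data); field names are hypothetical.
Sar = namedtuple("Sar", "id subject phone address filed")
SARS = [
    Sar("SAR-1", "Wireless Cell, Inc", "(555) 010-0199", "12 Main St", date(2010, 1, 15)),
    Sar("SAR-2", "Wireless Cellular Corp", "555-010-0199", "88 Oak Ave", date(2010, 3, 2)),
    Sar("SAR-3", "Wireless Cell Co", "555.010.0199", "4 Pine Rd", date(2011, 6, 20)),
    Sar("SAR-4", "Green Valley Florist", "5550100199", "9 Elm St", date(2012, 9, 1)),
    Sar("SAR-5", "Wireless Cell Co", "555-010-0142", "4 Pine Rd", date(2011, 7, 5)),
]
RECYCLE_DAYS = 183  # about six months: the reassignment window the text warns about
NAME_SIM = 0.6      # assumed threshold for "similar names"

def norm_phone(p):
    return re.sub(r"\D", "", p)  # digits only, so formatting does not hide a match

def similar(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= NAME_SIM

def linked(a, b):
    """Return the attribute that links two filings, or None."""
    if a.address.lower() == b.address.lower():
        return "address"
    if norm_phone(a.phone) == norm_phone(b.phone):
        close = abs((a.filed - b.filed).days) <= RECYCLE_DAYS
        # Far apart in time, the number may have been reassigned: require similar names.
        if close or similar(a.subject, b.subject):
            return "phone"
    return None

def walk(records, seed_id, levels):
    """Breadth-first expansion from a seed filing; returns {id: (level, link_type)}."""
    by_id = {r.id: r for r in records}
    seen = {seed_id: (0, "seed")}
    queue = deque([seed_id])
    while queue:
        cur = queue.popleft()
        level = seen[cur][0]
        if level < levels:
            for r in records:
                via = linked(by_id[cur], r)
                if via and r.id not in seen:
                    seen[r.id] = (level + 1, via)
                    queue.append(r.id)
    return seen
```

Calling `walk(SARS, "SAR-1", 2)` reaches SAR-2 and SAR-3 through the phone number and SAR-5 through SAR-3's address, while SAR-4 (same number, unrelated name, filed years later) stays out of the network.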

The three suspects turned out to be branch companies that may be legit, but have different names (though similar) and different EIN/SSNs. These are company names and the suspect's name isn't directly listed on any of the transactions, though it does come up in one of the narratives. The other SAR filings had similar wire activity and one was filed because deposits for the store showed a significant amount of cash in $20, $50 and $100 bills but very few checks/credit card receipts - which is highly unusual for a cellular phone business.

There is additional supporting evidence in the narrative of one of the SARs, mentioning the account number of the original SAR as an account that he would use to transfer a large amount of money back and forth. Once again, it was not in the account section but the narrative. Overall, this shows a good example of how new types of patterns can be exposed within complex volumes of data.

Visual Analytics Inc.   
Office 240-215-6600   
Toll Free 1-877-407-4VAI (4824)   
info@visualanalytics.com   
Visual Analytics Inc. 50 Citizens Way, Suite 202  Frederick, MD 21701   
Copyright © 1998-2012 - All Rights Reserved.