Time Will Tell

Our client was a medium-sized company, which sold expensive luxury goods. The suspect was a 68-year old man, employed as the CFO. He had never been in legal trouble, but the evidence showed that the two-factor authentication authorizing the transfer was delivered to, and confirmed from his cellphone.

He denied all knowledge of the wire transfer, and could not explain why the MFA was executed from his phone. Our client didn’t know what to believe, so they hired Blackfish.

By comparing the bank’s transaction records with the CFO’s phone records, we discovered that there was a 1-hour time difference between the two. This meant that our client’s phone was apparently in another time zone, but we knew that was not true after forensically downloading his phone/location data. Through further investigation, we discovered that the office manager (who turned out to have a history of embezzlement) in the office had taken an opportunity to make a copy of the client’s SIM card one day when he had left his phone on his desk and stepped out of his office. To distance himself from the crime, he then sent the cloned SIM card to an associate in the next state, who then put it into a burner phone, essentially cloning the client’s phone. The office manager then used his inside knowledge to set up the wire transfer, and when the MFA was sent, the accomplice received the code and immediately authorized the transaction.

The office manager confessed after being confronted, given the opportunity to avoid police involvement as long as the money was recovered. He coordinated with the accomplice to have the money returned, at which point he was fired. Our clients recovered all but $10K, and were very happy with the results.