CFE Exam Quiz 01

The following are examples of non covered or unallowable items that might be included in cost reports:
• Expenses for tax penalties, late charges, and promotional advertising
• Costs incurred from a related-party transaction with a mark-up over the costs incurred by the related party
• Expenses that are reimbursed under other programs (e.g., billable medical supplies and therapies)
• Excessive expenses such as hotel, food, and travel expenses for recreational events
• Luxury items (e.g., lavish furnishings, corporate planes, swimming pools, or spas)

Certain relationships between hospitals and physicians result in fraud to insurers and health care programs. Note that whether the relationship is improper often depends on whether the physician is employed by the institution. The following transactions are generally regarded as suspect:
• Payment of any sort of incentive by the hospital each time a physician refers a patient to the hospital
• Provision of free or significantly discounted billing, nursing, or other staff services
• Free training for a physician’s office staff in areas such as management techniques, coding, and laboratory techniques
• Guarantees that provide that, if the physician’s income fails to reach a predetermined level, the hospital will supplement the remainder up to a certain amount
• Low-interest or interest-free loans, or loans that may be forgiven if a physician refers patients to the hospital
• Payment of the cost of a physician’s travel and expenses for conferences
• Payment for a physician’s continuing education courses
• Coverage on the hospital’s group health insurance plan at an inappropriate or very low cost
• Payment for services, such as consultation at the hospital, that require few, if any, substantive duties by the physician or payment for services in excess of the fair market value of services rendered.

The following might indicate that a rent-a-patient scheme is occurring:
• A large influx of non-local patients to a particular clinic; including clusters of patients from a particular location.
• Several non-related procedures on a patient in a short period of time (e.g., a colonoscopy
• Numerous claims by a particular clinic for the following procedures: colonoscopies, septoplasties, circumcisions, and thoracoscopies with sympathectomy
• Parallel procedures on families (husbands, wives, and children) on the same day
• Extremely high staff salaries.
• Charging beyond the average market price for procedures, medical equipment, and devices.

When a patient account or other type of receivable has been determined to be uncollectible, the account is written off to bad debts. It becomes a fraudulent transaction when the account has been written-off prematurely and the balance is subsequently collected, with the proceeds going to the employee. In this scheme, the employee has the opportunity to collect the receivable and divert the funds to himself because companies typically do not keep track of old written-off accounts receivable. Often, old accounts receivable are assigned to a collection agency. These agencies typically are paid on a percentage of the collected amounts. Fraud schemes can be perpetrated by these agencies if the company does not monitor the method by which the agency receives old accounts and the collection process itself. The assignor organization needs to assure itself that the collection agency is being assigned only old accounts and not good accounts that can reasonably be expected to be paid within the normal course of business. Additionally, the organization needs to be sure that the collection agency cannot compromise the indebtedness so that collections are not reported. This would allow the collection agency to compromise indebtedness for its own collection and not remit amounts owed to the organization.

There are several features unique to special care facilities that make them particularly vulnerable to fraud:
• Unscrupulous providers can operate their schemes in volume because the patients are all in the same facility.
• Many patients in special care facilities do not have the legal capacity or ability to be responsible for their own financial affairs and, consequently, are not as likely to report fraud involving their care.
• In some instances, special care facilities make patient records available to outside providers who are not responsible for the direct care of the patient (sometimes in violation of regulations).
• In automated claims environments, scrutiny of the claims at the processor level is inadequate because the automated systems used do not accumulate data that would flag indications of improbably high charges or levels of service in a timely manner.
• Even when abusive practices are detected and prosecuted, repayment is rarely received from wrongdoers because they usually go out of business or deplete their resources so that they lack any resources to repay the funds.
• Patient personal funds are often controlled by the facility’s administration and are an inviting target for embezzlement. Individually, patients generally maintain a relatively small balance in their personal fund’s accounts. Collectively, however, these funds generate a considerable source of income for an unscrupulous special care facility operator or employee.

Many facilities are dependent on outside sources of patient referrals, such as physicians or other clinicians. This dependence has led some hospitals to develop economic relationships in order to obtain referrals:
• Rewarding clinicians who refer patients by referring patients who need outpatient treatment to those clinicians
• Allowing allied health professionals who refer patients to provide therapy for their own patients at the hospital, while not referring allied professionals are not allowed to use the hospital
• Paying medical directors or other physicians an incentive bonus linked to the overall profitability of the hospital
• Paying a physician who is under contract to the hospital but who provides no services

Fraud examiners should look for the following red flags of fraud from psychiatric institutions:
• The treatment takes place far from the patient’s home.
• The patient is on disability.
• The provider’s credentials are questionable.
• Documentation of treatment is lacking.
• Ancillary services are not treatment-oriented.

A fraud examiner should be aware of the following indicators of fraud by insured individuals and beneficiaries under health care programs:
• Pressure by a claimant to pay a claim quickly
• Individuals who hand-deliver claims and insist on picking up their payment in-person
• Threats of legal action if a claim is not paid quickly
• Anonymous telephone or email inquiries regarding the status of a pending claim
• Identical claims for the same patient in different months or years
• Dates of service just prior to termination of coverage or just after coverage begins
• Services billed that do not appear to agree with the medical records
• Billing for services or equipment that are clearly unsuitable for the patient’s needs

The following methods are helpful for detecting insured and beneficiary schemes:
• Conduct utilization reviews of outpatient services to ensure that requested services are necessary.
• Flag future claims of aberrant providers or insureds.
• Develop automated programs that identify excessive charges for prescriptions or medical services above an acceptable level.
• Perform built-in claims to identify and reject duplicate submissions.

The following steps can be used to determine if a company is dealing with an employee who is defrauding the system:
• Pull high-value claim payments. Investigate all unusual patterns by verifying services.
• Review printouts for special payee codes to search for employees.
• Review printouts for a high number of adjusted claims per insured or beneficiary.
• Review printouts of recently canceled contracts for unusual claims activity just prior to cancellation.
• Review address change lists for employee names or unusual activity.

The following might indicate that a rent-a-patient scheme is occurring:
• Large influx of non-local patients to a particular clinic; including clusters of patients from a particular location
• Several non-related procedures on a patient in a short period of time (e.g., a colonoscopy and circumcision on one patient within a few days or even weeks)
• Numerous claims by a particular clinic for the following procedures: colonoscopies, endoscopies, septoplasties, circumcisions, and thoracoscopies with sympathectomy
• Parallel procedures on families (husbands, wives, and children) on the same day
• Extremely high staff salaries
• Charging beyond the average market price for procedures, medical equipment, and devices.

By their very nature, Ponzi schemes are prone to leaving a host of fraud indicators for those unaffected by the investment promoter’s fraudulent claims. Several red flags can help investigators uncover Ponzi schemes:
• Sounds too good to be true: If an investment sounds too good to be true, it probably is.
• Promises of low risk or high rewards: Promoters of Ponzi schemes typically promise implausibly high or quick returns with little risk. As all legitimate investments include some degree of risk, any guarantee that an investment will perform in a certain way is a clear signal that it might be part of a Ponzi scheme.
• History of consistent returns: Any firm that generates remarkably consistent returns regardless of market conditions should raise suspicions.
• High-pressure sales tactics: Reputable investment firms and agents do not push potential investors to act immediately, and legitimate investment opportunities are rarely that time-sensitive.
• The pressure to reinvest: Often, fraudsters keep Ponzi schemes alive by convincing investors to reinvest their profits rather than take a payout.
• Complex trading strategies: Legitimate agents should be able to provide clear explanations about their investment strategies. For obvious reasons, Ponzi-scheme boosters purposefully employ complicated strategies that confound unsophisticated investors.
• Lack of transparency or access: Secrecy surrounding the operations of a financial company should be an immediate warning sign. Ponzi operators are often unlicensed and their supposed investments are typically unregistered. Additionally, a lack of access to regular statements or an online account should trigger an alarm.
• Lack of segregation of duties: Investors should be wary of any financial manager who manages, administers, and retains custody of the fund in question.

Unlike some fraudsters who steal as a result of a perceived need, most identity thieves make a living stealing identities for profit or, at the very least, to supplement their incomes generously. Although he can be an employee, friend, or relative, the fraudster usually falls into one or more of the following profiles:
• Been convicted, served time in prison, wishes to conceal his identity
• Been convicted, served time in prison, and is looking for a “safer” way to commit a crime and stay out of prison
• College student looking for an “easy” way to work his way through school
• Landlord
• Rental car agent
• Undocumented immigrant needing an identity
• Illegal telemarketer

While an individual might think that he is careful with his personal information, in reality, a lot of information can be easily found and acquired by identity thieves without him even realizing it. An innocent inquiry for the most basic of information, such as verifying an address or mother’s maiden name for a banker’s files can be the start of a financial nightmare. The most common ways information is obtained are:
• Sorting through discarded trash
• Shoulder surfing
• Searching through coworkers’ desk drawers
• Stealing incoming or outgoing mail
• Using an accomplice within the organization
• Soliciting identifiers through false job application schemes
• Checking utility companies, health clubs, and schools
• Examining certifications and licenses placed on workplace walls
• Using pretext, ruse, or gag calls
• Looking at rental and loan applications
• Consulting public records
• Using the Internet

There are many ways that fraud examiner can track down an identity thief. Some require the assistance of law enforcement, while others do not. Examples of techniques that have been successfully used to catch an identity thief are:
• Establish surveillance of the address in question.
• Have overnight delivery services “flag” the address in question.
• Obtain a subpoena or court order for the telephone records for the telephone(s) being used by the perpetrator.
• Contact credit bureaus and have them “flag” the true account holder’s file.
• Obtain videos from retailers showing the perpetrator making purchases using the victim’s identity.
• Obtain a copy of the perpetrator’s picture on the fictitious driver’s license.
• Track down addresses and telephone numbers that do not belong to the victim but show up in the person’s file.

How do you protect yourself and your clients from identity theft? Some useful methods are:
• Before providing personal information, make sure the individual or business requesting it has a valid reason for requiring the information.
• Never write your credit card numbers or government identification number on checks or on the outside of envelopes.
• Don’t give account numbers over the telephone or to persons/companies with which you are not familiar.
• Don’t use mobile phones, cordless phones, unsecured Wi-Fi, or email to transmit financial or private personal information.
• Keep all financial documents in a secure place.
• If you have your driver’s license information pre-printed on your checks, shred canceled checks before discarding them.
• Check your financial information regularly, looking for what should and shouldn’t be there.
• Obtain a copy of your credit report on a regular basis.
• Shred pre-approved credit applications.
• Have yourself taken off of pre-screened lists.
• Mail bills from the post office or your business location.
• Consider having your name and telephone number removed from the telephone directory or having the address removed.
• Don’t provide personal information over the telephone unless you initiated the call and know with whom you are speaking.
• If telemarketing companies call, tell them that you want to be on their “do-not-call” list.
• Keep your birth certificate in a safe place.
• Choose passwords that are difficult to figure out, and use different passwords for all accounts.
• Change passwords and PIN codes often.
• Don’t put your government identification number on any document that you are not legally required to.
• Shred any papers with financial information and identifiers rather than simply throwing them in the trash.

How do you protect yourself and your clients from identity theft? Some useful methods are:
• Before providing personal information, make sure the individual or business requesting it has a valid reason for requiring the information.
• Never write your credit card numbers or government identification number on checks or on the outside of envelopes.
• Don’t give account numbers over the telephone or to persons/companies with which you are not familiar.
• Don’t use mobile phones, cordless phones, unsecured Wi-Fi, or email to transmit financial or private personal information.
• Keep all financial documents in a secure place.
• If you have your driver’s license information pre-printed on your checks, shred canceled checks before discarding them.
• Check your financial information regularly, looking for what should and shouldn’t be there.
• Obtain a copy of your credit report on a regular basis.
• Shred pre-approved credit applications.
• Have yourself taken off of pre-screened lists.
• Mail bills from the post office or your business location.
• Consider having your name and telephone number removed from the telephone directory or having the address removed.
• Don’t provide personal information over the telephone unless you initiated the call and know with whom you are speaking.
• If telemarketing companies call, tell them that you want to be on their “do-not-call” list.
• Keep your birth certificate in a safe place.
• Choose passwords that are difficult to figure out, and use different passwords for all accounts.
• Change passwords and PIN codes often.
• Don’t put your government identification number on any document that you are not legally required to.
• Shred any papers with financial information and identifiers rather than simply throwing them in the trash.

How do you protect yourself and your clients from identity theft? Some useful methods are:
• Before providing personal information, make sure the individual or business requesting it has a valid reason for requiring the information.
• Never write your credit card numbers or government identification number on checks or on the outside of envelopes.
• Don’t give account numbers over the telephone or to persons/companies with which you are not familiar.
• Don’t use mobile phones, cordless phones, unsecured Wi-Fi, or email to transmit financial or private personal information.
• Keep all financial documents in a secure place.
• If you have your driver’s license information pre-printed on your checks, shred canceled checks before discarding them.
• Check your financial information regularly, looking for what should and shouldn’t be there.
• Obtain a copy of your credit report on a regular basis.
• Shred pre-approved credit applications.
• Have yourself taken off of pre-screened lists.
• Mail bills from the post office or your business location.
• Consider having your name and telephone number removed from the telephone directory or having the address removed.
• Don’t provide personal information over the telephone unless you initiated the call and know with whom you are speaking.
• If telemarketing companies call, tell them that you want to be on their “do-not-call” list.
• Keep your birth certificate in a safe place.
• Choose passwords that are difficult to figure out, and use different passwords for all accounts.
• Change passwords and PIN codes often.
• Don’t put your government identification number on any document that you are not legally required to.
• Shred any papers with financial information and identifiers rather than simply throwing them in the trash.

• Start keeping detailed records.
• File a police report with your local law enforcement agency and keep a copy of that report. Many banks and credit agencies require such a report before they will acknowledge that a theft has occurred.
• If your wallet or purse is stolen, immediately cancel your credit and debit cards and get replacements.
• Put a “stop payment” on all lost or stolen checks.
• Report unauthorized charges and accounts to the appropriate credit issuers and credit bureaus immediately by phone and in writing. Change account numbers or close all accounts that are affected by the fraudulent activity.
• Check for and repair further breaches of your identity.
• Notify law enforcement agencies (e.g., Federal Trade Commission or Federal Bureau of Investigation in the United States).
• Contact the primary credit reporting bureaus to have a security alert or freeze placed on your credit report, and request a copy of your credit report and review it for unauthorized account activity.

Hacking refers to the use of technology to gain unauthorized access to sensitive information on a computer system. The desire to gain unauthorized access to computer systems can be prompted by several motives, from simple curiosity—as exemplified by many hackers—to computer sabotage or espionage. Intentional and unjustified access by a person not authorized by the owners or operators of a system might often constitute criminal behavior. Unauthorized access creates the opportunity to cause additional unintended damage to data, system crashes, or impediments to legitimate system users. Often, however, hacking is motivated by profit. There are several types of hackers. Black-hat hackers are malicious hackers who infiltrate computer systems for criminal purposes. Conversely, white-hat hackers are well-intentioned hackers who are hired to identify weaknesses in an organization’s network before they are exploited by malicious hackers. Hacktivists are politically motivated hackers; they commit cybercrimes, including data breaches, to gain publicity, earn public support, gather new members, embarrass their targets, and so on. Hackers use various ways to gain unauthorized access to computer systems. Often, unauthorized access is accomplished from a remote location using one of several means. The perpetrator might be able to take advantage of lax security measures to gain access or might find loopholes in existing security measures or system procedures. Frequently, attackers gain unauthorized access by impersonating legitimate system users; this is especially common in systems where users employ common passwords or maintenance passwords found in the system itself.

Social engineering is a method for gaining unauthorized access to a computer system in which the attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker’s intended scheme. Often, social engineering schemes attack companies, and when carrying out these attacks, the attacker tricks one of the target company’s employees into revealing information. The hacker might assume a number of different guises to accomplish this deception. He might pose as a new or temporary worker and ask IT employees for a password so that he can begin work. Alternatively, he might pose as someone in a position of authority and intimidate employees into revealing confidential information. Deception, however, is not always required. In large corporations, attackers can take advantage of certain anonymity among employees. By donning office attire, they can blend into the crowd and peruse the premises, providing them with an opportunity to obtain a password written down at an employee’s desk. To prepare for social engineering schemes, the attacker might search a company’s dumpster for relevant documents, such as internal telephone directories and correspondence.

To review, malware is an umbrella term for any kind of malicious software, including viruses, worms, Trojans, and spyware. Malware can infect computer systems from many sources. Some of the more common carriers of malware include:
• Unknown or unchecked application software
• Infected websites
• Banner ads
• Software or media employees bring to work
• Files downloaded from the Internet
• Infected software from vendors and suppliers
• Uncontrolled and shared program applications
• Demonstration software
• Freeware and shareware files
• Email attachments

By using strings of code, virus programmers can infect a computer with a virus through various means (e.g., downloads, email, portable media, or websites) and then watch their work spread. Viruses can be designed to modify infected systems in various ways.

Modifications caused by viruses include making a copy of the virus program, which can then go on to infect other programs. Like its biological counterpart, a computer virus can replicate itself and cause damage to its host. Moreover, a computer virus can spread from one computer to another. Thus, unsuspecting users who swap disks or send programs to one another over a network can spread the infection from computer to computer. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus. A virus can do anything that other programs do; the only difference is that it attaches itself to another program and secretly executes itself every time the host program is run. Once a virus begins executing, it can perform any number of functions, including erasing files and programs.

Considered a subclass of a virus, a computer worm is a malicious self-replicating computer program that penetrates operating systems to spread malicious code to other computers. Worms have many of the same effects on a system as computer viruses. A worm is self-contained but, unlike a virus, does not need to be part of another program to propagate itself—a worm can spread by itself. Worms are often designed to exploit the file transmission capabilities of computers (e.g., email) and are almost always spread through email, networks, and online chat. In addition to replication, worms are designed to perform a variety of functions, such as deleting files on a host system or sending documents via email. Worms may be multi-headed and carry other executables as a payload. But even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. For example, Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R, and Shimgapi, was a computer worm that became the fastest spreading email worm, causing the Internet to slow down at the peak of its spread in January 2004. Worms can also carry backdoors as payloads, and once a system is infected with such worms, the compromised systems are used for various functions such as spamming or to collect information located on the host. Like viruses, worms can infect the boot sector. Similarly, network worms use network connections to spread from system to system. Once active within a system, a network worm can behave like a computer virus or bacteria (i.e., programs that do not explicitly damage any files or other data), implant Trojan horse programs, or perform any number of disruptive or destructive actions. Network worms are designed to penetrate systems—the worm attempts to plant replicas of itself on other computers in a network. And although these programs can exist without damaging files, they reproduce at rapid speeds, saturating networks and causing them to collapse.

Crimeware is not a type of malware, but rather a classification of malware denoted by its intent to facilitate criminal behavior. Crimeware can be described as malware designed to simplify or automate online criminal activities, such as programs to fraudulently obtain financial gain from the affected user or other third parties. Crimeware might result in any of the following:
• Theft of private information
• Identity theft
• Financial losses through the theft of online passwords
• Financial losses through accessing online services
• Invasion of privacy
• Loss of productivity because of system slowdowns, system errors, and so on
• Unwanted advertising (e.g., spam or pop-ups)

The following are some symptoms that might indicate a malware infection:
• The system suddenly, and for no apparent reason, slows down its response time to commands.
• The computer stops responding or locks up frequently.
• The computer crashes then restarts every few minutes.
• The computer restarts on its own.
• The computer does not run as usual.
• The computer experiences a sudden and sometimes dramatic decrease in free space.
• The size of some files increases.
• The operating system or other programs and applications begin behaving in unpredictable ways.
• Files cannot be accessed or are suddenly erased with no warning

The following are some symptoms that might indicate a malware infection:
• There has been a change in the length of executable files, a change in their content, or a change in their file date or time stamps.
• Disks or disk drives are inaccessible.
• An attachment that was recently opened has a double extension, such as a .jpg, .vbs, .gif, or .exe extension.
• The system does not boot up.
• There are unusual graphics and messages.
• The user cannot access a hard disk drive.
• There are unexplained and repeated maintenance repairs.
• There are unexplained changes to memory.
• System or data files disappear or become fragmented.
• Items cannot be printed correctly.
• Unusual error messages appear.
• Menus and dialog boxes are distorted.
• New icons, which are not associated with any new programs, appear on the desktop.
• Programs experience unexplained changes in size.
• The antivirus program is disabled for no reason.
• The antivirus program cannot be restarted.
• Antivirus program displays messages stating that a virus has been encountered.
• The Web browser’s home page is changed automatically.
• When performing an Internet search, the Web browser visits a strange site.
• The user is unable to stop the excessive popup windows that appear without cause.
• The user receives a lot of bounced back email.
• There is evidence that emails are being sent without the user’s knowledge.
• Unusual and unexpected toolbars appear in the system’s Web browser.

The following are some symptoms that might indicate a malware infection:
• There has been a change in the length of executable files, a change in their content, or a change in their file date or time stamps.
• Disks or disk drives are inaccessible.
• An attachment that was recently opened has a double extension, such as a .jpg, .vbs, .gif, or .exe extension.
• The system does not boot up.
• There are unusual graphics and messages.
• The user cannot access a hard disk drive.
• There are unexplained and repeated maintenance repairs.
• There are unexplained changes to memory.
• System or data files disappear or become fragmented.
• Items cannot be printed correctly.
• Unusual error messages appear.
• Menus and dialog boxes are distorted.
• New icons, which are not associated with any new programs, appear on the desktop.
• Programs experience unexplained changes in size.
• The antivirus program is disabled for no reason.
• The antivirus program cannot be restarted.
• Antivirus program displays messages stating that a virus has been encountered.
• The Web browser’s home page is changed automatically.
• When performing an Internet search, the Web browser visits a strange site.
• The user is unable to stop the excessive popup windows that appear without cause.
• The user receives a lot of bounced back email.
• There is evidence that emails are being sent without the user’s knowledge.
• Unusual and unexpected toolbars appear in the system’s Web browser.

Prevention is the best approach to combating viruses and other malicious software. Although prevention efforts can reduce the number of successful attacks, absolute protection is generally impossible to achieve. But even so, the following measures can help avoid infection from a malicious program:
• Use anti-malware software to scan all incoming email messages and files.
• Regularly update virus definitions in anti-malware programs.
• Use precaution when opening emails from acquaintances.
• Do not open email attachments unless they are from trusted sources.
• Only download files from reputable sources.
• Regularly update the operating system.
• Regularly updated with the latest security patches available for the operating system, software, browser, and email programs.
• Ensure that there is a clean boot disk to facilitate testing with antivirus software.
• Use a firewall and keep it turned on.
• Consider testing all computer software on an isolated system before loading it.
• In a network environment, do not place untested programs on the server.
• Secure the computer against unauthorized access from external threats such as hackers.
• Keep backup copies of production data files and computer software in a secure location.
• Scan pre-formatted storage devices before using them.
• Consider preventing the system from booting with a removable storage device; this might prevent accidental infection.
• Establish corporate policies and an employee-education program to inform employees of how malware is introduced and what to do if malware is suspected.
• Encourage employees to protect their home systems as well. Many malware infections result from employees bringing infected storage devices or files from home.