The internet is a treasure trove of open source information: We all leave detailed trails of our lives on social media, professional networking platforms, and online forums. For forensic accountants, all of this material can be instrumental in conducting investigations. Cynthia Hetherington is a longtime investigator who has helped accountants and accounting firms conduct open source investigations for nearly three decades. In this podcast, we talk to her about how to navigate the almost limitless amount of information on the internet, some of it deliberately falsified, and how forensic accountants can protect themselves from inadvertently violating someone’s privacy.
What you’ll learn from this podcast:
- What open source information is and why forensic accountants need to use it.
- How to assess and verify the validity of information on the internet.
- Where to find open source information for use in forensic investigations.
- What to do if you accidentally expose someone’s private data.
- What the future of open source investigations looks like.
Play the episode below or read the edited transcript:
To comment on this podcast or to suggest an idea for another podcast, contact Drew Adamek, a JofA magazine senior editor, at Andrew.Adamek@aicpa-cima.com.
Drew Adamek: The internet has transformed our world into a sea of open source information. From social media to professional networking platforms, the internet is awash with nearly limitless information on billions of people, companies, and organizations. For forensic accountants, this digital landscape presents a gold mine of investigative material. But how to navigate the overwhelming size and complexity of all that available information?
For more than 25 years, Cynthia Hetherington has been helping accountants and accounting firms navigate the complex and evolving world of cyber investigations. As the head of the Hetherington Group, based in New Jersey, she has led investigations into fraud, asset recovery, and corporate due diligence.
I'm Journal of Accountancy senior editor Drew Adamek, and today I'll be talking with Cynthia about how forensic accountants can use open source information to become better, smarter investigators, how to verify open source material, and what to do when you encounter information that you should not have.
Cynthia, thank you so much for joining us.
Cynthia Hetherington: Drew, it's my pleasure.
Adamek: What is open source investigative material, and why would a forensic accountant need to use it?
Hetherington: Open source investigative intelligence, material, research as I like to look at it, are sources that are found — commonly accepted today — sources found on the internet that make themselves available to any searcher, and the deeper you can go into it, the better the content. But some great examples of open sources are public records, business documents, SEC filings, people's public proclamations on social media. And then those more traditional open sources might have been the garbage on the curb, the hearsay conversation you overhear at the airport, and other real tenuous bits of information that we build leads from. And then from leads, we hope to build intelligence and then evidence.
Adamek: And how often in your work do you need to rely on open source intelligence?
Hetherington: Drew, my practice here at the Hetherington Group is completely based on open source investigations. If we go back to the school days, you might call it secondary research. There's primary research, which is interview, interrogation, and first-hand experience, and then secondary research, which is the research you do post-event. So, everything that my company does in support of accountant firms or groups that are involved in larger-scale investigations is open source. So, we've built all the support material for that. Today's common investigator, including the forensic accountant, spends probably about 50 percent of their time, if not more, in open source searching.
Adamek: More specifically, what are some of the brand names that my audience might recognize as open source investigative material?
Hetherington: The number one resource for open source investigators is Google, common search engines, and search resources that we use for everything from online investigations of multimillion-dollar lawsuits to finding your next Aruba hotspot location. The nature of open source is that it's not directed as a tool towards anything. Now, when we get into the tools of the business and products that you would actually buy and bring into your office to help do your research, then those open source tools will be Thomson Reuters, LexisNexis, LifeRaft, DarkOwl. These are database providers that aggregate open sources, documents you find on the internet, into cohesive fast-finding report styles that we can do quick due diligences with.
Adamek: We have this sense, or I have this sense rather, of the information on the internet either being unreliable or too dispersed to be useful. How do you, practically, make the wide range of information available on the internet useful?
Hetherington: Not only is the information on the internet so widely dispersed — granted, it's beyond sipping from a fire hose. We're sipping from an ocean of information that's ever changing and so dynamic that it's hard to put your thumb down to make an assertion of a document. And then on top of it, we have false information, which is now traditionally known as “fake news,” and misleading information. So where does a forensic accountant come in and say, "I need to narrow this down to these facts"?
The first thing that a forensic accountant is going to do to build their arsenal, to make them smarter researchers and smarter online investigators is they’re going build their skill set. They're going to find trusted vendors, trusted websites, trusted sources for content, such as AICPA being a trusted website to learn more about accounting in the United States, to learn more about accounting internationally. You know, I can trust that AICPA is going to have good quality information associated with it, not accountants-R-us.com, So we make value judgments based on the source of the information.
From there, we now have to narrow down that large volume, that ocean of water. So you have continual sites that are proving themselves over and over again to being valuable, or provisional source types, such as knowing to use public records, such as knowing and respecting that social media is a source for investigations, but it's something that you have to bring into your report in a guarded way.
Drew, I’ve got to tell you, AICPA has been working at the direction of several lead forensic accountants, well-established accountants within their ranks, and they've created a forensic task force, a technology task force that they invited me on. And we have been working in the last year on a quick reference guide that any of our members or any of our associates can download and use to learn some of the bits and bites about how to do this for themselves.
Because they talk about all the forensic stuff, the tech stuff, the websites to visit, how to verify a source, because it can be complicated. It can be overwhelming, especially when you didn't come out of college in the last 10 years getting taught this trade craft, and now this is completely — I mean, this is not just 10 percent of my work involves internet searching; 50, 60, 70 percent of your accountants are sitting behind a browser window today doing their accounting work.
Adamek: We also have this idea that everything is available on the internet, but are there things that you won't find in open sources?
Hetherington: Drew, what you won't find in open source material, what you shouldn't find, are personal finances, health data, protected information, what's known as personal identifying information. That should not be accessible. So Social Security numbers, dates of birth, all the protected information that's out there should be private or put in secret servers somewhere. It shouldn't be accessible.
However, with the data breaches and the data leaks we have, a lot of your protected information is out there. And it can happen that an accountant or an online investigator can come across this information while they're doing open source searching.
Adamek: And that leads me to a logical question. Are there privacy risks that forensic accountants should be taking into consideration as they're conducting this kind of research?
Hetherington: Absolutely. Accountants and new investigators to this field should be respectful of the country laws that they have in place. In the United States we have Gramm-Leach-Bliley. We have the Fair Credit Reporting Act, Driver’s Privacy Protection Act. We also need to be aware of country acts, even Europe's GDPR. We have to be conscious of all the different laws that protect personal private information.
With that said, open source is still information available in open servers. So you go to www. — whatever — .com, and all of a sudden someone's home address and their date of birth are sitting there. Is the accountant responsible for that or not as they gather it? I can't speak for the legal community or the accounting community, but for the investigative community, we would use the information. We would cite the source that we found it on. If we know it to be information that shouldn't be shared, we will redact the information within our own reports, but we will make the client aware that that information is there, that it is accessible.
It's a very tenuous position to be in, so I would tell any accountant that is in this field, if you come across something that appears to be incredibly sensitive, like someone's health records or their Social Security numbers or other pieces of information, do not repeat the information you have found in your reports. But because you found it in an open, unprotected area, you can make mention of it, if nothing else, for protective purposes. This document is sitting here on this server, and they perhaps don't realize it's not behind a firewall.
Adamek: There’s this old adage that on the internet, no one knows you’re a dog. How can you vet information that you find or find information about people who don't want to be found?
Hetherington: Interestingly enough, I just had an article I wrote about defaulting fake news. How do you figure out what's real and what isn't real on the internet? Because the trend in the next five years is going to be deliberately putting false information to mislead even reputable journalists down the wrong path, because it's just so easy to do these days. So how do we stop the misalignment of bad information? And then how do we support the accountants who are using the internet to conduct research to not pull down bad data for their reports? And that is always by verifying the source.
Go to the source. Where did this information come from? Well, it came from a reputable service. AICPA.org says this is the fact. Well, that's an association. I recognize the web address. It's the one that I use to log into and see what my association chapter is up to. I consider this a valuable source, and I will use and quote them.
But if it came from, again, Accounting Consultants R Us says this, I’m going to guard my report, I’m going to point out where the source came from, I’m going to document that I’m not aware of the source being a vetted or known source, and I’m going to consider it hearsay.
As I mentioned on our call earlier, there's hearsay, there's intelligence, and then there's evidence. And evidence has the highest criteria of authenticity. Evidence means it's a public record filed within a court system. Evidence is a first-hand video recording of an interview. Evidence is the smoking gun in the guy's hand and a body underneath him. Intelligence is the summation that these things all occurred and they're from expected resources and vetted resources and people you know, appreciate, and respect. And hearsay is just, "I saw it on Facebook." And it's exactly — you take it for what it is. It could be true. It's probably true. Maybe it's not true.
If you could tag the information you take off the internet, off of open source searches, in those three boxes: hearsay, intelligence, and evidence, you can really help build a stronger report and have more confidence in the reports that you're writing based on your findings and how you merit them to be valuable or not.
Adamek: Say you are a forensic accountant and you are investigating a suspected case of fraud, how would you go about finding all of the online, or as many of the online personas of your investigative target as possible?
Hetherington: This is a great question. How do we get ourselves involved in a case and locate all those personas that are out there and find every last bit of information that we can locate on a subject? And this is a case that comes through often. So, a forensic accountant gets Bob Smith. Well, let's make it a little easier, Bob Smitheson, as his case. Well how can you start narrowing down to the Bob Smitheson that you need to find?
We usually know a few things about good old Bob. We know maybe where he works, because the employer called you, and he wants a discreet investigation done on Bob Smitheson. We think Bob is stealing money from the company, writing his own little checks or taking money out of the lunch money out of the cafeteria. But we're not convinced completely, and so we want to make sure this is done discreetly, because if we're wrong, we don't want to jeopardize our relationship. So, I have to find out everything about Bob Smitheson.
I know where he works, so I will combine my search — even in Google. You do not need to get an expensive fancy database to do this, but you can go to Google and you can say Bob Smitheson and the company you work for. And more than likely you will find at the very least his LinkedIn account. Now from there we can start developing other leads. From there we could start saying, "Well, it looks like he obviously works at the ABC Company. We know that, and that's located in Foxborough, Massachusetts, so I'm gonna now look for all the Bob Smithesons in the Foxborough area. What else do I know about Foxborough? Foxborough is the home of the New England Patriots. So maybe I'll look for Bob Smitheson and the word Patriots. And I start doing those word combinations with his name to try to ferret out all the potential links.
Now, Drew, another aspect of social media finding is that many of the accounts are interlinked with each other. Bob may have started — gosh, Bob could have started with a Myspace account many years ago, and then when Facebook came out, he went over to Facebook and created his profile there and he abandoned his Myspace account. So it's still sitting there. So we might find older accounts. We'll also find that on his Facebook account he might reference his Twitter account or his Instagram account, because they'll be within links or the actual content of what he's posted in the last year. "Hey, check out my new Instagram account." Or a link right in the profile now that says, "I put my little tweets here, the opinions are my own, but if you want to see my blog, visit Bob Smitheson Patriots Fan-blog.com. So all the accounts get interlinked, and it really is an asymmetrical way of investigations.
This is the very nonlinear type of search, because linear would tell me — I would go into Accurint or TLO or CLEAR. I would pull his background report based on his name and his Social Security number, address. Then I would go from those databases to the internet and I would start looking up his addresses, name. That's a very check-the-box kind of investigation, and it's absolutely appropriate in certain cases, but if I have to find his social media footprint, you have to really reach out like an octopus trying on tap shoes in six different directions at the same time.
So you have to be a critical thinker who can handle looking at multiple pages, multiple screens, and multiple personas. Because you see Bob may also have a love of the Patriots on one page and a hate of them on another. So you have to be prepared to see all those different views. It's a skill set that you develop as you start doing casework and you really get into this. Frankly, that's why forensic accounting firms call us, because we do this all day long, day and night, where we couldn't add two plus two with three calculators and an entire accounting firm. It's our skill set.
Adamek: How would you recommend that forensic accountants regularly incorporate open source intelligence into their investigative practices?
Hetherington: The forensic accountant and open source investigations go hand-in-hand. And the real rationality for me to make that statement with such authority is that the AICPA's team members came to me a year ago, a non-accountant — certainly I've worked with forensic accountants for decades, but I'm not an accountant. I work and support their work. But they came to me and they said, "We need to know what open source intelligence investigators are doing, because forensic accountants do this today. And we need to understand the better practices and the trade craft and how we can get ourselves to this side of the swing versus what we've been traditionally doing. So, I know that you're doing this. I know this is part and parcel of what your work is." And I would say in all my assertiveness, "You're going be doing this every single case."
This is on par with when computer forensics started coming up in the late ’80s and the early ’90s. It wasn't what we were doing. We were all doing one-rate systems probably back then, and all of a sudden computers started coming into the offices. And then the accounting firms at the time are saying, "Hey, how many computer forensics people do we really need on board? When does a computer become part of our investigation?" Today, you couldn't possibly imagine a forensic accountant case coming through without computers involved. This is just the extension, and quite frankly much easier than computer forensics.
So, open source is in every single case. There's always going to be a lead out there. There's always going to be some hearsay that needs to be looked at. And now with social media so prevalent, and so unprotected — I want to stress this. Social media posts are unprotected information. That's international, global. You can look at social media posts anywhere in the world and as long as someone puts out in an open profile for anybody and everybody to see — if you're just clicking around your mouse and you're going to see it, that's open source.
So of all the world's protected information, social media has now really opened up our case abilities and our investigative reach to such unimaginable points. So, we really have an aspect now that we can take full advantage of. I honestly couldn't imagine an investigative group of forensic accountants not using social media and open source today. I just can't imagine that that group still exists in today's investigative needs.
Adamek: Cynthia, thank you so much for joining us.
Hetherington: Well, thank you, Drew. This has been a lot of fun. I hope that everyone checks out the AICPA’s quick guide. It should be out sometime, I believe in 2020, our quick reference guide for doing this type of work. And you can always call or reach out to me if you have any questions.
Adamek: I'm Journal of Accountancy senior editor Drew Adamek, and today I've been talking with Cynthia Hetherington about how forensic accountants can use open source information to become better, smarter investigators. For more information, please visit our website. Thank you for listening.