Why Fraud Investigators Can’t Overlook Email
Adam Garside and Adam Brun
Communication is shifting to mobile and apps, but email remains vital to effective e-discovery.
As business communications increasingly migrate to text messaging, WhatsApp, Slack and other applications, those tools naturally come into scope when investigating corporate fraud. Combine this trend with the increasing number of high-profile investigations in regulated industries—where pertinent emails are exposed and laid out in the public domain—and it would be reasonable to predict that those engaging in fraud and misconduct would choose to move incriminating conversations off email altogether.
But in our experience, even in our most recent investigations, email remains one of the most valuable sources of information. Whilst many of the communications related to a fraud might be reserved for mediums perceived as more secure and private, email almost always provides the key details and corroborating information required to uncover facts and establish a timeline.
We’re not arguing that new tools and applications are not gaining a larger share of communications. And it’s true that e-discovery on those platforms can be complicated: many feature end-to-end encryption, and accessing their data typically requires access to an employee’s personal mobile device, which can be difficult to obtain without that individual’s permission. Further, the data those platforms contain is controlled by social media companies, app developers and other third-party organisations.
But while the most pertinent communications may be beyond an investigator’s reach, much of the evidence they need to construct narratives and timelines around corporate fraud can still be found in email. For one thing, in any fraud investigation commenced today or any time in the next few years, it’s quite likely that the underlying behavior began at a time when email was still the favored communication tool.
Even if the behavior started more recently, or if those involved confined all of their communications about the fraud to outside applications, they almost certainly continued to use email for routine business purposes. Contacts, travel arrangements and people’s whereabouts—the very details that investigators need to piece together and corroborate corporate fraud cases—regularly get uploaded to a company’s Outlook servers.
Any investigation strategy that doesn’t prioritise the collection of email risks losing critical information at the outset of a fraud inquiry. To avoid such a misstep, business leaders who suspect malfeasance should set aside preconceptions about the value of various communications and take two crucial steps.
1) Collect and preserve email and other electronic assets as soon as you become aware of (or even suspect) the potential for fraud.
One of the first things the involved employees will do when they get wind of an investigation is destroy electronic documents—including emails. The sooner you move to preserve and collect what’s left, the easier it will be to identify what’s missing and start hunting for it. Legal holds and data-deletion prevention measures on mail servers also can be highly useful in preserving email and other important documents.
We have heard some concerns that the European Union’s General Data Protection Regulation can be an obstacle to early data collection. But the UK’s Data Protection Act of 2018 and other legislation contain exemptions that are likely to apply when the processing activity is in connection with current or prospective legal proceedings, or in connection with the prevention or detection of crime.
2) Search the cloud and company-owned devices.
A company’s cloud will contain multitudes of relevant information—email, calendars, office documents—which are easily captured by e-discovery. Cloud systems like OneDrive and instant-messaging platforms such as Skype also possess valuable information and can quickly be placed on legal hold.
Data that can’t be recovered or that doesn’t live on the cloud may live on company devices used by employees and third parties, so it's important to take images of those devices as soon as practicable. Doing so can reveal many types of relevant information for investigators. These include browsing histories, documents, types of USB devices that have been connected, where the device has been and social media histories.
As investigators and e-discovery practitioners, our job is not to discriminate between information sources, but to collect and analyse potentially relevant material in corporate fraud matters. Today, and for the foreseeable future, much of that material is still likely to reside in email.