Subscribe & Save!
Subscribe now and save 50% off the cover price of the Indianapolis Monthly magazine.

Catching The Couple Who Conned Amazon

When Amazon noticed a massive scheme to defraud the company happening near Muncie, identifying the culprits required a combination of Big Data research and old-fashioned detective work.

Back in 1995, when Don Howard first joined the Indiana State Police as a road trooper, he didn’t even have a computer in his patrol car. Every time a suspect fled or a robbery was in progress, Howard and his fellow officers had to call the details in to the station. But in the 10 years since he joined the agency’s criminal investigations unit as a detective, crime-fighting technology has advanced exponentially—as has the tech used to commit the felonies. Today, in addition to chasing murderers, thieves, and kidnappers, Howard and his cohorts have to stay ahead of hackers, identity thieves, and online fraudsters. That requires a constant reassessment of policing tools and approaches. “With the state police,” says Howard, “you see changes almost monthly.”

In the spring of 2017, Howard got a call that would test every bit of his accrued skills and those of the Indiana law-enforcement apparatus at large. Online retail giant Amazon contacted the ISP to report that someone in Central Indiana had been defrauding the company for years, stealing and reselling thousands of consumer electronics in what would later be determined a $1.2 million scheme.

Cracking the case would shine a national spotlight on the way law enforcement plies its trade in the Internet Age and help shape the methods of attacking digital crime. It involved a combination of state-of-the-art Big Data analysis and gumshoe detective work. More than anything, though, solving this particular caper required something that’s not always as commonplace, in the past or present, as it ought to be in the U.S.—interagency cooperation., Inc., currently sits at No. 5 on the Fortune 500 list, with annual revenue approaching $233 billion. At its peak last year, the company sold more than 100 million products—everything from books to tablecloths to shoe trees—in a single day. That’s more than 1,157 items per second.

With that sort of volume, the company has adopted a somewhat lenient—and trusting—return policy. For instance, buyers can report any product damaged or malfunctioning and have a replacement shipped to them immediately, without question, even before Amazon receives the faulty original item back from the customer. If the algorithm red-flags a particular member for potential abuse of that policy, like requesting too many refunds or sending back the wrong items, the account is suspended until a human representative decides whether or not there was an intentional violation, in which case the account may be suspended or reported to the authorities.

Starting in 2014, Amazon (which declined to comment for this story) noticed a series of fishy transactions taking place in and around Muncie. Over the course of nearly two years, more than 2,700 electronics products—GoPro digital cameras, Apple laptops, Samsung smartwatches, and Microsoft tablets—had been ordered on different accounts and shipped to the area, only to be reported as having arrived damaged or dysfunctional. Amazon promptly sent replacements at no charge, but never received the original, supposedly faulty items. In each case, the accounts were closed by the consumer before Amazon could take action. The company’s control department noticed a pattern in the addresses attached to the hundreds of accounts. That’s when they decided to call Howard and the ISP.

Over the course of nearly two years, more than 2,700 electronics products—GoPro digital cameras, Apple laptops, Samsung smartwatches, and Microsoft tablets—had been ordered on different accounts and shipped to the area, only to be reported as having arrived damaged or dysfunctional.

At this early stage, all Amazon had was a bulging cache of data—addresses, gift- and credit-card numbers, and IP addresses for the computers where each transaction had originated—connected to hundreds of presumably fake accounts. The company reached out to and worked closely with an ISP Organized Crime and Corruption Unit that typically looks into long-term financial crimes, political corruption, and investment scams. The task force consists of cops like Howard and their counterparts with the Internal Revenue Service Criminal Investigations team. While Howard and the police have the street presence to gather evidence and track suspects, they’re limited when it comes to analyzing and deciphering that amount of information. That’s where people like Jason Hays, a special agent with IRS-CI unit since 2009, came in. “It helps to have multiple people looking at the problem in different ways,” says Hays.

An accounting and computer science major, Hays typically works on tax crimes and money-laundering schemes. He dove into the Amazon data and was struck by the scale of the operation, not only all of the IP addresses, but the dozens of the physical addresses involved—the sheer volume of packages moving through carriers like UPS, FedEx, and the mail. He reached out to the U.S. Postal Service, which assigned the case to Laura Carter, a postal inspector who’s been tackling mail theft and mail fraud for 24 years.

From the beginning, the team worked closely with Nick Linder at the U.S. Attorney’s Office for the Southern District of Indiana in downtown Indianapolis. “The postal service was looking at all of this going through the mail, the IRS had tremendous capacity to analyze data, and the ISP had great on-the-ground presence,” Linder says. “All three came together. Amazon knew it was being defrauded and couldn’t stop it. They have Big Data; we have the search warrants.”

In some ways, the internet has changed everything. In others, it hasn’t changed much at all. The web now offers would-be scammers unprecedented anonymity. But the crooks still leave a trail. “You’re still trying to find who does what, just like you’re dusting for prints,” Linder says. “Now you’re looking for digital fingerprints. The volume of data and the ability to mask identities has increased, but when you use a computer, you leave fingerprints everywhere.” Those prints are IP addresses—unique sets of numbers assigned to every device connected to any computer network. These digital markers do not identify the person punching the keys, but they do confirm the location of the keyboard at the time of use, be it a home, the library, or a coffee shop.

While Hays filtered through the IPs linked to this case, postal inspector Carter traced the physical addresses, which included apartments, houses, post offices, and even shipping distribution centers where packages were apparently picked up before going out on the delivery trucks. She noticed that many of the addresses Amazon pulled were actually slight variations of the same addresses. For instance, one account would be based at an Indy UPS Store at “101 E. Main St.” and another would be for the same store, only at “101 E. Maiiin St.”—a misspelling that Amazon’s computer system would have considered a unique address for a presumably unique account, but that a human postal worker would recognize as the same place and manually direct the packages accordingly. Using this method, the culprits were able to create more than 700 individual Amazon accounts. “With automation, you don’t always catch that,” Carter says. “You had to have somebody physically look at it.”

“You’re still trying to find who does what, just like you’re dusting for prints,” Linder says. “Now you’re looking for digital fingerprints. The volume of data and the ability to mask identities has increased, but when you use a computer, you leave fingerprints everywhere.”

As Hays and Carter pinned addresses, both virtual and actual, Howard and the ISP were checking out those places in person. They staked out locations, looked for surveillance video, and chatted with witnesses. It didn’t take long to zero in on two suspects.

Erin and Leah Finan, both 38, were a married couple living in the Muncie area. Erin had recently been convicted of theft in Madison County and check deception in Delaware County, where Leah had also been charged with theft and check deception. As Howard, Hays, and Carter started physically following the Finans through their day, the seasoned detectives were struck not just by the technical complexity of the scam, but by the amount of time and effort the couple expended to keep the operation moving.

“This was their 9-to-5 job,” says Hays, who, with other investigators, tailed the two picking up hundreds of packages from retail shipping stores and distribution centers all over the state. In fact, it was this physical exertion that eventually led to the Finans’ undoing. “As good as a job as they did [staying anonymous], as well as they planned it out, there were areas where they had to put themselves out there and take a risk,” Hays adds. “It just takes one mistake.”

Though none of the law enforcement agents will talk about specific miscues, the Finans made several, giving the investigators a chance to go back to Linder at the U.S. Attorney’s Office, who sought the necessary warrants. The Finans were arrested in May 2017.

A few months after their arrest, the Finans pleaded guilty to federal mail fraud and money laundering. They confessed to having created hundreds of fake Amazon accounts and stealing more than 2,700 items. They retrieved the stolen goods from retail shipping stores and sold them to a third party, Danijel Glumac of Indianapolis, who also pleaded guilty to money laundering and selling the items. In just over two years, the couple made about $750,000 from the scheme. Erin Finan was sentenced to 71 months in prison; Leah to 68 months; Glumac to 24 months. The three were also ordered to pay full restitution of $1,218,504 back to Amazon.

“It grew on its own,” says Erin Finan, during a phone interview from the Federal Correctional Institution in Ashland, Kentucky. “It grew from need to greed. We knew we were beyond the legality, but we were in too deep. It was a stupid idea, and it cost me five years.”

But the Finans certainly won’t be the last to try defrauding companies through the internet. Authorities are treating this investigation and prosecution as a prime example of how cooperation between agencies can stop these schemes. In October 2017, U.S. Attorney for the Southern District of Indiana Josh J. Minkler announced a plan to bolster the District’s response to such crimes. He cited the Finan case as a demonstration of the commitment to partnering with federal and local law enforcement.

For U.S. Attorney Linder, the Amazon theft represents a new category of crime that’s expanding rapidly. “The internet has allowed criminals to be more anonymous, and it’s increased the scale of small-time frauds,” he says.

For the investigators who worked the case, the successful resolution is a reminder that no matter how far technology advances—both on the criminal and investigation sides—there’s still no replacement for old-fashioned detective work.