Turning OSINT Into Smarter Asset Recovery
/Artificial intelligence (AI) has transformed how fraud examiners gather information, but it has also changed how fraudsters operate. During her session on open-source intelligence (OSINT) and asset recovery at the 37th Annual ACFE Global Fraud Conference, Cynthia Hetherington, CFE, founder and CEO of Hetherington Group, asked attendees to rethink how they approach investigations in an era where information is abundant and digital footprints and online activity can reveal emerging risk before fraud occurs.
The session focused on using OSINT to identify, trace and recover stolen assets. Hetherington argued that OSINT’s greatest value lies in helping organizations anticipate risk by combining publicly available information with monitoring and critical-thinking techniques.
AI Changes the Investigative Landscape
“AI isn’t optional,” Hetherington said, emphasizing that fraud examiners must understand how to use AI as part of their investigative toolkit while recognizing its limitations. As AI makes information readily available, says Hetherington, the real challenge isn’t finding information but vetting that information for accurate and trustworthiness.
Hetherington described OSINT as both a noun and a verb. While it refers to intelligence gathered from publicly available information, it’s also an investigative process that requires curiosity, skepticism and analytical thinking. She told conference attendees that most professionals were never formally taught how to conduct research, making it increasingly important to develop strong investigative habits as technology continues to reshape the information landscape.
To illustrate her point, Hetherington showed attendees an AI-generated image and asked them to identify clues that revealed it was artificial. The exercise underscored a broader lesson: fraud examiners can no longer take digital content at face value. Combating confirmation bias and validating information carefully have become essential skills in an environment where manipulated content is becoming more difficult to detect.
“Now that any answer is available,” she said, “it’s a matter of vetting the answers.”
Identifying Risk Before It Escalates
Although the session focused on asset tracing and recovery, Hetherington said that OSINT’s greatest value often appears before assets disappear. Organizations that continuously monitor publicly available information can identify warning signs, emerging threats and reputational risks before they become larger losses.
She pointed to social media as one of the most valuable — and overlooked — sources of information. OSINT extends beyond public records, she explained, encompassing conversations, behaviors and patterns that can provide insight into organizational vulnerabilities.
One example involved an employee who posted a video on TikTok about unionization efforts, turning an internal issue into a nationwide reputational challenge that resulted in customer losses. In contrast, Hetherington cited Starbucks’ response to the 2018 arrest of two Black men in a Philadelphia store, noting that the company immediately closed stores across the county for anti-bias training before social media momentum could amplify the crisis. The comparison showed how organizations that recognize and respond to public sentiment early are often better positioned to manage reputational risk.
Hetherington also discussed the growing influence of coordinated online campaigns and digital influence operations, describing influencers and psychological operations, or “psyops,” as some of the most powerful drivers of public opinion. Viral social media posts have fueled panic buying during supply chain disruptions, while digital marketplaces such as Facebook Marketplace and Craigslist have become targets for fraud despite anti-fraud efforts by Airbnb, VRBO, Uber and Lyft. She said that fraud professionals must focus their understanding not only on financial crimes but also on the methods in which information spreads online and shapes real-world behavior.
“People go on social media to be seen,” Hetherington said. “But what they really want is to be heard.”
She encouraged attendees to think about digital footprints. While some individuals attempt to erase or carefully curate their online presence, others unintentionally reveal valuable information through posts. Vendors, business partners and even friends may unknowingly disclose details that help investigators piece together relationships, timelines and hidden assets. In many cases, she said, OSINT allows investigators to act before a situation escalates into a full-scale crisis.
Understanding Asset Theft Before It Happens
The discussion then shifted to protecting organizational assets before theft occurs. Hetherington emphasized that asset recovery begins with understanding exactly what an organization owns and maintaining thorough records. She encouraged organizations to develop strong accounting systems and inventories that can support insurance claims and recovery efforts following a loss.
"Theft isn't a store problem," she said. "It's a network problem."
Rather than viewing theft as an isolated event, Hetherington encouraged attendees to identify weaknesses throughout an organization. Sometimes, she noted, fraud occurs because someone left a door unlocked or made an impulsive decision during a stressful day.
Asset theft continues to evolve as organizations contend with global pandemics, natural disasters, changing regulations and the rapid adoption of AI. Insider threats remain among the most significant risks, while physical theft increasingly targets retail shelves, gift cards, unsecured parking lots and supply chains. Hetherington also encouraged fraud professionals to become more familiar with cryptocurrency as digital assets continue to play a larger role in financial crime investigations.
Preventing theft requires controls that combine physical security measures with employee awareness and intelligence gathering. Hetherington recommended practical safeguards such as GPS tracking, alternate transportation routes, employee training and collaboration across departments to identify emerging patterns before they develop into larger incidents.
Building a Proactive Fraud Response
Throughout the presentation, Hetherington stressed that organizations should build systems that continuously monitor warning signs and establish clear protocols for escalating concerns. She recommended creating reporting procedures that include severity levels, color-coded risk ratings, and regular intelligence briefings to keep leaders informed of developing threats.
Google Alerts, reverse image searches and routine monitoring of publicly available information can help investigators detect suspicious activity earlier while supporting more informed decision-making.
Hetherington also encouraged attendees to borrow techniques from military and law enforcement by regularly conducting simulations rather than waiting for a real crisis to expose weaknesses.
"I believe in war-rooming," she said. "Military and police are so good because they are constantly training. Fraud professionals do not constantly train or simulate crises until they are faced with one."
Organizations should determine in advance what they’d protect first during a crisis, she said, whether that’s people, financial assets, operations, customer relationships or reputation. Those conversations become more difficult when they occur during an active incident instead of beforehand.
Ultimately, Hetherington argued that OSINT is now an essential capability for organizations seeking to stay ahead of modern fraud. As AI reshapes both criminal activity and investigations, fraud professionals must become more disciplined researchers, more skeptical consumers of information and more proactive in monitoring the digital environment.
"AI is like gravity," Hetherington said. "It's everywhere."
For today’s fraud examiners, understanding that reality may be one of the most valuable and current investigative skills.
