Earmark CPE

Earn CPE Anytime, Anywhere

Fraud

When Bots Listen to Robots and Real Money Disappears

· ·

Picture this: a computer on stage playing songs to an audience of computers. No humans involved, just machines performing for machines in an endless digital loop. Yet somehow, millions of dollars change hands.

This isn’t science fiction. It’s happening right now on streaming platforms, and it’s just one of the mind-bending fraud schemes explored in this episode of Oh My Fraud. Host Caleb Newquist opens with a relatively new conspiracy theory called the Dead Internet, which suggests that most online activity, including posts, likes, followers, and streams, isn’t human anymore. It’s “bots talking to bots, talking to bots,” creating an information superhighway filled with self-driving cars that have destinations but no passengers.

But what happens when someone exploits this artificial ecosystem for real money? That’s exactly what we’re about to find out.

The $121 Million Email That Fooled Silicon Valley

Between 2013 and 2015, a Lithuanian man named Evaldas Rimašauskas pulled off something that shouldn’t have been possible. He convinced two of the world’s smartest companies, Google and Facebook, to wire him $121 million. His method wasn’t sophisticated hacking or complex algorithms. He simply pretended to be someone else.

Rimašauskas impersonated Quanta Computer, a real Taiwan-based hardware manufacturer that actually did business with both tech giants. He set up a company in Latvia under Quanta’s name and opened bank accounts in Latvia and Cyprus. Then his team got to work, calling Google and Facebook customer service lines to gather intelligence, including names of key employees, contact information, and other details that would make their lie believable.

Through phishing emails and what Caleb describes as “a maze of phony invoices, contracts, letters, and corporate stamps,” Rimašauskas created enough confusion to convince someone at Google to update the bank account they had on file for Quanta Computer. In 2013, Google sent $23 million to his account. Two years later, using the same playbook, Facebook wired him $98 million.

The money flowed through accounts across Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. And here’s the kicker: these amounts were so insignificant to Google and Facebook that they “went virtually unnoticed.” As Caleb puts it, “$23 million and $98 million aren’t even rounding errors on the amount of revenue for Google and Facebook. It’s less than pocket change.”

Eventually, someone at Google caught on. Rimašauskas was arrested in March 2017, extradited to the U.S. that August, and pleaded guilty to wire fraud in March 2019. He got five years in prison, and both companies got their money back.

From IT Mogul to Music “Producer” to Alleged Fraudster

Our second story shifts from simple impersonation to something far stranger. Meet Michael Smith, a 52-year-old with a resume that reads like three different people’s lives smashed together.

According to the research, Smith made his first fortune in the 1990s with an IT business where he allegedly wrote “one of the main fixes for the Y2K millennium software bug.” He then ran chains of medical clinics, which landed him in trouble in 2020 when he and two associates paid $900,000 to settle Medicare and Medicaid fraud allegations.

But here’s where it gets weird. At age 39, Smith decided to become a music industry player. Despite having no apparent musical background, he somehow ended up judging a BET hip-hop competition called “One Shot” alongside DJ Khaled, T.I., and Twista. As Wired magazine described it, he was “a relatively unknown record producer with a checkbook” among actual stars.

When Caleb asked producer Zach Frank if he’d ever heard of anyone building a successful music career starting in middle age, Zach’s response was telling: “It’s extremely, extremely rare. Not without money, at least.”

The Streaming Revolution and Its Discontents

To understand Smith’s alleged fraud, you need to understand how dramatically the music industry has changed. Zach, who comes from a family of professional musicians, explained how streaming completely upended the business model.

In the old days, people bought physical albums for $12-15 at stores like Tower Records. Artists made real money from album sales. Then came Napster and peer-to-peer sharing, which Caleb admits using extensively in college. “People were listening to all this music completely in its entirety for free,” he recalls.

Today’s streaming platforms like Spotify and Apple Music operate on a subscription model. Users pay monthly fees for unlimited access, and artists get fractions of pennies per stream. Spotify made $17 billion in 2024 and claims 70% goes to the music industry, but individual artists see almost nothing.

The numbers are staggering. According to Spotify’s former chief economist, more music is released every single day in 2025 than in the entire year of 1989. And here’s what makes it worse: bigger artists negotiate better deals, while smaller artists, as Zach puts it, “get screwed.”

Building an Army of Fake Listeners

This is the landscape Smith allegedly decided to exploit. Starting in 2017, he orchestrated what the Department of Justice calls a scheme to steal millions in royalties by fraudulently inflating music streams.

The mechanics were brilliant in their simplicity. First, Smith created thousands of bot accounts using fake email addresses and names. He even told a coconspirator to “make up names and addresses” but to “make sure everyone is over 18.” He paid $1.3 million in subscription fees because, as Zach explains, paid subscribers generate higher royalty rates than free users.

By October 2017, Smith had 1,040 bot accounts spread across 52 cloud service accounts. Each bot could stream about 636 songs per day, generating approximately 661,440 total daily streams. At half a cent per stream, that meant $3,307 daily, $99,000 monthly, or $1.2 million annually.

But Smith had a problem: he needed content. Lots of it.

When AI Makes Music for Bots to Hear

Initially, Smith used music catalogs from coconspirators and even tried selling his streaming service to other musicians desperate for plays. But as he wrote in May 2019, “I can’t run the bots without content and I need enough content so I don’t overrun each song. If we get too many streams on one song, it comes down.”

His solution? Artificial intelligence. Smith partnered with Alex Mitchell, CEO of an AI music company called Boomy, who began providing thousands of AI-generated songs each week.

The song and artist names were gloriously terrible. Song titles included “Zygotic Washstands,” “Zygoptera,” and “Calvinistic Dust.” Band names ranged from “Calm Knuckles” to “Camel Edible.” As Caleb jokes, “I don’t know what camel edibles are. Perhaps they are THC gummies for camels.”

To demonstrate just how far AI music has come, Zach used Udio.com during the podcast to generate two complete songs about Oh My Fraud in just 10-15 seconds. The results were unnervingly good, professional-sounding tracks that could easily pass for human-created music. “There’s a lot of AI music on Spotify at the moment without people knowing it’s AI,” Zach notes.

Smith used VPNs to hide that all streams came from one location and spread activity across thousands of songs to avoid detection. When flagged for “streaming abuse” in 2018, he protested: “We have no intentions of committing streaming fraud.”

By February 2024, Smith’s scheme had generated 4 billion streams and $12 million in royalties.

Folk Hero or Fraudster?

The reaction to Smith’s indictment has been surprisingly divided. Some see him as a criminal who stole from real artists through the “stream share” system, where royalties are distributed based on each rightsholder’s proportion of total streams. Others view him as a folk hero exposing an exploitative system.

The case raises uncomfortable questions. When the band Vulfpeck released an album of complete silence and asked fans to stream it while sleeping—earning $20,000 before Spotify banned them—was that fraud or performance art? As Zach asks, “If someone’s playing blank music, who are they to say that’s not real?”

Smith has hired the prestigious law firm that defended Diddy and plans to fight the charges vigorously. This will be the first major streaming fraud case fully litigated, potentially setting precedents for how we define fraud in digital spaces.

What We Learned

As Caleb reflects at the episode’s end, these cases reveal something profound about our digital economy. Google and Facebook, companies worth trillions with founders worth hundreds of billions, got tricked by simple schemes. A middle-aged entrepreneur with a checkbook created a phantom musical empire that earned millions.

For accounting professionals, these are warnings about the future of fraud detection. When documentation can be perfectly faked, when bots are indistinguishable from humans, when AI creates content that only machines consume, traditional audit procedures become obsolete.

These cases force us to confront questions about power, technology, and authenticity in the digital age. When companies make billions while creators earn pennies, algorithms determine value instead of human appreciation, and the line between real and artificial completely disappears, that’s when people start rooting for the fraudsters. Not because they’re right, but because the system itself feels so wrong.

Listen to the full episode to hear Caleb and Zach grapple with these questions, including those AI-generated songs that sound disturbingly human. Because in an age where machines create for machines while extracting real value from real people, understanding these frauds helps preserve what makes us human in an increasingly artificial world.

Deloitte’s $440,000 AI Fabrication Scandal Exposes the Accounting Profession’s Deepest Fears

· ·

A startup founder discovered $2.1 million in embezzlement by his co-founder in just 18 minutes using Claude AI. The company’s internal auditors, external auditors, and even the CFO had completely missed it. Meanwhile, Deloitte was forced to refund the Australian government hundreds of thousands of dollars after delivering a report filled with AI-generated fabrications.

In this episode of The Accounting Podcast, hosts Blake Oliver and David Leary dig into these stories. They explore how AI is both exposing massive frauds and creating embarrassing failures, examine the chaos from the government shutdown, and question whether traditional accounting services still matter when 86% of major companies use broken charts that nobody even notices.

When AI Catches What Humans Miss (And Creates What Shouldn’t Exist)

The accounting profession is experiencing an AI identity crisis. On one hand, artificial intelligence can spot complex fraud that teams of professionals completely miss. On the other hand, professionals are using it to generate work that looks legitimate but is actually riddled with fabrications.

Let’s start with Deloitte’s spectacular failure. The Big Four firm charged the Australian government $440,000 AUD (about $290,000 USD) for a 237-page report on welfare compliance systems. The problem? It contained over 20 AI-generated errors, including completely made-up quotes from federal court judgments and references to non-existent academic papers.

Chris Rudge, a Sydney University researcher, spotted the errors immediately. One fabrication attributed a non-existent book to constitutional law professor Lisa Burton Crawford on a topic completely outside her field. “I instantaneously knew it was either hallucinated by AI or the world’s best kept secret because I’d never heard of the book, and it sounded preposterous,” Rudge said.

Even after getting caught, Deloitte insisted its findings and recommendations were still valid. This prompted Australian Labor Senator Deborah O’Neill to observe that Deloitte has “a human intelligence problem.”

But here’s where it gets interesting. While Deloitte was using AI to create fake references, a startup founder used it to uncover real fraud. He exported his company’s QuickBooks data into Claude AI and asked one simple question: “What’s wrong with this picture?”

In just 18 minutes, the AI found what everyone else had missed: 17 fake companies routing $2.1 million to his co-founder’s personal accounts through shell companies. The AI spotted patterns humans overlooked, including fake vendors paid on 23-day cycles while real vendors were paid on 28-day cycles, and payment amounts that followed Fibonacci sequences, which humans subconsciously create when making up numbers.

The founder has since turned this into a business, selling AI-powered fraud detection prompts for $10,000 each to 47 clients. He’s probably making more money from his fraud-detection business than from his original startup.

As Leary points out, this creates both an opportunity and a threat for accounting firms. “The real risk of AI taking accounting jobs isn’t that AI will take the job away. Clients are just going to say, ‘I can do that myself. I don’t need to pay somebody $400,000 to do a half-assed ChatGPT thing.’”

Government Shutdown: When Critical Systems Break Down

The conversation then turned to the government shutdown’s impact on air travel and tax services. The situation has become genuinely dangerous, with cascading failures that reveal how fragile our systems really are.

Air traffic controller-related delays jumped from a typical 5% to 53% as workers called in sick rather than work without pay. Oliver experienced this firsthand when his flight was delayed for hours with no official explanation, though flight attendants privately blamed air traffic control shortages.

The scariest incident happened at Burbank Airport in Los Angeles, where the tower went completely unmanned. “When that happens, there is a backup procedure, which is that the pilots have to do their own air traffic control,” Oliver explains. “They get on a shared frequency and have to communicate with each other. There’s no intermediary. So that not only slows things down. It also creates risk. There’s a huge risk of these planes crashing into each other because they miscommunicate.”

The economic impact is staggering. The US Travel Association estimates $1 billion in weekly losses to the travel economy. Over 750,000 federal workers have been furloughed, while more than a million work without pay. For TSA screeners earning an average of $51,000, the situation is untenable. “If they don’t get paid, they are not paying their bills,” Oliver notes. “They’re going to go drive for Uber to pay the bills.”

The IRS shutdown creates serious problems for accountants. Nearly half of IRS staff have been furloughed. While electronic returns continue processing and automated refunds still flow, human support has collapsed. Phone support is essentially gone, paper returns sit unprocessed, and audits have stopped. Yet interest and penalties continue to accrue, and all deadlines remain in effect.

Adding to the chaos, Trump fired over 4,100 federal workers instead of furloughing them. The Treasury alone lost 1,446 employees, including about 1,300 IRS workers. “It’s the first time in modern history that mass firings have happened during a funding lapse,” Oliver observes.

The administration also created a new “CEO of the IRS” position to bypass Senate confirmation, appointing Frank Bisignano, former CEO of Fiserv, who still owns about $300 million in company stock. This creates obvious conflicts of interest, especially since Fiserv is involved in launching digital stablecoin initiatives. “This is why you have to have hearings. You can’t just appoint somebody to a position,” Leary emphasizes.

When Independence Becomes a Joke

Next, Oliver and Leary discussed how financial entanglements are destroying audit independence while regulators focus on trivial violations.

Take BDO’s current crisis as an example. The firm took a $1.3 billion loan at approximately 9% interest from Apollo Global Management to finance its employee stock ownership plan. The debt forced the company to lay off employees, freeze travel, and conduct emergency cost reviews across all divisions.

But while BDO was giving First Brands a clean audit opinion, Apollo was actively shorting the company. First Brands collapsed months after BDO’s clean audit. “If I’m BDO and I audit a company that is being shorted by a company I took a $1 billion loan from, where’s the independence?” Leary asks. “What is the fraud triangle? Opportunity, rationalization, and financial pressure. All the parts of the fraud triangle are here.”

Meanwhile, EY is celebrating a “dramatic audit quality turnaround,” with its deficiency rate dropping from 46% in 2022 to below 10% in 2025. They achieved this miracle by firing 132 public company audit clients. In other words, the problematic audits didn’t disappear. They just moved to Deloitte and KPMG. “Have we actually achieved anything here? Or have we just shifted the bad audits somewhere else?” Oliver wonders.

The hosts also discussed a new scheme where crypto promoters target CPA firm clients. The Truevestment Bitcoin Legacy Fund wants CPAs to help raise $150 million from their clients, which institutional investors will then match before merging into a Nasdaq entity—essentially a SPAC wrapped in Bitcoin speculation.

The marketing compares buying Bitcoin today to “buying the Dow at 900.” But as Leary points out, when the Dow was at 900 in the mid-1960s, it consisted of companies like AT&T and General Electric—”companies that made things” and created real value, not speculation.

Why Nobody Cares About Financial Reports Anymore

Perhaps the most damning revelation from the podcast’s recent news roundup is that 86% of major companies are using broken charts in their financial reports. A CPA Journal study found bar charts with misleading axes, pie slices that don’t match percentages, and deliberate distortions to exaggerate performance. Of 1,584 charts reviewed, 12% had fatal flaws that completely misrepresented the data.

“The fact that so many of them have errors and nobody’s pointing them out indicates to me that nobody’s reading them,” Oliver observes. Indeed, 10-K filings get downloaded an average of just a few dozen times.

The hosts even shared a bizarre example where social media bots criticizing Cracker Barrel’s new logo caused the stock price to tank. According to Wall Street Journal data, 44.5% of posts about the logo change were from bots. “Maybe nobody cares about your charts because nobody even cares about the financial statements,” Leary suggests.

What This Means for Your Firm

The key insight from Hector Garcia stuck with David: “AI is never going to do perfect accounting, but it’s going to do it good enough.” For most clients, “good enough” financials that they can generate themselves might be perfectly adequate.

Accounting professionals can embrace AI for meaningful fraud detection and insights, or watch clients realize they can generate “good enough” work themselves. As this episode of The Accounting Podcast makes clear, the traditional value proposition of professional accounting services is crumbling. The firms that survive will be those that identify and deliver human value that transcends what AI can do: strategic insight, ethical judgment, and genuine expertise that no algorithm can replicate.

Listen to this episode to understand not just the challenges facing accounting, but what you need to do differently starting today.

The Shadow Economy of Stolen Points That Nobody Talks About

· ·

While you carefully track every penny in your bank account, there’s $100 billion sitting unprotected in forgotten loyalty accounts worldwide. That eye-opening number comes from Kim Sutherland, global head of fraud and identity at LexisNexis Risk Solutions, who recently joined host Caleb Newquist on the Oh My Fraud podcast to discuss the growing threat of rewards and loyalty fraud.

This episode is a perfect companion to the show’s previous exploration of reward program fraud cases, with insights from someone whose team analyzes 120 billion transactions annually. Sutherland pulls back the curtain on how loyalty programs—those everyday rewards we collect at coffee shops and airlines—are a prime target for sophisticated fraud operations.

The $13 Billion Digital Currency You’re Ignoring

The global loyalty management market now exceeds $13 billion, and it’s everywhere you look. As Sutherland explains, “Almost every type of company you interact with has some type of a program to reward their existing customers.” From airlines and credit cards to restaurants, hair salons, auto mechanics, and even schools, businesses use these programs to strengthen customer relationships.

The average person belongs to anywhere from 16 to 20 loyalty programs, but they actively monitor only a fraction of them. This gap creates a perfect opportunity for fraudsters. “They understand the value of each of those rewards points, and they pay more attention to the ones you’re not paying attention to,” Sutherland warns.

These aren’t just marketing gimmicks anymore. “Loyalty points are a form of digital currency,” Sutherland says. People treat them like savings accounts, letting balances grow and planning vacations around accumulated miles. However, your bank account has federal protection and robust security. Your coffee shop points? Not so much.

When Newquist mentions his Starbucks app, calling it “a mini bank within that company,” he highlights a crucial point. These companies handle customer funds and issue digital currency but operate without the strict oversight required of traditional financial institutions.

The dark web has turned these points into a tradable commodity. Sutherland says stolen points have specific dollar values attached and are bought and sold alongside other illegal goods. It’s not just individual criminals either. Fraud has become a business with specialized roles, training programs, and sophisticated operations.

How Criminals Harvest Your Digital Rewards

Account takeover leads the fraud playbook, and it’s devastatingly simple. While you legitimately earn points through purchases, criminals break into your dormant accounts. They either transfer your points to accounts they control or drain them for purchases before you notice.

Because loyalty accounts lack the security of traditional financial accounts, “there is more opportunity for someone to do an account takeover,” Sutherland explains.

The numbers are alarming. Sutherland reports nearly 100% year-over-year growth in loyalty-based fraud across different industries and regions. On the dark web, these stolen points trade like currency. And fraudsters operate like niche service lines—some steal data, others monetize it, and still others provide technical infrastructure.

Synthetic identity fraud takes things to another level. Criminals combine pieces of real information, such as your name, someone else’s address, another person’s phone number, to create fake identities. These synthetic identities can operate for years, building credit and accumulating points across dozens of programs.

“The real problem with synthetic identity fraud is, even if your name had been used, you may never know you were part of the creation,” Sutherland warns. There’s no real victim to report the crime, making detection extremely difficult. These fake identities might start with a jewelry store loyalty program, build credibility, then work up to valuable airline or credit card rewards.

Insider threats add another layer of risk. Travel agents booking trips might divert clients’ points to personal accounts. Employees with system access could redistribute points. Third-party agents in real estate or auto sales can siphon off points customers never knew existed.

The technical sophistication is striking. Fraudsters use device farms—racks of phones running automated scripts—to manage thousands of fake accounts. They employ burner phones, throwaway email addresses, and test security responses by making small account changes before executing major thefts.

The Impossible Balance Between Security and Convenience

“The best form of authentication is one a consumer uses,” Sutherland observes, highlighting the core challenge facing businesses. Companies must balance three competing priorities: privacy, security, and convenience. For consumers, convenience almost always wins.

Unlike employees who follow whatever security protocols their employers require, consumers simply abandon programs that make redemption difficult. As a result, even if businesses implement bank-level security, doing so could destroy the convenience that makes these programs attractive.

The solution Sutherland recommends is passive security measures that work in the background. Companies embed sophisticated tools in mobile apps that analyze device behavior without disrupting user experience. Is the device jailbroken? Has it been associated with previous fraud? Is it moving naturally, or is it part of a static device farm?

Despite technological advances including biometric authentication, AI fraud models, and emerging digital credentials, Sutherland says, “The biggest challenge is still identity verification.” After 20 years of trying, verifying that someone is who they claim to be remains unsolved.

Fighting Back Through Collaboration

Forward-thinking companies now treat loyalty fraud as a brand reputation issue rather than a compliance checkbox. “It is truly trying to ensure that consumers can trust what they’re doing,” Sutherland explains, noting that customers immediately take to social media when something goes wrong.

The response has become increasingly collaborative. Organizations create “fusion centers” where fraud, cybersecurity, and anti-money laundering teams work together. Through LexisNexis’s proprietary network, businesses share fraud intelligence across industries and borders. For example, banks in Singapore share patterns with UK retailers and major financial institutions collaborate on emerging threats.

This cooperation is essential because, as Sutherland notes, “Fraud does not stay within any country. We see the same fraudsters transacting in the US and in France and in South Africa.”

Companies focus on key vulnerability points, particularly when customers change account details. Something as simple as updating an email address or phone number can trigger an account takeover if proper verification isn’t in place. Yet each additional security step risks losing customers to competitors.

What This Means for Accounting Professionals

With $100 billion in unused points, nearly 100% annual growth in loyalty fraud, and criminals operating sophisticated international networks, this is an emerging category of financial crime that could impact your clients.

For businesses, a major loyalty breach can lead to financial loss and potential brand devastation in an era of instant social media backlash. For individuals, compromised loyalty accounts often serve as gateways to broader identity theft, especially through synthetic identity techniques.

Most concerning is that companies can’t simply apply traditional banking security models to loyalty programs. The convenience consumers demand conflicts with the security these digital assets require. As programs expand into every corner of commerce and younger generations treat points as legitimate currency, the attacks will continue.

Accounting professionals should recognize loyalty programs for what they’ve become: an unregulated digital currency that criminals actively exploit. While we’ve been protecting traditional accounts, fraudsters have built infrastructure to harvest value from the rewards programs we ignore.

Listen to the full Oh My Fraud episode with Kim Sutherland to learn specific red flags for loyalty fraud, discover emerging authentication technologies that could protect clients, and understand why those forgotten rewards programs might be your clients’ biggest vulnerability. Because in a world where your morning coffee purchase contributes to a $13 billion shadow economy, treating digital rewards with the same seriousness as traditional currency is just professional prudence.

Your Crypto Loss Might Not Be Deductible (Even Though Your Neighbor’s Is)

· ·

When someone loses $100,000 to a cryptocurrency scammer, the financial blow is devastating. But finding out whether that loss is tax-deductible means navigating rules written decades before anyone imagined digital theft.

In this episode of Tax in Action, host Jeremy Wells, EA, CPA, tackles a confusing area of tax practice: theft losses. While theft has existed forever, the digital age creates entirely new ways for criminals to steal—from “pig butchering” scams to romance frauds—that challenge how we apply old tax laws to new crimes.

The Three Categories That Determine Everything

Before helping clients who’ve been scammed, tax professionals need to understand which of three categories their loss falls into. This distinction can mean the difference between a valuable deduction and no tax relief at all.

Under IRC Section 165, losses fall into three buckets. Losses from a trade or business and losses from transactions entered into for profit—even outside a business—are generally deductible. However, personal losses not connected to business or profit-seeking are the problem area.

The Tax Cuts and Jobs Act eliminated personal casualty and theft losses for 2018 through 2025. The only exception is losses from federally declared disasters. As Wells explains, this even includes theft during disasters, like the looting that happened after Hurricane Katrina when “there was just a general lack of any sort of law enforcement.”

This means two neighbors could lose the same amount to the same scammer, but only the one who was investing for profit gets a deduction. The retiree who sent money for personal reasons? They’re out of luck.

The Three-Part Test Every Practitioner Must Know

Beyond figuring out the category of the loss, Wells explains that courts have developed three essential criteria for any theft loss claim.

First, the theft must have occurred under state law where the loss happened. This requirement isn’t in the tax code or regulations; it comes from court cases trying to define “theft” when the IRS never did. The 1956 Edwards v. Bromberg case said federal courts must look to state law, but as Wells notes, that creates “probably about 50 different definitions, one for each state.”

Second, you must be able to determine the amount lost. For cash or stocks, this is straightforward. But for jewelry or collectibles? You’ll need insurance records, appraisals, or reasonable estimates. Proving value becomes nearly impossible without documentation from before the theft..

Third, you need to know when the taxpayer discovered the loss. This is crucial because it’s not when the theft happened, but when the victim realized it. Wells emphasizes: “That could be the same day, maybe a few hours later. It could be a few days later. It could be weeks, months, or even years later.”

The courts are clear about one thing: simple disappearance isn’t theft. Wells shares the Allen v. Commissioner case, where someone lost jewelry in a museum. Despite searching everywhere, publishing newspaper ads, and filing police reports, the court denied the deduction. Why? The taxpayer couldn’t prove someone actually stole it rather than it just being lost.

Timing Is Everything (And It’s Complicated)

The timing of theft losses works differently than most people expect, especially with digital assets and cryptocurrency.

A theft loss is deductible in the year you discover it; not when it actually happened. But Wells stresses a major catch: if you have a “reasonable prospect of recovery” through insurance or lawsuits, you can’t claim the loss yet. You must wait until you know with “reasonable certainty” whether you’ll be reimbursed.

“It’s not that you go ahead and claim it, and then wait until you receive the reimbursement,” Wells clarifies. “You have to wait until the outcome of that process is actually either known or within a reasonable certainty.”

With cryptocurrency scams, you might have three different dates spread over years: when the theft occurred, when you discovered it, and when you know recovery is impossible. Each delay pushes your potential deduction further into the future.

When Corporate Fraud Doesn’t Count as Theft

Surprisingly, even massive corporate fraud doesn’t create theft losses for shareholders. Wells uses Enron as an example. Investors lost everything due to “fraudulent and illegal activity,” but for tax purposes, these remain capital losses, not theft losses.

The 1975 Payne v. Commissioner case established this rule. Corporate executives don’t have “specific intent to deprive that particular shareholder” of their money. Even when executives commit crimes that destroy your portfolio, you haven’t been “robbed” in the tax law sense.

This distinction matters enormously for crypto investors. When an exchange halts withdrawals or a platform gets “hacked,” you need to determine whether it’s actual theft (potentially deductible if for profit) or platform failure (capital loss at best).

Five Modern Scams and the Profit Motive Test

In 2025, the IRS Chief Counsel addressed five common scams that don’t fit the traditional Ponzi scheme mold. The key factor? Whether victims had a profit motive.

Deductible scams (entered into for profit) include:

  • Pig butchering scams work by “fattening up” victims. Scammers start with small investments that show big returns. Victims invest more and more until the scammer disappears with everything. Because victims expected investment returns, the loss is deductible.
  • Compromised account scams involve criminals convincing victims their accounts need securing. Since victims move investment funds expecting to preserve them, the profit motive remains intact.
  • Phishing scams use fake websites to steal login credentials for investment accounts. Again, the investment nature preserves deductibility.

Non-deductible scams (personal losses) include:

  • Romance scams create fake relationships before asking for funds, often for medical emergencies. There’s no profit expectation; just personal generosity. As Wells emphasizes, “There’s no expectation of profit here. So that makes the theft loss nondeductible.”
  • Kidnapping scams involve fake ransom or bail demands. These are fear-motivated, not profit-motivated, making them personal and nondeductible.

The cruel irony? Two victims could withdraw the same amount from identical IRAs and send it to the same overseas account. But only the one expecting investment returns gets a deduction. The one motivated by love or fear gets nothing—plus they owe tax on the IRA withdrawal.

Lessons from the Experts Who Got It Wrong

Wells ends with a humbling case: Booth v. Commissioner. The taxpayer bought Civil War-era land rights that turned out to be invalid, then got sued after selling them to someone else.

Eighteen Tax Court judges split 10-8 on whether this was theft loss or capital loss. The Ninth Circuit reversed them, saying it was both. When Wells polled tax professionals, only 13% got it right.

“There are a lot of smart tax people out there and they can disagree and they can even be wrong,” Wells reflects. “The important part is that we keep thinking about these issues.”

What This Means for Your Practice

For tax professionals dealing with theft losses, three things matter most:

  1. Document profit motive upfront—not after the loss. The client’s intention when entering the transaction determines deductibility.
  1. Track timing carefully. Discovery dates and recovery efforts affect when (or if) clients can claim losses. This might mean waiting years.
  1. Know the current guidance. The IRS issues new interpretations as scams evolve. What wasn’t deductible yesterday might be tomorrow.

The collision between 1950s legal precedents and 2020s digital crimes creates daily challenges. While the basic rules haven’t changed in 70 years, applying them to cryptocurrency scams and online fraud requires both historical knowledge and modern insight.

For clients devastated by digital-age theft, understanding these rules helps you identify opportunities where they exist and provide clarity where they don’t.

Ready to master these distinctions? Listen to Jeremy Wells’ complete analysis in this episode of Tax in Action, where he breaks down additional examples, Form 4684 reporting details, and why even seasoned professionals struggle with these issues.

Your Airline Miles Are Worth $74 Billion and Hackers Know It

· ·

Ever check your airline miles balance and think, “I should probably use those someday”? Well, fraudsters aren’t waiting. While you casually ignore those reward points, criminals are actively hunting for these digital treasures that have somehow become worth more than the companies that create them.

In this episode of Oh My Fraud, host Caleb Newquist explores the surprisingly vulnerable world of loyalty and rewards programs, revealing how the points flooding your inbox have become prime targets for fraud schemes that affect everyone from frequent fliers to wholesale club members.

The Accidental Billion-Dollar Asset Class

When United Airlines started tracking customers in the 1950s, it gave out plaques and promotional materials—basically corporate swag. Fast-forward to today, and rewards programs look entirely different. American Airlines generated $6.5 billion from its AAdvantage program in 2023 alone—not from selling tickets, but from selling miles.

The economics are almost absurd. As Newquist points out in the episode, airlines create miles for about half a cent each. They’re database entries. Then they turn around and sell these digital tokens to credit card partners for two to three cents per mile. That’s a 400% to 600% markup on something that costs virtually nothing.

“The hilarious thing is that these aren’t tangible,” Newquist observes. “They’re just made up. They’re just digital assets created out of thin air.”

The combined loyalty programs of United, American, and Delta are worth $73.8 billion. Think about that: these made-up points are sometimes worth more than the airlines themselves. And McKinsey estimates 30 trillion unredeemed miles sit in passenger accounts globally. That’s enough for every airline passenger on Earth to take a free one-way flight.

But here’s where things get dicey. Despite sitting on this massive pile of value, major airlines, including Southwest, American, Frontier, and Alaska, don’t offer two-factor authentication for account access. These companies spend millions on aircraft safety but can’t implement basic security that’s been standard in banking for over a decade.

When Your Miles Take an Unexpected Trip

The human cost of this security gap becomes painfully clear through recent victims’ stories. In July 2024, multiple Alaska Airlines customers woke up to drained accounts. One victim lost 150,000 miles, worth about $1,900. Another reported on Reddit that hackers stole over 200,000 miles. The points were being used to book luxury hotels in Abu Dhabi.

Gabrielle Bernardini, a writer for The Points Guy, discovered her Southwest account had been hacked when she received an email confirming a Hampton Inn reservation in Kalamazoo, Michigan—a booking she never made. The fraudster burned through 17,100 points, worth about $240.

Through persistence, Bernardini got her points back. But Southwest made it clear they were only doing it as a “gesture of goodwill” and a “one-time exception.” Their actual policy? “Southwest is not responsible for unauthorized access to a member’s account and will not replace stolen points.” Newquist confirmed that’s still the policy today.

Clint Henderson’s American Airlines nightmare went even further. Fraudsters drained hundreds of thousands of his AAdvantage miles for car rentals. Recovery meant jumping through incredible hoops. American required a new email address for his new account and demanded a PDF or screenshot of his police report. When Henderson went to file the police report, the NYPD’s online system was down. He had to visit a precinct physically, then was told that he couldn’t have a copy of his report until a detective intervened the next day.

Even with proof of fraud, the car rental company that accepted the stolen points simply refused to refund them. Henderson eventually got his miles back from American, but the whole ordeal revealed just how messy these situations can become.

From Sam’s Club to the Gas Pump

The problem isn’t limited to airlines. In May 2024, Sacramento County authorities arrested 38-year-old Inam Rasool after discovering he’d been systematically draining other customers’ Sam’s Club accounts. What started as an attempt to leave with $1,000 in unpaid merchandise turned into something bigger.

Store personnel began monitoring his return visits and uncovered a sophisticated operation. Rasool used stolen Sam’s Cash rewards to buy merchandise, resell it online. When police searched his home, they found over $25,000 worth of electronics, medications, pet food, hygiene products, supplements, and snacks. They also found shipping supplies, a computer, and a label printer for his online sales operation.

Meanwhile, in Peters Township, Pennsylvania, 18-year-old Paul Kostanich was hitting Giant Eagle fuel perks accounts. Video showed him visiting gas stations almost daily, holding his phone to barcode scanners to activate stolen points from different accounts. He admitted to hacking about 20 accounts and faced 58 charges, including identity theft.

One victim’s reaction captured the general disbelief, “I could never imagine someone hacking a Giant Eagle Perks card. I mean, really?”

Why This Keeps Happening

The problem is, rewards programs were never designed as financial assets—they’re marketing tools that accidentally became valuable. As Newquist explains, “They’re just a marketing gimmick developed by corporations that they hope will get us to spend more money with them. And it just so happens that they’re very, very good at doing that.”

From a corporate perspective, the math works out. If rewards fraud costs the industry $1 to $3 billion annually, but these programs generate over $70 billion for just the top airlines, that’s less than 5% lost to fraud. For many companies, it’s just a cost of doing business, especially when they can push losses onto consumers through terms of service that disclaim responsibility.

This creates what Newquist calls a perfect storm for fraudsters. You’ve got valuable assets with minimal protection, companies that won’t pursue prosecution, and victims left holding an empty bag while corporations point to fine print.

Protecting Your Points (Since No One Else Will)

So what can you do? Newquist offers practical advice with characteristic honesty.

First, change your passwords for rewards accounts. “I know you’d have to be a cerebral freak to generate a different password for virtually every account.” But at least make them different from your banking passwords.

Second, use two-factor authentication wherever it’s available. “Is it tedious? Yes. Does it save your bacon 99.9% of the time? Also, yes.”

Third, consider a password manager. Yes, the big ones have been hacked, but the benefits of managing unique passwords outweigh the risks.

Finally, actually check your accounts occasionally. Don’t be obsessive, but treat them with the same attention you’d give a bank balance.

The Bottom Line

Those rewards points you’ve accumulated aren’t just marketing fluff; they’re real value with real vulnerabilities. Companies have created a $74 billion economy from thin air, then washed their hands of responsibility when that value gets stolen.

For accounting professionals, this is a masterclass in risk transfer. For everyone else, it’s a wake-up call. In a world where teenagers systematically drain fuel perks and hackers book Abu Dhabi hotels with your miles, ignorance is an invitation.
Listen to the full episode above for Newquist’s complete investigation, including more cases and why he thinks these programs are essentially “legal money laundering” schemes. And maybe check your rewards balances while you’re at it. Just in case someone in Abu Dhabi isn’t already enjoying them.