TalkText to a human — (888) 965-5150Investigators Available Now
Client LoginOrder Services Online
Encyphir Risk Management
← Back to Blog
6 min read

Building an Insurance Fraud Case File That Holds Up

Jeremy Mason
Jeremy MasonDirector of Operations - Florida
April 10, 2026
Building an Insurance Fraud Case File That Holds Up

Table of contents

1. Start with a Reporting Template2. Build the Chronology as You Go3. Preserve Everything4. Make Exhibits Easy to Find5. Statements and Transcripts6. Red Flag and Scheme Analysis7. The Conclusion - and Its Proper Scope8. Handoff to Counsel and ProsecutionWhy Structure Matters9. Integrating Background and Asset Findings10. Coordinating Surveillance Logs with the Written File11. Digital Evidence and Social Media Captures12. Quality Control Before the File Leaves the Desk13. Maintaining the File After Delivery

Categories

Insurance FraudSIUCase Building

A fraud investigation only produces value if the resulting file can actually be used. It needs to support a denial, a rescission, a reduced-value settlement, a civil recovery action, or a criminal referral. Too many investigations produce good evidence in a disorganized form. That evidence then can't stand up in a coverage letter, a deposition, or a prosecutor's intake review. This post walks through how an insurance fraud case file should be built.

1. Start with a Reporting Template

Your SIU should have a standard reporting format. Ours does. The file should follow that template so adjusters, supervisors, defense counsel, and, when warranted, state fraud investigators can navigate it without hunting. Typical sections:

  • Case caption and assignment details
  • Executive summary
  • Investigation chronology
  • Interview summaries and statement transcripts
  • Field investigation narrative
  • Red flag and scheme analysis
  • Exhibits and evidence index
  • Conclusion and recommendation

2. Build the Chronology as You Go

The chronology is the spine of a fraud case file. Every entry should be time-stamped, sourced, and cross-referenced to an exhibit. A good rule: if it's in the narrative, it's in the chronology. The chronology should also read as a standalone document.

3. Preserve Everything

Insurance fraud investigations get attacked on chain-of-custody grounds all the time. Every photograph, video clip, document, recorded statement, and social media capture needs to be preserved in its original form with time-stamp metadata. See our admissible surveillance video post for the video side of this.

4. Make Exhibits Easy to Find

Exhibits should be numbered, indexed, and cross-referenced to both the narrative and the chronology. The worst fraud case file is one where the investigator's narrative makes excellent claims but the evidence behind those claims is buried. Index every photo, every statement, every document, and every video clip.

5. Statements and Transcripts

Recorded statements need to be preserved as the original audio file AND transcribed. The transcript goes in the file. The audio stays preserved in its original format. Any cleanup or timestamp correction gets documented separately. Our recorded statements post covers technique.

6. Red Flag and Scheme Analysis

Beyond "here is what we found," a good fraud case file ties the evidence back to a scheme typology. This does three things:

  1. Explains the pattern to someone who doesn't live in the file.
  2. Supports the conclusion that this is more than coincidence.
  3. Provides the basis for a fraud referral if the case goes that direction.

See insurance fraud red flags and common schemes for the standard typologies.

7. The Conclusion - and Its Proper Scope

An insurance fraud case file's conclusion should support the carrier's decision, not replace it. An investigator documents what was found and how it fits recognized schemes. The decision to deny, refer, or settle belongs to the carrier and counsel.

A good conclusion:

  • Summarizes the evidence
  • Ties it to red flag / scheme typologies
  • Identifies gaps and open items
  • Recommends next steps (EUO, examination under oath, criminal referral, additional investigation)

8. Handoff to Counsel and Prosecution

If the file will move to civil recovery or criminal referral, the recipients need to be able to pick up the file and run with it. That includes defense counsel and, in criminal referrals, the state fraud division. That means:

  • A cover memorandum explaining what the file contains
  • A clean evidence index
  • Original copies of everything preserved
  • Contact information for the investigators who worked the case and can testify

Why Structure Matters

A fraud case file is only as valuable as its reviewer's ability to use it. A fraud referral that arrives at a state fraud bureau in disorganized form gets declined even when the evidence is strong. The structure, then, is part of the evidence.

Our insurance fraud investigation services produce case files in carrier-SIU format. They include the structure, exhibits, and cross-references that civil and criminal action actually require.

9. Integrating Background and Asset Findings

A fraud case file that stops at the loss event tells only half the story. Prior claims history, undisclosed business interests, related-party transactions, and asset positioning often provide the motive and pattern evidence that transforms a suspicious claim into a provable one. A claimant reporting a catastrophic inventory loss looks different when the file shows three prior total-loss claims across two states under variant name spellings. It also looks different when the insured business was quietly transferring inventory to a related entity in the ninety days before the reported event.

This is where insurance background and asset investigations become part of the case file rather than a separate work product. The following records should be attached as exhibits and referenced in the chronology alongside the field investigation:

  • Prior claim database results
  • Corporate filings
  • UCC records
  • Property records
  • Bankruptcy filings
  • Civil litigation history

When a reviewer sees that the claimant's prior three fire losses, the incorporation of a shell entity sixty days pre-loss, and the surveillance observations all appear on the same chronology, the inference becomes difficult to dismiss as coincidence. Keep the underlying database printouts in the exhibit file, not just a summary. Counsel will want to see the source records when they prepare for examination under oath.

10. Coordinating Surveillance Logs with the Written File

Surveillance is often the strongest evidence in a disability, workers' compensation, or bodily injury fraud file. But that only holds if the logs and the video are integrated cleanly into the written record. Each surveillance date should appear in the chronology with a pointer to the corresponding video exhibit, the investigator's field notes, and any still captures pulled for the narrative. If the claimant alleges an inability to lift more than ten pounds and the video shows him loading landscaping equipment into a truck bed, the narrative should cite the exhibit number, the timestamp within the clip, and the corresponding line in the recorded statement or examination under oath where the limitation was asserted.

Our surveillance and activity checks are documented with that kind of cross-reference built in. The surveillance log is not a standalone document. It is a component of the larger file, keyed to the claimant's own statements so the contradiction is visible on the page. For workers' compensation and AOE/COE matters, the file should also reconcile surveillance observations with the medical record, the job description, and the claimed mechanism of injury. A claimant performing activities inconsistent with restrictions is one finding. A claimant performing activities inconsistent with the mechanism he reported to the treating physician is a different and more powerful finding. The file should make both visible.

11. Digital Evidence and Social Media Captures

Modern fraud files almost always include a digital component. Social media posts, marketplace listings, gig-economy activity, geolocation metadata embedded in photos, and messaging app content can corroborate or contradict a claimant's version of events. The challenge is preserving this material in a form that survives authentication challenges. A screenshot pasted into a Word document is not evidence. It is a picture of evidence, and opposing counsel will treat it accordingly.

Captures should be preserved using forensically sound methods:

  • Full-page archives with URL and capture timestamp
  • Original image downloads with EXIF data intact
  • Where possible, archived copies through services that produce hash-verified records

When a claimant deletes a post after receiving a reservation of rights letter, the original capture with preserved metadata is what keeps the evidence alive. For complex digital matters, particularly those involving device data, cloud accounts, or allegations of staged electronic communications, a referral to digital forensics should happen early, before the claimant has reason to start scrubbing. The case file should document when the capture was made, who made it, what tool was used, and where the original preserved copy resides.

12. Quality Control Before the File Leaves the Desk

Before a fraud case file goes to the carrier, counsel, or a state fraud bureau, it should pass an internal review by an investigator other than the case handler. Fresh eyes catch problems like:

  • Missing exhibit numbers
  • Chronology entries that reference exhibits that were renumbered
  • Transcripts that don't match the audio
  • Narrative statements that overreach the underlying evidence

This second-reader review is the single most effective safeguard against the kind of embarrassing inconsistency that defense counsel uses to impeach an entire investigation.

The review should check several things specifically. Every factual assertion in the narrative should trace to an exhibit or a chronology entry. Every exhibit should be referenced at least once in the narrative or chronology. Orphan exhibits signal that something was pulled but never used, which invites questions about selective presentation. The executive summary should not contain any fact that does not also appear, with citation, in the body. The conclusion should identify gaps honestly rather than paper over them. A file that acknowledges what it does not know is more credible than one that pretends to know everything.

13. Maintaining the File After Delivery

A fraud case file is rarely static once it leaves the investigator's desk. Examinations under oath produce new testimony that needs to be cross-referenced. Additional claims surface. Defense counsel requests supplemental investigation. The file should be maintained as a living record, with version control, dated supplements, and a clear indication of what was in the original delivery versus what was added later. When a matter reaches deposition two years after the initial report, the investigator needs to testify from a file that shows exactly what was known, when, and from what source.

Carriers and law firms that work with us on recurring matters often request a standing protocol for file maintenance: how supplements are added, how original deliverables are preserved unchanged, how superseded versions are retained. If your organization is building out SIU capacity or retaining outside investigators for the first time, contact us to discuss how case file standards can be established at the start of the engagement rather than reconstructed later. A fraud program built on consistent file structure produces better outcomes at every stage, from the initial coverage decision through civil recovery and, when the facts warrant it, criminal prosecution.

Related posts

Auto Insurance Fraud: Staged Accidents, Arson, and Owner Give-Ups

Auto Insurance Fraud: Staged Accidents, Arson, and Owner Give-Ups

Jeremy MasonJeremy Mason
Apr 5, 2026
Disability Fraud Investigations: LTD, STD, and SSDI

Disability Fraud Investigations: LTD, STD, and SSDI

Craig BiggsCraig Biggs
Apr 8, 2026
Hard vs. Soft Insurance Fraud: What's the Difference?

Hard vs. Soft Insurance Fraud: What's the Difference?

Ruby ParkRuby Park
Apr 3, 2026