romney_ch05.ppt

(1)

C

HAPTER 5

(2)

INTRODUCTION

• Questions to be addressed in this chapter:

– What is fraud, and how are frauds

perpetrated?

– Who perpetrates fraud and why?

– What is computer fraud, and what forms does

it take?

(3)

INTRODUCTION

• Information systems are becoming

increasingly more complex and society is

becoming increasingly more dependent on

these systems.

– Companies also face a growing risk of these

systems being compromised.

– Recent surveys indicate 67% of companies

(4)

INTRODUCTION

• Companies face four types of threats to

their information systems:

–

Natural and political disasters

• Include:

– Fire or excessive heat

– Floods

– Earthquakes

– High winds

– War and terrorist attack

• When a natural or political disaster strikes, many companies can be affected at the same time.

– Example: Bombing of the World Trade Center in NY.

• The Defense Science Board has predicted that attacks on

(5)

INTRODUCTION

• Companies face four types of threats to

their information systems:

– Natural and political disasters

–

Software errors and equipment

malfunction

• Include:

– Hardware or software failures

– Software errors or bugs

– Operating system crashes

– Power outages and fluctuations

– Undetected data transmission errors

• Estimated annual economic losses due to software

bugs = $60 billion.

(6)

INTRODUCTION

• Companies face four types of threats to

their information systems:

– Natural and political disasters

– Software errors and equipment malfunction

–

_{Unintentional acts}

• Include

– Accidents caused by:

• Human carelessness

• Failure to follow established procedures

• Poorly trained or supervised personnel

– Innocent errors or omissions

– Lost, destroyed, or misplaced data

– Logic errors

(7)

INTRODUCTION

• Companies face four types of threats to

their information systems:

– Natural and political disasters

– Software errors and equipment malfunction

– Unintentional acts

–

Intentional acts (computer crime)

• Include:

– Sabotage

– Computer fraud

– Misrepresentation, false use, or unauthorized disclosure of data

– Misappropriation of assets

– Financial statement fraud

(8)

INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer

fraud

(9)

INTRODUCTION

• In this chapter we’ll discuss:

–

The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer

fraud

(10)

THE FRAUD PROCESS

• Fraud

is any and all means a person uses to

gain an unfair advantage over another person.

• In most cases, to be considered fraudulent, an

act must involve:

– A false statement (oral or in writing)

– About a material fact

– Knowledge that the statement was false when it was

uttered (which implies an intent to deceive)

– A victim relies on the statement

– And suffers injury or loss as a result

• The definition is the same whether it is a criminal or civil fraud case.

– The only difference is the burden of proof required.

• Criminal case: beyond a reasonable doubt.

(11)

THE FRAUD PROCESS

• Because fraudsters don’t make journal entries to

record their frauds, we can only estimate the

amount of losses caused by fraudulent acts:

– The Association of Certified Fraud Examiners (ACFE)

estimates that total fraud losses in the United States

run around 6% of annual revenues or approximately

$660 billion in 2004.

• More than we spend on education and roads in a year. • Six times what we pay for the criminal justice system.

– Income tax fraud (the difference between what

taxpayers owe and what they pay to the government)

is estimated to be over $200 billion per year.

(12)

THE FRAUD PROCESS

• Fraud against companies may be committed by

an employee or an external party.

– Former and current employees (called

knowledgeable insiders) are much more likely than

non-employees to perpetrate frauds (and big ones)

against companies.

• Largely owing to their understanding of the company’s

systems and its weaknesses, which enables them to commit the fraud and cover their tracks.

– Organizations must utilize controls to make it difficult

for both insiders and outsiders to steal from the

(13)

THE FRAUD PROCESS

• Fraud perpetrators are often referred to as

white-collar criminals

.

– Distinguishes them from violent criminals,

although some white-collar crime can

ultimately have violent outcomes, such as:

• Perpetrators or their victims committing suicide.

• Healthcare patients killed because of alteration of

(14)

THE FRAUD PROCESS

• Three types of occupational fraud:

–

Misappropriation of assets

• Involves theft, embezzlement, or misuse of company assets for personal gain.

• Examples include billing schemes, check tampering, skimming, and theft of inventory.

(15)

THE FRAUD PROCESS

• Three types of occupational fraud:

– Misappropriation of assets

–

Corruption

• Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.

• Examples include kickback schemes and conflict of interest schemes.

• About 30.1% of occupational frauds include corruption schemes at a median cost of

(16)

THE FRAUD PROCESS

• Three types of occupational fraud:

– Misappropriation of assets

– Corruption

–

Fraudulent statements

• Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.

(17)

THE FRAUD PROCESS

• A typical employee fraud has a number of important elements or characteristics:

– The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.

– Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.

– Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most

fraudsters can’t stop once they get started, and their frauds grow in size.

– The fraudsters often grow careless or overconfident over time. – Fraudsters tend to spend what they steal. Very few save it.

(18)

THE FRAUD PROCESS

• The National Commission on Fraudulent

Financial Reporting (

aka,

the Treadway

Commission) defined

fraudulent financial

reporting

as intentional or reckless conduct,

whether by act or omission, that results in

materially misleading financial statements.

• Financial statements can be falsified to:

– Deceive investors and creditors

– Cause a company’s stock price to rise

– Meet cash flow needs

(19)

THE FRAUD PROCESS

• Fraudulent financial reporting is of great

concern to independent auditors, because

undetected frauds lead to half of the

lawsuits against auditors.

(20)

THE FRAUD PROCESS

• Common approaches to “cooking the

books” include:

– Recording fictitious revenues

– Recording revenues prematurely

– Recording expenses in later periods

– Overstating inventories or fixed assets

(WorldCom)

(21)

THE FRAUD PROCESS

• The Treadway Commission recommended four

actions to reduce the possibility of fraudulent

financial reporting:

– Establish an organizational environment that

contributes to the integrity of the financial reporting

process.

– Identify and understand the factors that lead to

fraudulent financial reporting.

– Assess the risk of fraudulent financial reporting within

the company.

– Design and implement internal controls to provide

reasonable assurance that fraudulent financial

(22)

THE FRAUD PROCESS

• SAS 99: The Auditor’s Responsibility to

Detect Fraud

– In 1997, SAS-82,

Consideration of Fraud in a

Financial Statement Audit

, was issued to

(23)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

–

Understand fraud

• Auditors can’t effectively audit something they don’t understand.

• SAS-99 also indicated that auditors are not lawyers and “do not make legal determinations of whether fraud has occurred.”

• The external auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements.

(24)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

–

Discuss the risks of material fraudulent

misstatements

(25)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

–

Obtain information

• The audit team must gather evidence about the existence of fraud by:

– Looking for fraud risk factors

– Testing company records

– Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the

organization faces.

(26)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

–

Identify, assess, and respond to risks

• Use the gathered information to identify, assess, and respond to risks.

(27)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

–

Evaluate the results of their audit tests

• Auditors must assess the risk of fraud throughout the audit.

• When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.

(28)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

–

Communicate findings

(29)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

– Communicate findings

(30)

THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in

December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

– Communicate findings

– Document their audit work

–

Incorporate a technology focus

(31)

INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

–

Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer

fraud

(32)

WHO COMMITS FRAUD AND WHY

• Researchers have compared the psychological and

demographic characteristics of three groups of people:

– White-collar criminals – Violent criminals

– The general public

• They found:

– Significant differences between violent and white-collar criminals.

(33)

WHO COMMITS FRAUD AND WHY

• White-collar criminals tend to mirror the general

public in:

– Education

– Age

– Religion

– Marriage

(34)

WHO COMMITS FRAUD AND WHY

• Perpetrators of computer fraud tend to be

younger and possess more computer

knowledge, experience, and skills.

• Hackers and computer fraud perps tend to be

more motivated by:

– Curiosity

– A quest for knowledge

(35)

WHO COMMITS FRAUD AND WHY

• They may view their actions as a game rather than

dishonest behavior.

• Another motivation may be to gain stature in the hacking

community.

• Some see themselves as revolutionaries spreading a

message of anarchy and freedom.

• But a growing number want to profit financially. To do so,

they may sell data to:

– Spammers

(36)

WHO COMMITS FRAUD AND WHY

• Some fraud perpetrators are disgruntled and

unhappy with their jobs and are seeking revenge

against their employers.

• Others are regarded as ideal, hard-working

employees in positions of trust.

• Most have no prior criminal record.

(37)

WHO COMMITS FRAUD AND WHY

• Criminologist Donald Cressey, interviewed 200+

convicted white-collar criminals in an attempt to

determine the common threads in their crimes.

As a result of his research, he determined that

three factors were present in the commission of

each crime. These three factors have come to

be known as the fraud triangle.

(38)

The “Fraud Triangle”

Donald Cressey

Pr

es

su

re

O

pp

(39)

The “Fraud Triangle”

Donald Cressey

Pr

es

su

re

Pr

es

su

re

O

pp

(40)

WHO COMMITS FRAUD AND WHY

• _Pressure

– Cressey referred to this pressure as a

“perceived non-shareable need.”

– The pressure could be related to

(41)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes it

non-shareable).

(42)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes in

non-shareable).

-

Fear of loss of status because of a personal

failure

_• _{Example would be mismanagement of}

(43)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes in

non-shareable).

-

Fear of loss of status because of a personal failure

-

Business reversals

(44)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes in

non-shareable).

-

Fear of loss of status because of a personal failure

-

Business reversals

-

Physical isolation

• When an individual is isolated,

physically or psychologically, almost any pressure becomes

(45)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes in

non-shareable).

-

Fear of loss of status because of a personal failure

-

Business reversals

-

Physical isolation

-

Status gaining

• Many frauds are motivated by nothing more than a perceived need to keep up with the Joneses.

(46)

WHO COMMITS FRAUD AND WHY

• The most common pressures were:

-

Not being able to pay one’s debts, nor admit it to

one’s employer, family, or friends (which makes in

non-shareable).

-

Fear of loss of status because of a personal failure

-

Business reversals

-

Physical isolation

-

Status gaining

-

Difficulties in employer-employee relations

(47)

WHO COMMITS FRAUD AND WHY

• What’s important here is the

perception

of the

pressure.

– There might be a number of people who could and would

help a tentative fraudster out of his financial woes.

– But as long as he perceives that he cannot share his

burden, the pressure is present.

– Research has also found that an individual’s propensity to

commit fraud is more related to how much he worries

about his financial position than his actual position.

(48)

WHO COMMITS FRAUD AND WHY

• Financial statement fraud is distinct from other

types of fraud in that the individuals who commit

the fraud are not the direct beneficiaries.

– The company is the direct beneficiary.

(49)

WHO COMMITS FRAUD AND WHY

• In the case of financial statement frauds, common

pressures include:

– To prop up earnings or stock price so that management can: • Receive performance-related compensation.

• Preserve or improve personal wealth held in company stock or stock options.

• Keep their jobs.

– To cover the inability to generate cash flow. – To obtain financing.

– To appear to comply with bond covenants or other agreements. – May be opposite of propping up earnings in cases involving

(50)

The “Fraud Triangle”

Donald Cressey

Pr

es

su

re

O

pp

ort

_un

ity

O

pp

(51)

WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that

allows an individual to:

– Commit the fraud

– Conceal the fraud

(52)

WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that

allows an individual to:

–

Commit the fraud

– Conceal the fraud

(53)

WHO COMMITS FRAUD AND WHY

• Committing the fraud might involve acts

such as:

– Misappropriating assets.

– Issuing deceptive financial statements.

– Accepting a bribe in order to make an

(54)

WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that

allows an individual to:

– Commit the fraud

–

Conceal the fraud

(55)

WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and

effort and leaves more evidence than the actual

theft or misrepresentation.

• Examples of concealment efforts:

(56)

WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and

effort and leaves more evidence than the actual

theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an

account receivable that is about to be written off.

(57)

WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and

effort and leaves more evidence than the actual

theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an

account receivable that is about to be written off.

– Create a ghost employee who receives an extra

paycheck.

–

Lapping.

• Steal a payment from Customer A.

• Apply Customer B’s payment to Customer A’s account so Customer A won’t get a late notice.

(58)

WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and

effort and leaves more evidence than the actual

theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an

account receivable that is about to be written off.

– Create a ghost employee who receives an extra

paycheck.

– Lapping.

–

Kiting.

• Creates “cash” by transferring money between banks.

• Requires multiple bank accounts.

• Basic scheme:

– Write a check on the account of Bank A.

– Bank A doesn’t have sufficient funds to cover the

check, so write a check from an account in Bank B to be deposited in Bank A.

– Bank B doesn’t have sufficient funds to cover the

(59)

WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that

allows an individual to:

– Commit the fraud

– Conceal the fraud

(60)

WHO COMMITS FRAUD AND WHY

• Unless the target of the theft is cash, then

the stolen goods must be converted to

cash or some form that is beneficial to the

perpetrator.

– Checks can be converted through alterations,

forged endorsements, check washing, etc.

– Non-cash assets can be sold (online auctions

are a favorite forum) or returned to the

(61)

WHO COMMITS FRAUD AND WHY

• If the fraud is a financial statement fraud,

then the gains received may include:

– I have to keep my job.

– The value of my stock or stock options rose.

– I received a raise, promotion, or bonus.

(62)

• There are many opportunities that enable fraud.

Some of the most common are:

– Lack of internal controls

– Failure to enforce controls (the most prevalent

reason)

– Excessive trust in key employees

– Incompetent supervisory personnel

– Inattention to details

– Inadequate staff

• Click here for a comprehensive list of

opportunities.

(63)

WHO COMMITS FRAUD AND WHY

• Internal controls that may be lacking or

un-enforced include:

– Authorization procedures

– Clear lines of authority

– Adequate supervision

– Adequate documents and records

– A system to safeguard assets

– Independent checks on performance

– Separation of duties

(64)

WHO COMMITS FRAUD AND WHY

• Management may allow fraud by:

– Not getting involved in the design or

enforcement of internal controls;

– Inattention or carelessness;

– Overriding controls; and/or

(65)

The “Fraud Triangle”

Donald Cressey

Pr

es

su

re

O

pp

(66)

WHO COMMITS FRAUD AND WHY

• How many people do you know who regard

themselves as being unprincipled or sleazy?

• It is important to understand that fraudsters do

not regard themselves as unprincipled.

– In general, they regard themselves as highly

principled individuals.

– That view of themselves is important to them.

– The only way they can commit their frauds and

(67)

WHO COMMITS FRAUD AND WHY

• These rationalizations take many forms,

including:

– I was just borrowing the money.

– It wasn’t really hurting anyone. (Corporations are

often seen as non-persons, therefore crimes against

them are not hurting “anyone.”)

– Everybody does it.

– I’ve worked for them for 35 years and been underpaid

all that time. I wasn’t stealing; I was only taking what

was owed to me.

(68)

WHO COMMITS FRAUD AND WHY

• Creators of worms and viruses often use

rationalizations like:

– The malicious code helped expose security flaws, so I

did a good service.

– It was an accident.

– It was not my fault—just an experiment that went bad.

– It was the user’s fault because they didn’t keep their

security up to date.

(69)

WHO COMMITS FRAUD AND WHY

• Fraud occurs when:

– People have perceived, non-shareable pressures; – The opportunity gateway is left open; and

– They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).

• Fraud is much less likely to occur when:

– There is low pressure, low opportunity, and high integrity.

• Unfortunately, there is usually a mixture of these forces

in play, and it can be very difficult to determine the

(70)

INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

–

Approaches to computer fraud

– Specific techniques used to commit computer

fraud

(71)

APPROACHES TO COMPUTER FRAUD

• The U.S. Department of Justice defines

computer fraud

as any illegal act for

which knowledge of computer technology

is essential for its:

– Perpetration;

(72)

APPROACHES TO COMPUTER FRAUD

• Computer fraud includes the following:

– Unauthorized theft, use, access, modification,

copying, and destruction of software or data.

– Theft of money by altering computer records.

– Theft of computer time.

– Theft or destruction of computer hardware.

– Use or the conspiracy to use computer

resources to commit a felony.

(73)

APPROACHES TO COMPUTER FRAUD

• In using a computer, fraud perpetrators

can steal:

– More of something

– In less time

– With less effort

• They may also leave very little evidence,

which can make these crimes more

(74)

APPROACHES TO COMPUTER FRAUD

• Computer systems are particularly vulnerable to

computer crimes for several reasons:

– Company databases can be huge and access

privileges can be difficult to create and enforce.

Consequently, individuals can steal, destroy, or alter

massive amounts of data in very little time.

– Organizations often want employees, customers,

suppliers, and others to have access to their system

from inside the organization and without. This access

also creates vulnerability.

– Computer programs only need to be altered once,

and they will operate that way until:

(75)

APPROACHES TO COMPUTER FRAUD

– Modern systems are accessed by PCs, which

are inherently more vulnerable to security

risks and difficult to control.

• It is hard to control physical access to each PC.

• PCs are portable, and if they are stolen, the data

and access capabilities go with them.

• PCs tend to be located in user departments, where

one person may perform multiple functions that

should be segregated.

(76)

APPROACHES TO COMPUTER FRAUD

– Computer systems face a number of unique

challenges:

• Reliability (accuracy and completeness)

• Equipment failure

• Environmental dependency (power, water damage,

fire)

• Vulnerability to electromagnetic interference and

interruption

(77)

APPROACHES TO COMPUTER FRAUD

(78)

APPROACHES TO COMPUTER FRAUD

• These frauds cost billions of dollars each

year, and their frequency is increasing

because:

– Not everyone agrees on what constitutes

computer fraud.

• Many don’t believe that taking an unlicensed copy

of software is computer fraud. (It is and can result

in prosecution.)

(79)

APPROACHES TO COMPUTER FRAUD

– Many computer frauds go undetected.

– An estimated 80–90% of frauds that are

uncovered are not reported because of fear

of:

• Adverse publicity

• Copycats

• Loss of customer confidence

– There are a growing number of competent

(80)

APPROACHES TO COMPUTER FRAUD

– Some folks believe “it can’t happen to us.”

– Many networks have a low level of security.

– Instructions on how to perpetrate computer

crimes and abuses are readily available on

the Internet.

– Law enforcement is unable to keep up with

the growing number of frauds.

(81)

APPROACHES TO COMPUTER FRAUD

• Economic espionage

, the theft of

information and intellectual property, is

growing especially fast.

• This growth has led to the need for

(82)

APPROACHES TO COMPUTER FRAUD

• Computer fraud classification

– Frauds can be categorized according to the

data processing model:

• Input

• Processor

• Computer instructions

• Stored data

(83)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(84)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(85)

APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills

• Perpetrator only needs to understand how the system operates

– Can take a number of forms, including: • Disbursement frauds

• The perpetrator causes a company to:

– Pay too much for ordered goods; or

(86)

APPROACHES TO COMPUTER FRAUD

• Input Fraud

• Requires little computer skills.

• Perpetrator only needs to understand how the system operates.

– Can take a number of forms, including: • Disbursement frauds

• Inventory frauds

(87)

APPROACHES TO COMPUTER FRAUD

• Input Fraud

• Perpetrator only need to understand how the system operates

• Inventory frauds • Payroll frauds

• Perpetrators may enter data to:

– Increase their salaries.

– Create a fictitious employee.

– Retain a terminated employee on the records.

• In the latter two instances, the perpetrator

(88)

APPROACHES TO COMPUTER FRAUD

• Input Fraud

• Inventory frauds • Payroll frauds

• Cash receipt frauds

• The perpetrator hides the theft by falsifying system input.

• EXAMPLE: Cash of $200 is received. The

(89)

APPROACHES TO COMPUTER FRAUD

• Input Fraud

• Inventory frauds • Payroll frauds

• Cash receipt frauds

(90)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(91)

APPROACHES TO COMPUTER FRAUD

• Processor fraud

– Involves computer fraud committed through

unauthorized system use.

– Includes theft of computer time and services.

– Incidents could involve employees:

• Surfing the Internet;

• Using the company computer to conduct personal business; or

(92)

APPROACHES TO COMPUTER FRAUD

• In one example, an agriculture college at a major state

university was experiencing very sluggish performance from

its server.

• Upon investigating, IT personnel discovered that an individual

outside the United States had effectively hijacked the

college’s server to both store some of his/her research data

and process it.

• The college eliminated the individual’s data and blocked

future access to the system.

• The individual subsequently contacted college personnel to

protest the destruction of the data.

• Demonstrates both:

– How a processor fraud can be committed.

(93)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(94)

APPROACHES TO COMPUTER FRAUD

• Computer instructions fraud

– Involves tampering with the software that

processes company data.

– May include:

• Modifying the software

• Making illegal copies

• Using it in an unauthorized manner

– Also might include developing a software

program or module to carry out an

(95)

APPROACHES TO COMPUTER FRAUD

• Computer instruction fraud used to be one of the

least common types of frauds because it

required specialized knowledge about computer

programming beyond the scope of most users.

• Today these frauds are more frequent—courtesy

of Web pages that instruct users on how to

(96)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(97)

APPROACHES TO COMPUTER FRAUD

• Data fraud

– Involves:

• Altering or damaging a company’s data files; or • Copying, using, or searching the data files without

authorization.

– In many cases, disgruntled employees have

scrambled, altered, or destroyed data files.

– Theft of data often occurs so that perpetrators can

sell the data.

• Most identity thefts occur when insiders in financial

(98)

COMPUTER FRAUD CLASSIFICATIONS

Processor

Fraud

Input

Fraud

Output

Fraud

Data

Fraud

(99)

APPROACHES TO COMPUTER FRAUD

• Output fraud

– Involves stealing or misusing system output.

– Output is usually displayed on a screen or printed on

paper.

– Unless properly safeguarded, screen output can

easily be read from a remote location using

inexpensive electronic gear.

– This output is also subject to prying eyes and

unauthorized copying.

(100)

INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

–

_{Specific techniques used to commit}

computer fraud

(101)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

• Changing data before, during, or after it is entered into the system.

(102)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

(103)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Denial of service attacks

• An attacker overloads and shuts down an Internet service provider’s email system by sending email bombs at a rate of thousands per second—often from randomly generated email addresses.

(104)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

• Carried out as follows:

– The attacker infects dozens of computers that have broadband

Internet access with denial-of-service programs. These infected computers are the zombies.

– The attacker then activates the

denial-of-service programs, and the zombies send pings (emails or

requests for data) to the target

server. The victim responds to each, not realizing they have fictitious

return addresses, and waits for responses that don’t come.

– While the victim waits, system performance degrades until the system freezes up or crashes.

(105)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

• Experts estimate there as many as 5,000 denial-of-service attacks weekly in the United States.

(106)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Denial of service attacks

 Eavesdropping

• Perpetrators surreptitiously observe

private communications or transmission of data.

• Equipment to commit these “electronic wiretaps” is readily available at

(107)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

• A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.

• Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:

– He had broken into their computer system and obtained personal and banking information about all of the bank’s customers.

(108)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Email forgery (aka, spoofing)

• Involves sending an email message that appears to have come from someone other than the actual sender.

• Email spoofers may:

– Claim to be system administrators and ask users to change their

passwords to specific values.

(109)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Email forgery (aka, spoofing)

 Hacking

• Unauthorized access to and use of computer systems—usually by means of a personal computer and a telecommunications

network.

• Most hackers break into systems using known flaws in operating systems, applications programs, or access controls.

• Some are not very malevolent and mainly motivated by curiosity and a desire to overcome a challenge.

(110)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

• Hacking that attacks phone systems and uses phone lines to transmit viruses

and to access, steal, and destroy data.

• They also steal telephone services and may break into voice mail systems.

(111)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

 Hijacking

• Involves gaining control of someone else’s computer to carry out illicit

(112)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

 Hijacking

 Identity theft

• Assuming someone’s identity, typically for economic gain, by illegally obtaining and using confidential information such as the person’s social security number, bank account number, or credit card number.

• Identity thieves benefit financially by:

– Taking funds out of the victim’s bank account.

– Taking out mortgages or other loans under the victim’s identity.

– Taking out credit cards and running up large balances.

• If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be

(113)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

 Hijacking

• Victims can usually clear their credit, but the effort requires a significant amount of time and expense.

• Identity theft was made a federal offense in 1998, but it is a growing crime industry.

• One U.S. postal inspector, whose job duties involved

(114)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

 Hijacking

 Identity theft

• Identity thieves can steal corporate or individual identities by:

– Shoulder surfing

• Watching people enter telephone calling card numbers or credit card numbers or listening to communications as they provide this

information to sales clerks or others.

– Scavenging or dumpster diving

• Searching corporate or personal records by rifling garbage cans,

communal trash bins, and city dumps for documents with confidential company information.

• May also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.

– Redirecting mail

• Intercepting mail and having it delivered to a location where others can access it.

(115)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Data diddling

 Data leakage

 Eavesdropping

 Email threats

 Hacking

 Phreaking

 Hijacking

• The U.S. Department of Justice suggests the following four ways to minimize the chances of being victimized by identity theft:

– Do not give out corporate or personal information unless there is a good reason to trust the person to whom it is given.

– Check financial information regularly for what should be there, as well as for what should not be there.

– Periodically review your credit report.

(116)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Internet misinformation

• Using the Internet to spread false or misleading information about people or companies.

• May involve:

– Planting inflammatory messages in online chat rooms.

– Websites with misinformation.

– Pretending to be someone else online and making inflammatory comments that will be attributed to that person.

– A “pump-and-dump” occurs when an individual spreads

(117)

run-COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Internet misinformation

• Another common form of Internet misinformation is the spreading of “urban legends”—often by innocently forwarding emails.

– Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the

microwave can cause cancer.

– Before forwarding any emails with negative information about

individuals, companies, or their products, it’s a good idea to check the veracity of the information first.

– Emails with urban legends often attribute their “facts” to credible sources, such as the federal government, Stanford University

researchers, the FBI, etc.

(118)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Internet misinformation

 Internet terrorism

• Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.

(119)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Internet terrorism

 Logic time bombs

• A program that lies idle until triggered by some circumstance or a particular time.

• Once triggered, it sabotages the system, destroying programs, data, or both.

• Usually written by disgruntled programmers.

(120)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Logic time bombs

 Masquerading or impersonation

• The perpetrator gains access to the system by pretending to be an authorized user.

• The perpetrator must know the legitimate user’s ID and password.

(121)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Masquerading or impersonation

 Packet sniffers

• Programs that capture data from information packets as they travel over the Internet or company networks.

(122)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Password cracking

(123)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Password cracking

 Phishing

• Sending out a spoofed email that appears to come from a

legitimate company, such as a financial institution. eBay, PayPal, and banks are commonly spoofed.

• The recipient is advised that information or a security check is needed on his account, and advised to click on a link to the company’s website to provide the information.

• The link connects the individual to a Website that is an imitation of the spoofed company’s actual Website. These counterfeit

(124)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

• One newly graduated college student recently took a job in

California and deposited his first paycheck of approximately $5,000 in the bank.

• That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account.

• He followed directions and provided the requested information to set up online banking.

(125)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

• As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the Website instead.

• PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:

– If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.

– If you need to enter PayPal’s Website, type “https:” in the URL instead of “http:” in order to enter on the company’s secured server.

(126)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

 _{In 2004, a phishing-related scam took place in South America with}

respect to three large South American banks. Once an individual opened the related email, a script was downloaded on their

computer. The script would alter the individual’s Web browser so that if the user entered the URL of one of these three banks, the browser would redirect them to a counterfeit Website for that bank. The oblivious user would provide ID and password information,

(127)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

• Consumer Reports suggests that if you have any questions about the legitimacy of a Website, you should try entering the wrong

(128)

COMPUTER FRAUD AND ABUSE

TECHNIQUES

(129)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

 Piggybacking

• Tapping into a telecommunications line and latching onto a legitimate user before that user logs into a system.

(130)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

 Piggybacking

 Round-down technique

• Made famous in the movie,

Office Space.

(131)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Packet sniffers

 Phishing

 Piggybacking

 Round-down technique

• Involves the theft of tiny slices of money over a period of time.

(132)

COMPUTER FRAUD AND ABUSE

TECHNIQUES



Perpetrators have devised many methods to commit

computer fraud and abuse. These include:

 Social engineering

• Perpetrators trick employees into giving them information they need to get into the system.

• A perpetrator might call an employee and indicate he is the systems administrator and needs to get the