HAPTER 5

1
HAPTER 5
Original source By Marshall Romney
www.acis.pamplin.vt.edu/faculty/wallace/3504/Chapt
er5.ppt

• Computer Fraud and Security

2
INTRODUCTION

• Questions to be addressed in this chapter
• What is fraud, and how are frauds perpetrated?
• Who perpetrates fraud and why?
• What is computer fraud, and what forms does it
  take?
• What approaches and techniques are used to commit
  computer fraud?

3
INTRODUCTION

• Information systems are becoming increasingly
  more complex and society is becoming increasingly
  more dependent on these systems.
• Companies also face a growing risk of these
  systems being compromised.
• Recent surveys indicate 67 of companies suffered
  a security breach in the last year with almost
  60 reporting financial losses.

4
INTRODUCTION

• Include
• Fire or excessive heat
• Floods
• Earthquakes
• High winds
• War and terrorist attack
• When a natural or political disaster strikes,
  many companies can be affected at the same time.
• Example Bombing of the World Trade Center in
  NYC.
• The Defense Science Board has predicted that
  attacks on information systems by foreign
  countries, espionage agents, and terrorists will
  soon be widespread.

• Companies face four types of threats to their
  information systems
• Natural and political disasters

5
INTRODUCTION

• Include
• Hardware or software failures
• Software errors or bugs
• Operating system crashes
• Power outages and fluctuations
• Undetected data transmission errors
• Estimated annual economic losses due to software
  bugs 60 billion.
• 60 of companies studied had significant software
  errors in previous year.

• Companies face four types of threats to their
  information systems
• Natural and political disasters
• Software errors and equipment malfunction

6
INTRODUCTION

• Include
• Accidents caused by
• Human carelessness
• Failure to follow established procedures
• Poorly trained or supervised personnel
• Innocent errors or omissions
• Lost, destroyed, or misplaced data
• Logic errors
• Systems that do not meet needs or are incapable
  of performing intended tasks
• Information Systems Security Assn. estimates 65
  of security problems are caused by human error.

• Companies face four types of threats to their
  information systems
• Natural and political disasters
• Software errors and equipment malfunction
• Unintentional acts

7
INTRODUCTION

• Include
• Sabotage
• Computer fraud
• Misrepresentation, false use, or unauthorized
  disclosure of data
• Misappropriation of assets
• Financial statement fraud
• Information systems are increasingly vulnerable
  to these malicious attacks.

• Companies face four types of threats to their
  information systems
• Natural and political disasters
• Software errors and equipment malfunction
• Unintentional acts
• Intentional acts (computer crime)

8
THE FRAUD PROCESS

• Fraud is any and all means a person uses to gain
  an unfair advantage over another person.
• In most cases, to be considered fraudulent, an
  act must involve
• A false statement (oral or in writing)
• About a material fact
• Knowledge that the statement was false when it
  was uttered (which implies an intent to deceive)
• A victim relies on the statement
• And suffers injury or loss as a result

9
THE FRAUD PROCESS

• Since fraudsters dont make journal entries to
  record their frauds, we can only estimate the
  amount of losses caused by fraudulent acts
• The Association of Certified Fraud Examiners
  (ACFE) estimates that total fraud losses in the
  U.S. run around 6 of annual revenues or
  approximately 660 billion in 2004.
• More than we spend on education and roads in a
  year.
• 6 times what we pay for the criminal justice
  system.
• Income tax fraud (the difference between what
  taxpayers owe and what they pay to the
  government) is estimated to be over 200 billion
  per year.
• Fraud in the healthcare industry is estimated to
  exceed 100 billion a year.

10
THE FRAUD PROCESS

• Fraud against companies may be committed by an
  employee or an external party.
• Former and current employees (called
  knowledgeable insiders) are much more likely than
  non-employees to perpetrate frauds (and big ones)
  against companies.
• Largely owing to their understanding of the
  companys systems and its weaknesses, which
  enables them to commit the fraud and cover their
  tracks.
• Organizations must utilize controls to make it
  difficult for both insiders and outsiders to
  steal from the company.

11
Types of Frauds

• OTHER
• Intellectual property theft
• Financial institution fraud
• Check and credit card fraud
• Insurance fraud
• Healthcare fraud
• Bankruptcy fraud
• Tax fraud
• Securities fraud
• Money laundering
• Consumer fraud
• Computer and Internet fraud

• OCCUPATIONAL
• Fraudulent Statements
• Financial
• Non-financial
• Asset Misappropriation
• Theft of Cash
• Fraudulent disbursements
• Inventory and other assets
• Bribery and Corruption
• Bribery
• Illegal gratuities
• Economic extortion
• Conflict of interest

Information is from the ACFEs 2004 Report to the
Nation on Occupational Fraud and Abuse and from
the Fraud Examiners Manual, also published by
the ACFE.
12
THE FRAUD PROCESS

• Three types of occupational fraud
• Misappropriation of assets

• Involves theft, embezzlement, or misuse of
  company assets for personal gain.
• Examples include billing schemes, check
  tampering, skimming, and theft of inventory.
• In the 2004 Report to the Nation on Occupational
  Fraud and Abuse, 92.7 of occupational frauds
  involved asset misappropriation at a median cost
  of 93,000.

13
THE FRAUD PROCESS

• Three types of occupational fraud
• Misappropriation of assets
• Corruption

• Corruption involves the wrongful use of a
  position, contrary to the responsibilities of
  that position, to procure a benefit.
• Examples include kickback schemes and conflict of
  interest schemes.
• About 30.1 of occupational frauds include
  corruption schemes at a median cost of 250,000.

14
THE FRAUD PROCESS

• Three types of occupational fraud
• Misappropriation of assets
• Corruption
• Fraudulent statements

• Financial statement fraud involves misstating the
  financial condition of an entity by intentionally
  misstating amounts or disclosures in order to
  deceive users.
• Financial statements can be misstated as a result
  of intentional efforts to deceive or as a result
  of undetected asset misappropriations that are so
  large that they cause misstatement.
• About 7.9 of occupational frauds involve
  fraudulent statements at a median cost of 1
  million. (The median pales in comparison to the
  maximum cost.)

15
WHO COMMITS FRAUD AND WHY

• Financial statement fraud is distinct from other
  types of fraud in that the individuals who commit
  the fraud are not the direct beneficiaries.
• The company is the direct beneficiary.
• The perpetrators are typically indirect
  beneficiaries.

16
THE FRAUD PROCESS

• Fraud perpetrators are often referred to as
  white-collar criminals.
• Researchers have compared the psychological and
  demographic characteristics of three groups of
  people
• White-collar criminals
• Violent criminals
• The general public
• They found
• Significant differences between violent and
  white-collar criminals.
• Few differences between white-collar criminals
  and the general public.

17
WHO COMMITS FRAUD AND WHY

• Criminologist Donald Cressey, interviewed 200
  convicted white-collar criminals in an attempt to
  determine the common threads in their crimes. As
  a result of his research, he determined that
  three factors were present in the commission of
  each crime. These three factors have come to be
  known as the fraud triangle.
• Pressure
• Opportunity
• Rationalization

18
The Fraud TriangleDonald Cressey
Pressure
Opportunity
Rationalization
19
WHO COMMITS FRAUD AND WHY

• Pressure
• Cressey referred to this pressure as a perceived
  non-shareable need.
• The pressure could be related to finances,
  emotions, lifestyle, or some combination.

20
PRESSURES THAT LEAD TO EMPLOYEE FRAUD

• EMOTIONAL
• Greed
• Unrecognized performance
• Job dissatisfaction
• Fear of losing job
• Power or control
• Pride or ambition
• Beating the system
• Frustration
• Non-conformity
• Envy, resentment
• Arrogance, dominance
• Non-rules oriented

• LIFESTYLE
• Support gambling habit
• Drug or alcohol addiction
• Support sexual relationships
• Family/peer pressure

• FINANCIAL
• Living beyond means
• High personal debt/expenses
• Inadequate salary/income
• Poor credit ratings
• Heavy financial losses
• Bad investments
• Tax avoidance
• Meet unreasonable quotas/goals

21
WHO COMMITS FRAUD AND WHY

• Whats important here is the perception of the
  pressure.
• There might be a number of people who could and
  would help a tentative fraudster out of his
  financial woes.
• But as long as he perceives that he cannot share
  his burden, the pressure is present.
• Research has also found that an individuals
  propensity to commit fraud is more related to how
  much he worries about his financial position than
  his actual position.
• The millionaire who frets a lot about his
  financial condition is more likely to commit
  fraud than the guy who doesnt have two dimes to
  rub together but isnt worried about it.

22
WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows
  an individual to
• Commit the fraud
• Conceal the fraud
• Convert the proceeds

23
WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and
  effort and leaves more evidence than the actual
  theft or misrepresentation.
• Examples of concealment efforts
• Charge a stolen asset to an expense account or to
  an account receivable that is about to be written
  off.
• Create a ghost employee who receives an extra
  paycheck.
• Lapping.
• Kiting.

24
WHO COMMITS FRAUD AND WHY

• Unless the target of the theft is cash, then the
  stolen goods must be converted to cash or some
  form that is beneficial to the perpetrator.
• Checks can be converted through alterations,
  forged endorsements, check washing, etc.
• Non-cash assets can be sold (online auctions are
  a favorite forum) or returned to the company for
  cash.

25
WHO COMMITS FRAUD AND WHY

• There are many opportunities that enable fraud.
  Some of the most common are
• Lack of internal controls
• Failure to enforce controls (the most prevalent
  reason)
• Excessive trust in key employees
• Incompetent supervisory personnel
• Inattention to details
• Inadequate staff

26
WHO COMMITS FRAUD AND WHY

• Management may allow fraud by
• Not getting involved in the design or enforcement
  of internal controls
• Inattention or carelessness
• Overriding controls and/or
• Using their power to compel subordinates to carry
  out the fraud.

27
WHO COMMITS FRAUD AND WHY

• How many people do you know who regard themselves
  as being unprincipled or sleazy?
• It is important to understand that fraudsters do
  not regard themselves as unprincipled.
• In general, they regard themselves as highly
  principled individuals.
• That view of themselves is important to them.
• The only way they can commit their frauds and
  maintain their self image as principled
  individuals is to create rationalizations that
  recast their actions as morally acceptable
  behaviors.

28
WHO COMMITS FRAUD AND WHY

• These rationalizations take many forms,
  including
• I was just borrowing the money.
• It wasnt really hurting anyone. (Corporations
  are often seen as non-persons, therefore crimes
  against them are not hurting anyone.)
• Everybody does it.
• Ive worked for them for 35 years and been
  underpaid all that time. I wasnt stealing I
  was only taking what was owed to me.
• I didnt take it for myself. I needed it to pay
  my childs medical bills.

29
WHO COMMITS FRAUD AND WHY

• Creators of worms and viruses often use
  rationalizations like
• The malicious code helped expose security flaws,
  so I did a good service.
• It was an accident.
• It was not my faultjust an experiment that went
  bad.
• It was the users fault because they didnt keep
  their security up to date.
• If the code didnt alter or delete any of their
  files, then whats the problem?

30
WHO COMMITS FRAUD AND WHY

• Fraud occurs when
• People have perceived, non-shareable pressures
• The opportunity gateway is left open and
• They can rationalize their actions to reduce the
  moral impact in their minds (i.e., they have low
  integrity).
• Fraud is much less likely to occur when
• There is low pressure, low opportunity, and high
  integrity.
• Unfortunately, there is usually a mixture of
  these forces in play, and it can be very
  difficult to determine the pressures that may
  apply to an individual and the rationalizations
  he/she may be able to produce.

31
APPROACHES TO COMPUTER FRAUD

• The U.S. Department of Justice defines computer
  fraud as any illegal act for which knowledge of
  computer technology is essential for its
• Perpetration
• Investigation or
• Prosecution.

32
APPROACHES TO COMPUTER FRAUD

• In using a computer, fraud perpetrators can
  steal
• More of something
• In less time
• With less effort
• They may also leave very little evidence, which
  can make these crimes more difficult to detect.

33
APPROACHES TO COMPUTER FRAUD

• Perpetrators of computer fraud tend to be younger
  and possess more computer knowledge, experience,
  and skills.
• Hackers and computer fraud perps tend to be more
  motivated by
• Curiosity
• A quest for knowledge
• The desire to learn how things work
• The challenge of beating the system

34
APPROACHES TO COMPUTER FRAUD

• Computer systems are particularly vulnerable to
  computer crimes for several reasons
• Company databases can be huge and access
  privileges can be difficult to create and
  enforce. Consequently, individuals can steal,
  destroy, or alter massive amounts of data in very
  little time.
• Organizations often want employees, customers,
  suppliers, and others to have access to their
  system from inside the organization and without.
  This access also creates vulnerability.
• Computer programs only need to be altered once,
  and they will operate that way until
• The system is no longer in use or
• Someone notices.

35
APPROACHES TO COMPUTER FRAUD

• Modern systems are accessed by PCs, which are
  inherently more vulnerable to security risks and
  difficult to control.
• It is hard to control physical access to each PC.
• PCs are portable, and if they are stolen, the
  data and access capabilities go with them.
• PCs tend to be located in user departments, where
  one person may perform multiple functions that
  should be segregated.
• PC users tend to be more oblivious to security
  concerns.

36
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Data diddling
• Data leakage
• Denial of service attacks
• Eavesdropping
• Email threats
• Email forgery (aka, spoofing)
• Hacking
• Phreaking
• Hijacking
• Identity theft

37
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Internet misinformation
• Internet terrorism
• Logic time bombs
• Masquerading or impersonation
• Packet sniffers
• Password cracking
• Phishing
• Piggybacking
• Round-down technique
• Salami technique

38
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Example of a website produced for a phishing scam.

39
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Social engineering
• Software piracy
• Spamming
• Spyware
• Keystroke loggers
• Trap doors
• Trojan horse
• War dialing
• War driving

40
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit
  computer fraud and abuse. These include
• Virus
• Worms