
Computer Fraud & Abuse

ACC 444 Enterprise Process Analysis


INTRODUCTION
Information systems are becoming increasingly complex, and society is
becoming increasingly dependent on them.
Companies therefore face a growing risk of these systems being
compromised.
Recent surveys indicate 67% of companies suffered
a security breach in the last year with almost 60%
reporting financial losses.
INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer fraud
Ways companies can deter and detect computer
fraud
THE FRAUD PROCESS
Fraud is any and all means a person uses to gain an unfair
advantage over another person.
Since fraudsters don't make journal entries to record their frauds,
we can only estimate the losses caused by fraudulent acts. In its 2014
Report to the Nations, the Association of Certified Fraud Examiners
(ACFE) estimates that:
The typical organization loses 5% of its annual revenue to
fraud. Applied to the estimated 2013 Gross World Product, this
figure translates to a potential total fraud loss of more than
$3.7 trillion.
The median loss caused by the occupational fraud cases was
$145,000. 24% of the frauds involved losses of at least $1
million.

THE FRAUD PROCESS
Fraud against companies may be committed by an employee or an
external party.
Former and current employees (called knowledgeable insiders) are much
more likely than non-employees to perpetrate frauds (and larger ones)
against companies,
a) largely owing to their understanding of the company's systems and
weaknesses, which lets them both commit the fraud and cover their
tracks.
Organizations must utilize controls to make it difficult for both
insiders and outsiders to steal from the company.
THE FRAUD PROCESS
Three types of occupational fraud:
Misappropriation of assets
Corruption
Fraudulent statements
Financial statement fraud involves misstating the financial condition of an entity
by intentionally misstating amounts or disclosures in order to deceive users.
Financial statements can be misstated as a result of intentional efforts to deceive
or as a result of undetected asset misappropriations that are so large that they
cause misstatement.
In the 2014 Report to the Nations on Occupational Fraud and Abuse, about 9% of
occupational frauds involved fraudulent statements, at a median cost of $1 million.
(The median pales in comparison to the maximum cost.)
THE FRAUD PROCESS
Examples of other fraud schemes:
Money Laundering (concealment of the origins of illegally obtained
money, typically by means of transfers involving foreign banks or
legitimate businesses)
Ponzi (an investment scheme that pays unreasonably high returns to
the investors from money invested by later investors)
Kiting (creating cash through the transfer of money between
banks) also a common way to hide a theft
Lapping (stealing cash from customer A and then using customer B's
balance to pay customer A's accounts receivable) also another
common way to hide a theft
Besides Kiting & Lapping, theft of cash is typically hidden by charging the
stolen item to an expense account.

THE FRAUD PROCESS
A typical employee fraud has a number of important elements or
characteristics:
The fraud perpetrator must gain the trust or confidence of the person
or company being defrauded in order to commit and conceal the
fraud.
Frauds tend to start as the result of a perceived need on the part of
the employee and then escalate from need to greed. Most fraudsters
can't stop once they get started, and their frauds grow in size.
The fraudsters often grow careless or overconfident over time.
Fraudsters tend to spend what they steal. Very few save it.
In time, the sheer magnitude of the frauds may lead to detection.
The most significant contributing factor in most employee frauds is
the absence of internal controls and/or the failure to enforce existing
controls.
WHO COMMITS FRAUD AND WHY
Researchers have compared the psychological and demographic
characteristics of three groups of people:
White-collar criminals
Violent criminals
The general public
They found:
Significant differences between violent and white-collar criminals.
Few differences between white-collar criminals and the general
public.
White-collar criminals tend to mirror the general public in:
Education
Age
Religion
Marriage
Length of employment
Psychological makeup
WHO COMMITS FRAUD AND WHY
Criminologist Donald Cressey interviewed 200+ convicted white-
collar criminals in an attempt to determine the common threads in
their crimes. As a result of his research, he determined that three
factors were present in the commission of each crime. These
three factors have come to be known as the fraud triangle:
Pressure
Opportunity
Rationalization
The Fraud Triangle (Donald Cressey)
[Figure: the fraud triangle, with Pressure, Opportunity, and Rationalization at its three corners]
Red Flags
High personal debts or great financial losses.
Expensive lifestyle.
Extensive gambling or use of alcohol or drugs.
Heavy investments.
Significant personal or family problems.
Rewriting records, under the guise of neatness.
Refusing to leave custody of records during the day.
Extensive overtime.
Skipping vacations.
Questionable background and references.
Feeling that pay is not commensurate with responsibilities.
Strong desire to beat the system.
Red Flags
Regular borrowing of small amounts from fellow employees.
Personal checks returned for insufficient funds.
Collectors and creditors appearing at the place of business.
Placing unauthorized IOUs in petty cash funds.
Inclination toward covering up inefficiencies or "plugging" figures.
Pronounced criticism of others.
Association with questionable characters.
Annoyance with reasonable questions; replying to questions with
unreasonable answers.
Unusually large bank balance.
Bragging about exploits.
Carrying unusually large amounts of cash.
Practice Exercise (Text 5.2)
A small but growing firm has recently hired you to investigate
a potential fraud. The company heard through its hotline that
the purchases journal clerk periodically enters fictitious
acquisitions. The nonexistent supplier's address is given as a
post office box, which the clerk rents. He forwards notification
of the fictitious purchases for recording in the accounts
payable ledger. Payment is ultimately mailed to the post office
box. He then deposits the check in an account established in
the name of the nonexistent supplier.
List 4 red-flag indicators that might point to the existence of
fraud in this example.
List two procedures you could follow to uncover this fraud.
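The procedures the exercise asks for can be run as data analytics over the vendor master, the employee master and the purchases journal: look for post-office-box addresses, vendors with no tax identification number, vendor addresses or bank accounts that match an employee's, one person both setting up the vendor and entering its invoices, and amounts clustered just under an approval limit. The following is an added example, not part of the course material or the textbook; the employee, vendor and invoice records, the approval limit and the field names are all constructed for illustration.

```python
"""Fictitious-vendor screening: the procedures an auditor would run over
the vendor master, the employee master and the purchases journal.
Added example; every record below is constructed, not real data."""
import re
from collections import defaultdict

APPROVAL_LIMIT = 5000.00  # assumed single-signature approval threshold

# Constructed sample data (no real people or vendors).
EMPLOYEES = [
    {"id": "E100", "name": "Pat Clerk", "address": "PO Box 4417, Springfield",
     "bank_acct": "021000021-55501"},
    {"id": "E101", "name": "Lee Manager", "address": "12 Oak St, Springfield",
     "bank_acct": "021000021-77002"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Office Supply", "address": "900 Main St, Springfield",
     "tax_id": "12-3456789", "bank_acct": "026009593-10011", "created_by": "E101"},
    {"id": "V2", "name": "Springfield Consulting Grp", "address": "P.O. Box 4417, Springfield",
     "tax_id": "", "bank_acct": "021000021-55501", "created_by": "E100"},
]
INVOICES = [
    {"vendor": "V1", "amount": 1250.00, "entered_by": "E100"},
    {"vendor": "V2", "amount": 4990.00, "entered_by": "E100"},
    {"vendor": "V2", "amount": 4975.00, "entered_by": "E100"},
    {"vendor": "V2", "amount": 4999.99, "entered_by": "E100"},
]

PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*BOX\b", re.IGNORECASE)

def normalize_address(addr):
    """Lower-case and strip punctuation so 'P.O. Box 4417' == 'PO Box 4417'."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def screen_vendors(vendors, employees, invoices, approval_limit=APPROVAL_LIMIT):
    """Return {vendor_id: [red flags]} for every vendor that trips a test."""
    emp_by_addr = {normalize_address(e["address"]): e["id"] for e in employees}
    emp_by_bank = {e["bank_acct"]: e["id"] for e in employees}
    invoices_by_vendor = defaultdict(list)
    for inv in invoices:
        invoices_by_vendor[inv["vendor"]].append(inv)

    flags = defaultdict(list)
    for v in vendors:
        vid = v["id"]
        if PO_BOX.search(v["address"]):
            flags[vid].append("address is a post office box")
        if not v["tax_id"]:
            flags[vid].append("no tax identification number on file")
        emp = emp_by_addr.get(normalize_address(v["address"]))
        if emp:
            flags[vid].append(f"address matches employee {emp}")
        emp = emp_by_bank.get(v["bank_acct"])
        if emp:
            flags[vid].append(f"bank account matches employee {emp}")
        invs = invoices_by_vendor.get(vid, [])
        # Segregation-of-duties test: one person set up the vendor and entered every invoice.
        if invs and all(i["entered_by"] == v["created_by"] for i in invs):
            flags[vid].append(f"vendor created and all invoices entered by {v['created_by']}")
        # Structuring test: repeated amounts just under the approval limit.
        near_limit = [i for i in invs if approval_limit * 0.98 <= i["amount"] < approval_limit]
        if len(near_limit) >= 2:
            flags[vid].append(f"{len(near_limit)} invoices just below the {approval_limit:.2f} approval limit")
    return dict(flags)

if __name__ == "__main__":
    for vid, reasons in screen_vendors(VENDORS, EMPLOYEES, INVOICES).items():
        print(vid, "->", "; ".join(reasons))
```

Each test on its own produces false positives (plenty of legitimate vendors use a post office box); the value is in the combination, and in the segregation-of-duties test, which is the control whose absence lets the clerk in the exercise operate at all.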
COMPUTER FRAUD CLASSIFICATIONS
Frauds can be categorized according to the data processing model:
Input fraud
Processor fraud
Computer instructions fraud
Data fraud
Output fraud

APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter
computer input.
a) Requires few computer skills.
b) The perpetrator needs only to understand how the system
operates.
Can take a number of forms, including:
a) Disbursement frauds
b) Inventory frauds
c) Payroll frauds
d) Cash receipt frauds
e) Fictitious refund frauds
The perpetrator files for an undeserved refund, such as
a tax refund.


APPROACHES TO COMPUTER FRAUD
Processor Fraud
Involves computer fraud committed through unauthorized
system use.
Includes theft of computer time and services.
Incidents could involve employees:
a) Surfing the Internet;
b) Using the company computer to conduct personal
business; or
c) Using the company computer to conduct a competing
business.
APPROACHES TO COMPUTER FRAUD
In one example, an agriculture college at a major state university was
experiencing very sluggish performance from its server.
Upon investigating, IT personnel discovered that an individual outside the
U.S. had effectively hijacked the college's server to both store and
process some of his or her research data.
The college deleted the individual's data and blocked future access to
the system.
The individual subsequently contacted college personnel to protest the
destruction of the data.
Demonstrates both:
How a processor fraud can be committed.
How oblivious users can sometimes be to the unethical or illegal
nature of their activities.
APPROACHES TO COMPUTER FRAUD
Computer Instructions Fraud
Involves tampering with the software that
processes company data.
May include:
a) Modifying the software
b) Making illegal copies
c) Using it in an unauthorized manner
Also might include developing a software program
or module to carry out an unauthorized activity.
APPROACHES TO COMPUTER FRAUD
Computer instruction fraud used to be one of the least common
types of frauds because it required specialized knowledge about
computer programming beyond the scope of most users.
Today these frauds are more frequent--courtesy of web pages that
instruct users on how to create viruses and other schemes.
APPROACHES TO COMPUTER FRAUD
Data Fraud
Involves:
a) Altering or damaging a company's data files; or
b) Copying, using, or searching the data files without
authorization.
In many cases, disgruntled employees have scrambled,
altered, or destroyed data files.
Theft of data often occurs so that perpetrators can sell the
data.
a) Most identity thefts occur when insiders in financial
institutions, credit agencies, etc., steal and sell financial
information about individuals from their employers
database.
APPROACHES TO COMPUTER FRAUD
Output Fraud
Involves stealing or misusing system output.
Output is usually displayed on a screen or printed on paper.
Unless properly safeguarded, screen output can be reconstructed at a
distance from the display's electromagnetic emanations (Van Eck
phreaking) using specialized receiving equipment.
This output is also subject to prying eyes and unauthorized
copying.
Fraud perpetrators can use computers and peripheral devices
to create counterfeit outputs, such as checks.
Unattended or poorly secured remote desktop sessions and dumpster
diving are two common ways output is obtained.
Computer Attacks and Abuse
Hacking
Unauthorized access, modification, or use of a computer system or
other electronic device
Social Engineering
Techniques, usually psychological tricks, to gain access to sensitive
data or information
Used to gain access to secure systems or locations
Malware
Any software which can be used to do harm
Example: an exploit, code or a set of instructions for taking
advantage of a flaw in a program
Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall
Types of Computer Attacks
Botnet (Robot Network)
Network of hijacked computers
Hijacked computers carry out processes without their users'
knowledge
Zombie: a hijacked computer
Denial-of-Service (DoS) Attack
A flood of requests made to a web server that overwhelms it and
shuts down service; when the flood comes from many hijacked
machines (a botnet) it is a distributed DoS (DDoS) attack
Spoofing
Making an electronic communication look as if it comes
from a trusted, official source to lure the recipient into
providing information
Types of Spoofing
E-mail
The message appears to come from a sender other than the real
one; the From header is whatever the sender chooses unless the
receiving domain checks SPF, DKIM and DMARC
Caller-ID
An incorrect number is displayed
IP address
A forged source IP address conceals the identity of the sender of
data over the Internet or impersonates another computer system
Address Resolution Protocol (ARP)
Forged ARP replies map another host's IP address (often the
gateway's) to the attacker's MAC address, so a computer on the
LAN receives traffic meant for any other computer on the LAN
SMS
An incorrect number or name appears; similar to caller-ID
spoofing but for text messaging
Web page
Phishing: a counterfeit site that imitates a legitimate one
DNS
Forged DNS answers (or a poisoned resolver cache) resolve a
legitimate name to an attacker-controlled address, so a request
for a web service is sent to a false service
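E-mail and ARP spoofing both leave traces a defender can check. The following added example (not from the course or the textbook) runs two such checks on constructed inputs: a message whose From domain disagrees with its envelope sender and its Reply-To, and an ARP table in which one MAC address answers for the gateway as well as for a workstation. The message, the addresses and the table are all made up for the demonstration.

```python
"""Two spoofing checks on constructed data: (1) an e-mail whose header
From domain disagrees with the envelope sender (Return-Path) and the
Reply-To, and (2) an ARP table in which one MAC address claims several
IPs, the gateway's among them.  Added example, not from the course;
every address below is invented."""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed message: header From names the bank, but the envelope
# sender and Reply-To point somewhere else.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "First Bank Security" <alerts@firstbank.example>
Reply-To: verify@firstbank-secure.example.net
To: pat@corp.example
Subject: Verify your account

Please confirm your password at the link below.
"""

def domain_of(addr):
    """Extract the domain part of a header address, lower-cased."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def email_spoof_indicators(raw):
    """Return a list of header mismatches that suggest a spoofed sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    hits = []
    rp = msg.get("Return-Path")
    if rp and domain_of(rp) != from_dom:
        hits.append(f"Return-Path domain {domain_of(rp)} != From domain {from_dom}")
    rt = msg.get("Reply-To")
    if rt and domain_of(rt) != from_dom:
        hits.append(f"Reply-To domain {domain_of(rt)} != From domain {from_dom}")
    return hits

# Constructed `arp -a`-style table: 10.0.0.1 is the gateway, and its entry
# now carries the same MAC as workstation 10.0.0.77.
ARP_TABLE = """\
10.0.0.1    aa:bb:cc:00:00:77
10.0.0.5    aa:bb:cc:00:00:05
10.0.0.77   aa:bb:cc:00:00:77
10.0.0.80   aa:bb:cc:00:00:80
"""

def arp_spoof_indicators(table, gateway_ip):
    """Flag MAC addresses that answer for more than one IP; call out the gateway."""
    ips_by_mac = defaultdict(list)
    for line in table.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        ips_by_mac[mac.lower()].append(ip)
    hits = []
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            note = f"{mac} claims {', '.join(ips)}"
            if gateway_ip in ips:
                note += " (includes gateway: likely ARP poisoning)"
            hits.append(note)
    return hits

if __name__ == "__main__":
    for h in email_spoof_indicators(RAW_EMAIL):
        print("email:", h)
    for h in arp_spoof_indicators(ARP_TABLE, "10.0.0.1"):
        print("arp:  ", h)
```

Both tests are heuristics. Mailing-list relays and forwarding services legitimately produce Return-Path mismatches, so the authoritative e-mail checks are the SPF, DKIM and DMARC results recorded by the receiving gateway; for ARP, the production control is a switch feature such as dynamic ARP inspection or a monitor that alerts when the gateway's MAC changes.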

Hacking Attacks
Buffer Overflow
More data is written to a fixed-size buffer than it can hold, so the
excess overwrites adjacent memory (such as a function's return
address); crafted input lets the attacker redirect execution to
instructions of their choosing.

Man-in-the-Middle
The attacker positions themselves between client and host (for
example via ARP or DNS spoofing) and relays the traffic, reading or
altering it in transit.

Additional Hacking Attacks
Password Cracking
Recovering passwords, typically by obtaining stored password hashes and
guessing candidates offline until one hashes to the same value.
War Dialing
A computer automatically dials phone numbers looking for modems.
Phreaking
Attacks on phone systems to obtain free phone service.
Data Diddling
Making unauthorized changes to data before, during, or after it is entered into a system.
Data Leakage
Unauthorized copying of company data.
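Password cracking as described above is an offline guessing game against stolen hashes, and its economics depend entirely on how the password was stored. The following added example (not course or textbook code) cracks a constructed unsalted SHA-256 hash with a small word list plus mangling rules, then repeats the attack against a salted PBKDF2 hash to show what the iteration count does to the cost per guess. The word list, the password and the iteration count are assumptions for the demonstration.

```python
"""Offline dictionary attack against stolen password hashes, on
constructed data.  Shows why cracking succeeds against a fast, unsalted
hash and what a salted, deliberately slow KDF does to the attacker's
cost.  Added example, not course material; the word list and the
"stolen" hashes are made up."""
import hashlib
import hmac
import os
import time

# Constructed word list; a real attack uses millions of entries plus rules.
WORDLIST = ["123456", "password", "letmein", "summer", "corp", "qwerty"]
DEMO_ITERATIONS = 50_000   # kept low for the demo; real deployments use several hundred thousand

def candidates(wordlist):
    """Yield each base word plus a few common mangling rules (capitalize, suffixes)."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for suffix in ("1", "!", "2014", "123"):
            yield w + suffix
            yield w.capitalize() + suffix

def fast_hash(pw):
    """What too many systems still store: one unsalted SHA-256 of the password."""
    return hashlib.sha256(pw.encode()).hexdigest()

def slow_hash(pw, salt, iterations=DEMO_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)

def crack_fast(target_hex, wordlist):
    """One hash per guess; with no salt, a precomputed table would crack
    every user who chose the same password at once."""
    for guess in candidates(wordlist):
        if hmac.compare_digest(fast_hash(guess), target_hex):
            return guess
    return None

def crack_slow(target, salt, wordlist, iterations=DEMO_ITERATIONS):
    """Same search, but each guess is `iterations` times more expensive and
    the work cannot be shared across users because every salt differs."""
    for guess in candidates(wordlist):
        if hmac.compare_digest(slow_hash(guess, salt, iterations), target):
            return guess
    return None

def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed seconds)."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0

if __name__ == "__main__":
    stolen_weak = fast_hash("Summer2014")           # constructed "stolen" record
    salt = os.urandom(16)
    stolen_strong = slow_hash("Summer2014", salt)    # constructed "stolen" record
    pw, fast_t = timed(crack_fast, stolen_weak, WORDLIST)
    print(f"unsalted SHA-256: recovered {pw!r} in {fast_t:.4f}s")
    pw, slow_t = timed(crack_slow, stolen_strong, salt, WORDLIST)
    print(f"salted PBKDF2 ({DEMO_ITERATIONS} iterations): recovered {pw!r} in {slow_t:.2f}s")
    print(f"slowdown per guess: roughly {slow_t / max(fast_t, 1e-9):.0f}x")
```

The slow hash does not stop a weak password from being cracked; it multiplies the attacker's cost per guess, and the salt removes the ability to reuse work across accounts. The defenses that actually end the offline attack are preventing the hash theft in the first place and requiring a second factor at login.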
Hacking Embezzlement Schemes
Salami Technique
Taking small amounts from many different accounts.
Economic Espionage
Theft of information, trade secrets, and intellectual property.
Cyber-Bullying
Internet, cell phones, or other communication technologies to support
deliberate, repeated, and hostile behavior that torments, threatens, harasses,
humiliates, embarrasses, or otherwise harms another person.
Internet Terrorism
Act of disrupting electronic commerce and harming computers and
communications.
Internet Misinformation
Using the Internet to spread false or misleading information
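The salami technique is usually described in one sentence; what it looks like in code, and how an auditor catches it, is more instructive. The following added example (not from the course or the textbook) contains a constructed interest-posting routine that truncates each customer's interest and sweeps the shaved fractions of a cent into one account, together with the independent recomputation that exposes that account. The balances, the interest rate and the sink account are all made up.

```python
"""Salami-slice fraud in an interest-posting routine, with the audit test
that exposes it.  The rogue routine truncates every customer's interest
to the cent and credits the shaved fractions to one account; the audit
recomputes interest independently and flags any account paid more than
rounding can explain.  Added example; balances, rate and sink account
are constructed."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

RATE = Decimal("0.0125")   # assumed monthly interest rate for the example
CENT = Decimal("0.01")

# Constructed balances; ACC-0099 is assumed to be the insider's own account.
BALANCES = {
    "ACC-0001": Decimal("1234.56"),
    "ACC-0002": Decimal("987.01"),
    "ACC-0003": Decimal("15250.77"),
    "ACC-0004": Decimal("402.33"),
    "ACC-0005": Decimal("7777.77"),
    "ACC-0006": Decimal("3100.19"),
    "ACC-0007": Decimal("560.44"),
    "ACC-0008": Decimal("21999.99"),
    "ACC-0009": Decimal("48.12"),
    "ACC-0099": Decimal("150.00"),
}

def rogue_post_interest(balances, rate, sink):
    """The fraudulent routine: truncate (never round up) each customer's
    interest and sweep the accumulated fractions of a cent into `sink`."""
    postings, residue = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        residue += exact - paid
        postings[acct] = paid
    postings[sink] += residue.quantize(CENT, rounding=ROUND_DOWN)
    return postings

def audit_interest(balances, postings, rate, tolerance=CENT):
    """Independent recomputation with banker's rounding.  Returns the
    per-account difference (posted minus expected) and the accounts whose
    excess exceeds one cent, which legitimate rounding cannot produce."""
    diffs = {}
    for acct, bal in balances.items():
        expected = (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
        diffs[acct] = postings[acct] - expected
    suspects = [a for a, d in diffs.items() if d > tolerance]
    return diffs, suspects

if __name__ == "__main__":
    posted = rogue_post_interest(BALANCES, RATE, "ACC-0099")
    diffs, suspects = audit_interest(BALANCES, posted, RATE)
    print("suspect accounts:", suspects)
    print("excess credited to suspects:", sum(diffs[a] for a in suspects))
    print("total shortfall across other accounts:",
          sum(d for d in diffs.values() if d < 0))
```

Ten accounts yield only a few cents, which is exactly why the scheme goes unnoticed; with a million accounts the same routine moves roughly $5,000 a month into the sink. The detection works because it recomputes from source balances under a documented rounding rule instead of re-reading the posted figures, and because it looks for an account whose excess equals everyone else's shortfall.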
Hacking for Fraud
Internet Auction
Using an Internet auction site to defraud another
person
a) Unfairly drive up bidding
b) Seller delivers inferior merchandise or fails to deliver
at all
c) Buyer fails to make payment
Internet Pump-and-Dump
Using the Internet to pump up the price of a stock and
then selling it
Social Engineering Techniques
Identity Theft
Assuming someone else's identity
Pretexting
Inventing a scenario that will lull someone into divulging sensitive
information
Posing
Using a fake business to acquire sensitive information
Phishing
Posing as a legitimate company and asking for verification-type
information: passwords, account numbers, usernames
Pharming
Redirecting web site traffic to a spoofed web site
Piggybacking
Clandestine use of someone's Wi-Fi network
Typosquatting
Registering domain names that are typographical errors of a
legitimate site's name, so a mistyped address lands the user on the
attacker's site
Tabnapping
A page left open in a background browser tab silently rewrites
itself to look like a login page, so the returning user types
credentials into it
Scavenging
Looking for sensitive information in items thrown away
Shoulder Surfing
Snooping over someone's shoulder for sensitive information
Evil Twin
A wireless network with the same name as a legitimate wireless
access point. Users unknowingly connect to the evil twin, and the
attacker monitors their traffic looking for useful information.
More Social Engineering
Lebanese Looping
A sleeve inserted into an ATM card slot traps the victim's card; the
attacker observes or "helpfully" asks for the PIN, then retrieves the
card after the victim leaves and uses it with the captured PIN
Skimming
Copying a card's magnetic-stripe data, either by double-swiping the
card in a legitimate terminal or by swiping it through a small hidden
reader
Chipping
Planting a device inside a legitimate credit card reader that records
the card data passing through it
Eavesdropping
Listening in on private communications
Type of Malware
Spyware
Secretly monitors and collects personal information about users and sends it to someone
else
Adware
a) Pops banner ads on a monitor, collects information about the user's web-surfing
and spending habits, and forwards it to the adware creator
Key logging
Records computer activity, such as a user's keystrokes, e-mails sent and received, web
sites visited, and chat session participation
Trojan Horse
Malicious computer instructions hidden in an authorized and otherwise properly functioning
program
Time bombs/logic bombs
a) Idle until triggered by a specified date or time (time bomb) or by a condition (logic
bomb): a change in the system, a message sent to the system, or an event that fails to
occur, the classic example being the programmer's own name no longer appearing in the
payroll file
More Malware
Trap Door/Back Door
A way into a system that bypasses normal authorization and authentication
controls
Packet Sniffers
Capture data from information packets as they travel over networks
Rootkit
a) Used to hide the presence of trap doors, sniffers, and key loggers;
conceal software that originates a denial-of-service or an e-mail spam
attack; and access user names and log-in information
Superzapping
Unauthorized use of special system programs to bypass regular system
controls and perform illegal acts, all without leaving an audit trail
Spamming
Sending an unsolicited message to many people at the same time.
PREVENTING AND DETECTING COMPUTER
FRAUD
Make fraud less likely to occur; for example:
Require oversight from an active, involved, and independent audit
committee.
Identify the events that lead to increased fraud risk, and take steps
to prevent, avoid, share, or accept that risk.
Develop a comprehensive set of security policies to guide the design
and implementation of specific control procedures, and communicate
them effectively to company employees.
Implement human resource policies for hiring, compensating,
evaluating, counseling, promoting, and discharging employees that
send messages about the required level of ethical behavior and
integrity.
Effectively supervise employees, including monitoring their
performance and correcting their errors.
Train employees in integrity and ethical considerations, as well as
security and fraud prevention measures.
Require annual employee vacations, periodically rotate duties of key
employees, and require signed confidentiality agreements.


PREVENTING AND DETECTING COMPUTER
FRAUD
Increase the difficulty of committing fraud; for example:
Segregate the accounting & system functions of authorization,
recording, and custody
Restrict access to assets, records, data, and system resources to
authorized personnel
Have the system authenticate the person and their right to perform
the transaction before allowing the transaction to take place.
Require transactions and activities to be authorized by appropriate
supervisory personnel.
Use properly designed documents and records to capture and
process transactions.
Require independent checks on performance, such as reconciliation
of two independent sets of records, where possible and appropriate.
Encrypt stored and transmitted data and programs to protect them
from unauthorized access and use.
Fix known software vulnerabilities by installing the latest updates to
operating systems, security, and applications programs.



PREVENTING AND DETECTING COMPUTER
FRAUD
Improve detection methods.
Create an audit trail so individual transactions can
be traced through the system to the financial
statements and vice versa.
Conduct periodic external and internal audits, as
well as special network security audits.
Install fraud detection software.
Implement a fraud hotline.
Monitor system activities, including computer and
network security efforts, usage and error logs, and
all malicious actions.
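An audit trail that can be edited by the same person who altered the transaction proves nothing, so the trail itself needs an integrity control. The following added example (not from the course or the textbook) shows one way to make it tamper-evident: each logged entry carries an HMAC computed over the previous entry's tag and its own content, so any later edit, reordering or deletion breaks the chain at that point and re-verification reports where. The key, the entries and the field names are constructed for illustration.

```python
"""Tamper-evident audit trail.  Each entry carries an HMAC over the
previous entry's tag plus the entry itself, so altering, reordering or
deleting any earlier entry breaks every link after it.  Added example;
the key, the entries and the field names are constructed."""
import hashlib
import hmac
import json

# Assumption: the key is held by internal audit (ideally in an HSM/KMS),
# not by the application users whose actions are being logged.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64   # tag that precedes the first entry

def _tag(prev_tag, entry, key):
    """HMAC-SHA256 over the previous tag and a canonical JSON form of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + canonical).encode(), hashlib.sha256).hexdigest()

def append_entries(entries, key=AUDIT_KEY, prev_tag=GENESIS):
    """Chain `entries` onto a trail whose last tag is `prev_tag`; returns [(entry, tag)]."""
    chain = []
    for entry in entries:
        prev_tag = _tag(prev_tag, entry, key)
        chain.append((entry, prev_tag))
    return chain

def verify_chain(chain, key=AUDIT_KEY, prev_tag=GENESIS):
    """Return the index of the first entry whose tag fails to verify, or None if intact."""
    for i, (entry, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(prev_tag, entry, key), tag):
            return i
        prev_tag = tag
    return None

# Constructed journal activity for one purchase, in the order it happened.
ENTRIES = [
    {"seq": 1, "user": "E100", "action": "vendor.create", "vendor": "V2"},
    {"seq": 2, "user": "E100", "action": "invoice.enter", "vendor": "V2", "amount": 4990.0},
    {"seq": 3, "user": "E101", "action": "invoice.approve", "vendor": "V2", "amount": 4990.0},
    {"seq": 4, "user": "SYS", "action": "payment.issue", "vendor": "V2", "amount": 4990.0},
]

def tamper_demo():
    """Alter one amount and separately delete the approval step; report where
    verification first fails in each case."""
    chain = append_entries(ENTRIES)
    assert verify_chain(chain) is None
    altered = [(dict(e), t) for e, t in chain]
    altered[1][0]["amount"] = 9750.0          # data diddling after the fact
    deleted = chain[:2] + chain[3:]           # approval entry removed
    return verify_chain(altered), verify_chain(deleted)

if __name__ == "__main__":
    print(tamper_demo())   # (1, 2)
```

The chain only holds if the key is kept away from the people whose actions are logged and the latest tag is periodically recorded somewhere they cannot write (a printed report, a write-once store, an external service); with the key, an insider could simply re-chain the whole trail after editing it.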


PREVENTING AND DETECTING COMPUTER
FRAUD
Reduce Fraud Losses
Maintain adequate insurance.
Develop comprehensive fraud contingency, disaster
recovery, and business continuity plans.
Store backup copies of program and data files in a
secure, off-site location.
Use software to monitor system activity and recover
from fraud.
