Computer Fraud and Abuse
Computer Fraud & Abuse ACC 444 Enterprise Process Analysis

INTRODUCTION
Information systems are becoming increasingly complex, and society is becoming increasingly dependent on them. Companies also face a growing risk of these systems being compromised. Recent surveys indicate that 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.

In this chapter we'll discuss:
- The fraud process
- Why fraud occurs
- Approaches to computer fraud
- Specific techniques used to commit computer fraud
- Ways companies can deter and detect computer fraud

THE FRAUD PROCESS
Fraud is any and all means a person uses to gain an unfair advantage over another person. Since fraudsters don't make journal entries to record their frauds, we can only estimate the losses caused by fraudulent acts.
In the 2014 Report to the Nations, the Association of Certified Fraud Examiners (ACFE) estimates that:
- The typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2013 Gross World Product, this figure translates to a potential total fraud loss of more than $3.7 trillion.
- The median loss caused by the occupational fraud cases was $145,000.
- 24% of the frauds involved losses of at least $1 million.
Fraud against companies may be committed by an employee or an external party. Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies, largely owing to their understanding of the company's systems and its weaknesses, which enables them to commit the fraud and cover their tracks. Organizations must use controls to make it difficult for both insiders and outsiders to steal from the company.

Three types of occupational fraud:
- Misappropriation of assets
- Corruption
- Fraudulent statements

Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users. Financial statements can be misstated as a result of intentional efforts to deceive, or as a result of undetected asset misappropriations that are so large that they cause misstatement. In the 2014 Report to the Nations on Occupational Fraud and Abuse, about 9% of occupational frauds involve fraudulent statements, at a median cost of $1 million. (The median pales in comparison to the maximum cost.)
Examples of other fraud schemes:
- Money laundering: concealment of the origins of illegally obtained money, typically by means of transfers involving foreign banks or legitimate businesses.
- Ponzi scheme: an investment scheme that pays unreasonably high returns to the investors from money invested by later investors.
- Kiting: creating cash through the transfer of money between banks; also a common way to hide a theft.
- Lapping: stealing cash from customer A and then using customer B's balance to pay customer A's accounts receivable; another common way to hide a theft.
Besides kiting and lapping, theft of cash is typically hidden by charging the stolen item to an expense account.
A typical employee fraud has a number of important elements or characteristics:
- The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
- Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can't stop once they get started, and their frauds grow in size.
- The fraudsters often grow careless or overconfident over time.
- Fraudsters tend to spend what they steal. Very few save it.
- In time, the sheer magnitude of the frauds may lead to detection.
- The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

WHO COMMITS FRAUD AND WHY
Researchers have compared the psychological and demographic characteristics of three groups of people: white-collar criminals, violent criminals, and the general public. They found:
- Significant differences between violent and white-collar criminals.
- Few differences between white-collar criminals and the general public.
White-collar criminals tend to mirror the general public in education, age, religion, marriage, length of employment, and psychological makeup.

Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime.
These three factors have come to be known as the fraud triangle:
- Pressure
- Opportunity
- Rationalization
[Figure: The Fraud Triangle (Donald Cressey), with Pressure, Opportunity and Rationalization at its three corners]

Red Flags
- High personal debts or great financial losses.
- Expensive lifestyle.
- Extensive gambling or use of alcohol or drugs.
- Heavy investments.
- Significant personal or family problems.
- Rewriting records, under the guise of neatness.
- Refusing to leave custody of records during the day.
- Extensive overtime.
- Skipping vacations.
- Questionable background and references.
- Feeling that pay is not commensurate with responsibilities.
- Strong desire to beat the system.
- Regular borrowing of small amounts from fellow employees.
- Personal checks returned for insufficient funds.
- Collectors and creditors appearing at the place of business.
- Placing unauthorized IOUs in petty cash funds.
- Inclination toward covering up inefficiencies or "plugging" figures.
- Pronounced criticism of others.
- Association with questionable characters.
- Annoyance with reasonable questions; replying to questions with unreasonable answers.
- Unusually large bank balance.
- Bragging about exploits.
- Carrying unusually large amounts of cash.

Practice Exercise (Text 5.2)
A small but growing firm has recently hired you to investigate a potential fraud. The company heard through its hotline that the purchases journal clerk periodically enters fictitious acquisitions. The nonexistent supplier's address is given as a post office box, which the clerk rents. He forwards notification of the fictitious purchases for recording in the accounts payable ledger. Payment is ultimately mailed to the post office box. He then deposits the check in an account established in the name of the nonexistent supplier.
- List four red-flag indicators that might point to the existence of fraud in this example.
- List two procedures you could follow to uncover this fraud.

COMPUTER FRAUD CLASSIFICATIONS
Frauds can be categorized according to the data processing model:
- Processor fraud
- Input fraud
- Output fraud
- Data fraud
- Computer instructions fraud
APPROACHES TO COMPUTER FRAUD
Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
a) It requires little computer skill.
b) The perpetrator only needs to understand how the system operates.
It can take a number of forms, including:
a) Disbursement frauds
b) Inventory frauds
c) Payroll frauds
d) Cash receipt frauds
e) Fictitious refund fraud: the perpetrator files for an undeserved refund, such as a tax refund.
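The fictitious-supplier disbursement scheme in the practice exercise above (a purchases clerk entering acquisitions from a "supplier" whose address is a post office box he rents) is an input fraud that leaves traces in the vendor master, the employee master and the payments journal. The following is an added example, not code from the course or the textbook; the records are constructed, and the field names, the single-signature approval limit and the "just under the limit" heuristic are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample records (not from the page): vendor master,
# employee master and payments journal for one purchase cycle.
VENDORS = [
    {"id": "V100", "name": "Acme Supply Co", "address": "12 Mill Rd, Dayton", "tax_id": "11-1111111", "phone": "555-0100"},
    {"id": "V200", "name": "Northwind Parts", "address": "P.O. Box 4471, Dayton", "tax_id": "", "phone": ""},
    {"id": "V300", "name": "Delta Office", "address": "9 Main St, Dayton", "tax_id": "33-3333333", "phone": "555-0300"},
]
EMPLOYEES = [
    {"id": "E1", "name": "J. Clerk", "role": "purchases journal clerk", "address": "P.O. Box 4471, Dayton"},
    {"id": "E2", "name": "M. Smith", "role": "receiving", "address": "4 Oak Ave, Dayton"},
]
PAYMENTS = [
    {"vendor": "V100", "amount": 1250.00, "entered_by": "E2", "receipt_doc": "R-1"},
    {"vendor": "V200", "amount": 4990.00, "entered_by": "E1", "receipt_doc": None},
    {"vendor": "V200", "amount": 4985.00, "entered_by": "E1", "receipt_doc": None},
    {"vendor": "V300", "amount": 300.00, "entered_by": "E2", "receipt_doc": "R-2"},
]
APPROVAL_LIMIT = 5000.00  # assumed: payments at or above this need a second signature

PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box)\b", re.I)


def normalize(addr):
    """Collapse punctuation and spacing so addresses can be compared."""
    return re.sub(r"[\s.,]+", " ", addr.lower()).strip()


def vendor_red_flags(vendors, employees, payments, limit=APPROVAL_LIMIT):
    """Return {vendor_id: [flag, ...]} for vendors showing the scheme's red flags."""
    emp_by_addr = {normalize(e["address"]): e["id"] for e in employees}
    pays_by_vendor = defaultdict(list)
    for p in payments:
        pays_by_vendor[p["vendor"]].append(p)

    flags = defaultdict(list)
    for v in vendors:
        vid, addr = v["id"], normalize(v["address"])
        if PO_BOX.search(v["address"]):
            flags[vid].append("PO box address")
        if addr in emp_by_addr:
            flags[vid].append("address matches employee " + emp_by_addr[addr])
        if not v["tax_id"] or not v["phone"]:
            flags[vid].append("incomplete master record (no tax id/phone)")
        pays = pays_by_vendor.get(vid, [])
        if pays and all(p["receipt_doc"] is None for p in pays):
            flags[vid].append("no receiving report for any payment")
        if any(limit * 0.95 <= p["amount"] < limit for p in pays):
            flags[vid].append("payments just under approval limit")
        enterers = {p["entered_by"] for p in pays}
        if len(pays) > 1 and len(enterers) == 1:
            flags[vid].append("all entries keyed by one user " + enterers.pop())
    return dict(flags)


if __name__ == "__main__":
    for vendor, reasons in vendor_red_flags(VENDORS, EMPLOYEES, PAYMENTS).items():
        print(vendor, "->", "; ".join(reasons))
```

Each flag corresponds to a procedure an investigator would run by hand: confirm the supplier exists independently of the clerk, and trace payments back to receiving reports.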
Processor Fraud
Involves computer fraud committed through unauthorized system use, including theft of computer time and services. Incidents could involve employees:
a) surfing the Internet;
b) using the company computer to conduct personal business; or
c) using the company computer to conduct a competing business.

In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server. Upon investigating, IT personnel discovered that an individual outside the U.S. had effectively hijacked the college's server both to store some of his or her research data and to process it. The college deleted the individual's data and blocked future access to the system. The individual subsequently contacted college personnel to protest the destruction of the data. The case demonstrates both:
- How a processor fraud can be committed.
- How oblivious users can sometimes be to the unethical or illegal nature of their activities.

Computer Instructions Fraud
Involves tampering with the software that processes company data. May include:
a) Modifying the software
b) Making illegal copies
c) Using it in an unauthorized manner
It might also include developing a software program or module to carry out an unauthorized activity.
Computer instruction fraud used to be one of the least common types of fraud because it required specialized knowledge about computer programming beyond the scope of most users.
Today these frauds are more frequent, courtesy of web pages that instruct users on how to create viruses and other schemes.

Data Fraud
Involves:
a) Altering or damaging a company's data files; or
b) Copying, using, or searching the data files without authorization.
In many cases, disgruntled employees have scrambled, altered, or destroyed data files. Theft of data often occurs so that perpetrators can sell the data. Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer's database.

Output Fraud
Involves stealing or misusing system output. Output is usually displayed on a screen or printed on paper. Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear. This output is also subject to prying eyes and unauthorized copying. Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.
Remote Desktop Connection and dumpster diving are two common methods.

COMPUTER ATTACKS AND ABUSE
- Hacking: unauthorized access, modification, or use of a computer system or other electronic device.
- Social engineering: techniques, usually psychological tricks, to gain access to sensitive data or information; used to gain access to secure systems or locations.
- Malware: any software which can be used to do harm. Example: an exploit, a set of instructions for taking advantage of a flaw in a program.
Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

Types of Computer Attacks
- Botnet (robot network): a network of hijacked computers. The hijacked computers carry out processes without their users' knowledge. A zombie is a hijacked computer.
- Denial-of-Service (DoS) attack: a constant stream of requests made to a Web server (usually via a botnet) that overwhelms and shuts down service.
- Spoofing: making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information.

Types of Spoofing
- E-mail: the e-mail appears as if it comes from a different sender.
- Caller ID: an incorrect number is displayed.
- IP address: a forged IP address to conceal the identity of the sender of data over the Internet, or to impersonate another computer system.
- Address Resolution Protocol (ARP): allows a computer on a LAN to intercept traffic meant for any other computer on the LAN.
- SMS: an incorrect number or name appears; similar to caller ID but for text messaging.
- Web page: phishing.
- DNS: intercepting a request for a Web service and sending the request to a false service.
Hacking Attacks
- Buffer overflow: data is sent that exceeds the capacity of the receiving buffer, causing program instructions to be lost and replaced with attacker instructions.
- Man-in-the-middle: the hacker places themselves between client and host.
Additional Hacking Attacks
- Password cracking: penetrating system security to steal passwords.
- War dialing: a computer automatically dials phone numbers looking for modems.
- Phreaking: attacks on phone systems to obtain free phone service.
- Data diddling: making changes to data before, during, or after it is entered into a system.
- Data leakage: unauthorized copying of company data.

Hacking Embezzlement Schemes
- Salami technique: taking small amounts from many different accounts.
- Economic espionage: theft of information, trade secrets, and intellectual property.
- Cyber-bullying: using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
- Internet terrorism: the act of disrupting electronic commerce and harming computers and communications.
- Internet misinformation: using the Internet to spread false or misleading information.

Hacking for Fraud
- Internet auction fraud: using an Internet auction site to defraud another person:
  a) unfairly driving up bidding;
  b) the seller delivers inferior merchandise or fails to deliver at all;
  c) the buyer fails to make payment.
- Internet pump-and-dump: using the Internet to pump up the price of a stock and then selling it.

Social Engineering Techniques
- Identity theft: assuming someone else's identity.
- Pretexting: inventing a scenario that will lull someone into divulging sensitive information.
- Posing: using a fake business to acquire sensitive information.
- Phishing: posing as a legitimate company asking for verification-type information: passwords, accounts, usernames.
- Pharming: redirecting Web site traffic to a spoofed Web site.
- Piggybacking: clandestine use of someone's Wi-Fi network.
- Typosquatting: typographical errors when entering a Web site name cause an invalid site to be accessed.
- Tabnapping: changing an already open browser tab.
- Scavenging: looking for sensitive information in items thrown away.
- Shoulder surfing: snooping over someone's shoulder for sensitive information.
- Evil twin: a wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.

More Social Engineering
- Lebanese looping: capturing ATM PINs and card numbers.
- Skimming: double-swiping a credit card.
- Chipping: planting a device to read credit card information in a credit card reader.
- Eavesdropping: listening to private communications.

Types of Malware
- Spyware: secretly monitors and collects personal information about users and sends it to someone else.
- Adware: pops banner ads up on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator.
- Key logging: records computer activity, such as a user's keystrokes, e-mails sent and received, Web sites visited, and chat session participation.
- Trojan horse: malicious computer instructions in an authorized and otherwise properly functioning program.
- Time bombs/logic bombs: idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.

More Malware
- Trap door/back door: a way into a system that bypasses normal authorization and authentication controls.
- Packet sniffers: capture data from information packets as they travel over networks.
- Rootkit: used to hide the presence of trap doors, sniffers, and key loggers; to conceal software that originates a denial-of-service or an e-mail spam attack; and to access user names and log-in information.
- Superzapping: unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.
- Spamming: sending an unsolicited message to many people at the same time.

PREVENTING AND DETECTING COMPUTER FRAUD
Make fraud less likely to occur; for example:
- Require oversight from an active, involved, and independent audit committee.
- Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
- Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees.
- Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
- Effectively supervise employees, including monitoring their performance and correcting their errors.
- Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
- Require annual employee vacations, periodically rotate duties of key employees, and require signed confidentiality agreements.
Increase the difficulty of committing fraud; for example:
- Segregate the accounting and system functions of authorization, recording, and custody.
- Restrict access to assets, records, data, and system resources to authorized personnel.
- Have the system authenticate the person and their right to perform the transaction before allowing the transaction to take place.
- Require transactions and activities to be authorized by appropriate supervisory personnel.
- Use properly designed documents and records to capture and process transactions.
- Require independent checks on performance, such as reconciliation of two independent sets of records, where possible and appropriate.
- Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
- Fix known software vulnerabilities by installing the latest updates to operating systems, security software, and application programs.
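Segregation of authorization, recording and custody can be checked in two places: preventively, by inspecting which control functions a user's combined system roles grant, and detectively, by scanning the activity log for any transaction in which one person performed steps from more than one function. The code below is an added example, not from the course or the textbook; the role names, permission-to-function mapping and log records are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample data (not from the page): ERP role definitions,
# user-to-role assignments, and a purchase-cycle activity log.
ROLE_PERMS = {
    "purchasing_clerk": {"create_po"},
    "ap_clerk": {"record_invoice"},
    "treasurer": {"release_payment"},
    "vendor_admin": {"maintain_vendor"},
    "super_user": {"create_po", "record_invoice", "release_payment", "maintain_vendor"},
}
USER_ROLES = {
    "alice": {"purchasing_clerk"},
    "bob": {"ap_clerk", "treasurer"},   # recording + custody: a conflict
    "carol": {"super_user"},            # every function: a conflict
    "dave": {"ap_clerk"},
    "erin": {"treasurer"},
}
# Which of the three control functions each permission represents.
FUNCTION = {
    "create_po": "authorization",
    "maintain_vendor": "authorization",
    "record_invoice": "recording",
    "release_payment": "custody",
}
# Constructed log entries: (transaction id, permission exercised, user)
ACTIVITY_LOG = [
    ("PO-1", "create_po", "alice"),
    ("PO-1", "record_invoice", "bob"),
    ("PO-1", "release_payment", "bob"),
    ("PO-2", "create_po", "alice"),
    ("PO-2", "record_invoice", "dave"),
    ("PO-2", "release_payment", "erin"),
]


def user_functions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Control functions that a user's combined roles grant."""
    perms = set()
    for role in user_roles[user]:
        perms |= role_perms[role]
    return {FUNCTION[p] for p in perms}


def sod_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Preventive check: users whose role set spans more than one function."""
    conflicts = {}
    for user in user_roles:
        funcs = user_functions(user, user_roles, role_perms)
        if len(funcs) > 1:
            conflicts[user] = sorted(funcs)
    return conflicts


def single_actor_transactions(log=ACTIVITY_LOG):
    """Detective check: transactions where one user performed steps from more
    than one function, which catches abuse even when role design looked clean."""
    seen = defaultdict(lambda: defaultdict(set))
    for txn, perm, user in log:
        seen[txn][user].add(FUNCTION[perm])
    return {txn: {u: sorted(f) for u, f in users.items() if len(f) > 1}
            for txn, users in seen.items()
            if any(len(f) > 1 for f in users.values())}


if __name__ == "__main__":
    print("role conflicts:", sod_conflicts())
    print("single-actor transactions:", single_actor_transactions())
```

The second check is the one worth running over real logs, since emergency access and role changes routinely reintroduce conflicts that the role design review did not see.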
Improve detection methods; for example:
- Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa.
- Conduct periodic external and internal audits, as well as special network security audits.
- Install fraud detection software.
- Implement a fraud hotline.
- Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions.
Reduce fraud losses; for example:
- Maintain adequate insurance.
- Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
- Store backup copies of program and data files in a secure, off-site location.
- Use software to monitor system activity and recover from fraud.