
CHAPTER 5

Computer Fraud and Abuse

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart


INTRODUCTION
Questions to be addressed in this chapter:
What is fraud, and how are frauds perpetrated?
Who perpetrates fraud and why?
What is computer fraud, and what forms does it take?
What approaches and techniques are used to commit computer fraud?


INTRODUCTION
Information systems are becoming
increasingly more complex and society is
becoming increasingly more dependent on
these systems.
Companies also face a growing risk of these
systems being compromised.
Recent surveys indicate 67% of companies
suffered a security breach in the last year with
almost 60% reporting financial losses.

INTRODUCTION

Companies face four types of threats to their information systems:
Natural and political disasters

Include:
Fire or excessive heat
Floods
Earthquakes
High winds
War and terrorist attack

When a natural or political disaster strikes, many companies can be affected at the same time.
Example: Bombing of the World Trade Center in NY.
The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.


INTRODUCTION

Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction

Include:
Hardware or software failures
Software errors or bugs
Operating system crashes
Power outages and fluctuations
Undetected data transmission errors

Estimated annual economic losses due to software bugs = $60 billion.
60% of companies studied had significant software errors in previous year.


INTRODUCTION

Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction
Unintentional acts

Include:
Accidents caused by:
Human carelessness
Failure to follow established procedures
Poorly trained or supervised personnel
Innocent errors or omissions
Lost, destroyed, or misplaced data
Logic errors
Systems that do not meet needs or are incapable of performing intended tasks

Information Systems Security Assn. estimates 65% of security problems are caused by human error.

INTRODUCTION

Companies face four types of threats to their information systems:
Natural and political disasters
Software errors and equipment malfunction
Unintentional acts
Intentional acts (computer crime)

Include:
Sabotage
Computer fraud
Misrepresentation, false use, or unauthorized disclosure of data
Misappropriation of assets
Financial statement fraud

Information systems are increasingly vulnerable to these malicious attacks.


INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer
fraud
Ways companies can deter and detect
computer fraud


THE FRAUD PROCESS

Fraud is any and all means a person uses to gain an unfair advantage over another person.
The definition is the same whether it is a criminal or civil fraud case.
The only difference is the burden of proof required.
Criminal case: beyond a reasonable doubt.
Civil case: preponderance of the evidence OR clear and convincing evidence.

In most cases, to be considered fraudulent, an act must involve:


A false statement (oral or in writing)
About a material fact
Knowledge that the statement was false when it was
uttered (which implies an intent to deceive)
A victim relies on the statement
And suffers injury or loss as a result

THE FRAUD PROCESS


Because fraudsters don't make journal entries to
record their frauds, we can only estimate the
amount of losses caused by fraudulent acts:
The Association of Certified Fraud Examiners (ACFE)
estimates that total fraud losses in the United States
run around 6% of annual revenues or approximately
$660 billion in 2004.
More than we spend on education and roads in a year.
Six times what we pay for the criminal justice system.
Income tax fraud (the difference between what
taxpayers owe and what they pay to the government)
is estimated to be over $200 billion per year.
Fraud in the healthcare industry is estimated to
exceed $100 billion a year.

THE FRAUD PROCESS


Fraud against companies may be committed by
an employee or an external party.
Former and current employees (called
knowledgeable insiders) are much more likely than
non-employees to perpetrate frauds (and big ones)
against companies.
Largely owing to their understanding of the company's
systems and its weaknesses, which enables them to commit
the fraud and cover their tracks.
Organizations must utilize controls to make it difficult
for both insiders and outsiders to steal from the
company.


THE FRAUD PROCESS


Fraud perpetrators are often referred to as
white-collar criminals.
Distinguishes them from violent criminals,
although some white-collar crime can
ultimately have violent outcomes, such as:
Perpetrators or their victims committing suicide.
Healthcare patients killed because of alteration of
information, etc., that can result in their deaths.


THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets
Involves theft, embezzlement, or misuse of
company assets for personal gain.
Examples include billing schemes, check
tampering, skimming, and theft of inventory.
In the 2004 Report to the Nation on Occupational
Fraud and Abuse, 92.7% of occupational frauds
involved asset misappropriation at a median cost
of $93,000.


THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets
Corruption
Corruption involves the wrongful use of a
position, contrary to the responsibilities of
that position, to procure a benefit.
Examples include kickback schemes and
conflict of interest schemes.
About 30.1% of occupational frauds include
corruption schemes at a median cost of
$250,000.


THE FRAUD PROCESS


Three types of occupational fraud:
Misappropriation of assets
Corruption
Fraudulent statements
Financial statement fraud involves misstating the financial condition of
an entity by intentionally misstating amounts or disclosures in order to
deceive users.
Financial statements can be misstated as a result of intentional efforts
to deceive or as a result of undetected asset misappropriations that are
so large that they cause misstatement.
About 7.9% of occupational frauds involve fraudulent statements at a
median cost of $1 million. (The median pales in comparison to the
maximum cost.)

THE FRAUD PROCESS


A typical employee fraud has a number of important elements or
characteristics:
The fraud perpetrator must gain the trust or confidence of the
person or company being defrauded in order to commit and
conceal the fraud.
Instead of using a gun, knife, or physical force, fraudsters use
weapons of deceit and misinformation.
Frauds tend to start as the result of a perceived need on the part
of the employee and then escalate from need to greed. Most
fraudsters can't stop once they get started, and their frauds grow
in size.
The fraudsters often grow careless or overconfident over time.
Fraudsters tend to spend what they steal. Very few save it.
In time, the sheer magnitude of the frauds may lead to detection.
The most significant contributing factor in most employee frauds
is the absence of internal controls and/or the failure to enforce
existing controls.

THE FRAUD PROCESS


The National Commission on Fraudulent
Financial Reporting (aka, the Treadway
Commission) defined fraudulent financial
reporting as intentional or reckless conduct,
whether by act or omission, that results in
materially misleading financial statements.
Financial statements can be falsified to:
Deceive investors and creditors
Cause a company's stock price to rise
Meet cash flow needs
Hide company losses and problems


THE FRAUD PROCESS


Fraudulent financial reporting is of great
concern to independent auditors, because
undetected frauds lead to half of the
lawsuits against auditors.
In the case of Enron, a financial statement
fraud led to the total elimination of Arthur
Andersen, a premier international public
accounting firm.


THE FRAUD PROCESS


Common approaches to cooking the
books include:
Recording fictitious revenues
Recording revenues prematurely
Recording expenses in later periods
Overstating inventories or fixed assets
(WorldCom)
Concealing losses and liabilities


THE FRAUD PROCESS


The Treadway Commission recommended four
actions to reduce the possibility of fraudulent
financial reporting:
Establish an organizational environment that
contributes to the integrity of the financial reporting
process.
Identify and understand the factors that lead to
fraudulent financial reporting.
Assess the risk of fraudulent financial reporting within
the company.
Design and implement internal controls to provide
reasonable assurance that fraudulent financial
reporting is prevented.


THE FRAUD PROCESS


SAS 99: The Auditor's Responsibility to
Detect Fraud
In 1997, SAS-82, Consideration of Fraud in a
Financial Statement Audit, was issued to
clarify the auditor's responsibility to detect
fraud.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
Understand fraud
Auditors can't effectively audit something they don't
understand.
SAS-99 also indicated that auditors are not lawyers and do not
make legal determinations of whether fraud has occurred.
The external auditor's interest specifically relates to acts that
result in a material misstatement of the financial statements.
Note that SAS-99 relates to external auditors. Internal auditors
will have a more extensive interest in fraud than just those that
impact financial statements.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent
misstatements
While planning the audit, members of the audit team
should discuss how and where the company's financial
statements might be susceptible to fraud.


THE FRAUD PROCESS

A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
The audit team must gather evidence about the existence of fraud by:
Looking for fraud risk factors
Testing company records
Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks

Use the gathered information to identify, assess, and respond to
risks.
Auditors can respond by varying the nature, timing, and extent
of auditing procedures they perform.
They should also carefully evaluate risks related to management
override of controls.

THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Auditors must assess the risk of fraud throughout the audit.
When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
If so, they should determine the impact on the financial statements and the audit.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Auditors communicate their fraud
findings to management, the audit
committee, and others.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Document their audit work
Auditors must document their
compliance with SAS-99 requirements.


THE FRAUD PROCESS


A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:

Understand fraud
Discuss the risks of material fraudulent misstatements
Obtain information
Identify, assess, and respond to risks
Evaluate the results of their audit tests
Communicate findings
Document their audit work
Incorporate a technology focus
SAS-99 recognizes that technology impacts fraud
risks and notes opportunities that auditors have
to use technology-oriented tools and techniques
to design fraud auditing procedures.


WHO COMMITS FRAUD AND WHY


Researchers have compared the psychological and
demographic characteristics of three groups of people:
White-collar criminals
Violent criminals
The general public

They found:
Significant differences between violent and white-collar
criminals.
Few differences between white-collar criminals and the general
public.


WHO COMMITS FRAUD AND WHY


White-collar criminals tend to mirror the general
public in:

Education
Age
Religion
Marriage
Length of employment
Psychological makeup


WHO COMMITS FRAUD AND WHY


Perpetrators of computer fraud tend to be
younger and possess more computer
knowledge, experience, and skills.
Hackers and computer fraud perps tend to be
more motivated by:

Curiosity
A quest for knowledge
The desire to learn how things work
The challenge of beating the system


WHO COMMITS FRAUD AND WHY


They may view their actions as a game rather than
dishonest behavior.
Another motivation may be to gain stature in the hacking
community.
Some see themselves as revolutionaries spreading a
message of anarchy and freedom.
But a growing number want to profit financially. To do so,
they may sell data to:

Spammers
Organized crime
Other hackers
The intelligence community


WHO COMMITS FRAUD AND WHY


Some fraud perpetrators are disgruntled and
unhappy with their jobs and are seeking revenge
against their employers.
Others are regarded as ideal, hard-working
employees in positions of trust.
Most have no prior criminal record.
So why are they willing to risk everything?


WHO COMMITS FRAUD AND WHY


Criminologist Donald Cressey interviewed 200+
convicted white-collar criminals in an attempt to
determine the common threads in their crimes.
As a result of his research, he determined that
three factors were present in the commission of
each crime. These three factors have come to
be known as the fraud triangle.
Pressure
Opportunity
Rationalization

[Figure: The Fraud Triangle, Donald Cressey. Surviving label: Rationalization]

WHO COMMITS FRAUD AND WHY


Pressure
Cressey referred to this pressure as a
perceived non-shareable need.
The pressure could be related to
finances, emotions, lifestyle, or some
combination.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
May be associated with vices, such
as drugs, gambling, mistresses, etc.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
- Fear of loss of status because of a personal
failure
Example would be mismanagement of
a personal investment or retirement
fund.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
- Fear of loss of status because of a personal failure
- Business reversals
Not many people can walk away from
a failing business.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
- Fear of loss of status because of a personal failure
- Business reversals
- Physical isolation
When an individual is isolated,
physically or psychologically, almost
any pressure becomes nonshareable.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
- Fear of loss of status because of a personal failure
- Business reversals
- Physical isolation
- Status gaining
Many frauds are motivated by nothing
more than a perceived need to keep
up with the Joneses.
The problem is that there is always a
richer Jones down the street and
the pressure continues to mount, as
do the resulting thefts.


WHO COMMITS FRAUD AND WHY


The most common pressures were:
- Not being able to pay one's debts, nor admit it to
one's employer, family, or friends (which makes it
non-shareable).
- Fear of loss of status because of a personal failure
- Business reversals
- Physical isolation
- Status gaining
- Difficulties in employer-employee relations
May create pressure to get revenge,
take the money you feel is rightfully
owed to you, etc.


WHO COMMITS FRAUD AND WHY


What's important here is the perception of the
pressure.
There might be a number of people who could and would
help a tentative fraudster out of his financial woes.
But as long as he perceives that he cannot share his
burden, the pressure is present.
Research has also found that an individual's propensity to
commit fraud is more related to how much he worries
about his financial position than his actual position.
The millionaire who frets a lot about his financial condition
is more likely to commit fraud than the guy who doesn't
have two dimes to rub together but isn't worried about it.


WHO COMMITS FRAUD AND WHY


Financial statement fraud is distinct from other
types of fraud in that the individuals who commit
the fraud are not the direct beneficiaries.
The company is the direct beneficiary.
The perpetrators are typically indirect beneficiaries.


WHO COMMITS FRAUD AND WHY


In the case of financial statement frauds, common
pressures include:
To prop up earnings or stock price so that management can:
Receive performance-related compensation.
Preserve or improve personal wealth held in company stock
or stock options.
Keep their jobs.
To cover the inability to generate cash flow.
To obtain financing.
To appear to comply with bond covenants or other agreements.
May be opposite of propping up earnings in cases involving
income-tax motivations, government contracts, or regulation.


WHO COMMITS FRAUD AND WHY


Opportunity is the opening or gateway that
allows an individual to:
Commit the fraud
Conceal the fraud
Convert the proceeds


WHO COMMITS FRAUD AND WHY


Committing the fraud might involve acts
such as:
Misappropriating assets.
Issuing deceptive financial statements.
Accepting a bribe in order to make an
arrangement that is not in the company's best
interest.


WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and
effort and leaves more evidence than the actual
theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to
an account receivable that is about to be written
off.


WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and
effort and leaves more evidence than the actual
theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an
account receivable that is about to be written off.
Create a ghost employee who receives an extra
paycheck.


WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and
effort and leaves more evidence than the actual
theft or misrepresentation.
Examples of concealment efforts:

Charge a stolen asset to an expense account or to an
account receivable that is about to be written off.
Create a ghost employee who receives an extra
paycheck.
Lapping.
Steal a payment from Customer A.
Apply Customer B's payment to Customer A's account so
Customer A won't get a late notice.
Apply Customer C's payment to Customer B's account, so
Customer B won't get a late notice, etc.
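
One way an auditor could test accounts-receivable postings for the lapping pattern described above. This is an added example, not part of the original slides; the record layout, customer names, and sample postings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Posting:
    receipt_id: str
    payer: str      # customer named on the check or remittance advice
    credited: str   # customer account the payment was applied to
    amount: float
    received: date
    posted: date


def misapplied(postings):
    """Postings where the paying customer is not the account credited."""
    return [p for p in postings if p.payer != p.credited]


def lapping_chains(postings, min_len=3):
    """Follow misapplied payments from account to account.

    A chain [A, B, C] means B's payment was applied to A's account and
    C's payment was applied to B's account. The last customer in the
    chain is the one whose own account is currently left uncovered.
    A single misapplication (chain of length 2) is more often a clerical
    error, so only chains of at least min_len accounts are returned.
    """
    # covered_by[X] = customer whose payment was credited to X's account
    covered_by = {}
    for p in sorted(misapplied(postings), key=lambda p: p.posted):
        covered_by.setdefault(p.credited, p.payer)

    payers = set(covered_by.values())
    chains = []
    # Start at accounts that were covered but never used to cover another:
    # these are where the original shortage was hidden.
    for start in sorted(a for a in covered_by if a not in payers):
        chain, seen = [start], {start}
        while chain[-1] in covered_by and covered_by[chain[-1]] not in seen:
            nxt = covered_by[chain[-1]]
            chain.append(nxt)
            seen.add(nxt)
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


# Constructed sample data: R1 and R2 form a lapping chain, R3 is a normal
# posting, R4 is an isolated misapplication.
SAMPLE = [
    Posting("R1", "Bravo", "Alpha", 500.0, date(2024, 3, 1), date(2024, 3, 2)),
    Posting("R2", "Charlie", "Bravo", 500.0, date(2024, 3, 8), date(2024, 3, 9)),
    Posting("R3", "Delta", "Delta", 250.0, date(2024, 3, 9), date(2024, 3, 9)),
    Posting("R4", "Echo", "Foxtrot", 75.0, date(2024, 3, 10), date(2024, 3, 10)),
]

if __name__ == "__main__":
    for chain in lapping_chains(SAMPLE):
        print("possible lapping chain:", " <- ".join(chain),
              "| confirm balance directly with", chain[-1])
```

The payer field has to come from a source the posting clerk does not control, such as bank deposit images or lockbox data, for the comparison to mean anything.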


WHO COMMITS FRAUD AND WHY


Concealing the fraud often takes more time and
effort and leaves more evidence than the actual
theft or misrepresentation.
Examples of concealment efforts:
Charge a stolen asset to an expense account or to an
account receivable that is about to be written off.
Create a ghost employee who receives an extra
paycheck.
Lapping.
Kiting.
Creates cash by transferring money between banks.
Requires multiple bank accounts.
Basic scheme:
Write a check on the account of Bank A.
Bank A doesn't have sufficient funds to cover the
check, so write a check from an account in Bank B to
be deposited in Bank A.
Bank B doesn't have sufficient funds to cover the
check, so write a check from an account in Bank C to
be deposited in Bank B, etc.


WHO COMMITS FRAUD AND WHY


Unless the target of the theft is cash, then
the stolen goods must be converted to
cash or some form that is beneficial to the
perpetrator.
Checks can be converted through alterations,
forged endorsements, check washing, etc.
Non-cash assets can be sold (online auctions
are a favorite forum) or returned to the
company for cash.

WHO COMMITS FRAUD AND WHY


If the fraud is a financial statement fraud,
then the gains received may include:
I have to keep my job.
The value of my stock or stock options rose.
I received a raise, promotion, or bonus.
I have power.


WHO COMMITS FRAUD AND WHY


There are many opportunities that enable fraud.
Some of the most common are:
Lack of internal controls
Failure to enforce controls (the most prevalent
reason)
Excessive trust in key employees
Incompetent supervisory personnel
Inattention to details
Inadequate staff


WHO COMMITS FRAUD AND WHY


Internal controls that may be lacking or unenforced include:

Authorization procedures
Clear lines of authority
Adequate supervision
Adequate documents and records
A system to safeguard assets
Independent checks on performance
Separation of duties

One control feature that many companies lack is
a background check on all potential employees.

WHO COMMITS FRAUD AND WHY


Management may allow fraud by:
Not getting involved in the design or
enforcement of internal controls;
Inattention or carelessness;
Overriding controls; and/or
Using their power to compel subordinates to
carry out the fraud.


WHO COMMITS FRAUD AND WHY


How many people do you know who regard
themselves as being unprincipled or sleazy?
It is important to understand that fraudsters do
not regard themselves as unprincipled.
In general, they regard themselves as highly
principled individuals.
That view of themselves is important to them.
The only way they can commit their frauds and
maintain their self-image as principled individuals is to
create rationalizations that recast their actions as
morally acceptable behaviors.

WHO COMMITS FRAUD AND WHY


These rationalizations take many forms,
including:
"I was just borrowing the money."
"It wasn't really hurting anyone." (Corporations are
often seen as non-persons, therefore crimes against
them are not hurting anyone.)
"Everybody does it."
"I've worked for them for 35 years and been underpaid
all that time. I wasn't stealing; I was only taking what
was owed to me."
"I didn't take it for myself. I needed it to pay my child's
medical bills."

WHO COMMITS FRAUD AND WHY


Creators of worms and viruses often use
rationalizations like:
"The malicious code helped expose security flaws, so I
did a good service."
"It was an accident."
"It was not my fault, just an experiment that went bad."
"It was the users' fault because they didn't keep their
security up to date."
"If the code didn't alter or delete any of their files, then
what's the problem?"


WHO COMMITS FRAUD AND WHY


Fraud occurs when:
People have perceived, non-shareable pressures;
The opportunity gateway is left open; and
They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).

Fraud is much less likely to occur when:
There is low pressure, low opportunity, and high integrity.

Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.


INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer
fraud
Ways companies can deter and detect
computer fraud


APPROACHES TO COMPUTER FRAUD


The U.S. Department of Justice defines
computer fraud as any illegal act for
which knowledge of computer technology
is essential for its:
Perpetration;
Investigation; or
Prosecution.


APPROACHES TO COMPUTER FRAUD


Computer fraud includes the following:
Unauthorized theft, use, access, modification,
copying, and destruction of software or data.
Theft of money by altering computer records.
Theft of computer time.
Theft or destruction of computer hardware.
Use or the conspiracy to use computer
resources to commit a felony.
Intent to illegally obtain information or tangible
property through the use of computers.

APPROACHES TO COMPUTER FRAUD


In using a computer, fraud perpetrators
can steal:
More of something
In less time
With less effort

They may also leave very little evidence, which can make these crimes more difficult to detect.

APPROACHES TO COMPUTER FRAUD


Computer systems are particularly vulnerable to
computer crimes for several reasons:
Company databases can be huge and access
privileges can be difficult to create and enforce.
Consequently, individuals can steal, destroy, or alter
massive amounts of data in very little time.
Organizations often want employees, customers,
suppliers, and others to have access to their system
from inside the organization and without. This access
also creates vulnerability.
Computer programs only need to be altered once,
and they will operate that way until:
The system is no longer in use; or
Someone notices.

APPROACHES TO COMPUTER FRAUD


Modern systems are accessed by PCs, which
are inherently more vulnerable to security
risks and difficult to control.
It is hard to control physical access to each PC.
PCs are portable, and if they are stolen, the data
and access capabilities go with them.
PCs tend to be located in user departments, where
one person may perform multiple functions that
should be segregated.
PC users tend to be more oblivious to security
concerns.

APPROACHES TO COMPUTER FRAUD


Computer systems face a number of unique
challenges:
Reliability (accuracy and completeness)
Equipment failure
Environmental dependency (power, water damage,
fire)
Vulnerability to electromagnetic interference and
interruption
Eavesdropping
Misrouting


APPROACHES TO COMPUTER FRAUD


Organizations that track computer fraud
estimate that most U.S. businesses have
been victimized by at least one incident of
computer fraud.


APPROACHES TO COMPUTER FRAUD


These frauds cost billions of dollars each
year, and their frequency is increasing
because:
Not everyone agrees on what constitutes
computer fraud.
Many don't believe that taking an unlicensed copy of software is computer fraud. (It is and can result in prosecution.)
Some don't think it's a crime to browse through someone else's computer if their intentions aren't malicious.

APPROACHES TO COMPUTER FRAUD


Many computer frauds go undetected.
An estimated 80-90% of frauds that are uncovered are not reported because of fear of:
Adverse publicity
Copycats
Loss of customer confidence

There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.

APPROACHES TO COMPUTER FRAUD


Some folks believe "it can't happen to us."
Many networks have a low level of security.
Instructions on how to perpetrate computer
crimes and abuses are readily available on
the Internet.
Law enforcement is unable to keep up with
the growing number of frauds.
The total dollar value of losses is difficult to
calculate.

APPROACHES TO COMPUTER FRAUD


Economic espionage, the theft of
information and intellectual property, is
growing especially fast.
This growth has led to the need for
investigative specialists or cybersleuths.


APPROACHES TO COMPUTER FRAUD


Computer fraud classification
Frauds can be categorized according to the
data processing model:

Input
Processor
Computer instructions
Stored data
Output


COMPUTER FRAUD CLASSIFICATIONS


[Diagram: the five computer fraud classifications: Data Fraud, Input Fraud, Processor Fraud, Output Fraud, Computer Instructions Fraud]

APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter
computer input.
Requires little computer skills
Perpetrator only needs to understand how the system
operates
Can take a number of forms, including:
Disbursement frauds
The perpetrator causes a company to:
Pay too much for ordered goods; or
Pay for goods never ordered.


APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter
computer input.
Requires little computer skills.
Perpetrator only needs to understand how the system
operates.
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
The perpetrator enters data into the system to
show that stolen inventory has been scrapped.


APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only needs to understand how the system operates.
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Perpetrators may enter data to:
Increase their salaries.
Create a fictitious employee.
Retain a terminated employee on the records.
In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.
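
One way to test for the three payroll input frauds listed above is to reconcile every payroll run against an HR master file that is maintained outside the payroll function. The Python below is an added illustration, not part of the original slides; the record layout, employee IDs, finding codes and the shared-bank-account check are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed HR master file (assumed layout): employee id -> authorized record.
# It is meant to be maintained by HR, not by whoever enters payroll input.
HR_MASTER = {
    "E100": {"name": "A. Rivera", "monthly_salary": 4200.00, "terminated": None},
    "E101": {"name": "B. Chen", "monthly_salary": 5100.00, "terminated": None},
    "E102": {"name": "C. Okafor", "monthly_salary": 3900.00,
             "terminated": date(2008, 1, 15)},
}

# Constructed payroll run for the pay period that starts on PERIOD_START.
PERIOD_START = date(2008, 3, 1)
PAYROLL_RUN = [
    {"emp_id": "E100", "gross": 4200.00, "bank_account": "111-222"},
    {"emp_id": "E101", "gross": 5600.00, "bank_account": "333-444"},
    {"emp_id": "E102", "gross": 3900.00, "bank_account": "333-444"},
    {"emp_id": "E999", "gross": 4000.00, "bank_account": "555-666"},
]


def audit_payroll(hr_master, payroll_run, period_start, tolerance=0.01):
    """Return (emp_id, finding) tuples for payroll lines that need follow-up."""
    findings = []
    accounts = defaultdict(list)  # bank account -> employee ids paid into it

    for line in payroll_run:
        emp_id = line["emp_id"]
        accounts[line["bank_account"]].append(emp_id)

        record = hr_master.get(emp_id)
        if record is None:
            # Payee unknown to HR: possible fictitious employee.
            findings.append((emp_id, "NOT_IN_HR_MASTER"))
            continue

        terminated = record["terminated"]
        if terminated is not None and terminated < period_start:
            # Employee left before the period began but is still being paid.
            findings.append((emp_id, "PAID_AFTER_TERMINATION"))

        if line["gross"] - record["monthly_salary"] > tolerance:
            # Pay entered is higher than the salary HR authorized.
            findings.append((emp_id, "PAY_EXCEEDS_AUTHORIZED"))

    # Several payees sharing one account can indicate that one person is
    # collecting the pay of a fictitious or terminated employee.
    for account, emp_ids in sorted(accounts.items()):
        unique_ids = sorted(set(emp_ids))
        if len(unique_ids) > 1:
            findings.extend((emp_id, "SHARED_BANK_ACCOUNT") for emp_id in unique_ids)

    return findings


if __name__ == "__main__":
    for emp_id, finding in audit_payroll(HR_MASTER, PAYROLL_RUN, PERIOD_START):
        print(emp_id, finding)
```

The check only has value when the person who can change payroll input cannot also change the HR master file.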


APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter computer input.
Requires little computer skills.
Perpetrator only needs to understand how the system operates.
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Cash receipt frauds
The perpetrator hides the theft by falsifying system input.
EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.


APPROACHES TO COMPUTER FRAUD


Input Fraud
The simplest and most common way to commit a fraud is to alter
computer input.
Requires little computer skills.
Perpetrator only needs to understand how the system
operates
Can take a number of forms, including:
Disbursement frauds
Inventory frauds
Payroll frauds
Cash receipt frauds
Fictitious refund fraud
The perpetrator files for an undeserved refund, such as a tax refund.


APPROACHES TO COMPUTER FRAUD


Processor fraud
Involves computer fraud committed through
unauthorized system use.
Includes theft of computer time and services.
Incidents could involve employees:
Surfing the Internet;
Using the company computer to conduct personal business;
or
Using the company computer to conduct a competing
business.


APPROACHES TO COMPUTER FRAUD


In one example, an agriculture college at a major state
university was experiencing very sluggish performance from
its server.
Upon investigating, IT personnel discovered that an individual outside the United States had effectively hijacked the college's server to both store some of his/her research data and process it.
The college eliminated the individual's data and blocked future access to the system.
The individual subsequently contacted college personnel to
protest the destruction of the data.
Demonstrates both:
How a processor fraud can be committed.
How oblivious users can sometimes be to the unethical or illegal
nature of their activities.


APPROACHES TO COMPUTER FRAUD


Computer instructions fraud
Involves tampering with the software that
processes company data.
May include:
Modifying the software
Making illegal copies
Using it in an unauthorized manner

Also might include developing a software program or module to carry out an unauthorized activity.

APPROACHES TO COMPUTER FRAUD


Computer instruction fraud used to be one of the
least common types of frauds because it
required specialized knowledge about computer
programming beyond the scope of most users.
Today these frauds are more frequent, courtesy of Web pages that instruct users on how to create viruses and other schemes.


APPROACHES TO COMPUTER FRAUD


Data fraud
Involves:
Altering or damaging a company's data files; or
Copying, using, or searching the data files without authorization.

In many cases, disgruntled employees have scrambled, altered, or destroyed data files.
Theft of data often occurs so that perpetrators can sell the data.
Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer's database.

APPROACHES TO COMPUTER FRAUD


Output fraud
Involves stealing or misusing system output.
Output is usually displayed on a screen or printed on
paper.
Unless properly safeguarded, screen output can
easily be read from a remote location using
inexpensive electronic gear.
This output is also subject to prying eyes and
unauthorized copying.
Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs, such as checks.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Changing data before, during, or after it is entered into the system.
Can involve adding, deleting, or altering key system data.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage

Unauthorized copying of company data.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
An attacker overloads and shuts down an Internet service provider's email system by sending email bombs at a rate of thousands per second, often from randomly generated email addresses.
May also involve shutting down a Web server by sending a load of requests for the Web pages.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Carried out as follows:
The attacker infects dozens of computers that have broadband Internet access with denial-of-service programs. These infected computers are the zombies.
The attacker then activates the denial-of-service programs, and the zombies send pings (emails or requests for data) to the target server.
The victim responds to each, not realizing they have fictitious return addresses, and waits for responses that don't come.
While the victim waits, system performance degrades until the system freezes up or crashes.
The attacker terminates the program after an hour or two to limit the victim's ability to trace the source.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Experts estimate there are as many as 5,000 denial-of-service attacks weekly in the United States.
A denial-of-service attack can cause severe economic damage to its victim or even drive them out of business.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Perpetrators surreptitiously observe
private communications or transmission
of data.
Equipment to commit these electronic
wiretaps is readily available at
electronics stores.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.
Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
He had broken into their computer system and obtained personal and banking information about all of the bank's customers.
He would notify the bank's customers of this breach if he was not paid a specified sum of money.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Involves sending an email message that appears to have come from someone other than the actual sender.
Email spoofers may:
Claim to be system administrators and ask users to change their passwords to specific values.
Pretend to be management and request a copy of some sensitive information.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.
Most hackers break into systems using known flaws in operating systems, applications programs, or access controls.
Some are not very malevolent and mainly motivated by curiosity and a desire to overcome a challenge.
Others have malicious intent and can do significant damage.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data.
They also steal telephone services and may break into voice mail systems.
Some hackers gain access to systems through dial-up modem lines.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Involves gaining control of someone else's computer to carry out illicit activities without the user's knowledge.
The illicit activity is often the perpetuation of spam emails.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Identity theft
Assuming someone's identity, typically for economic gain, by illegally obtaining and using confidential information such as the person's social security number, bank account number, or credit card number.
Identity thieves benefit financially by:
Taking funds out of the victim's bank account.
Taking out mortgages or other loans under the victim's identity.
Taking out credit cards and running up large balances.
If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Identity theft
Victims can usually clear their credit, but the effort requires a significant amount of time and expense.
Identity theft was made a federal offense in 1998, but it is a growing crime industry.
One U.S. postal inspector, whose job duties involved investigation of identity thefts, was himself a victim. The thief ran up $80,000 in debt under the postal inspector's identity before the inspector discovered the problem.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Identity theft
Identity thieves can steal corporate or individual identities by:
Shoulder surfing
Watching people enter telephone calling card numbers or credit card numbers or listening to communications as they provide this information to sales clerks or others.
Scavenging or dumpster diving
Searching corporate or personal records by rifling garbage cans, communal trash bins, and city dumps for documents with confidential company information.
May also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
Redirecting mail
Intercepting mail and having it delivered to a location where others can access it.
Using Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
Data leakage
Denial of service attacks
Eavesdropping
Email threats
Email forgery (aka, spoofing)
Hacking
Phreaking
Hijacking
Identity theft
The U.S. Department of Justice suggests the following four ways to minimize the chances of being victimized by identity theft:
Do not give out corporate or personal information unless there is a good reason to trust the person to whom it is given.
Check financial information regularly for what should be there, as well as for what should not be there.
Periodically review your credit report.
Maintain careful records of banking and financial accounts.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Using the Internet to spread false or misleading information about people or companies.
May involve:
Planting inflammatory messages in online chat rooms.
Websites with misinformation.
Pretending to be someone else online and making inflammatory comments that will be attributed to that person.
A pump-and-dump occurs when an individual spreads misinformation, often through Internet chat rooms, to cause a run-up in the value of a stock and then sells off his shares of the stock. A number of pump-and-dump cases have been prosecuted by the SEC.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Another common form of Internet misinformation is the spreading of urban legends, often by innocently forwarding emails.
Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the microwave can cause cancer.
Before forwarding any emails with negative information about individuals, companies, or their products, it's a good idea to check the veracity of the information first.
Emails with urban legends often attribute their facts to credible sources, such as the federal government, Stanford University researchers, the FBI, etc.
There are several Websites that attempt to verify the truth of emails that are circulated. One such Website is www.snopes.com. You can easily locate the email you received on these Websites, by searching under a key term in the email, such as "lipstick."
You are likely to find that most emails you were getting ready to forward are either false or only partially true.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Hackers use the Internet to disrupt electronic commerce and
destroy company and individual communications.
Viruses and worms are two main forms of Internet terrorism.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
A program that lies idle until triggered by some circumstance or a
particular time.
Once triggered, it sabotages the system, destroying programs,
data, or both.
Usually written by disgruntled programmers.
EXAMPLE: A programmer places a logic bomb in a payroll
application that will destroy all the payroll records if the
programmer is terminated.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
The perpetrator gains access to the system by pretending to be an authorized user.
The perpetrator must know the legitimate user's ID and password.
Once in the system, he enjoys the same privileges as the legitimate user.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Programs that capture data from information packets as they travel over the Internet or company networks.
Confidential information and access information can be gleaned from the captured data, some of which is later sold.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
An intruder penetrates a system's defenses, steals the file of valid passwords, decrypts them, and then uses them to gain access to almost any system resources.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Sending out a spoofed email that appears to come from a legitimate company, such as a financial institution. eBay, PayPal, and banks are commonly spoofed.
The recipient is advised that information or a security check is needed on his account, and advised to click on a link to the company's website to provide the information.
The link connects the individual to a Website that is an imitation of the spoofed company's actual Website. These counterfeit Websites appear very authentic, as do the emails.
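
A mail filter or analyst can test a message for the pattern described above: a spoofed sender combined with a link that leads somewhere other than the company's real Website. The Python below is an added illustration, not part of the original slides; the sample message, the domain names (reserved .example/.invalid names), the trusted-domain list and the finding codes are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name uses a reserved .example/.invalid domain.
SAMPLE_EMAIL = """\
From: "Example Bank" <service@examplebank.example>
Return-Path: <bounce@mailer.invalid>
Subject: Security check needed on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, a security check is needed on your account.</p>
<p><a href="http://examplebank.example.login.invalid/verify">https://www.examplebank.example/login</a></p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
</body></html>
"""

# Assumption: the defender knows which domains the real company uses.
TRUSTED_DOMAINS = ("examplebank.example",)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lower-cased host if text looks like a URL or host name."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "//" + text
    try:
        return urlsplit(text).hostname
    except ValueError:
        return None


def in_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_email, trusted_domains):
    """Return a list of findings (tuples) for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []

    # A differing Return-Path is a weak signal on its own (bulk mailers do it).
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_host = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_host and path_host and from_host != path_host:
        findings.append(("SENDER_MISMATCH", from_host, path_host))

    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, errors="replace"))

    for href, text in parser.links:
        href_host, shown_host = host_of(href), host_of(text)
        if href_host and shown_host and href_host != shown_host:
            # The text shows one site, the link goes to another.
            findings.append(("LINK_TEXT_MISMATCH", shown_host, href_host))
        if (href_host and any(d in href_host for d in trusted_domains)
                and not in_domain(href_host, trusted_domains)):
            # Trusted name embedded in a host that belongs to someone else.
            findings.append(("LOOKALIKE_HOST", href_host))
        if not href.lower().startswith("https://"):
            findings.append(("LINK_NOT_HTTPS", href))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(finding)
```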


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
One newly graduated college student recently took a job in California and deposited his first paycheck of approximately $5,000 in the bank.
That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account.
He followed directions and provided the requested information to set up online banking.
Two hours later, he was nervous and called the bank, only to find out that his bank account had been cleaned out and closed.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the Website instead.
PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:
If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.
If you need to enter PayPal's Website, type "https:" in the URL instead of "http:" in order to enter on the company's secured server.
If you receive a suspicious email, get out of your browser and go back in before proceeding directly to a company Website.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing

In 2004, a phishing-related scam took place in South America with
respect to three large South American banks. Once an individual
opened the related email, a script was downloaded on their
computer. The script would alter the individual's Web browser so
that if the user entered the URL of one of these three banks, the
browser would redirect them to a counterfeit Website for that bank.
The oblivious user would provide ID and password information,
and was instantly set up for a high-tech robbery of his bank
account.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing

Consumer Reports suggests that if you have any questions about
the legitimacy of a Website, you should try entering the wrong
password. A phishing Website will typically accept an incorrect
password, which cues you that it is a phishing scam.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Example of a Website produced for a phishing scam.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking

Tapping into a telecommunications line and
latching onto a legitimate user before that
user logs into a system.
The legitimate user unknowingly carries the
perpetrator into the system.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking
Round-down technique

Made famous in the movie, Office Space.
The programmer instructs the computer to round interest
calculations down to two decimal places and deposits
the remaining fraction into the account of a programmer
or an accomplice.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Internet misinformation
Internet terrorism
Logic time bombs
Masquerading or impersonation
Packet sniffers
Password cracking
Phishing
Piggybacking
Round-down technique
Salami technique

Involves the theft of tiny slices of money over a
period of time.
The round-down is just a special form of a salami
technique.
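
One control that catches the round-down and salami schemes described above is to recompute each interest posting independently and reconcile the fractions against the ledger. This is an added example, not material from the textbook; the account ids, balances, rates, the X-9999 account and the round-half-even policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample data: (account id, balance, annual rate) for one monthly run.
ACCOUNTS = [
    ("A-1001", Decimal("1523.37"), Decimal("0.0425")),
    ("A-1002", Decimal("98211.90"), Decimal("0.0425")),
    ("A-1003", Decimal("407.15"), Decimal("0.0310")),
    ("A-1004", Decimal("25000.00"), Decimal("0.0475")),
]

# Constructed ledger postings from two interest batches: (account id, credit).
HONEST_BATCH = [
    ("A-1001", Decimal("5.40")), ("A-1002", Decimal("347.83")),
    ("A-1003", Decimal("1.05")), ("A-1004", Decimal("98.96")),
]
TAMPERED_BATCH = [
    ("A-1001", Decimal("5.39")), ("A-1002", Decimal("347.83")),
    ("A-1003", Decimal("1.05")), ("A-1004", Decimal("98.95")),
    ("X-9999", Decimal("0.01")),  # not an interest-bearing account in this run
]


def monthly_interest(balance, annual_rate):
    """Interest for one month at full precision (no rounding yet)."""
    return balance * annual_rate / Decimal(12)


def reconcile(accounts, postings):
    """Independently recompute the batch and compare it with the ledger."""
    exact = {acct: monthly_interest(bal, rate) for acct, bal, rate in accounts}
    short_paid, unexplained = [], []
    credited = Decimal("0")
    for acct, amount in postings:
        if acct not in exact:
            # A credit in the interest batch that no interest calculation explains.
            unexplained.append((acct, amount))
            continue
        credited += amount
        # Assumed policy: interest is rounded half-even to the cent.
        expected = exact[acct].quantize(CENT, rounding=ROUND_HALF_EVEN)
        if amount < expected:
            short_paid.append(acct)
    # Interest owed at full precision minus what customers actually received.
    residue = sum(exact.values()) - credited
    diverted = sum((amt for _, amt in unexplained), Decimal("0"))
    return {
        "short_paid": short_paid,
        "unexplained": unexplained,
        "residue": residue.quantize(Decimal("0.0001"), rounding=ROUND_DOWN),
        # Truncated customer credits plus an unexplained credit that fits inside
        # the truncated remainder is the round-down pattern.
        "round_down_suspected": bool(short_paid) and Decimal("0") < diverted <= residue,
    }


if __name__ == "__main__":
    for name, batch in (("honest", HONEST_BATCH), ("tampered", TAMPERED_BATCH)):
        print(name, reconcile(ACCOUNTS, batch))
```

The check only works if it runs outside the program that posts the interest, which is the independent reconciliation the chapter's prevention section calls for.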


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering

Perpetrators trick employees into giving them information
they need to get into the system.
A perpetrator might call an employee and indicate he is
the systems administrator and needs to get the
employee's password.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Copying software without the publisher's permission.
In the United States, it's estimated that 26% of software in use is
pirated.
Fines for individuals and corporations are stiff, and individuals
convicted of software piracy can serve jail terms of up to 5 years.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Emailing an unsolicited message to multitudes of
people, often in an attempt to sell a product.
Many times the product offers are fraudulent.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming

Spammers use creative means to find valid email addresses:


Scanning the Internet for addresses posted online.
Hacking into company databases and stealing mailing lists.
Staging dictionary (aka direct harvesting) attacks.
These attacks use special software to guess addresses at a
particular company and send blank emails.
Messages not returned are usually valid.
These attacks are very burdensome to corporate email
systems.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming

Companies may use filtering software to
detect dictionary attacks, search mail for
competitive leaks, and block inappropriate
attachments, such as pornography and
illegal MP3 files.
Filtering is not always viable. The director
of internal audit at a major healthcare
company changes email addresses
frequently because of the volume of spam
email in his inbox. When asked why his
company did not filter the spam, he
replied, "Because we're a healthcare
company, we cannot filter out any
references to body parts or prescription
medications."
There is increasing public clamor for laws
to clamp down on spamming. In
December 2004, a federal judge awarded
over $1 billion to a small Midwestern
Internet service provider in an action
against three spammers.
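
The dictionary attacks described above leave a recognizable trail that filtering software can key on: one client probing many unknown recipients in a short window. The following is an added example, not from the textbook; the log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real mail server's format):
#   <UTC timestamp> client=<ip> rcpt=<address> status=<SMTP reply> size=<bytes>
# status 550 = recipient unknown; size is 0 for rejected recipients and blank mail.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> "
    r"status=(?P<status>\d{3}) size=(?P<size>\d+)$"
)

VALID = {"alice", "amy"}  # constructed: the only real mailboxes among the guesses
GUESSES = ["aaron", "abby", "adam", "alice", "allen", "amy", "andrew", "anna"]
SAMPLE_LOG = [
    f"2024-05-01T10:00:{2 * i:02d}Z client=203.0.113.7 rcpt=<{name}@example.com> "
    f"status={250 if name in VALID else 550} size=0"
    for i, name in enumerate(GUESSES)
] + [
    "2024-05-01T10:01:00Z client=198.51.100.20 rcpt=<alice@example.com> status=250 size=18432",
    "2024-05-01T10:03:10Z client=198.51.100.20 rcpt=<alcie@example.com> status=550 size=0",
    "2024-05-01T10:09:45Z client=198.51.100.20 rcpt=<amy@example.com> status=250 size=905",
]


def parse(line):
    """Turn one log line into a dict, or None if it is in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "rcpt": m["rcpt"].lower(),
        "status": int(m["status"]),
        "size": int(m["size"]),
    }


def detect_harvest(lines, window=timedelta(minutes=5), min_unknown=5, min_ratio=0.7):
    """Flag clients that probe many unknown recipients inside one time window."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            rejected = [e for e in burst if e["status"] == 550]
            unknown = {e["rcpt"] for e in rejected}
            if len(unknown) < min_unknown or len(rejected) / len(burst) < min_ratio:
                continue
            if ip in findings and findings[ip]["unknown"] >= len(unknown):
                continue  # keep the largest burst seen for this client
            accepted = [e for e in burst if e["status"] == 250]
            findings[ip] = {
                "unknown": len(unknown),
                "attempts": len(burst),
                # Addresses the sender now knows are valid: expect follow-up spam.
                "confirmed": sorted({e["rcpt"] for e in accepted}),
                "blank": sum(e["size"] == 0 for e in accepted),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_harvest(SAMPLE_LOG).items():
        print(ip, info)
```

The "confirmed" list is the part worth acting on: those mailboxes were validated by the sender and are the ones to watch for follow-up spam or phishing.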


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware

Software that monitors computing habits, such
as Web-surfing habits, and sends the data it
gathers to someone else, typically without the
user's permission.
One type, called adware (for advertising-supported
software) does two things:
Causes banner ads to pop up on your
monitor as you surf the net.
Collects information about your Web-surfing
and spending habits and forwards it to a
company gathering the data, often
an advertising or large media organization.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware

Usually comes bundled with freeware and shareware
downloaded from the Internet.
May be disclosed in the licensing agreement, but users
are unlikely to read it.
Reputable adware companies claim they don't collect
sensitive or identifying data.
But there is no way for users to control or limit the activity.
It is not illegal, but many find it objectionable.
Software has been developed to detect and eliminate spyware,
but it may also impair the downloaded software.
Some is intentionally difficult to uninstall.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers

A keystroke logger records a user's
keystrokes and emails them to or
saves them for the party that planted
the logger.
These are sometimes used by:
Parents to monitor their children's
computer usage.
Businesses to monitor employee
activity.
Fraudsters to capture passwords,
credit card numbers, etc.
A keystroke logger can be a
hardware device attached to a
computer or can be downloaded
on an individual's computer in the
same way that any Trojan horse
might be downloaded.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers

Spyware and keystroke loggers are
very problematic for companies with
employees who telecommute or
contact the company's computer from
remote locations.
Spyware on those computers makes
the company's systems vulnerable.
Individuals are also exposed when
they use wireless networks, such as
those that may be available in coffee
shops.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming

Spyware
Keystroke loggers
Superzapping

Unauthorized use of special system
programs to bypass regular system
controls and perform illegal acts.
The name is derived from an IBM
software utility called Superzap that
was used to restore crashed
systems.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors

Also called back doors.
Programmers create trap doors to
modify programs.
The trap door is a way into the system
that bypasses normal controls.
The trap door should be removed
before the program is implemented.
If it is not, the programmer or others
may later gain unauthorized access to
the system.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse

A set of unauthorized computer
instructions planted in an authorized
and otherwise properly functioning
program.
Allows the creator to control the
victim's computer remotely.
The code does not try to replicate
itself but performs an illegal act at
some specific time or when some
condition arises.
Programs that launch denial of
service attacks are often Trojan
horses.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse
War dialing

Hackers search for an idle modem by
programming their computers to dial
thousands of phone lines.
Hackers enter through the idle modem
and gain access to the connected
network.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:

Social engineering
Software piracy
Spamming
Spyware
Keystroke loggers
Superzapping
Trap doors
Trojan horse
War dialing
War driving

Driving around in cars looking for
unprotected home or corporate
wireless networks.
If the hackers mark the sidewalk of
the susceptible wireless network, the
practice is referred to as warchalking.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus
Many viruses have two phases:
First, when some predefined event occurs, the
virus replicates itself and spreads to other
systems or files.
Another event triggers the attack phase in which
the virus carries out its mission.
A virus may lie dormant or propagate itself
without causing damage for an extended period.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus

Damage may take many forms:
Send email with the victim's name as the alleged
source.
Destroy or alter data or programs.
Take control of the computer.
Destroy or alter file allocation tables.
Delete or rename files or directories.
Reformat the hard drive.
Change file content.
Prevent users from booting.
Intercept and change transmissions.
Print disruptive images or messages on the
screen.
Change screen appearance.
As viruses spread, they take up much space, clog
communications, and hinder system performance.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus

Virus symptoms:
Computer will not start or execute
Performs unexpected read or
write operations
Unable to save files
Long time to load programs
Abnormally large file sizes
Slow systems operation
Unusual screen activity
Error messages


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus

Viruses are contagious and easily spread from
one system to another.
They are usually spread by:
Opening an infected email attachment or file
(most common); or
Running an infected program.
Some viruses can mutate, which makes them
more difficult to detect and destroy.
The emails often appear to come from sources
like Microsoft and seem very convincing.


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus

Virus protections include:
Install reliable virus software that scans for,
identifies, and destroys viruses.
Keep the antivirus program up to date.
Scan incoming email at the server level,
rather than when it hits the desktops.
Certify all software as virus-free before
loading it.
Software from unknown sources may be
virus bait, especially if it seems too good
to be true.
Deal with trusted software retailers.
Use electronic techniques to make tampering
evident.
Check new software on an isolated machine.
Have two backups of all files.
Do not put diskettes or CDs in strange
machines, or let others put unscanned disks
in your machine.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus
Viruses attack computers, but any device that is
part of the communications network is
vulnerable, including:
Cell phones
Smart phones
PDAs


COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus
Worms

A worm is similar to a virus except that:
A worm is a stand-alone program, while a virus is only a
segment of code hidden in a host program or executable file.
A worm will replicate itself automatically, while a virus
requires a human to do something like open a file.
Worms often reproduce by mailing themselves to the recipient's
mailing list.
They are not confined to PCs and have infected cell phones in
Japan.
A worm typically has a short but very destructive life.
It takes little technical knowledge to create worms or viruses;
several Websites provide instructions.
Most exploit known software vulnerabilities that can be corrected
with a software patch, making it important to install all patches as
soon as they are available.

COMPUTER FRAUD AND ABUSE


TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Virus
Worms
The low-tech, do-it-yourself attack

You receive an email from a friend, apologizing profusely that
he/she has previously sent you an email that was infected with a
virus.
The friend's email gives you instructions to look for and remove
the offending virus.
You delete the file from your hard drive. The only problem is that
the file you just deleted was part of your operating system.
Your friend was well-intended and has done the same thing to
his/her computer.
REMEDY: Before even considering following instructions of this
sort, check the list of hoaxes that are available on any virus
protection Website, such as:
www.norton.com
www.mcafee.com


INTRODUCTION
In this chapter we'll discuss:
The fraud process
Why fraud occurs
Approaches to computer fraud
Specific techniques used to commit computer
fraud
Ways companies can deter and detect
computer fraud


PREVENTING AND DETECTING


COMPUTER FRAUD
Organizations must take every precaution to
protect their information systems.
Certain measures can significantly decrease the
potential for fraud and any resulting losses.
These measures include:

Make fraud less likely to occur


Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses


PREVENTING AND DETECTING


COMPUTER FRAUD
Make fraud less likely to occur
Create a culture that stresses integrity and
commitment to ethical values and competence.
Adopt an organizational structure, management
philosophy, operating style, and appetite for risk that
minimizes the likelihood of fraud.
Require oversight from an active, involved, and
independent audit committee.
Assign authority and responsibility for business
objectives to specific departments and individuals,
encourage initiative in solving problems, and hold
them accountable for achieving those objectives.

PREVENTING AND DETECTING


COMPUTER FRAUD
Identify the events that lead to increased fraud risk,
and take steps to prevent, avoid, share, or accept that
risk.
Develop a comprehensive set of security policies to
guide the design and implementation of specific
control procedures, and communicate them
effectively to company employees.
Implement human resource policies for hiring,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
required level of ethical behavior and integrity.
Effectively supervise employees, including monitoring
their performance and correcting their errors.


PREVENTING AND DETECTING


COMPUTER FRAUD
Train employees in integrity and ethical
considerations, as well as security and fraud
prevention measures.
Require annual employee vacations, periodically
rotate duties of key employees, and require signed
confidentiality agreements.
Implement formal and rigorous project development
and acquisition controls, as well as change
management controls.
Increase the penalty for committing fraud by
prosecuting fraud perpetrators more vigorously.


PREVENTING AND DETECTING


COMPUTER FRAUD
Increase the difficulty of committing
fraud
Develop a strong system of internal controls
Segregate the accounting functions of:
Authorization
Recording
Custody

Implement a program segregation of duties
between systems functions
Restrict physical and remote access to
system resources to authorized personnel

PREVENTING AND DETECTING


COMPUTER FRAUD
Require transactions and activities to be authorized
by appropriate supervisory personnel. Have the
system authenticate the person and their right to
perform the transaction before allowing the
transaction to take place.
Use properly designed documents and records to
capture and process transactions.
Safeguard all assets, records, and data.
Require independent checks on performance, such
as reconciliation of two independent sets of records,
where possible and appropriate.


PREVENTING AND DETECTING


COMPUTER FRAUD
Implement computer-based controls over data input,
computer processing, data storage, data
transmission, and information output.
Encrypt stored and transmitted data and programs to
protect them from unauthorized access and use.
Fix known software vulnerabilities by installing the
latest updates to operating systems, security, and
applications programs.


PREVENTING AND DETECTING


COMPUTER FRAUD
Improve detection methods
Create an audit trail so individual transactions
can be traced through the system to the
financial statements and vice versa.
Conduct periodic external and internal audits,
as well as special network security audits.
Install fraud detection software.
Implement a fraud hotline.


PREVENTING AND DETECTING


COMPUTER FRAUD
Employ a computer security officer, as well as
computer consultants and forensic specialists
as needed.
Monitor system activities, including computer
and network security efforts, usage and error
logs, and all malicious actions.
Use intrusion detection systems to help
automate the monitoring process.


PREVENTING AND DETECTING


COMPUTER FRAUD
Reduce fraud losses
Maintain adequate insurance.
Develop comprehensive fraud contingency,
disaster recovery, and business continuity
plans.
Store backup copies of program and data files
in a secure, off-site location.
Use software to monitor system activity and
recover from fraud.

SUMMARY
In this chapter, you've learned what fraud
is, who commits fraud, and how it's
perpetrated.
You've learned about the many variations
of computer fraud, and you've learned
about techniques to reduce an
organization's vulnerability to these types
of fraud.
