schauen in my castle: 11/17/11

CHAPTER 5

• Computer Fraud and Security

• INTRODUCTION

• Questions to be addressed in this chapter:

– What is fraud, and how are frauds perpetrated?

– Who perpetrates fraud and why?

– What is computer fraud, and what forms does it take?

– What approaches and techniques are used to commit computer fraud?

• INTRODUCTION

• Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.

– Companies also face a growing risk of these systems being compromised.

– Recent surveys indicate 67% of companies suffered a security breach in the last year with almost 60% reporting financial losses.

• INTRODUCTION

• Companies face four types of threats to their information systems:

– Natural and political disasters

• INTRODUCTION

• Companies face four types of threats to their information systems:

– Natural and political disasters

– Software errors and equipment malfunction

• INTRODUCTION

• Companies face four types of threats to their information systems:

– Natural and political disasters

– Software errors and equipment malfunction

– Unintentional acts

• INTRODUCTION

• Companies face four types of threats to their information systems:

– Natural and political disasters

– Software errors and equipment malfunction

– Unintentional acts

– Intentional acts (computer crime)

• INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer fraud

– Ways companies can deter and detect computer fraud

• INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer fraud

– Ways companies can deter and detect computer fraud

• THE FRAUD PROCESS

• Fraud is any and all means a person uses to gain an unfair advantage over another person.

• In most cases, to be considered fraudulent, an act must involve:

– A false statement (oral or in writing)

– About a material fact

– Knowledge that the statement was false when it was uttered (which implies an intent to deceive)

– A victim relies on the statement

– And suffers injury or loss as a result

• THE FRAUD PROCESS

• Since fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:

– The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the U.S. run around 6% of annual revenues or approximately $660 billion in 2004.

• More than we spend on education and roads in a year.

• 6 times what we pay for the criminal justice system.

– Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year.

– Fraud in the healthcare industry is estimated to exceed $100 billion a year.

• THE FRAUD PROCESS

• Fraud against companies may be committed by an employee or an external party.

– Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.

• Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks.

– Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

• THE FRAUD PROCESS

• Fraud perpetrators are often referred to as white-collar criminals.

– Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as:

• Perpetrators or their victims committing suicide.

• Healthcare patients killed because of alteration of information, etc., that can result in their deaths.

• Types of Frauds

OCCUPATIONAL

• Fraudulent Statements

– Financial

– Non-financial

• Asset Misappropriation

– Theft of Cash

– Fraudulent disbursements

– Inventory and other assets

• Bribery and Corruption

– Bribery

– Illegal gratuities

– Economic extortion

– Conflict of interest

OTHER

• Intellectual property theft

• Financial institution fraud

• Check and credit card fraud

• Insurance fraud

• Healthcare fraud

• Bankruptcy fraud

• Tax fraud

• Securities fraud

• Money laundering

• Consumer fraud

• Computer and Internet fraud

• THE FRAUD PROCESS

• Three types of occupational fraud:

– Misappropriation of assets

• THE FRAUD PROCESS

• Three types of occupational fraud:

– Misappropriation of assets

– Corruption

• THE FRAUD PROCESS

• Three types of occupational fraud:

– Misappropriation of assets

– Corruption

– Fraudulent statements

• THE FRAUD PROCESS

• A typical employee fraud has a number of important elements or characteristics:

– The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.

– Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.

– Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size.

– The fraudsters often grow careless or overconfident over time.

– Fraudsters tend to spend what they steal. Very few save it.

– In time, the sheer magnitude of the frauds may lead to detection.

– The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

• THE FRAUD PROCESS

• The National Commission on Fraudulent Financial Reporting (aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

• Financial statements can be falsified to:

– Deceive investors and creditors

– Cause a company’s stock price to rise

– Meet cash flow needs

– Hide company losses and problems

• THE FRAUD PROCESS

• Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors.

• In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premiere international public accounting firm.

• THE FRAUD PROCESS

• Common approaches to “cooking the books” include:

– Recording fictitious revenues

– Recording revenues prematurely

– Recording expenses in later periods

– Overstating inventories or fixed assets (WorldCom)

– Concealing losses and liabilities

• THE FRAUD PROCESS

• The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

– Establish an organizational environment that contributes to the integrity of the financial reporting process.

– Identify and understand the factors that lead to fraudulent financial reporting.

– Assess the risk of fraudulent financial reporting within the company.

– Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

• THE FRAUD PROCESS

• SAS 99: The Auditor’s Responsibility to Detect Fraud

– In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditor’s responsibility to detect fraud.

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

– Communicate findings

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

– Communicate findings

– Document their audit work

• THE FRAUD PROCESS

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:

– Understand fraud

– Discuss the risks of material fraudulent misstatements

– Obtain information

– Identify, assess, and respond to risks

– Evaluate the results of their audit tests

– Communicate findings

– Document their audit work

– Incorporate a technology focus

• INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer fraud

– Ways companies can deter and detect computer fraud

• WHO COMMITS FRAUD AND WHY

• Researchers have compared the psychological and demographic characteristics of three groups of people:

– White-collar criminals

– Violent criminals

– The general public

• They found:

– Significant differences between violent and white-collar criminals.

– Few differences between white-collar criminals and the general public.

• WHO COMMITS FRAUD AND WHY

• White-collar criminals tend to mirror the general public in:

– Education

– Age

– Religion

– Marriage

– Length of employment

– Psychological makeup

• WHO COMMITS FRAUD AND WHY

• Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.

• Hackers and computer fraud perps tend to be more motivated by:

– Curiosity

– A quest for knowledge

– The desire to learn how things work

– The challenge of beating the system

• WHO COMMITS FRAUD AND WHY

• They may view their actions as a game rather than dishonest behavior.

• Another motivation may be to gain stature in the hacking community.

• Some see themselves as revolutionaries spreading a message of anarchy and freedom.

• But a growing number want to profit financially. To do so, they may sell data to:

– Spammers

– Organized crime

– Other hackers

– The intelligence community

• WHO COMMITS FRAUD AND WHY

• Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers.

• Others are regarded as ideal, hard-working employees in positions of trust.

• Most have no prior criminal record.

• So why are they willing to risk everything?

• WHO COMMITS FRAUD AND WHY

• Criminologist Donald Cressey, interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.

– Pressure

– Opportunity

– Rationalization

• WHO COMMITS FRAUD AND WHY

• Pressure

– Cressey referred to this pressure as a “perceived non-shareable need.”

– The pressure could be related to finances, emotions, lifestyle, or some combination.

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

– Fear of loss of status because of a personal failure

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

– Fear of loss of status because of a personal failure

– Business reversals

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

– Fear of loss of status because of a personal failure

– Business reversals

– Physical isolation

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

– Fear of loss of status because of a personal failure

– Business reversals

– Physical isolation

– Status gaining

• WHO COMMITS FRAUD AND WHY

• The most common pressures were:

– Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes in non-shareable)

– Fear of loss of status because of a personal failure

– Business reversals

– Physical isolation

– Status gaining

– Difficulties in employer-employee relations

• WHO COMMITS FRAUD AND WHY

• What’s important here is the perception of the pressure.

– There might be a number of people who could and would help a tentative fraudster out of his financial woes.

– But as long as he perceives that he cannot share his burden, the pressure is present.

– Research has also found that an individual’s propensity to commit fraud is more related to how much he worries about his financial position than his actual position.

– The millionaire who frets a lot about his financial condition is more likely to commit fraud than the guy who doesn’t have two dimes to rub together but isn’t worried about it.

• WHO COMMITS FRAUD AND WHY

• Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries.

– The company is the direct beneficiary.

– The perpetrators are typically indirect beneficiaries.

• WHO COMMITS FRAUD AND WHY

• In the case of financial statement frauds, common pressures include:

– To prop up earnings or stock price so that management can:

• Receive performance-related compensation.

• Preserve or improve personal wealth held in company stock or stock options.

• Keep their jobs.

– To cover the inability to generate cash flow.

– To obtain financing.

– To appear to comply with bond covenants or other agreements.

– May be opposite of propping up earnings in cases involving income-tax motivations, government contracts, or regulation.

• Click here for a comprehensive list of pressures.

• PRESSURES THAT LEAD TO EMPLOYEE FRAUD

FINANCIAL

• Living beyond means

• High personal debt/expenses

• “Inadequate” salary/income

• Poor credit ratings

• Heavy financial losses

• Bad investments

• Tax avoidance

• Meet unreasonable quotas/goals

• WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows an individual to:

– Commit the fraud

– Conceal the fraud

– Convert the proceeds

• WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows an individual to:

– Commit the fraud

– Conceal the fraud

– Convert the proceeds

• WHO COMMITS FRAUD AND WHY

• Committing the fraud might involve acts such as:

– Misappropriating assets.

– Issuing deceptive financial statements.

– Accepting a bribe in order to make an arrangement that is not in the company’s best interest.

• WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows an individual to:

– Commit the fraud

– Conceal the fraud

– Convert the proceeds

• WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

• WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

– Create a ghost employee who receives an extra paycheck.

• WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

– Create a ghost employee who receives an extra paycheck.

– Lapping.

• WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.

• Examples of concealment efforts:

– Charge a stolen asset to an expense account or to an account receivable that is about to be written off.

– Create a ghost employee who receives an extra paycheck.

– Lapping.

– Kiting.

• WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows an individual to:

– Commit the fraud

– Conceal the fraud

– Convert the proceeds

• WHO COMMITS FRAUD AND WHY

• Unless the target of the theft is cash, then the stolen goods must be converted to cash or some form that is beneficial to the perpetrator.

– Checks can be converted through alterations, forged endorsements, check washing, etc.

– Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.

• WHO COMMITS FRAUD AND WHY

• If the fraud is a financial statement fraud, then the gains received may include:

– I got to keep my job.

– The value of my stock or stock options rose.

– I got a raise, promotion, or bonus.

– I got power.

• WHO COMMITS FRAUD AND WHY

• There are many opportunities that enable fraud. Some of the most common are:

– Lack of internal controls

– Failure to enforce controls (the most prevalent reason)

– Excessive trust in key employees

– Incompetent supervisory personnel

– Inattention to details

– Inadequate staff

• Click here for a comprehensive list of opportunities.

• OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD

• Internal Control Factors

– Failure to enforce/monitor internal controls

– Management not involved in control system

– Management override of controls and guidelines

– Managerial carelessness, inattention to details

– Dominant and unchallenged management

– Ineffective oversight by board of directors

– No effective internal auditing staff

– Infrequent third-party reviews

– Insufficient separation of authorization, custody, and record-keeping duties

– Too much trust in key employees

– Inadequate supervision

– Unclear lines of authority

• OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD

– Lack of proper authorization procedures

– No independent checks on performance

– Inadequate documents and records

– Inadequate system for safeguarding assets

– No physical or logical security system

– No audit trails

– Failure to conduct background checks

– No policy of annual vacations, rotation of duties

• OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD

• Other Factors

– Large, unusual, or complex transactions

– Numerous adjusting entries at year end

– Related-party transactions

– Accounting department understaffed and overworked

– Incompetent personnel

– Rapid turnover of key employees

– Lengthy tenure in a key job

– Unnecessarily complex organizational structure

– No code of conduct, conflict of interest statements, or definitions of unacceptable behavior

– Frequently changing auditors, legal counsel

– Operating on a crisis basis

– Close association with suppliers/customers

• OPPORTUNITIES PERMITTING EMPLOYEE AND FINANCIAL STATEMENT FRAUD

– Assets highly susceptible to misappropriation

– Questionable accounting practices

– Pushing accounting principles to the limit

– Unclear company policies and procedures

– Failing to teach and stress corporate honesty

– Failure to prosecute dishonest employees

– Low employee morale and loyalty

• WHO COMMITS FRAUD AND WHY

• Internal controls that may be lacking or un-enforced include:

– Authorization procedures

– Clear lines of authority

– Adequate supervision

– Adequate documents and records

– A system to safeguard assets

– Independent checks on performance

– Separation of duties

One control feature that many companies lack is a background check on all potential employees.

• WHO COMMITS FRAUD AND WHY

• Management may allow fraud by:

– Not getting involved in the design or enforcement of internal controls;

– Inattention or carelessness;

– Overriding controls; and/or

– Using their power to compel subordinates to carry out the fraud.

• WHO COMMITS FRAUD AND WHY

• How many people do you know who regard themselves as being unprincipled or sleazy?

• It is important to understand that fraudsters do not regard themselves as unprincipled.

– In general, they regard themselves as highly principled individuals.

– That view of themselves is important to them.

– The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations that recast their actions as “morally acceptable” behaviors.

• WHO COMMITS FRAUD AND WHY

• These rationalizations take many forms, including:

– I was just borrowing the money.

– It wasn’t really hurting anyone. (Corporations are often seen as non-persons, therefore crimes against them are not hurting “anyone.”)

– Everybody does it.

– I’ve worked for them for 35 years and been underpaid all that time. I wasn’t stealing; I was only taking what was owed to me.

– I didn’t take it for myself. I needed it to pay my child’s medical bills.

• WHO COMMITS FRAUD AND WHY

• Creators of worms and viruses often use rationalizations like:

– The malicious code helped expose security flaws, so I did a good service.

– It was an accident.

– It was not my fault—just an experiment that went bad.

– It was the user’s fault because they didn’t keep their security up to date.

– If the code didn’t alter or delete any of their files, then what’s the problem?

• WHO COMMITS FRAUD AND WHY

• Fraud occurs when:

– People have perceived, non-shareable pressures;

– The opportunity gateway is left open; and

– They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).

• Fraud is much less likely to occur when

– There is low pressure, low opportunity, and high integrity.

• Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.

• INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer fraud

– Ways companies can deter and detect computer fraud

• APPROACHES TO COMPUTER FRAUD

• The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its:

– Perpetration;

– Investigation; or

– Prosecution.

• APPROACHES TO COMPUTER FRAUD

• Computer fraud includes the following:

– Unauthorized theft, use, access, modification, copying, and destruction of software or data.

– Theft of money by altering computer records.

– Theft of computer time.

– Theft or destruction of computer hardware.

– Use or the conspiracy to use computer resources to commit a felony.

– Intent to illegally obtain information or tangible property through the use of computers.

• APPROACHES TO COMPUTER FRAUD

• In using a computer, fraud perpetrators can steal:

– More of something

– In less time

– With less effort

• They may also leave very little evidence, which can make these crimes more difficult to detect.

• APPROACHES TO COMPUTER FRAUD

• Computer systems are particularly vulnerable to computer crimes for several reasons:

– Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time.

– Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability.

– Computer programs only need to be altered once, and they will operate that way until:

• The system is no longer in use; or

• Someone notices.

• APPROACHES TO COMPUTER FRAUD

– Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.

• It is hard to control physical access to each PC.

• PCs are portable, and if they are stolen, the data and access capabilities go with them.

• PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated.

• PC users tend to be more oblivious to security concerns.

• APPROACHES TO COMPUTER FRAUD

– Computer systems face a number of unique challenges:

• Reliability (accuracy and completeness)

• Equipment failure

• Environmental dependency (power, water damage, fire)

• Vulnerability to electromagnetic interference and interruption

• Eavesdropping

• Misrouting

• APPROACHES TO COMPUTER FRAUD

• Organizations that track computer fraud estimate that most U.S. businesses have been victimized by at least one incident of computer fraud.

• APPROACHES TO COMPUTER FRAUD

• These frauds cost billions of dollars each year, and their frequency is increasing because:

– Not everyone agrees on what constitutes computer fraud.

• Many don’t believe that taking an unlicensed copy of software is computer fraud. (It is and can result in prosecution.)

• Some don’t think it’s a crime to browse through someone else’s computer if their intentions aren’t malicious.

• APPROACHES TO COMPUTER FRAUD

– Many computer frauds go undetected.

– An estimated 80-90% of frauds that are uncovered are not reported because of fear of:

• Adverse publicity

• Copycats

• Loss of customer confidence.

– There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.

• APPROACHES TO COMPUTER FRAUD

– Some folks believe “it can’t happen to us.”

– Many networks have a low level of security.

– Instructions on how to perpetrate computer crimes and abuses are readily available on the Internet.

– Law enforcement is unable to keep up with the growing number of frauds.

– The total dollar value of losses is difficult to calculate.

• APPROACHES TO COMPUTER FRAUD

• Economic espionage, the theft of information and intellectual property, is growing especially fast.

• This growth has led to the need for investigative specialists or cybersleuths.

• APPROACHES TO COMPUTER FRAUD

• Computer Fraud Classification

– Frauds can be categorized according to the data processing model:

• Input

• Processor

• Computer instructions

• Stored data

• Output

• COMPUTER FRAUD CLASSIFICATIONS

• APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills.

• Perpetrator only need to understand how the system operates

– Can take a number of forms, including:

• Disbursement frauds

• APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills.

• Perpetrator only need to understand how the system operates

– Can take a number of forms, including:

• Disbursement frauds

• Inventory frauds

• APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills.

• Perpetrator only need to understand how the system operates

– Can take a number of forms, including:

• Disbursement frauds

• Inventory frauds

• Payroll frauds

• APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills.

• Perpetrator only need to understand how the system operates

– Can take a number of forms, including:

• Disbursement frauds

• Inventory frauds

• Payroll frauds

• Cash receipt frauds

• APPROACHES TO COMPUTER FRAUD

• Input Fraud

– The simplest and most common way to commit a fraud is to alter computer input.

• Requires little computer skills.

• Perpetrator only need to understand how the system operates

– Can take a number of forms, including:

• Disbursement frauds

• Inventory frauds

• Payroll frauds

• Cash receipt frauds

• Fictitious refund fraud

• COMPUTER FRAUD CLASSIFICATIONS

• APPROACHES TO COMPUTER FRAUD

• Processor Fraud

– Involves computer fraud committed through unauthorized system use.

– Includes theft of computer time and services.

– Incidents could involve employees:

• Surfing the Internet;

• Using the company computer to conduct personal business; or

• Using the company computer to conduct a competing business.

• APPROACHES TO COMPUTER FRAUD

• In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server.

• Upon investigating, IT personnel discovered that an individual outside the U.S. had effectively hijacked the college’s server to both store some of his/her research data and process it.

• The college eliminated the individual’s data and blocked future access to the system.

• The individual subsequently contacted college personnel to protest the destruction of the data.

• Demonstrates both:

– How a processor fraud can be committed.

– How oblivious users can sometimes be to the unethical or illegal nature of their activities.

• COMPUTER FRAUD CLASSIFICATIONS

• APPROACHES TO COMPUTER FRAUD

• Computer Instructions Fraud

– Involves tampering with the software that processes company data.

– May include:

• Modifying the software

• Making illegal copies

• Using it in an unauthorized manner

– Also might include developing a software program or module to carry out an unauthorized activity.

• APPROACHES TO COMPUTER FRAUD

• Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users.

• Today these frauds are more frequent--courtesy of web pages that instruct users on how to create viruses and other schemes.

• COMPUTER FRAUD CLASSIFICATIONS

• APPROACHES TO COMPUTER FRAUD

• Data Fraud

– Involves:

• Altering or damaging a company’s data files; or

• Copying, using, or searching the data files without authorization.

– In many cases, disgruntled employees have scrambled, altered, or destroyed data files.

– Theft of data often occurs so that perpetrators can sell the data.

• Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.

• COMPUTER FRAUD CLASSIFICATIONS

• APPROACHES TO COMPUTER FRAUD

• Output Fraud

– Involves stealing or misusing system output.

– Output is usually displayed on a screen or printed on paper.

– Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.

– This output is also subject to prying eyes and unauthorized copying.

– Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.

• INTRODUCTION

• In this chapter we’ll discuss:

– The fraud process

– Why fraud occurs

– Approaches to computer fraud

– Specific techniques used to commit computer fraud

– Ways companies can deter and detect computer fraud