Computer Fraud & Abuse – ACC 444 – Enterprise Process Analysis

Upload: ziqiao-chen
Post on 26-Dec-2015

Page 1: Computer Fraud & Abuse

Computer Fraud & Abuse

ACC 444 – Enterprise Process Analysis

Computer Fraud and Abuse

Page 2: Computer Fraud & Abuse

INTRODUCTION

Information systems are becoming increasingly complex, and society is becoming increasingly dependent on these systems. Companies also face a growing risk of these systems being compromised. Recent surveys indicate that 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.

Page 3: Computer Fraud & Abuse

INTRODUCTION

In this chapter we’ll discuss:
- The fraud process
- Why fraud occurs
- Approaches to computer fraud
- Specific techniques used to commit computer fraud
- Ways companies can deter and detect computer fraud

Page 4: Computer Fraud & Abuse

THE FRAUD PROCESS

Fraud is any and all means a person uses to gain an unfair advantage over another person.

Since fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts. In the 2014 Report to the Nations, the Association of Certified Fraud Examiners (ACFE) estimates that:
- The typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2013 Gross World Product, this figure translates to a potential total fraud loss of more than $3.7 trillion.
- The median loss caused by the occupational fraud cases was $145,000.
- 24% of the frauds involved losses of at least $1 million.

Page 5: Computer Fraud & Abuse

THE FRAUD PROCESS

Fraud against companies may be committed by an employee or an external party.
- Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
  a) Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks.
- Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

Page 6: Computer Fraud & Abuse

THE FRAUD PROCESS

Three types of occupational fraud:
- Misappropriation of assets
- Corruption
- Fraudulent statements

Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.

Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement.

In the 2014 Report to the Nations on Occupational Fraud and Abuse, about 9% of occupational frauds involve fraudulent statements, at a median cost of $1 million. (The median pales in comparison to the maximum cost.)

Page 7: Computer Fraud & Abuse

THE FRAUD PROCESS

Examples of other fraud schemes:
- Money Laundering (concealment of the origins of illegally obtained money, typically by means of transfers involving foreign banks or legitimate businesses)
- Ponzi (an investment scheme that pays unreasonably high returns to the investors from money invested by later investors)
- Kiting (“creating” cash through the transfer of money between banks) – also a common way to hide a theft
- Lapping (stealing cash from customer A and then using customer B's balance to pay customer A's accounts receivable) – also another common way to hide a theft

Besides Kiting & Lapping, theft of cash is typically hidden by charging the stolen item to an expense account.
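Lapping leaves a trace in the cash-receipts ledger: a payment credited to an account other than the customer who actually remitted it, and usually posted late because the clerk has to wait for the next payment to cover the previous hole. The Python below is an added example, not part of the original slides, that runs that check over a constructed set of receipts and links misapplied receipts into the chain a lapping scheme produces; the record fields, dates and amounts are assumptions made for the illustration.

```python
"""Lapping detection over a constructed cash-receipts ledger (added example).

Each Receipt is one customer payment as the cash-receipts clerk recorded it:
  remitter - the customer named on the check or remittance advice
  credited - the customer account the clerk actually credited
Normally remitter == credited. In a lapping scheme the clerk keeps customer
A's payment, later credits customer B's payment to A to keep A's balance
current, then covers B with C's payment, and so on. The fields and sample
data below are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    remitter: str
    credited: str
    amount_cents: int
    received: date   # date the payment arrived
    posted: date     # date it was applied to a customer account


# Constructed sample: R2 (customer A's second payment) was stolen and never
# posted, so A's balance stays open until B's payment (R3) is applied to it.
RECEIPTS = [
    Receipt("R1", "CustA", "CustA", 100000, date(2015, 1, 5), date(2015, 1, 5)),
    Receipt("R3", "CustB", "CustA", 120000, date(2015, 1, 12), date(2015, 1, 20)),
    Receipt("R4", "CustC", "CustB", 120000, date(2015, 1, 25), date(2015, 2, 3)),
    Receipt("R5", "CustD", "CustD", 50000, date(2015, 1, 26), date(2015, 1, 26)),
]


def misapplied(receipts):
    """Receipts credited to an account other than the remitter's own."""
    return [r for r in receipts if r.remitter != r.credited]


def posting_delay_days(receipt):
    """Days between arrival and posting; lapped receipts are typically held."""
    return (receipt.posted - receipt.received).days


def lapping_chains(receipts):
    """Link misapplied receipts into chains.

    If receipt X was credited to the customer who remitted an earlier
    misapplied receipt Y, X is covering the hole that misapplying Y opened.
    Returns a list of chains, each a list of receipt ids in date order.
    """
    chains = []
    for r in sorted(misapplied(receipts), key=lambda x: x.received):
        for chain in chains:
            if chain[-1].remitter == r.credited:
                chain.append(r)
                break
        else:
            chains.append([r])
    return [[r.receipt_id for r in chain] for chain in chains]


def lapping_report(receipts, max_delay_days=5):
    """Summary a reviewer would act on: misapplied receipts, chains, slow postings."""
    return {
        "misapplied": [r.receipt_id for r in misapplied(receipts)],
        "chains": lapping_chains(receipts),
        "slow_postings": [r.receipt_id for r in receipts
                          if posting_delay_days(r) > max_delay_days],
    }


if __name__ == "__main__":
    for key, value in lapping_report(RECEIPTS).items():
        print(f"{key}: {value}")
```

The remitter-versus-credited comparison only works when the remittance advice or bank lockbox data is captured independently of the clerk who posts receipts, which is the same point the slides make about segregating recording and custody.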

Page 8: Computer Fraud & Abuse

THE FRAUD PROCESS

A typical employee fraud has a number of important elements or characteristics:
- The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
- Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size.
- The fraudsters often grow careless or overconfident over time.
- Fraudsters tend to spend what they steal. Very few save it. In time, the sheer magnitude of the frauds may lead to detection.
- The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

Page 10: Computer Fraud & Abuse

WHO COMMITS FRAUD AND WHY

Researchers have compared the psychological and demographic characteristics of three groups of people:
- White-collar criminals
- Violent criminals
- The general public

They found:
- Significant differences between violent and white-collar criminals.
- Few differences between white-collar criminals and the general public.
- White-collar criminals tend to mirror the general public in: education, age, religion, marriage, length of employment, and psychological makeup.

Page 11: Computer Fraud & Abuse

WHO COMMITS FRAUD AND WHY

Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle:
- Pressure
- Opportunity
- Rationalization

Page 12: Computer Fraud & Abuse

The “Fraud Triangle” (Donald Cressey): Pressure, Opportunity, Rationalization

Page 13: Computer Fraud & Abuse

Red Flags

- High personal debts or great financial losses.
- Expensive lifestyle.
- Extensive gambling or use of alcohol or drugs.
- Heavy investments.
- Significant personal or family problems.
- Rewriting records, under the guise of neatness.
- Refusing to leave custody of records during the day.
- Extensive overtime.
- Skipping vacations.
- Questionable background and references.
- Feeling that pay is not commensurate with responsibilities.
- Strong desire to beat the system.

Page 14: Computer Fraud & Abuse

Red Flags

- Regular borrowing of small amounts from fellow employees.
- Personal checks returned for insufficient funds.
- Collectors and creditors appearing at the place of business.
- Placing unauthorized IOUs in petty cash funds.
- Inclination toward covering up inefficiencies or "plugging" figures.
- Pronounced criticism of others.
- Association with questionable characters.
- Annoyance with reasonable questions; replying to questions with unreasonable answers.
- Unusually large bank balance.
- Bragging about exploits.
- Carrying unusually large amounts of cash.

Page 15: Computer Fraud & Abuse

Practice Exercise (Text 5.2)

A small but growing firm has recently hired you to investigate a potential fraud. The company heard through its hotline that the purchases journal clerk periodically enters fictitious acquisitions. The nonexistent supplier’s address is given as a post office box, which the clerk rents. He forwards notification of the fictitious purchases for recording in the accounts payable ledger. Payment is ultimately mailed to the post office box. He then deposits the check in an account established in the name of the nonexistent supplier.

List 4 red-flag indicators that might point to the existence of fraud in this example.

List two procedures you could follow to uncover this fraud.

Page 16: Computer Fraud & Abuse

Computer Fraud and Abuse: To Be Continued…

Page 18: Computer Fraud & Abuse

COMPUTER FRAUD CLASSIFICATIONS

Frauds can be categorized according to the data processing model:
- Processor Fraud
- Input Fraud
- Output Fraud
- Data Fraud
- Computer Instructions Fraud

Page 19: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Input Fraud
- The simplest and most common way to commit a fraud is to alter computer input.
  a) Requires little computer skill.
  b) The perpetrator only needs to understand how the system operates.
- Can take a number of forms, including:
  a) Disbursement frauds
  b) Inventory frauds
  c) Payroll frauds
  d) Cash receipt frauds
  e) Fictitious refund fraud: the perpetrator files for an undeserved refund, such as a tax refund.
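Disbursement fraud through altered input, such as the fictitious supplier with a rented post office box in the practice exercise earlier in the deck, leaves traces in master data rather than in any single invoice. The Python below is an added example (not from the original slides) of the kind of vendor-master screening a fraud examiner would run: it flags P.O. box addresses, vendors without a tax identifier, vendors whose address or bank account matches an employee, and vendor records created by the employee they resemble. The record layout, the address normalisation and the sample vendors and employees are assumptions made for this illustration.

```python
"""Fictitious-vendor screening over a constructed vendor master file (added example).

Disbursement fraud through altered input, such as a fictitious supplier
paid through a rented post office box, leaves traces in master data: a
P.O. box instead of a street address, an address or bank account shared
with an employee, a vendor set up without a tax identifier, or a record
created by the very employee it matches. Each check below flags one of
those. Vendor and employee records are constructed.
"""
import re
from dataclasses import dataclass

PO_BOX = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str
    bank_account: str
    tax_id: str        # empty when none is on file
    created_by: str    # user id that created the master record


@dataclass(frozen=True)
class Employee:
    user_id: str
    name: str
    address: str
    bank_account: str


def normalize_address(text):
    """Lower-case, drop punctuation and collapse spaces so minor typing
    differences ('St.' vs 'St') still match."""
    return " ".join(text.lower().replace(".", "").replace(",", "").split())


def screen_vendors(vendors, employees):
    """Return {vendor_id: [flags]} for vendors that trip at least one check."""
    by_address = {normalize_address(e.address): e.user_id for e in employees}
    by_bank = {e.bank_account: e.user_id for e in employees}
    findings = {}
    for v in vendors:
        flags, matched = [], set()
        if PO_BOX.search(v.address):
            flags.append("po_box_address")
        if not v.tax_id:
            flags.append("missing_tax_id")
        hit = by_address.get(normalize_address(v.address))
        if hit:
            flags.append(f"address_matches_employee:{hit}")
            matched.add(hit)
        hit = by_bank.get(v.bank_account)
        if hit:
            flags.append(f"bank_matches_employee:{hit}")
            matched.add(hit)
        if v.created_by in matched:   # set up by the employee it resembles
            flags.append("self_created")
        if flags:
            findings[v.vendor_id] = flags
    return findings


# Constructed sample data.
EMPLOYEES = [
    Employee("jdoe", "J. Doe", "12 Elm St, Springfield", "ACCT-111"),
    Employee("clerk7", "P. Clerk", "P.O. Box 4410, Springfield", "ACCT-222"),
]
VENDORS = [
    Vendor("V100", "Acme Supplies", "800 Industrial Way, Springfield", "ACCT-900", "TX-1", "jdoe"),
    Vendor("V101", "Northside Consulting", "P.O. Box 4410, Springfield", "ACCT-222", "", "clerk7"),
    Vendor("V102", "Elm Street Services", "12 Elm St., Springfield", "ACCT-901", "TX-3", "jdoe"),
]

if __name__ == "__main__":
    for vendor_id, flags in screen_vendors(VENDORS, EMPLOYEES).items():
        print(vendor_id, ", ".join(flags))
```

A P.O. box on its own is a weak signal (many legitimate small vendors use one); the combination with a missing tax identifier and a match against employee data is what turns it into something worth investigating, and the `self_created` flag is only available if the system records who created each master record.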

Page 20: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Processor Fraud
- Involves computer fraud committed through unauthorized system use.
- Includes theft of computer time and services.
- Incidents could involve employees:
  a) Surfing the Internet;
  b) Using the company computer to conduct personal business; or
  c) Using the company computer to conduct a competing business.

Page 21: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server.

Upon investigating, IT personnel discovered that an individual outside the U.S. had effectively hijacked the college’s server to both store some of his/her research data and process it.

The college eliminated the individual’s data and blocked future access to the system.

The individual subsequently contacted college personnel to protest the destruction of the data.

Demonstrates both:
- How a processor fraud can be committed.
- How oblivious users can sometimes be to the unethical or illegal nature of their activities.

Page 23: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Computer Instructions Fraud
- Involves tampering with the software that processes company data. May include:
  a) Modifying the software
  b) Making illegal copies
  c) Using it in an unauthorized manner
- Also might include developing a software program or module to carry out an unauthorized activity.

Page 24: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users.

Today these frauds are more frequent, courtesy of web pages that instruct users on how to create viruses and other schemes.

Page 26: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Data Fraud
- Involves:
  a) Altering or damaging a company’s data files; or
  b) Copying, using, or searching the data files without authorization.
- In many cases, disgruntled employees have scrambled, altered, or destroyed data files.
- Theft of data often occurs so that perpetrators can sell the data.
  a) Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.

Page 28: Computer Fraud & Abuse

APPROACHES TO COMPUTER FRAUD

Output Fraud
- Involves stealing or misusing system output.
- Output is usually displayed on a screen or printed on paper.
- Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.
- This output is also subject to prying eyes and unauthorized copying.
- Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.
- Remote Desktop Connection and Dumpster Diving are two common methods.

Page 30: Computer Fraud & Abuse

Computer Attacks and Abuse

Hacking
- Unauthorized access, modification, or use of a computer system or other electronic device

Social Engineering
- Techniques, usually psychological tricks, to gain access to sensitive data or information
- Used to gain access to secure systems or locations

Malware
- Any software which can be used to do harm
- Example: Exploit - a set of instructions for taking advantage of a flaw in a program

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

Page 31: Computer Fraud & Abuse

Types of Computer Attacks

Botnet—Robot Network
- Network of hijacked computers
- Hijacked computers carry out processes without users’ knowledge
- Zombie—hijacked computer

Denial-of-Service (DoS) Attack
- Constant stream of requests made to a Web server (usually via a Botnet) that overwhelms and shuts down service

Spoofing
- Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information

Page 32: Computer Fraud & Abuse

Types of Spoofing

- E-mail: E-mail sender appears as if it comes from a different source
- Caller-ID: Incorrect number is displayed
- IP address: Forged IP address to conceal identity of sender of data over the Internet or to impersonate another computer system
- Address Resolution Protocol (ARP): Allows a computer on a LAN to intercept traffic meant for any other computer on the LAN
- SMS: Incorrect number or name appears, similar to caller-ID but for text messaging
- Web page: Phishing
- DNS: Intercepting a request for a Web service and sending the request to a false service
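For the e-mail case in the list above, the forged part is the visible From header; the envelope sender (Return-Path), any Reply-To, and a display name written to look like an address usually fail to agree with it. The Python below is an added example, not from the original slides, of the sender-consistency checks a mail filter or incident responder applies to a raw message. It is a simplified version of the alignment idea behind DMARC, assumes the receiving gateway has already recorded Return-Path, and does not replace SPF, DKIM or DMARC validation; both sample messages are constructed.

```python
"""Heuristic sender checks for the e-mail spoofing case (added example).

An e-mail spoof makes the visible From header look like a trusted source.
The envelope sender (Return-Path), any Reply-To and the display name often
do not agree with it. These checks flag those disagreements. They are a
simplified version of the alignment idea behind DMARC and assume the mail
gateway has already added Return-Path; they do not replace SPF/DKIM/DMARC.
Both sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr


def org_domain(address):
    """Registrable domain of an address, approximated as its last two labels
    (a simplification: production code would use the public suffix list)."""
    domain = address.rpartition("@")[2].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def sender_findings(raw_message):
    """Return the list of mismatches found in the message's sender headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_org = org_domain(from_addr)
    findings = []
    if return_path and org_domain(return_path) != from_org:
        findings.append("return_path_mismatch")       # envelope vs header From
    if reply_to and org_domain(reply_to) != from_org:
        findings.append("reply_to_mismatch")          # replies go elsewhere
    if "@" in display_name and org_domain(display_name) != from_org:
        findings.append("display_name_lookalike")     # name mimics another address
    return findings


# Constructed sample messages (headers only matter for these checks).
SPOOFED = """\
From: "payments@bank.example" <alerts@bank-example.com>
Return-Path: <bounce@mailer.evil-example.net>
Reply-To: <verify@evil-example.net>
To: user@corp.example
Subject: Verify your account

Please confirm your account details.
"""

LEGITIMATE = """\
From: Alerts <alerts@bank.example>
Return-Path: <bounces@mail.bank.example>
To: user@corp.example
Subject: Statement available

Your statement is ready.
"""

if __name__ == "__main__":
    print("spoofed:", sender_findings(SPOOFED))
    print("legitimate:", sender_findings(LEGITIMATE))
```

The legitimate message passes even though its bounce address is on a subdomain, because the comparison is on the registrable domain rather than the full host; that is the same relaxed-alignment choice DMARC offers, and tightening it to an exact match is a one-line change if a deployment wants strict alignment.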

Page 33: Computer Fraud & Abuse

Hacking Attacks

- Buffer Overflow: Data is sent that exceeds the capacity of the receiving buffer, causing program instructions to be lost and replaced with attacker instructions.
- Man-in-the-Middle: Hacker places themselves between client and host.

Page 34: Computer Fraud & Abuse

Additional Hacking Attacks

- Password Cracking: Penetrating system security to steal passwords
- War Dialing: Computer automatically dials phone numbers looking for modems.
- Phreaking: Attacks on phone systems to obtain free phone service.
- Data Diddling: Making changes to data before, during, or after it is entered into a system.
- Data Leakage: Unauthorized copying of company data.

Page 35: Computer Fraud & Abuse

Hacking Embezzlement Schemes

- Salami Technique: Taking small amounts from many different accounts.
- Economic Espionage: Theft of information, trade secrets, and intellectual property.
- Cyber-Bullying: Using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
- Internet Terrorism: Act of disrupting electronic commerce and harming computers and communications.
- Internet Misinformation: Using the Internet to spread false or misleading information.
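The salami technique above works because each individual debit is too small for the account holder or a per-account review to notice; the pattern only appears when transfers are grouped by where the money ends up. The Python below is an added example (not from the original slides) of that grouping run over a constructed transfer log: it reports destinations that receive amounts under a threshold from many different source accounts. Amounts are kept in cents to avoid floating-point rounding, and the thresholds and sample data are assumptions.

```python
"""Salami-technique detection over a constructed transfer log (added example).

The salami technique takes amounts too small to be noticed from many
accounts and accumulates them in one place. Per-account review never sees
it; grouping by destination does. Amounts are in cents to avoid floating
point rounding; thresholds and the sample log are assumptions.
"""
from collections import defaultdict

# Constructed log: (source_account, destination_account, amount_cents)
TRANSFERS = [
    ("ACC-001", "ACC-999", 3), ("ACC-002", "ACC-999", 2), ("ACC-003", "ACC-999", 4),
    ("ACC-004", "ACC-999", 1), ("ACC-005", "ACC-999", 3), ("ACC-006", "ACC-999", 2),
    ("ACC-001", "ACC-777", 25000), ("ACC-002", "ACC-777", 5),
    ("ACC-010", "ACC-555", 2),
]


def salami_candidates(transfers, max_cents=10, min_sources=5):
    """Destinations receiving tiny amounts from at least min_sources accounts.

    Returns {destination: {"count", "sources", "total_cents"}}; the total
    shows how much the small slices add up to once they are aggregated.
    """
    small_by_dest = defaultdict(list)
    for src, dst, cents in transfers:
        if 0 < cents <= max_cents:
            small_by_dest[dst].append((src, cents))
    candidates = {}
    for dst, items in small_by_dest.items():
        sources = {src for src, _ in items}
        if len(sources) >= min_sources:
            candidates[dst] = {
                "count": len(items),
                "sources": len(sources),
                "total_cents": sum(cents for _, cents in items),
            }
    return candidates


if __name__ == "__main__":
    for dst, stats in salami_candidates(TRANSFERS).items():
        print(dst, stats)
```

A destination that receives one small transfer (ACC-777 and ACC-555 in the sample) is not reported, because a single tiny amount is ordinary; the number of distinct sources is the discriminating feature, so `min_sources` is the parameter to tune against the institution's normal transfer patterns.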

Page 36: Computer Fraud & Abuse

Hacking for Fraud

- Internet Auction: Using an Internet auction site to defraud another person
  a) Unfairly drive up bidding
  b) Seller delivers inferior merchandise or fails to deliver at all
  c) Buyer fails to make payment
- Internet Pump-and-Dump: Using the Internet to pump up the price of a stock and then selling it

Page 37: Computer Fraud & Abuse

Social Engineering Techniques

- Identity Theft: Assuming someone else’s identity
- Pretexting: Inventing a scenario that will lull someone into divulging sensitive information
- Posing: Using a fake business to acquire sensitive information
- Phishing: Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames
- Pharming: Redirecting Web site traffic to a spoofed Web site.
- Piggybacking: Clandestine use of someone’s Wi-Fi network.
- Typosquatting: Typographical errors when entering a Web site name cause an invalid site to be accessed
- Tabnapping: Changing an already open browser tab
- Scavenging: Looking for sensitive information in items thrown away
- Shoulder Surfing: Snooping over someone’s shoulder for sensitive information
- Evil Twin: A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.

Page 38: Computer Fraud & Abuse

More Social Engineering

- Lebanese Looping: Capturing ATM PIN and card numbers
- Skimming: Double-swiping a credit card
- Chipping: Planting a device to read credit card information in a credit card reader
- Eavesdropping: Listening to private communications

Page 39: Computer Fraud & Abuse

Type of Malware

- Spyware: Secretly monitors and collects personal information about users and sends it to someone else
- Adware:
  a) Pops banner ads on a monitor, collects information about the user’s Web-surfing and spending habits, and forwards it to the adware creator
- Key logging: Records computer activity, such as a user’s keystrokes, e-mails sent and received, Web sites visited, and chat session participation
- Trojan Horse: Malicious computer instructions in an authorized and otherwise properly functioning program
- Time bombs/logic bombs:
  a) Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur

Page 40: Computer Fraud & Abuse

More Malware

- Trap Door/Back Door: A way into a system that bypasses normal authorization and authentication controls
- Packet Sniffers: Capture data from information packets as they travel over networks
- Rootkit:
  a) Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information
- Superzapping: Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail
- Spamming: Sending an unsolicited message to many people at the same time.

Page 42: Computer Fraud & Abuse

PREVENTING AND DETECTING COMPUTER FRAUD

Make fraud less likely to occur; for example:
- Require oversight from an active, involved, and independent audit committee.
- Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
- Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees.
- Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
- Effectively supervise employees, including monitoring their performance and correcting their errors.
- Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
- Require annual employee vacations, periodically rotate duties of key employees, and require signed confidentiality agreements.

Page 43: Computer Fraud & Abuse

PREVENTING AND DETECTING COMPUTER FRAUD

Increase the difficulty of committing fraud; for example:
- Segregate the accounting & system functions of authorization, recording, and custody.
- Restrict access to assets, records, data, and system resources to authorized personnel.
- Have the system authenticate the person and their right to perform the transaction before allowing the transaction to take place.
- Require transactions and activities to be authorized by appropriate supervisory personnel.
- Use properly designed documents and records to capture and process transactions.
- Require independent checks on performance, such as reconciliation of two independent sets of records, where possible and appropriate.
- Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
- Fix known software vulnerabilities by installing the latest updates to operating systems, security, and applications programs.
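Three of the controls above (segregating authorization from recording, having the system check a person's right to perform a transaction, and requiring supervisory authorization) come together in one enforcement point in an application. The Python below is an added example, not from the original slides, of such a check: a role table says which actions a role may take and up to what amount, and the approval path refuses the same user who recorded an entry. Roles, limits, user ids and the transaction fields are assumptions made for this illustration.

```python
"""Authorization with segregation of duties (added example, not from the slides).

Before a transaction goes through, the system checks that the user's role
permits the requested action, that an approver's limit covers the amount,
and that the person approving is not the person who recorded the entry.
Roles, limits and users are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# role -> (actions the role may perform, approval limit in dollars)
ROLES = {
    "ap_clerk":   ({"record"}, 0),
    "supervisor": ({"record", "approve"}, 10_000),
    "controller": ({"approve"}, 250_000),
}


@dataclass
class Transaction:
    txn_id: str
    amount: float
    recorded_by: Optional[str] = None
    approved_by: Optional[str] = None


class AuthorizationError(Exception):
    pass


def authorize(user, role, action, txn):
    """Apply action to txn on behalf of user, or raise AuthorizationError."""
    allowed_actions, limit = ROLES.get(role, (set(), 0))
    if action not in allowed_actions:
        raise AuthorizationError(f"{user} ({role}) may not {action}")
    if action == "record":
        txn.recorded_by = user
    elif action == "approve":
        if txn.recorded_by is None:
            raise AuthorizationError("nothing has been recorded yet")
        if txn.recorded_by == user:            # segregation of duties
            raise AuthorizationError(f"{user} cannot approve an entry they recorded")
        if txn.amount > limit:
            raise AuthorizationError(f"{user} limit {limit} is below {txn.amount}")
        txn.approved_by = user
    return txn


def attempt(user, role, action, txn):
    """Outcome string for one attempt; the place to also write an audit record."""
    try:
        authorize(user, role, action, txn)
        return "ok"
    except AuthorizationError as err:
        return f"denied: {err}"


if __name__ == "__main__":
    t = Transaction("T2", 50_000.0)
    print(attempt("sup1", "supervisor", "record", t))
    print(attempt("sup1", "supervisor", "approve", t))   # own entry
    print(attempt("sup2", "supervisor", "approve", t))   # over limit
    print(attempt("ctrl1", "controller", "approve", t))
```

The segregation check compares user identities rather than roles on purpose: a supervisor who is allowed to both record and approve must still not do both for the same transaction, which is the case a role-only check would miss. The `user` argument is assumed to come from an already-authenticated session; the example does not show the login step itself.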

Page 44: Computer Fraud & Abuse

PREVENTING AND DETECTING COMPUTER FRAUD

Improve detection methods; for example:
- Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa.
- Conduct periodic external and internal audits, as well as special network security audits.
- Install fraud detection software.
- Implement a fraud hotline.
- Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions.
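An audit trail is only as good as its resistance to after-the-fact editing, which is exactly what an insider who controls the system (see superzapping above) would attempt. The Python below is an added example, not from the original slides, of a tamper-evident trail: each entry carries the hash of the entry before it, so a transaction can be followed forward from journal to ledger to statement, and any edit or deletion of an earlier entry breaks verification from that point on. The record fields, user ids and amounts are constructed for the illustration.

```python
"""Tamper-evident audit trail (added example, not from the slides).

Every entry stores the hash of the previous entry together with its own
record, so a transaction can be followed forward through the trail and
any later edit to an earlier entry breaks every hash after it. The record
fields, user ids and amounts are constructed for this illustration.
"""
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []   # dicts: seq, prev, record, hash

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "record": record, "hash": digest})
        return digest

    def verify(self):
        """(True, None) if every link checks out, else (False, first bad seq)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None

    def trace(self, txn_id):
        """Steps one transaction passed through, in order: journal -> ledger -> statement."""
        return [e["record"]["step"] for e in self.entries
                if e["record"].get("txn") == txn_id]


def build_sample_trail():
    """Constructed trail for two transactions."""
    trail = AuditTrail()
    trail.append({"txn": "T1", "step": "journal", "user": "clerk1", "amount": 1200})
    trail.append({"txn": "T1", "step": "ledger", "user": "system", "amount": 1200})
    trail.append({"txn": "T2", "step": "journal", "user": "clerk2", "amount": 80})
    trail.append({"txn": "T1", "step": "statement", "user": "system", "amount": 1200})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify(), "T1 path:", trail.trace("T1"))
    trail.entries[1]["record"]["amount"] = 12      # after-the-fact edit
    print("after edit:", trail.verify())
```

The chain detects edits and deletions inside the trail, but someone who controls the whole store can rewrite every entry and recompute every hash. The head hash therefore has to be anchored somewhere the writer cannot alter (a write-once log, a separate system, or a periodically signed checkpoint) for verification to mean anything against an insider.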

Page 45: Computer Fraud & Abuse

PREVENTING AND DETECTING COMPUTER FRAUD

Reduce fraud losses; for example:
- Maintain adequate insurance.
- Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
- Store backup copies of program and data files in a secure, off-site location.
- Use software to monitor system activity and recover from fraud.