Computer fraud - Dr. M.Shanikat Website

advertisement
Studies in Accounting
Information Systems
Computer Fraud
Dr: Mohammed Shanikat ,
www.mohammedshanikat.synthasite.com
1
Learning Objectives
 Explain the threats faced by modern information systems.
 Define fraud and describe the process one follows to perpetuate a fraud.
 Discuss who perpetrates fraud and why it occurs, including:
 the pressures, opportunities, and rationalizations that are present in most
frauds.
 Define computer fraud and discuss the different computer fraud
classifications.
2
INTRODUCTION
 Information systems are becoming increasingly more complex and
society is becoming increasingly more dependent on these systems.
 Companies also face a growing risk of these systems being
compromised.
 Recent surveys indicate 67% of companies suffered a security
breach in the last year with almost 60% reporting financial losses.
3
Common Threats to AIS
 Natural Disasters and Terrorist Threats
 Software Errors and/or Equipment Malfunction
 Unintentional Acts (Human Error)
 Intentional Acts (Computer Crimes)
5-4
INTRODUCTION
 Companies face four types of threats to their information systems:
 Natural and political disasters
•
•
•
Include:
– Fire or excessive heat
– Floods
– Earthquakes
– High winds
– War and terrorist attack
When a natural or political disaster strikes, many companies can be affected
at the same time.
– Example: Bombing of the World Trade Center in NY.
The Defense Science Board has predicted that attacks on information
systems by foreign countries, espionage agents, and terrorists will soon be
widespread.
5-5
INTRODUCTION
 Companies face four types of threats to their information
systems:
 Software errors and equipment malfunction
• Include:
– Hardware or software failures
– Software errors or bugs
– Operating system crashes
– Power outages and fluctuations
– Undetected data transmission errors
• Estimated annual economic losses due to software bugs = $60
billion.
• 60% of companies studied had significant software errors in
previous year.
5-6
INTRODUCTION
 Companies face four types of threats to their information systems:
 Unintentional acts
•
•
Include
– Accidents caused by:
• Human carelessness
• Failure to follow established procedures
• Poorly trained or supervised personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
– Logic errors
– Systems that do not meet needs or are incapable of performing intended
tasks
Information Systems Security Assn. estimates 65% of security problems are
caused by human error.
5-7
INTRODUCTION
 Companies face four types of threats to their information
systems:
 Intentional acts (computer crime)
• Include:
– Sabotage
– Computer fraud
– Misrepresentation, false use, or unauthorized disclosure of
data
– Misappropriation of assets
– Financial statement fraud
• Information systems are increasingly vulnerable to these
malicious attacks.
5-8
INTRODUCTION
 In this chapter we’ll discuss:
 The fraud process
 Why fraud occurs
 Approaches to computer fraud
 Specific techniques used to commit computer fraud
 Ways companies can deter and detect computer fraud
5-9
THE FRAUD PROCESS
 Fraud is any and all means a person uses to gain an unfair
advantage over another person.
 In most cases, to be considered fraudulent, an act must
involve:
 A false statement (oral or in writing)
 About a material fact
 Knowledge that the statement was false when it was
uttered (which implies an intent to deceive)
 A victim relies on the statement
 And suffers injury or loss as a result
5-10
THE FRAUD PROCESS
 Because fraudsters don’t make journal entries to record their frauds,
we can only estimate the amount of losses caused by fraudulent
acts:
 The Association of Certified Fraud Examiners (ACFE) estimates that
total fraud losses in the United States run around 6% of annual
revenues or approximately $660 billion in 2004.
 More than we spend on education and roads in a year.
 Six times what we pay for the criminal justice system.
 Income tax fraud (the difference between what taxpayers owe
and what they pay to the government) is estimated to be over
$200 billion per year.
 Fraud in the healthcare industry is estimated to exceed $100
billion a year.
5-11
THE FRAUD PROCESS
 Fraud against companies may be committed by an
employee or an external party.
 Former and current employees (called knowledgeable
insiders) are much more likely than non-employees to
perpetrate frauds (and big ones) against companies.
 Largely owing to their understanding of the company’s
systems and its weaknesses, which enables them to
commit the fraud and cover their tracks.
 Organizations must utilize controls to make it difficult for
both insiders and outsiders to steal from the company.
5-12
THE FRAUD PROCESS
 Fraud perpetrators are often referred to as white-collar
criminals.
 Distinguishes them from violent criminals, although some whitecollar crime can ultimately have violent outcomes, such as:
 Perpetrators or their victims committing suicide.
 Healthcare patients killed because of alteration of information,
etc., that can result in their deaths.
5-13
THE FRAUD PROCESS
 Three types of occupational fraud:
 Misappropriation of assets
• Involves theft, embezzlement, or misuse of company assets
for personal gain.
• Examples include billing schemes ‫فواتير وهمية‬, check tampering
‫تجير الشكيات‬, skimming, and theft of inventory.
• In the 2004 Report to the Nation on Occupational Fraud and
Abuse, 92.7% of occupational frauds involved asset
misappropriation at a median cost of $93,000.
5-15
THE FRAUD PROCESS
 Three types of occupational fraud:
 Misappropriation of assets
 Corruption
• Corruption involves the wrongful use of a position, contrary to the
responsibilities of that position, to procure a benefit.
• Examples include kickback schemes and conflict of interest
schemes.
• About 30.1% of occupational frauds include corruption schemes at
a median cost of $250,000.
5-16
THE FRAUD PROCESS
 Three types of occupational fraud:
 Misappropriation of assets
 Corruption
 Fraudulent statements
• Financial statement fraud involves misstating the financial condition of
an entity by intentionally misstating amounts or disclosures in order to
deceive users.
• Financial statements can be misstated as a result of intentional efforts
to deceive or as a result of undetected asset misappropriations that are
so large that they cause misstatement.
• About 7.9% of occupational frauds involve fraudulent statements at a
median cost of $1 million. (The median pales in comparison to the
maximum cost.)
5-17
THE FRAUD PROCESS
 A typical employee fraud has a number of important elements or
characteristics:
 The fraud perpetrator must gain the trust or confidence of the
person or company being defrauded in order to commit and
conceal the fraud.
 Instead of using a gun, knife, or physical force, fraudsters use
weapons of deceit and misinformation.
 Frauds tend to start as the result of a perceived need on the part
of the employee and then escalate from need to greed. Most
fraudsters can’t stop once they get started, and their frauds grow
in size.
 The fraudsters often grow ‫ ينشأ‬careless ‫ عدم مباالة‬or overconfident ‫الثقة‬
‫المفرطة‬over time.
 Fraudsters tend to spend what they steal. Very few save it.
 In time, the sheer magnitude of the frauds may lead to detection.
 The most significant contributing factor in most employee frauds is
the absence of internal controls and/or the failure to enforce
existing controls.
5-18
THE FRAUD PROCESS
 The National Commission on Fraudulent Financial Reporting (aka,
the Treadway Commission) defined fraudulent financial reporting
as intentional or reckless conduct ‫سلوك غير مسؤؤل‬, whether by act or
omission, that results in materially misleading financial statements.
 Financial statements can be falsified to:
 Deceive investors and creditors
 Cause a company’s stock price to rise
 Meet cash flow needs
 Hide company losses and problems
 Fraudulent financial reporting is of great concern to independent
auditors, because undetected frauds lead to half of the lawsuits
against auditors.
 In the case of Enron, a financial statement fraud led to the total
elimination of Arthur Andersen, a premiere international public
accounting firm
5-19
THE FRAUD PROCESS
 Common approaches to “cooking the books” include:
 Recording fictitious revenues
 Recording revenues prematurely
 Recording expenses in later periods
 Overstating inventories or fixed assets (WorldCom)
 Concealing losses and liabilities
5-20
THE FRAUD PROCESS
The Treadway Commission recommended
four actions to reduce the possibility of
fraudulent financial reporting:
 Establish an organizational environment that
contributes to the integrity of the financial
reporting process.
 Identify and understand the factors that lead to
fraudulent financial reporting.
 Assess the risk of fraudulent financial reporting
within the company.
 Design and implement internal controls to
provide reasonable assurance that fraudulent
financial reporting is prevented.
5-21
THE FRAUD PROCESS

SAS 99: The Auditor’s Responsibility to Detect Fraud
 In 1997, SAS-82, Consideration of Fraud in a Financial Statement
Audit, was issued to clarify the auditor’s responsibility to detect
fraud
 A revision to SAS-82, SAS-99, was issued in December 2002. SAS99 requires auditors to:
 Understand fraud
•
•
•
•
Auditors can’t effectively audit something they don’t understand.
SAS-99 also indicated that auditors are not lawyers and “do not make legal
determinations of whether fraud has occurred.”
The external auditor’s interest specifically relates to acts that result in a
material misstatement of the financial statements.
Note that SAS-99 relates to external auditors. Internal auditors will have a
more extensive interest in fraud than just those that impact financial
statements.
5-22
THE FRAUD PROCESS
A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
 Understand fraud
 Discuss the risks of material fraudulent
misstatements
• While planning the audit, members of the audit team should discuss
how and where the company’s financial statements might be
susceptible to fraud.
5-23
THE FRAUD PROCESS
 A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99
requires auditors to:
 Understand fraud
 Discuss the risks of material fraudulent misstatements
 Obtain information
• The audit team must gather evidence about the existence of fraud by:
– Looking for fraud risk factors
– Testing company records
– Asking management, the audit committee, and others if they know
of any past or current fraud or of fraud risks the organization faces.
• Special care needs to be exercised in examining revenue accounts,
since they are particularly popular fraud targets.
5-24
THE FRAUD PROCESS
 A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99
requires auditors to:
 Understand fraud
 Discuss the risks of material fraudulent misstatements
 Obtain information
 Identify, assess, and respond to risks
• Use the gathered information to identify, assess, and respond to
risks.
• Auditors can respond by varying the nature, timing, and extent of
auditing procedures they perform.
• They should also carefully evaluate risks related to management
override of controls.
5-25
THE FRAUD PROCESS
 A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99
requires auditors to:
 Understand fraud
 Discuss the risks of material fraudulent misstatements
 Obtain information
 Identify, assess, and respond to risks
 Evaluate the results of their audit tests
• Auditors must assess the risk of fraud throughout the audit.
• When the audit is complete, they must evaluate whether any
identified misstatements indicate the presence of fraud.
• If so, they should determine the impact on the financial
statements and the audit.
5-26
THE FRAUD PROCESS
 A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99
requires auditors to:
 Understand fraud
 Discuss the risks of material fraudulent misstatements
 Obtain information
 Identify, assess, and respond to risks
 Evaluate the results of their audit tests
 Communicate findings. Auditors communicate their fraud findings
to management, the audit committee, and others==
 Document their audit work. Auditors must document their
compliance with SAS-99 requirements
 Incorporate a technology focus
• SAS-99 recognizes that technology impacts fraud risks and
notes opportunities that auditors have to use technologyoriented tools and techniques to design fraud auditing
procedures.
5-27
Why fraud occurs
WHO COMMITS FRAUD AND WHY
 Researchers have compared the psychological and demographic
characteristics of three groups of people:
 White-collar criminals
 Violent criminals
 The general public

They found:
 Significant differences between violent and white-collar criminals.
 Few differences between white-collar criminals and the general public
 White-collar criminals tend to mirror the general public in:
 Education
 Age
 Religion
 Marriage
 Length of employment
 Psychological makeup
5-28
WHO COMMITS FRAUD AND WHY
 Perpetrators of computer fraud tend to be younger
and possess more computer knowledge,
experience, and skills.
 Hackers and computer fraud perps tend to be
more motivated by:
 Curiosity ‫فضول‬
 A quest for knowledge
 The desire to learn how things work
 The challenge of beating the system
5-29
WHO COMMITS FRAUD AND WHY
 They may view their actions as a game rather than dishonest
behavior.
 Another motivation may be to gain stature in the hacking
community.
 Some see themselves as revolutionaries spreading a message of
anarchy and freedom.
 But a growing number want to profit financially. To do so, they may
sell data to:
 Spammers
 Organized crime
 Other hackers
 The intelligence community
5-30
WHO COMMITS FRAUD AND WHY
 Some fraud perpetrators are disgruntled and unhappy with their jobs
and are seeking revenge against their employers.
 Others are regarded as ideal, hard-working employees in positions of
trust.
 Most have no prior criminal record.
 So why are they willing to risk everything?
 Criminologist Donald Cressey, interviewed 200+ convicted white-collar
criminals in an attempt to determine the common threads in their crimes.
As a result of his research, he determined that three factors were present
in the commission of each crime. These three factors have come to be
known as the fraud triangle.
 Pressure
 Opportunity
 Rationalization
5-31
The “Fraud Triangle”
Donald Cressey
Rationalization
32
Pressures
Pressure
 Cressey referred to this pressure as a “perceived
non-shareable need.”
 The pressure could be related to finances,
emotions, lifestyle, or some combination.
5-33
Pressures
 The most common pressures were:
- Not being able to pay one’s debts, nor admit it to one’s employer,
family, or friends (which makes in non-shareable). May be associated
with vices, such as drugs, gambling, mistresses, etc
- Fear of loss of status because of a personal failure. Example would be
mismanagement of a personal investment or retirement fund
- Business reversals. Not many people can walk away from a failing
business.
- Physical isolation. When an individual is isolated, physically or
psychologically, almost any pressure becomes non-shareable
- Status gaining. Many frauds are motivated by nothing more than a
perceived need to keep up with the Joneses. The problem is that
there is always a richer “Jones” down the street and the pressure
continues to mount, as do the resulting thefts
- Difficulties in employer-employee relations. May create pressure to
get revenge, take the money you feel is rightfully owed to you, etc
5-34
Pressure
 What’s important here is the perception of the pressure.
 There might be a number of people who could and would
help a tentative fraudster out of his financial woes.
 But as long as he perceives that he cannot share his
burden, the pressure is present.
 Research has also found that an individual’s propensity to
commit fraud is more related to how much he worries
about his financial position than his actual position.
 The millionaire who frets a lot about his financial condition is
more likely to commit fraud than the guy who doesn’t have
two dimes to rub together but isn’t worried about it.
5-35
Pressure
 Financial statement fraud is distinct from other types of fraud in that the
individuals who commit the fraud are not the direct beneficiaries.
 The company is the direct beneficiary.
 The perpetrators are typically indirect beneficiaries.
 In the case of financial statement frauds, common pressures include:
 To prop up earnings or stock price so that management can:
 Receive performance-related compensation.
 Preserve or improve personal wealth held in company stock or
stock options.
 Keep their jobs.
 To cover the inability to generate cash flow.
 To obtain financing.
 To appear to comply with bond covenants or other agreements.
 May be opposite of propping up earnings in cases involving incometax motivations, government contracts, or regulation.
5-36
Pressure
• Motivation or incentive to
commit fraud
•Types:
1. Employee
• Financial
• Emotional
• Lifestyle
2. Financial
• Industry conditions
• Management
characteristics
5-38
Fraud Triangle: Opportunity
 Opportunity is the opening or gateway that allows an
individual to:
 Commit the fraud
 Conceal the fraud
 Convert the proceeds
 Committing the fraud might involve acts such as:
 Misappropriating assets.
 Issuing deceptive financial statements.
 Accepting a bribe in order to make an arrangement that is not in
the company’s best interest
5-39
Opportunity
• Condition or situation that
allows a person or
organization to:
1.Commit the fraud
2.Conceal the
fraud
• Lapping
• Kiting
3.Convert the theft
or
misrepresentation
to personal gain
5-40
Opportunity
 Concealing the fraud often takes more time and effort and
leaves more evidence than the actual theft or
misrepresentation.
 Examples of concealment efforts:
 Charge a stolen asset to an expense account or to an
account receivable that is about to be written off.
 Create a ghost employee who receives an extra
paycheck.
5-41
Opportunity
 Examples of concealment efforts:
 Lapping.
Steal a payment from Customer A. Apply Customer B’s payment to
Customer A’s account so Customer A won’t get a late notice. Apply
Customer C’s payment to Customer B’s account, so Customer B won’t
get a late notice, etc.
 Kiting. Creates “cash” by transferring money between banks.
 Requires multiple bank accounts.
 Basic scheme:
 Write a check on the account of Bank A.
 Bank A doesn’t have sufficient funds to cover the check, so write
a check from an account in Bank B to be deposited in Bank A.
 Bank B doesn’t have sufficient funds to cover the check, so write a
check from an account in Bank C to be deposited in Bank B, etc 5-42
Opportunity
 Unless the target of the theft is cash, then the stolen goods
must be converted to cash or some form that is beneficial to
the perpetrator.
 Checks can be converted through alterations, forged
endorsements, check washing, etc.
 Non-cash assets can be sold (online auctions are a favorite forum)
or returned to the company for cash
 If the fraud is a financial statement fraud, then the gains
received may include:
 I have to keep my job.
 The value of my stock or stock options rose.
 I received a raise, promotion, or bonus.
 I have power.
5-43
Opportunity
There are many opportunities that enable
fraud. Some of the most common are:
 Lack of internal controls
 Failure to enforce controls (the most prevalent
reason)
 Excessive trust in key employees
 Incompetent supervisory personnel
 Inattention to details
 Inadequate staff
5-44
Opportunity
 Internal controls that may be lacking or un-enforced include:
 Authorization procedures
 Clear lines of authority
 Adequate supervision
 Adequate documents and records
 A system to safeguard assets
 Independent checks on performance
 Separation of duties

One control feature that many companies lack is a background check on
all potential employees.
 Management may allow fraud by:
 Not getting involved in the design or enforcement of internal controls;
 Inattention or carelessness;
 Overriding controls; and/or
 Using their power to compel subordinates to carry out the fraud
5-49
The Fraud Triangle
Pressure
Opportunity
Rationalization
5-50
Rationalizations
 How many people do you know who regard themselves as
being unprincipled or sleazy (‫?)رخيص‬
 It is important to understand that fraudsters do not regard
themselves as unprincipled.
 In general, they regard themselves as highly principled
individuals.
 That view of themselves is important to them.
 The only way they can commit their frauds and maintain
their self image as principled individuals is to create
rationalizations that recast their actions as “morally
acceptable” behaviors.
5-51
Rationalizations
These rationalizations take many forms,
including:
 I was just borrowing the money.
 It wasn’t really hurting anyone. (Corporations are
often seen as non-persons, therefore crimes
against them are not hurting “anyone.”)
 Everybody does it.
 I’ve worked for them for 35 years and been
underpaid all that time. I wasn’t stealing; I was
only taking what was owed to me.
 I didn’t take it for myself. I needed it to pay my
child’s medical bills.
5-52
Rationalizations
Creators of worms and viruses often use
rationalizations like:
 The malicious code helped expose security flaws,
so I did a good service.
 It was an accident.
 It was not my fault—just an experiment that went
bad.
 It was the user’s fault because they didn’t keep
their security up to date.
 If the code didn’t alter or delete any of their files,
then what’s the problem?
5-53
Rationalizations
justification of illegal
behavior
1. Justification
• I am not
being
dishonest.
2. Attitude
• I don’t need
to be
honest.
3. Lack of personal
integrity
• Theft is
valued
higher than
honesty or
integrity.
5-54
Fraud occuers when:
 Fraud occurs when:
 People have perceived, non-shareable pressures;
 The opportunity gateway is left open; and
 They can rationalize their actions to reduce the moral
impact in their minds (i.e., they have low integrity).
 Fraud is much less likely to occur when:
 There is .
 Unfortunately, there is usually a mixture of these
forces in play, and it can be very difficult to
determine the pressures that may apply to an
individual and the rationalizations he/she may be
able to produce.
5-55
APPROACHES TO COMPUTER FRAUD
 The U.S. Department of Justice defines computer fraud as any
illegal act for which knowledge of computer technology is
essential for its:
 Perpetration;
 Investigation; or
 Prosecution
 Computer fraud includes the following:
 Unauthorized theft, use, access, modification, copying, and
destruction of software or data.
 Theft of money by altering computer records.
 Theft of computer time.
 Theft or destruction of computer hardware.
 Use or the conspiracy to use computer resources to commit a felony.
 Intent to illegally obtain information or tangible property through the
use of computers.
5-56
APPROACHES TO COMPUTER FRAUD
 In using a computer, fraud perpetrators can steal:
 More of something
 In less time
 With less effort
 They may also leave very little evidence, which can make these crimes
more difficult to detect.
 Computer systems are particularly vulnerable to computer crimes for
several reasons:
 Company databases can be huge and access privileges can be
difficult to create and enforce. Consequently, individuals can steal,
destroy, or alter massive amounts of data in very little time.
 Organizations often want employees, customers, suppliers, and others
to have access to their system from inside the organization and
without. This access also creates vulnerability.
 Computer programs only need to be altered once, and they will
operate that way until:
 The system is no longer in use; or
 Someone notices.
5-57
APPROACHES TO COMPUTER FRAUD
 Modern systems are accessed by PCs, which are inherently more
vulnerable to security risks and difficult to control.
 It is hard to control physical access to each PC.
 PCs are portable, and if they are stolen, the data and access
capabilities go with them.
 PCs tend to be located in user departments, where one person
may perform multiple functions that should be segregated.
 PC users tend to be more oblivious to security concerns.
5-58
APPROACHES TO COMPUTER FRAUD
 Computer systems face a number of unique challenges:
 Reliability (accuracy and completeness)
 Equipment failure
 Environmental dependency (power, water damage, fire)
 Vulnerability to electromagnetic interference and interruption
 Eavesdropping
 Misrouting

Organizations that track computer fraud estimate that most U.S.
businesses have been victimized by at least one incident of
computer fraud.
5-59
APPROACHES TO COMPUTER FRAUD
 These frauds cost billions of dollars each year, and their
frequency is increasing because:
 Not everyone agrees on what constitutes computer fraud.
 Many don’t believe that taking an unlicensed copy of software
is computer fraud. (It is and can result in prosecution.)
 Some don’t think it’s a crime to browse through someone else’s
computer if their intentions aren’t malicious.
 Many computer frauds go undetected.
 An estimated 80–90% of frauds that are uncovered are not
reported because of fear of:
 Adverse publicity
 Copycats
 Loss of customer confidence
 There are a growing number of competent computer users, and
they are aided by easier access to remote computers through the
Internet and other data networks.
5-60
APPROACHES TO COMPUTER FRAUD
 Some folks believe “it can’t happen to us.”
 Many networks have a low level of security.
 Instructions on how to perpetrate computer crimes and abuses
are readily available on the Internet.
 Law enforcement is unable to keep up with the growing number
of frauds.
 The total dollar value of losses is difficult to calculate.
5-61
APPROACHES TO COMPUTER FRAUD
 Computer fraud classification
 Frauds can be categorized according to the data processing
model:
 Input
 Processor
 Computer instructions
 Stored data
 Output
5-62
COMPUTER FRAUD CLASSIFICATIONS
Data
Fraud
Input
Fraud
Processor
Fraud
Output
Fraud
Computer
Instructions
Fraud
5-63
APPROACHES TO COMPUTER FRAUD
 Input Fraud
 The simplest and most common way to commit a fraud is to
alter computer input.
 Requires little computer skills.
 Perpetrator only needs to understand how the system
operates
 Can take a number of forms, including:





Disbursement frauds
Inventory frauds
Payroll frauds
Cash receipt frauds
Fictitious refund fraud
5-64
APPROACHES TO COMPUTER FRAUD
 Input Fraud Can take a number of forms, including:
 Disbursement frauds. The perpetrator causes a company to:
1. Pay too much for ordered goods; or
2. Pay for goods never ordered
 Inventory frauds. The perpetrator enters data into the system to
show that stolen inventory has been scrapped
 Payroll frauds. Perpetrators may enter data to:
1.
Increase their salaries
2.
Create a fictitious employee
3.
Retain a terminated employee on the records
 Cash receipt frauds. The perpetrator hides the theft by falsifying
system input. EXAMPLE: Cash of $200 is received. The perpetrator
records a cash receipt of $150 and pockets the $50 difference
 Fictitious refund fraud. The perpetrator files for an undeserved
refund, such as a tax refund
5-65
APPROACHES TO COMPUTER FRAUD
Processor fraud
 Involves computer fraud committed through
unauthorized system use.
 Includes theft of computer time and services.
 Incidents could involve employees:
 Surfing the Internet;
 Using the company computer to conduct personal
business; or
 Using the company computer to conduct a competing
business.
5-66
APPROACHES TO COMPUTER FRAUD
 In one example, an agriculture college at a major state
university was experiencing very sluggish (slow) performance
from its server.
 Upon investigating, IT personnel discovered that an individual
outside the United States had effectively hijacked the college’s
server to both store some of his/her research data and process
it.
 The college eliminated the individual’s data and blocked
future access to the system.
 The individual subsequently contacted college personnel to
protest the destruction of the data.
 Demonstrates both:
 How a processor fraud can be committed.
 How oblivious users can sometimes be to the unethical or
illegal nature of their activities.
67
APPROACHES TO COMPUTER FRAUD
 Computer instructions fraud
 Involves tampering with the software that processes company
data.
 May include:
 Modifying the software
 Making illegal copies
 Using it in an unauthorized manner
 Also might include developing a software program or module to
carry out an unauthorized activity.
 Computer instruction fraud used to be one of the least common
types of frauds because it required specialized knowledge about
computer programming beyond the scope of most users.
 Today these frauds are more frequent—courtesy of Web pages that
instruct users on how to create viruses and other schemes.
68
APPROACHES TO COMPUTER FRAUD
Data fraud
 Involves:
 Altering or damaging a company’s data files; or
 Copying, using, or searching the data files without
authorization.
 In many cases, disgruntled employees have scrambled,
altered, or destroyed data files.
 Theft of data often occurs so that perpetrators can
sell the data.
 Most identity thefts occur when insiders in financial
institutions, credit agencies, etc., steal and sell financial
information about individuals from their employer’s
database.
5-69
APPROACHES TO COMPUTER FRAUD
 Output fraud
 Involves stealing or misusing system output.
 Output is usually displayed on a screen or printed on paper.
 Unless properly safeguarded, screen output can easily be
read from a remote location using inexpensive electronic
gear.
 This output is also subject to prying eyes and unauthorized
copying.
 Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs, such as checks.
70
Download