CHAPTER 5

Computer Fraud and Abuse

© 2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart


INTRODUCTION
• Questions to be addressed in this chapter:
  – What is fraud, and how are frauds perpetrated?
  – Who perpetrates fraud and why?
  – What is computer fraud, and what forms does it take?
  – What approaches and techniques are used to commit computer fraud?


INTRODUCTION
• Information systems are becoming increasingly complex, and society is becoming increasingly dependent on these systems.
  – Companies also face a growing risk of these systems being compromised.
  – Recent surveys indicate 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.

• Companies face four types of threats to their information systems:
  – Natural and political disasters
    • Include:
      – Fire or excessive heat
      – Floods
      – Earthquakes
      – High winds
      – War and terrorist attack
    • When a natural or political disaster strikes, many companies can be affected at the same time.
      – Example: Bombing of the World Trade Center in NY.
    • The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
  – Software errors and equipment malfunction
    • Include:
      – Hardware or software failures
      – Software errors or bugs
      – Operating system crashes
      – Power outages and fluctuations
      – Undetected data transmission errors
    • Estimated annual economic losses due to software bugs = $60 billion.
    • 60% of companies studied had significant software errors in previous year.
  – Unintentional acts
    • Include:
      – Accidents caused by:
        • Human carelessness
        • Failure to follow established procedures
        • Poorly trained or supervised personnel
      – Innocent errors or omissions
      – Lost, destroyed, or misplaced data
      – Logic errors
      – Systems that do not meet needs or are incapable of performing intended tasks
    • Information Systems Security Assn. estimates 65% of security problems are caused by human error.
  – Intentional acts (computer crime)
    • Include:
      – Sabotage
      – Computer fraud
      – Misrepresentation, false use, or unauthorized disclosure of data
      – Misappropriation of assets
      – Financial statement fraud
    • Information systems are increasingly vulnerable to these malicious attacks.

INTRODUCTION
• In this chapter we’ll discuss:
  – The fraud process
  – Why fraud occurs
  – Approaches to computer fraud
  – Specific techniques used to commit computer fraud
  – Ways companies can deter and detect computer fraud


THE FRAUD PROCESS
• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an act must involve:
  – A false statement (oral or in writing)
  – About a material fact
  – Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
  – A victim relies on the statement
  – And suffers injury or loss as a result
• The definition is the same whether it is a criminal or civil fraud case.
  – The only difference is the burden of proof required.
    • Criminal case: beyond a reasonable doubt.
    • Civil case: preponderance of the evidence OR clear and convincing evidence.

• Because fraudsters don’t make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:
  – The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the United States run around 6% of annual revenues or approximately $660 billion in 2004.
    • More than we spend on education and roads in a year.
    • Six times what we pay for the criminal justice system.
  – Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year.
  – Fraud in the healthcare industry is estimated to exceed $100 billion a year.

• Fraud against companies may be committed by an employee or an external party.
  – Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
    • Largely owing to their understanding of the company’s systems and its weaknesses, which enables them to commit the fraud and cover their tracks.
  – Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

• Fraud perpetrators are often referred to as white-collar criminals.
  – Distinguishes them from violent criminals, although some white-collar crime can ultimately have violent outcomes, such as:
    • Perpetrators or their victims committing suicide.
    • Healthcare patients killed because of alteration of information, etc., that can result in their deaths.

• Three types of occupational fraud:
  – Misappropriation of assets
    • Involves theft, embezzlement, or misuse of company assets for personal gain.
    • Examples include billing schemes, check tampering, skimming, and theft of inventory.
    • In the 2004 Report to the Nation on Occupational Fraud and Abuse, 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.
  – Corruption
    • Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
    • Examples include kickback schemes and conflict of interest schemes.
    • About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.
  – Fraudulent statements
    • Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
    • Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement.
    • About 7.9% of occupational frauds involve fraudulent statements at a median cost of $1 million. (The median pales in comparison to the maximum cost.)

• A typical employee fraud has a number of important elements or characteristics:
  – The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
  – Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.
  – Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can’t stop once they get started, and their frauds grow in size.
  – The fraudsters often grow careless or overconfident over time.
  – Fraudsters tend to spend what they steal. Very few save it.
  – In time, the sheer magnitude of the frauds may lead to detection.
  – The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

• The National Commission on Fraudulent Financial Reporting (aka the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
• Financial statements can be falsified to:
  – Deceive investors and creditors
  – Cause a company’s stock price to rise
  – Meet cash flow needs
  – Hide company losses and problems

• Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors.
• In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premier international public accounting firm.

• Common approaches to “cooking the books” include:
  – Recording fictitious revenues
  – Recording revenues prematurely
  – Recording expenses in later periods
  – Overstating inventories or fixed assets (WorldCom)
  – Concealing losses and liabilities

• The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:
  – Establish an organizational environment that contributes to the integrity of the financial reporting process.
  – Identify and understand the factors that lead to fraudulent financial reporting.
  – Assess the risk of fraudulent financial reporting within the company.
  – Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

• SAS 99: The Auditor’s Responsibility to Detect Fraud
  – In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditor’s responsibility to detect fraud.
• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
  – Understand fraud
    • Auditors can’t effectively audit something they don’t understand.
    • SAS-99 also indicated that auditors are not lawyers and “do not make legal determinations of whether fraud has occurred.”
    • The external auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements.
    • Note that SAS-99 relates to external auditors. Internal auditors will have a more extensive interest in fraud than just those that impact financial statements.
  – Discuss the risks of material fraudulent misstatements
    • While planning the audit, members of the audit team should discuss how and where the company’s financial statements might be susceptible to fraud.
  – Obtain information
    • The audit team must gather evidence about the existence of fraud by:
      – Looking for fraud risk factors
      – Testing company records
      – Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
    • Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
  – Identify, assess, and respond to risks
    • Use the gathered information to identify, assess, and respond to risks.
    • Auditors can respond by varying the nature, timing, and extent of auditing procedures they perform.
    • They should also carefully evaluate risks related to management override of controls.
  – Evaluate the results of their audit tests
    • Auditors must assess the risk of fraud throughout the audit.
    • When the audit is complete, they must evaluate whether any identified misstatements indicate the presence of fraud.
    • If so, they should determine the impact on the financial statements and the audit.
  – Communicate findings
    • Auditors communicate their fraud findings to management, the audit committee, and others.
  – Document their audit work
    • Auditors must document their compliance with SAS-99 requirements.
  – Incorporate a technology focus
    • SAS-99 recognizes that technology impacts fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.


WHO COMMITS FRAUD AND WHY
• Researchers have compared the psychological and demographic characteristics of three groups of people:
  – White-collar criminals
  – Violent criminals
  – The general public
• They found:
  – Significant differences between violent and white-collar criminals.
  – Few differences between white-collar criminals and the general public.

• White-collar criminals tend to mirror the general public in:
  – Education
  – Age
  – Religion
  – Marriage
  – Length of employment
  – Psychological makeup

• Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.
• Hackers and computer fraud perps tend to be more motivated by:
  – Curiosity
  – A quest for knowledge
  – The desire to learn how things work
  – The challenge of beating the system

• They may view their actions as a game rather than dishonest behavior.
• Another motivation may be to gain stature in the hacking community.
• Some see themselves as revolutionaries spreading a message of anarchy and freedom.
• But a growing number want to profit financially. To do so, they may sell data to:
  – Spammers
  – Organized crime
  – Other hackers
  – The intelligence community

• Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking revenge against their employers.
• Others are regarded as ideal, hard-working employees in positions of trust.
• Most have no prior criminal record.
• So why are they willing to risk everything?

• Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.
  – Pressure
  – Opportunity
  – Rationalization

[Figure: The “Fraud Triangle” (Donald Cressey)]

WHO COMMITS FRAUD AND WHY
• Pressure
  – Cressey referred to this pressure as a “perceived non-shareable need.”
  – The pressure could be related to finances, emotions, lifestyle, or some combination.


• The most common pressures were:
  – Not being able to pay one’s debts, nor admit it to one’s employer, family, or friends (which makes it non-shareable).
    • May be associated with vices, such as drugs, gambling, mistresses, etc.
  – Fear of loss of status because of a personal failure
    • Example would be mismanagement of a personal investment or retirement fund.
  – Business reversals
    • Not many people can walk away from a failing business.
  – Physical isolation
    • When an individual is isolated, physically or psychologically, almost any pressure becomes non-shareable.
  – Status gaining
    • Many frauds are motivated by nothing more than a perceived need to keep up with the Joneses.
    • The problem is that there is always a richer “Jones” down the street and the pressure continues to mount, as do the resulting thefts.
  – Difficulties in employer-employee relations
    • May create pressure to get revenge, take the money you feel is rightfully owed to you, etc.

• What’s important here is the perception of the pressure.
  – There might be a number of people who could and would help a tentative fraudster out of his financial woes.
  – But as long as he perceives that he cannot share his burden, the pressure is present.
  – Research has also found that an individual’s propensity to commit fraud is more related to how much he worries about his financial position than his actual position.
  – The millionaire who frets a lot about his financial condition is more likely to commit fraud than the guy who doesn’t have two dimes to rub together but isn’t worried about it.

• Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries.
  – The company is the direct beneficiary.
  – The perpetrators are typically indirect beneficiaries.

• In the case of financial statement frauds, common pressures include:
  – To prop up earnings or stock price so that management can:
    • Receive performance-related compensation.
    • Preserve or improve personal wealth held in company stock or stock options.
    • Keep their jobs.
  – To cover the inability to generate cash flow.
  – To obtain financing.
  – To appear to comply with bond covenants or other agreements.
  – May be opposite of propping up earnings in cases involving income-tax motivations, government contracts, or regulation.

• Opportunity is the opening or gateway that allows an individual to:
  – Commit the fraud
  – Conceal the fraud
  – Convert the proceeds

• Committing the fraud might involve acts such as:
  – Misappropriating assets.
  – Issuing deceptive financial statements.
  – Accepting a bribe in order to make an arrangement that is not in the company’s best interest.

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
• Examples of concealment efforts:
  – Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
  – Create a ghost employee who receives an extra paycheck.
  – Lapping.
    • Steal a payment from Customer A.
    • Apply Customer B’s payment to Customer A’s account so Customer A won’t get a late notice.
    • Apply Customer C’s payment to Customer B’s account, so Customer B won’t get a late notice, etc.
  – Kiting.
    • Creates “cash” by transferring money between banks.
    • Requires multiple bank accounts.
    • Basic scheme:
      – Write a check on the account of Bank A.
      – Bank A doesn’t have sufficient funds to cover the check, so write a check from an account in Bank B to be deposited in Bank A.
      – Bank B doesn’t have sufficient funds to cover the check, so write a check from an account in Bank C to be deposited in Bank B, etc.
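
Lapping, as described in the concealment examples above, leaves evidence that an independent reconciliation can surface: the customer named on a remittance is not the customer whose account was credited. The Python sketch below is an added example, not part of the original slides; the record layouts, the function names `reconcile` and `lapping_chains`, and the sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Independent record of what arrived (for example a mailroom or lockbox
# remittance list prepared by someone other than the receivables clerk).
Remittance = namedtuple("Remittance", "receipt_id payer amount")
# What was actually posted to the accounts-receivable ledger.
Posting = namedtuple("Posting", "receipt_id credited amount")

# Constructed sample data following the slide's A/B/C pattern:
# A's payment is never posted, B's payment is credited to A,
# C's payment is credited to B, and D's payment is handled correctly.
REMITTANCES = [
    Remittance("R100", "Customer A", 500.00),
    Remittance("R101", "Customer B", 500.00),
    Remittance("R102", "Customer C", 500.00),
    Remittance("R103", "Customer D", 240.00),
]
POSTINGS = [
    Posting("R101", "Customer A", 500.00),
    Posting("R102", "Customer B", 500.00),
    Posting("R103", "Customer D", 240.00),
]


def reconcile(remittances, postings):
    """Compare the independent remittance list with the ledger postings.

    Returns (unposted, misapplied):
      unposted   - remittances with no ledger posting at all
      misapplied - (remittance, posting) pairs where the credited account
                   or the amount differs from the remittance
    """
    posted = {p.receipt_id: p for p in postings}
    unposted, misapplied = [], []
    for r in remittances:
        p = posted.get(r.receipt_id)
        if p is None:
            unposted.append(r)
        elif p.credited != r.payer or abs(p.amount - r.amount) > 0.005:
            misapplied.append((r, p))
    return unposted, misapplied


def lapping_chains(unposted, misapplied):
    """Link each unposted payment to the misapplied credits that hide it.

    Each chain starts with the customer whose payment went missing and
    ends with the customer whose account is currently left uncovered.
    """
    # covered_by[X] = customer whose payment was credited to X's account.
    # If several payers cover one account, the last one seen is kept.
    covered_by = {
        p.credited: r.payer for r, p in misapplied if p.credited != r.payer
    }
    chains = []
    for r in unposted:
        chain, seen = [r.payer], {r.payer}
        # Follow the cover-up from account to account; 'seen' stops cycles.
        while chain[-1] in covered_by and covered_by[chain[-1]] not in seen:
            nxt = covered_by[chain[-1]]
            chain.append(nxt)
            seen.add(nxt)
        if len(chain) > 1:  # a lone unposted item is an exception, not a chain
            chains.append(chain)
    return chains


if __name__ == "__main__":
    unposted, misapplied = reconcile(REMITTANCES, POSTINGS)
    for r in unposted:
        print(f"UNPOSTED   {r.receipt_id} from {r.payer} ({r.amount:.2f})")
    for r, p in misapplied:
        print(f"MISAPPLIED {r.receipt_id}: paid by {r.payer}, credited to {p.credited}")
    for chain in lapping_chains(unposted, misapplied):
        print("POSSIBLE LAPPING CHAIN:", " <- ".join(chain))
```

The check only works when the remittance list is produced independently of the person who posts to the ledger, which is the separation of duties control the chapter lists among internal controls.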


• Unless the target of the theft is cash, then the stolen goods must be converted to cash or some form that is beneficial to the perpetrator.
  – Checks can be converted through alterations, forged endorsements, check washing, etc.
  – Non-cash assets can be sold (online auctions are a favorite forum) or returned to the company for cash.

• If the fraud is a financial statement fraud, then the gains received may include:
  – I have to keep my job.
  – The value of my stock or stock options rose.
  – I received a raise, promotion, or bonus.
  – I have power.

• There are many opportunities that enable fraud. Some of the most common are:
  – Lack of internal controls
  – Failure to enforce controls (the most prevalent reason)
  – Excessive trust in key employees
  – Incompetent supervisory personnel
  – Inattention to details
  – Inadequate staff

• Internal controls that may be lacking or unenforced include:
  – Authorization procedures
  – Clear lines of authority
  – Adequate supervision
  – Adequate documents and records
  – A system to safeguard assets
  – Independent checks on performance
  – Separation of duties
• One control feature that many companies lack is a background check on all potential employees.

• Management may allow fraud by:
  – Not getting involved in the design or enforcement of internal controls.
  – Inattention or carelessness.
  – Overriding controls, and/or
  – Using their power to compel subordinates to carry out the fraud.


they regard themselves as highly principled individuals.WHO COMMITS FRAUD AND WHY • How many people do you know who regard themselves as being unprincipled or sleazy? • It is important to understand that fraudsters do not regard themselves as unprincipled. 11/e Romney/Steinbart 72 of 175 . – The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations that recast their actions as ―morally acceptable‖ behaviors. – That view of themselves is important to them. – In general. © 2008 Prentice Hall Business Publishing Accounting Information Systems.

– I’ve worked for them for 35 years and been underpaid all that time. including: – I was just borrowing the money. – I didn’t take it for myself. 11/e Romney/Steinbart 73 of 175 . © 2008 Prentice Hall Business Publishing Accounting Information Systems. I was only taking what was owed to me. I needed it to pay my child’s medical bills.WHO COMMITS FRAUD AND WHY • These rationalizations take many forms. (Corporations are often seen as non-persons.‖) – Everybody does it. I wasn’t stealing. – It wasn’t really hurting anyone. therefore crimes against them are not hurting ―anyone.

WHO COMMITS FRAUD AND WHY
• Creators of worms and viruses often use rationalizations like:
– The malicious code helped expose security flaws, so I did a good service.
– It was an accident.
– It was not my fault—just an experiment that went bad.
– It was the user’s fault because they didn’t keep their security up to date.
– If the code didn’t alter or delete any of their files, then what’s the problem?

WHO COMMITS FRAUD AND WHY
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when:
– There is low pressure, low opportunity, and high integrity.
• Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.

INTRODUCTION
• In this chapter we’ll discuss:
– The fraud process
– Why fraud occurs
– Approaches to computer fraud
– Specific techniques used to commit computer fraud
– Ways companies can deter and detect computer fraud

APPROACHES TO COMPUTER FRAUD
• The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its:
– Perpetration,
– Investigation, or
– Prosecution.

APPROACHES TO COMPUTER FRAUD
• Computer fraud includes the following:
– Unauthorized theft, use, access, modification, copying, and destruction of software or data.
– Theft of money by altering computer records.
– Theft of computer time.
– Theft or destruction of computer hardware.
– Use or the conspiracy to use computer resources to commit a felony.
– Intent to illegally obtain information or tangible property through the use of computers.

APPROACHES TO COMPUTER FRAUD
• In using a computer, fraud perpetrators can steal:
– More of something
– In less time
– With less effort
• They may also leave very little evidence, which can make these crimes more difficult to detect.

APPROACHES TO COMPUTER FRAUD
• Computer systems are particularly vulnerable to computer crimes for several reasons:
– Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time.
– Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability.
– Computer programs only need to be altered once, and they will operate that way until:
  • The system is no longer in use, or
  • Someone notices.

APPROACHES TO COMPUTER FRAUD
– Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.
  • It is hard to control physical access to each PC.
  • PCs are portable, and if they are stolen, the data and access capabilities go with them.
  • PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated.
  • PC users tend to be more oblivious to security concerns.

APPROACHES TO COMPUTER FRAUD
– Computer systems face a number of unique challenges:
  • Reliability (accuracy and completeness)
  • Equipment failure
  • Environmental dependency (power, water damage, fire)
  • Vulnerability to electromagnetic interference and interruption
  • Eavesdropping
  • Misrouting

APPROACHES TO COMPUTER FRAUD
• Organizations that track computer fraud estimate that most U.S. businesses have been victimized by at least one incident of computer fraud.

APPROACHES TO COMPUTER FRAUD
• These frauds cost billions of dollars each year, and their frequency is increasing because:
– Not everyone agrees on what constitutes computer fraud.
  • Many don’t believe that taking an unlicensed copy of software is computer fraud. (It is and can result in prosecution.)
  • Some don’t think it’s a crime to browse through someone else’s computer if their intentions aren’t malicious.

APPROACHES TO COMPUTER FRAUD
– Many computer frauds go undetected.
– An estimated 80–90% of frauds that are uncovered are not reported because of fear of:
  • Adverse publicity
  • Copycats
  • Loss of customer confidence
– There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.

APPROACHES TO COMPUTER FRAUD
– Some folks believe “it can’t happen to us.”
– Many networks have a low level of security.
– Instructions on how to perpetrate computer crimes and abuses are readily available on the Internet.
– Law enforcement is unable to keep up with the growing number of frauds.
– The total dollar value of losses is difficult to calculate.

APPROACHES TO COMPUTER FRAUD
• Economic espionage, the theft of information and intellectual property, is growing especially fast.
• This growth has led to the need for investigative specialists or cybersleuths.

APPROACHES TO COMPUTER FRAUD
• Computer fraud classification
– Frauds can be categorized according to the data processing model:
  • Input
  • Processor
  • Computer instructions
  • Stored data
  • Output

[Figure: COMPUTER FRAUD CLASSIFICATIONS: Input Fraud, Processor Fraud, Computer Instructions Fraud, Data Fraud, Output Fraud]


APPROACHES TO COMPUTER FRAUD
• Input Fraud
– The simplest and most common way to commit a fraud is to alter computer input.
  • Requires little computer skills.
  • Perpetrator only needs to understand how the system operates.
– Can take a number of forms, including:
  • Disbursement frauds
    – The perpetrator causes a company to:
      · Pay too much for ordered goods, or
      · Pay for goods never ordered.
  • Inventory frauds
    – The perpetrator enters data into the system to show that stolen inventory has been scrapped.
  • Payroll frauds
    – Perpetrators may enter data to:
      · Increase their salaries.
      · Create a fictitious employee.
      · Retain a terminated employee on the records.
    – In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.
  • Cash receipt frauds
    – The perpetrator hides the theft by falsifying system input.
    – EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.
  • Fictitious refund fraud
    – The perpetrator files for an undeserved refund, such as a tax refund.
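Each input fraud above leaves a mismatch between what was keyed into the system and a record kept by someone else, which is what an independent check on performance looks for. The following is an added example, not material from the textbook: it reconciles payroll, cash receipt, and disbursement entries against independently maintained records. The record layouts, identifiers, and amounts are constructed for illustration.

```python
"""Independent-record checks for input frauds (constructed data, hypothetical layout)."""
from datetime import date
from decimal import Decimal

# Constructed sample records. Each reference source is assumed to be maintained
# by someone other than the person keying the transactions (separation of duties).
HR_MASTER = {  # kept by HR
    "E100": {"terminated": None, "approved_monthly": Decimal("4200.00")},
    "E101": {"terminated": date(2008, 3, 14), "approved_monthly": Decimal("3900.00")},
    "E102": {"terminated": None, "approved_monthly": Decimal("5100.00")},
}
PAYROLL_RUN = [  # (employee id, pay date, gross pay) as entered into payroll
    ("E100", date(2008, 4, 30), Decimal("4200.00")),
    ("E101", date(2008, 4, 30), Decimal("3900.00")),  # left the company in March
    ("E102", date(2008, 4, 30), Decimal("5600.00")),  # above the approved rate
    ("E999", date(2008, 4, 30), Decimal("3000.00")),  # no HR record at all
]
MAILROOM_LOG = {"R-1": Decimal("200.00"), "R-2": Decimal("75.00")}  # listed when mail is opened
CASH_LEDGER = {"R-1": Decimal("150.00"), "R-2": Decimal("75.00")}   # entered by the cashier
PURCHASE_ORDERS = {"PO-7": Decimal("1000.00")}                      # kept by purchasing
INVOICES_PAID = [  # (invoice id, purchase order cited, amount paid)
    ("INV-1", "PO-7", Decimal("1250.00")),
    ("INV-2", "PO-9", Decimal("400.00")),
]


def check_payroll(run, hr_master):
    """Flag payees with no HR record, pay after termination, and pay above the approved rate."""
    findings = []
    for emp_id, pay_date, gross in run:
        record = hr_master.get(emp_id)
        if record is None:
            findings.append((emp_id, "no HR record (possible fictitious employee)"))
            continue
        if record["terminated"] is not None and pay_date > record["terminated"]:
            findings.append((emp_id, "paid after termination date"))
        excess = gross - record["approved_monthly"]
        if excess > 0:
            findings.append((emp_id, f"gross exceeds approved rate by {excess}"))
    return findings


def check_cash_receipts(mailroom_log, ledger):
    """Return {receipt id: shortfall} where less was recorded than was received."""
    shortfalls = {}
    for receipt_id, received in mailroom_log.items():
        recorded = ledger.get(receipt_id, Decimal("0"))  # a missing entry counts as zero
        if recorded < received:
            shortfalls[receipt_id] = received - recorded
    return shortfalls


def check_disbursements(invoices, purchase_orders):
    """Flag payments that cite no known purchase order or exceed the ordered amount."""
    findings = []
    for invoice_id, po_id, paid in invoices:
        ordered = purchase_orders.get(po_id)
        if ordered is None:
            findings.append((invoice_id, "no matching purchase order"))
        elif paid > ordered:
            findings.append((invoice_id, f"overpaid by {paid - ordered}"))
    return findings


if __name__ == "__main__":
    for finding in check_payroll(PAYROLL_RUN, HR_MASTER):
        print("payroll:", finding)
    for receipt_id, amount in check_cash_receipts(MAILROOM_LOG, CASH_LEDGER).items():
        print("cash receipt:", receipt_id, "short by", amount)
    for finding in check_disbursements(INVOICES_PAID, PURCHASE_ORDERS):
        print("disbursement:", finding)
```

The checks are only as good as the independence of the reference records: if the same person can edit both the payroll run and the HR master, the mismatch disappears.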


APPROACHES TO COMPUTER FRAUD
• Processor fraud
– Involves computer fraud committed through unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
  • Surfing the Internet;
  • Using the company computer to conduct personal business; or
  • Using the company computer to conduct a competing business.

APPROACHES TO COMPUTER FRAUD
• In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server.
• Upon investigating, IT personnel discovered that an individual outside the United States had effectively hijacked the college’s server to both store some of his/her research data and process it.
• The college eliminated the individual’s data and blocked future access to the system.
• The individual subsequently contacted college personnel to protest the destruction of the data.
• Demonstrates both:
– How a processor fraud can be committed.
– How oblivious users can sometimes be to the unethical or illegal nature of their activities.


APPROACHES TO COMPUTER FRAUD
• Computer instructions fraud
– Involves tampering with the software that processes company data.
– May include:
  • Modifying the software
  • Making illegal copies
  • Using it in an unauthorized manner
– Also might include developing a software program or module to carry out an unauthorized activity.

APPROACHES TO COMPUTER FRAUD
• Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users.
• Today these frauds are more frequent—courtesy of Web pages that instruct users on how to create viruses and other schemes.


APPROACHES TO COMPUTER FRAUD
• Data fraud
– Involves:
  • Altering or damaging a company’s data files; or
  • Copying, using, or searching the data files without authorization.
– In many cases, disgruntled employees have scrambled, altered, or destroyed data files.
– Theft of data often occurs so that perpetrators can sell the data.
  • Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.


APPROACHES TO COMPUTER FRAUD
• Output fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on paper.
– Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.
– This output is also subject to prying eyes and unauthorized copying.
– Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.


COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit computer fraud and abuse. These include:
• Data diddling
– Changing data before, during, or after it is entered into the system.
– Can involve adding, deleting, or altering key system data.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Data leakage
– Unauthorized copying of company data.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Denial of service attacks
– An attacker overloads and shuts down an Internet service provider’s email system by sending email bombs at a rate of thousands per second—often from randomly generated email addresses.
– May also involve shutting down a Web server by sending a load of requests for the Web pages.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Denial of service attacks
– Carried out as follows:
  • The attacker infects dozens of computers that have broadband Internet access with denial-of-service programs. These infected computers are the zombies.
  • The attacker then activates the denial-of-service programs, and the zombies send pings (emails or requests for data) to the target server.
  • The victim responds to each, not realizing they have fictitious return addresses, and waits for responses that don’t come.
  • While the victim waits, system performance degrades until the system freezes up or crashes.
  • The attacker terminates the program after an hour or two to limit the victim’s ability to trace the source.


COMPUTER FRAUD AND ABUSE TECHNIQUES
• Denial of service attacks
– Experts estimate there are as many as 5,000 denial-of-service attacks weekly in the United States.
– A denial-of-service attack can cause severe economic damage to its victim or even drive them out of business.


COMPUTER FRAUD AND ABUSE TECHNIQUES
• Eavesdropping
– Perpetrators surreptitiously observe private communications or transmission of data.
– Equipment to commit these “electronic wiretaps” is readily available at electronics stores.


COMPUTER FRAUD AND ABUSE TECHNIQUES
• Email threats
– A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.
– Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
  • He had broken into their computer system and obtained personal and banking information about all of the bank’s customers.
  • He would notify the bank’s customers of this breach if he was not paid a specified sum of money.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Email forgery (aka, spoofing)
– Involves sending an email message that appears to have come from someone other than the actual sender.
– Email spoofers may:
  • Claim to be system administrators and ask users to change their passwords to specific values.
  • Pretend to be management and request a copy of some sensitive information.

Others forgery (aka. •  Data leakage Most hackers break into systems using known flaws in operating  Denial of service attacks systems. or access controls. 11/e Romney/Steinbart 115 of 175 . spoofing)  Hacking © 2008 Prentice Hall Business Publishing Accounting Information Systems. •  Emailhave malicious intent and can do significant damage. •  Eavesdropping malevolent and mainly motivated by curiosity Some are not very and a desire to  Email threats overcome a challenge. These include: means of a personal computer and a telecommunications  Data diddling network. applications programs.COMPUTER FRAUD AND ABUSE TECHNIQUES  Perpetrators have devised many methods to commit • Unauthorized access to and use of computer systems—usually by computer fraud and abuse.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Phreaking
– Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data.
– They also steal telephone services and may break into voice mail systems.
– Some hackers gain access to systems through dial-up modem lines.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Hijacking
– Involves gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge.
– The illicit activity is often the perpetuation of spam emails.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Identity theft
– Assuming someone’s identity, typically for economic gain, by illegally obtaining and using confidential information such as the person’s social security number, bank account number, or credit card number.
– Identity thieves benefit financially by:
  • Taking funds out of the victim’s bank account.
  • Taking out mortgages or other loans under the victim’s identity.
  • Taking out credit cards and running up large balances.
– If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Identity theft
– Victims can usually clear their credit, but the effort requires a significant amount of time and expense.
– Identity theft was made a federal offense in 1998, but it is a growing crime industry.
– One U.S. postal inspector, whose job duties involved investigation of identity thefts, was himself a victim. The thief ran up $80,000 in debt under the postal inspector’s identity before the inspector discovered the problem.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Identity theft
– Identity thieves can steal corporate or individual identities by:
  • Shoulder surfing
    – Watching people enter telephone calling card numbers or credit card numbers or listening to communications as they provide this information to sales clerks or others.
  • Scavenging or dumpster diving
    – Searching corporate or personal records by rifling garbage cans, communal trash bins, and city dumps for documents with confidential company information.
    – May also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
  • Redirecting mail
    – Intercepting mail and having it delivered to a location where others can access it.
  • Using Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.

S. – Maintain careful records of banking and financial Phreaking Hijackingaccounts. – Hacking Periodically review your credit report. Justice suggests computer fraud Department ofThese include: the following four           ways to minimize the chances of being victimized by Data diddling theft: identity Data leakage – Do not give out corporate or personal information Denial of unless there is a good reason to trust the person to service attacks Eavesdropping it is given. Identity theft © 2008 Prentice Hall Business Publishing Accounting Information Systems. as well as for what should not be there. and abuse.COMPUTER FRAUD AND ABUSE TECHNIQUES  Perpetrators have devised many methods to commit • The U. 11/e Romney/Steinbart 121 of 175 . whom Email threats financial information regularly for what should – Check be there. spoofing) Email forgery (aka.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Internet misinformation
– Using the Internet to spread false or misleading information about people or companies.
– May involve:
  • Planting inflammatory messages in online chat rooms.
  • Websites with misinformation.
  • Pretending to be someone else online and making inflammatory comments that will be attributed to that person.
  • A “pump-and-dump” occurs when an individual spreads misinformation, often through Internet chat rooms, to cause a run-up in the value of a stock and then sells off his shares of the stock. A number of pump-and-dump cases have been prosecuted by the SEC.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Internet misinformation
– Another common form of Internet misinformation is the spreading of “urban legends”—often by innocently forwarding emails.
  • Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the microwave can cause cancer.
  • Emails with urban legends often attribute their “facts” to credible sources, such as the federal government, the FBI, Stanford University researchers, etc.
  • Before forwarding any emails with negative information about individuals, companies, or their products, it’s a good idea to check the veracity of the information first.
  • There are several Websites that attempt to verify the truth of emails that are circulated. One such Website is www.snopes.com. You can easily locate the email you received on these Websites by searching under a key term in the email, such as “lipstick.”
  • You are likely to find that most emails you were getting ready to forward are either false or only partially true.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Internet terrorism
– Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.
– Viruses and worms are two main forms of Internet terrorism.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Logic time bombs
– A program that lies idle until triggered by some circumstance or a particular time.
– Once triggered, it sabotages the system, destroying programs, data, or both.
– Usually written by disgruntled programmers.
– EXAMPLE: A programmer places a logic bomb in a payroll application that will destroy all the payroll records if the programmer is terminated.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Masquerading or impersonation
– The perpetrator gains access to the system by pretending to be an authorized user.
– The perpetrator must know the legitimate user’s ID and password.
– Once in the system, he enjoys the same privileges as the legitimate user.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Packet sniffers
– Programs that capture data from information packets as they travel over the Internet or company networks.
– Confidential information and access information can be gleaned from the captured data—some of which is later sold.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Password cracking
– An intruder penetrates a system’s defenses, steals the file of valid passwords, decrypts them, and then uses them to gain access to almost any system resources.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Phishing
– Sending out a spoofed email that appears to come from a legitimate company, such as a financial institution. eBay, PayPal, and banks are commonly spoofed.
– The recipient is advised that information or a security check is needed on his account, and advised to click on a link to the company’s website to provide the information.
– The link connects the individual to a Website that is an imitation of the spoofed company’s actual Website. These counterfeit Websites appear very authentic, as do the emails.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Phishing
– One newly graduated college student recently took a job in California and deposited his first paycheck of approximately $5,000 in the bank.
– That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account.
– He followed directions and provided the requested information to set up online banking.
– Two hours later, he was nervous and called the bank—only to find out that his bank account had been cleaned out and closed.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Phishing
• As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the Website instead.
• PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:
– If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.
– If you need to enter PayPal’s Website, type “https:” in the URL instead of “http:” in order to enter on the company’s secured server.
– If you receive a suspicious email, get out of your browser and go back in before proceeding directly to a company Website.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Phishing
• In 2004, a phishing-related scam took place in South America with respect to three large South American banks.
• Once an individual opened the related email, a script was downloaded on their computer.
• The script would alter the individual’s Web browser so that if the user entered the URL of one of these three banks, the browser would redirect them to a counterfeit Website for that bank.
• The oblivious user would provide ID and password information, and was instantly set up for a high-tech robbery of his bank account.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Phishing
• Consumer Reports suggests that if you have any questions about the legitimacy of a Website, you should try entering the wrong password.
• A phishing Website will typically accept an incorrect password—which cues you that it is a phishing scam.

COMPUTER FRAUD AND ABUSE TECHNIQUES
• Example of a Website produced for a phishing scam.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Piggybacking
• Tapping into a telecommunications line and latching onto a legitimate user before that user logs into a system.
• The legitimate user unknowingly carries the perpetrator into the system.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Round-down technique
• The programmer instructs the computer to round interest calculations down to two decimal places and deposits the remaining fraction into the account of a programmer or an accomplice.
• Made famous in the movie, Office Space.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Salami technique
• Involves the theft of tiny slices of money over a period of time.
• The round-down is just a special form of a salami technique.
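An auditor can test for the round-down and salami techniques by recomputing interest independently and comparing it with what was posted, account by account. The following is an added example, not part of the original slides; the balances, the 6% rate, the account IDs, and the half-cent threshold are constructed assumptions.

```python
from decimal import Decimal

# Largest per-account error that honest rounding to whole cents can cause.
HALF_CENT = Decimal("0.005")

# Constructed sample data: month-end balances and the interest the system posted.
ANNUAL_RATE = Decimal("0.06")
BALANCES = {
    "A1": Decimal("1234.56"),
    "A2": Decimal("2500.75"),
    "A3": Decimal("987.65"),
    "A4": Decimal("15432.10"),
    "A5": Decimal("333.33"),
    "A9": Decimal("100.00"),
}
POSTED_INTEREST = {
    "A1": Decimal("6.17"),
    "A2": Decimal("12.50"),
    "A3": Decimal("4.93"),   # fair rounding of 4.93825 would be 4.94
    "A4": Decimal("77.16"),
    "A5": Decimal("1.66"),   # fair rounding of 1.66665 would be 1.67
    "A9": Decimal("0.52"),   # exact interest is only 0.50
}


def exact_monthly_interest(balance, annual_rate):
    """One month of interest at full precision, before any rounding."""
    return balance * annual_rate / Decimal(12)


def reconcile_interest(balances, posted, annual_rate):
    """Compare posted interest with an independent recalculation."""
    overpaid = {}        # accounts credited more than rounding can explain
    shortchanged = []    # accounts credited less than rounding can explain
    never_rounded_up = True
    net = Decimal(0)     # total posted minus total exact
    for acct in sorted(balances):
        exact = exact_monthly_interest(balances[acct], annual_rate)
        diff = posted.get(acct, Decimal(0)) - exact
        net += diff
        if diff > HALF_CENT:
            overpaid[acct] = diff
        else:
            if diff > 0:
                never_rounded_up = False
            if diff < -HALF_CENT:
                shortchanged.append(acct)
    return {
        "overpaid": overpaid,
        "shortchanged": shortchanged,
        "never_rounded_up": never_rounded_up,
        "net": net,
    }


if __name__ == "__main__":
    result = reconcile_interest(BALANCES, POSTED_INTEREST, ANNUAL_RATE)
    for key, value in result.items():
        print(key, value)
```

In the sample the net difference is under a cent, so a control total alone would balance; only the per-account comparison exposes the receiving account.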

COMPUTER FRAUD AND ABUSE TECHNIQUES
Social engineering
• Perpetrators trick employees into giving them information they need to get into the system.
• A perpetrator might call an employee and indicate he is the systems administrator and needs to get the employee’s password.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Software piracy
• Copying software without the publisher’s permission.
• In the United States, it’s estimated that 26% of software in use is pirated.
• Fines for individuals and corporations are stiff, and individuals convicted of software piracy can serve jail terms of up to 5 years.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Spamming
• Emailing an unsolicited message to multitudes of people, often in an attempt to sell a product.
• Many times the product offers are fraudulent.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Spamming
• Spammers use creative means to find valid email addresses:
– Scanning the Internet for addresses posted online.
– Hacking into company databases and stealing mailing lists.
– Staging dictionary (aka direct harvesting) attacks.
  • These attacks use special software to guess addresses at a particular company and send blank emails.
  • Messages not returned are usually valid.
  • These attacks are very burdensome to corporate email systems.

The director of internal audit at a major computer fraud and abuse. • Filtering is not always to commit  Perpetrators have devised many methods viable. he  Spamming replied. In December 2004. and block inappropriate attachments. we cannot filter out any references to body parts or prescription medications.• Companies may use filtering software to detect dictionary attacks. These include: healthcare company changes email addresses  Social engineering frequently because of the volume of spam  Software piracy email in his inbox. search mail for competitive leaks. When asked why his company did not filter the spam. a federal judge awarded over $1 billion to a small Midwestern Internet service provider in an action against three spammers. such TECHNIQUES as pornography and illegal MP3 files. COMPUTER FRAUD AND ABUSE © 2008 Prentice Hall Business Publishing Accounting Information Systems. 11/e Romney/Steinbart 142 of 175 .” • There is increasing public clamor for laws to clamp down on spamming. “Because we’re a healthcare company.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Spyware
• Software that monitors computing habits, such as Web-surfing habits, and sends the data it gathers to someone else, typically without the user’s permission.
– One type, called adware (for advertising-supported software), does two things:
  • Causes banner ads to pop up on your monitor as you surf the net.
  • Collects information about your Web-surfing and spending habits and forwards it to a company gathering the data—often an advertising or large media organization.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Spyware
• Usually comes bundled with freeware and shareware downloaded from the Internet.
• May be disclosed in the licensing agreement, but users are unlikely to read it.
• Reputable adware companies claim they don’t collect sensitive or identifying data.
– But there is no way for users to control or limit the activity.
– It is not illegal, but many find it objectionable.
• Software has been developed to detect and eliminate spyware, but it may also impair the downloaded software.
– Some is intentionally difficult to uninstall.

 Spyware – Fraudsters to capture passwords. These arecommit many methods to sometimes used computer fraud and abuse. © 2008 Prentice Hall Business Publishing Accounting Information Systems. 11/e Romney/Steinbart 145 of 175 . etc. – A keystroke logger can be a hardware device attached to a computer or can be downloaded on an individual’s computer in the same way that any Trojan horse might be downloaded.  Keystroke loggers credit card numbers. These include: by: – Parents to monitor their children’s  Social engineering computer usage.  Software piracy – Businesses to monitor employee  Spamming activity.COMPUTER FRAUD AND ABUSE • A keystroke user’s TECHNIQUESlogger records ato or keystrokes and emails them saves them for the party that planted  Perpetrators have devisedthe logger.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Keystroke loggers
• Spyware and keystroke loggers are very problematic for companies with employees who telecommute or contact the company’s computer from remote locations.
• Spyware on those computers makes the company’s systems vulnerable.
• Individuals are also exposed when they use wireless networks, such as those that may be available in coffee shops.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Superzapping
• Unauthorized use of special system programs to bypass regular system controls and perform illegal acts.
• The name is derived from an IBM software utility called Superzap that was used to restore crashed systems.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Trap doors
• Also called back doors.
• Programmers create trap doors to modify programs.
• The trap door is a way into the system that bypasses normal controls.
• The trap door should be removed before the program is implemented.
• If it is not, the programmer or others may later gain unauthorized access to the system.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Trojan horse
• A set of unauthorized computer instructions planted in an authorized and otherwise properly functioning program.
• Allows the creator to control the victim’s computer remotely.
• The code does not try to replicate itself but performs an illegal act at some specific time or when some condition arises.
• Programs that launch denial of service attacks are often Trojan horses.

COMPUTER FRAUD AND ABUSE TECHNIQUES
War dialing
• Hackers search for an idle modem by programming their computers to dial thousands of phone lines.
• Hackers enter through the idle modem and gain access to the connected network.

COMPUTER FRAUD AND ABUSE TECHNIQUES
War driving
• Driving around in cars looking for unprotected home or corporate wireless networks.
• If the hackers mark the sidewalk of the susceptible wireless network, the practice is referred to as warchalking.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Many viruses have two phases:
– First, when some predefined event occurs, the virus replicates itself and spreads to other systems or files.
– Another event triggers the attack phase in which the virus carries out its mission.
– A virus may lie dormant or propagate itself without causing damage for an extended period.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Damage may take many forms:
– Send email with the victim’s name as the alleged source.
– Destroy or alter data or programs.
– Take control of the computer.
– Destroy or alter file allocation tables.
– Delete or rename files or directories.
– Reformat the hard drive.
– Change file content.
– Prevent users from booting.
– Intercept and change transmissions.
– Print disruptive images or messages on the screen.
– Change screen appearance.
• As viruses spread, they take up much space, clog communications, and hinder system performance.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Virus symptoms:
– Computer will not start or execute
– Performs unexpected read or write operations
– Unable to save files
– Long time to load programs
– Abnormally large file sizes
– Slow systems operation
– Unusual screen activity
– Error messages

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Viruses are contagious and easily spread from one system to another.
• They are usually spread by:
– Opening an infected email attachment or file (most common), or
– Running an infected program.
• The emails often appear to come from sources like Microsoft and seem very convincing.
• Some viruses can mutate, which makes them more difficult to detect and destroy.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Virus protections include:
– Install reliable virus software that scans for, identifies, and destroys viruses.
– Keep the antivirus program up to date.
– Scan incoming email at the server level, rather than when it hits the desktops.
– Certify all software as virus-free before loading it.
– Deal with trusted software retailers.
  • Software from unknown sources may be virus bait, especially if it seems too good to be true.
– Use electronic techniques to make tampering evident.
– Check new software on an isolated machine.
– Have two backups of all files.
– Do not put diskettes or CDs in strange machines, or let others put unscanned disks in your machine.

COMPUTER FRAUD AND ABUSE TECHNIQUES
Virus
• Viruses attack computers, but any device that is part of the communications network is vulnerable, including:
– Cell phones
– Smart phones
– PDAs

COMPUTER FRAUD AND ABUSE TECHNIQUES
Worms
• A worm is similar to a virus except that:
– A worm is a stand-alone program, while a virus is only a segment of code hidden in a host program or executable file.
– A worm will replicate itself automatically, while a virus requires a human to do something like open a file.
• Worms often reproduce by mailing themselves to the recipient’s mailing list.
• They are not confined to PCs and have infected cell phones in Japan.
• A worm typically has a short but very destructive life.
• It takes little technical knowledge to create worms or viruses; several Websites provide instructions.
• Most exploit known software vulnerabilities that can be corrected with a software patch, making it important to install all patches as soon as they are available.

COMPUTER FRAUD AND ABUSE TECHNIQUES
The low-tech, do-it-yourself attack
• You receive an email from a friend, apologizing profusely that he/she has previously sent you an email that was infected with a virus.
• The friend’s email gives you instructions to look for and remove the offending virus.
• You delete the file from your hard drive.
• The only problem is that the file you just deleted was part of your operating system.
• Your friend was well-intended and has done the same thing to his/her computer.
• REMEDY: Before even considering following instructions of this sort, check the list of hoaxes that are available on any virus protection Website, such as:
– www.norton.com
– www.mcafee.com

INTRODUCTION
• In this chapter we’ll discuss:
– The fraud process
– Why fraud occurs
– Approaches to computer fraud
– Specific techniques used to commit computer fraud
– Ways companies can deter and detect computer fraud

PREVENTING AND DETECTING COMPUTER FRAUD
• Organizations must take every precaution to protect their information systems.
• Certain measures can significantly decrease the potential for fraud and any resulting losses.
• These measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses

PREVENTING AND DETECTING COMPUTER FRAUD
• Make fraud less likely to occur
– Create a culture that stresses integrity and commitment to ethical values and competence.
– Adopt an organizational structure, management philosophy, operating style, and appetite for risk that minimizes the likelihood of fraud.
– Require oversight from an active, involved, and independent audit committee.
– Assign authority and responsibility for business objectives to specific departments and individuals, encourage initiative in solving problems, and hold them accountable for achieving those objectives.

PREVENTING AND DETECTING COMPUTER FRAUD
– Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
– Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees.
– Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
– Effectively supervise employees, including monitoring their performance and correcting their errors.

PREVENTING AND DETECTING COMPUTER FRAUD
– Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
– Require annual employee vacations, periodically rotate duties of key employees, and require signed confidentiality agreements.
– Implement formal and rigorous project development and acquisition controls, as well as change management controls.
– Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously.

PREVENTING AND DETECTING COMPUTER FRAUD
• Increase the difficulty of committing fraud
– Develop a strong system of internal controls
– Segregate the accounting functions of:
  • Authorization
  • Recording
  • Custody
– Implement a program segregation of duties between systems functions
– Restrict physical and remote access to system resources to authorized personnel

PREVENTING AND DETECTING COMPUTER FRAUD
– Require transactions and activities to be authorized by appropriate supervisory personnel. Have the system authenticate the person and their right to perform the transaction before allowing the transaction to take place.
– Use properly designed documents and records to capture and process transactions.
– Safeguard all assets, records, and data.
– Require independent checks on performance, such as reconciliation of two independent sets of records, where possible and appropriate.

PREVENTING AND DETECTING COMPUTER FRAUD
– Implement computer-based controls over data input, computer processing, data storage, data transmission, and information output.
– Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
– Fix known software vulnerabilities by installing the latest updates to operating systems, security, and applications programs.

PREVENTING AND DETECTING COMPUTER FRAUD
• Improve detection methods
– Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa.
– Conduct periodic external and internal audits, as well as special network security audits.
– Install fraud detection software.
– Implement a fraud hotline.

PREVENTING AND DETECTING COMPUTER FRAUD
– Employ a computer security officer, as well as computer consultants and forensic specialists as needed.
– Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions.
– Use intrusion detection systems to help automate the monitoring process.

PREVENTING AND DETECTING COMPUTER FRAUD
• Reduce fraud losses
– Maintain adequate insurance.
– Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
– Store backup copies of program and data files in a secure, off-site location.
– Use software to monitor system activity and recover from fraud.

SUMMARY
• In this chapter, you’ve learned what fraud is, who commits fraud, and how it’s perpetrated.
• You’ve learned about the many variations of computer fraud, and you’ve learned about techniques to reduce an organization’s vulnerability to these types of fraud.