© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 175
INTRODUCTION
• Companies face four types of threats to their information systems:
– Natural and political disasters
• Include:
– Fire or excessive heat
– Floods
– Earthquakes
– High winds
– War and terrorist attack
• When a natural or political disaster strikes, many companies can be affected at the same time.
– Example: Bombing of the World Trade Center in NYC.
• The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.
– Software errors and equipment malfunction
• Include:
– Hardware or software failures
– Software errors or bugs
– Operating system crashes
– Power outages and fluctuations
– Undetected data transmission errors
• Estimated annual economic losses due to software bugs = $60 billion.
• 60% of companies studied had significant software errors in the previous year.
– Unintentional acts
• Include:
– Accidents caused by:
• Human carelessness
• Failure to follow established procedures
• Poorly trained or supervised personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
– Logic errors
– Systems that do not meet needs or are incapable of performing intended tasks
• The Information Systems Security Assn. estimates 65% of security problems are caused by human error.
– Intentional acts (computer crime)
• Include:
– Sabotage
– Computer fraud
– Misrepresentation, false use, or unauthorized disclosure of data
– Misappropriation of assets
– Financial statement fraud
• Information systems are increasingly vulnerable to these malicious attacks.
THE FRAUD PROCESS
• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an act must involve:
– A false statement (oral or in writing)
– About a material fact
– Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
– A victim relies on the statement
– And suffers injury or loss as a result
• The definition is the same whether it is a criminal or civil fraud case.
– The only difference is the burden of proof required.
• Criminal case: Beyond a reasonable doubt.
• Civil case: Preponderance of the evidence OR clear and convincing evidence.
• Fraud against companies may be committed by
an employee or an external party.
– Former and current employees (called
knowledgeable insiders) are much more likely than
non-employees to perpetrate frauds (and big ones)
against companies.
• Largely owing to their understanding of the company’s
systems and its weaknesses, which enables them to commit
the fraud and cover their tracks.
– Organizations must utilize controls to make it difficult
for both insiders and outsiders to steal from the
company.
• The Treadway Commission recommended four
actions to reduce the possibility of fraudulent
financial reporting:
– Establish an organizational environment that
contributes to the integrity of the financial reporting
process.
– Identify and understand the factors that lead to
fraudulent financial reporting.
– Assess the risk of fraudulent financial reporting within
the company.
– Design and implement internal controls to provide
reasonable assurance that fraudulent financial
reporting is prevented.
• A revision to SAS-82, SAS-99, was issued in
December 2002. SAS-99 requires auditors to:
– Understand fraud
• Auditors can’t effectively audit something they don’t
understand.
• SAS-99 also indicated that auditors are not lawyers and “do not
make legal determinations of whether fraud has occurred.”
• The external auditor’s interest specifically relates to acts that
result in a material misstatement of the financial statements.
• Note that SAS-99 relates to external auditors. Internal auditors
will have a more extensive interest in fraud than just those that
impact financial statements.
– Discuss the risks of material fraudulent misstatements
• While planning the audit, members of the audit team should discuss how and where the company’s financial statements might be susceptible to fraud.
– Obtain information
• The audit team must gather evidence about the existence of fraud by:
– Looking for fraud risk factors
– Testing company records
– Asking management, the audit committee, and others if they know of any past or current fraud or of fraud risks the organization faces.
• Special care needs to be exercised in examining revenue accounts, since they are particularly popular fraud targets.
– Identify, assess, and respond to risks
– Evaluate the results of their audit tests
– Communicate findings
– Document their audit work
– Incorporate a technology focus
• SAS-99 recognizes that technology impacts fraud risks and notes opportunities that auditors have to use technology-oriented tools and techniques to design fraud auditing procedures.
WHO COMMITS FRAUD AND WHY
• Researchers have compared the psychological and
demographic characteristics of three groups of people:
– White-collar criminals
– Violent criminals
– The general public
• They found:
– Significant differences between violent and white-collar
criminals.
– Few differences between white-collar criminals and the general
public.
The “Fraud Triangle” (Donald Cressey)
[Figure: a triangle whose three vertices are labeled Pressure, Opportunity, and Rationalization]
• Pressure
– Cressey referred to this pressure as a
“perceived non-shareable need.”
– The pressure could be related to
finances, emotions, lifestyle, or some
combination.
• What’s important here is the perception of the
pressure.
– There might be a number of people who could and would
help a tentative fraudster out of his financial woes.
– But as long as he perceives that he cannot share his
burden, the pressure is present.
– Research has also found that an individual’s propensity to
commit fraud is more related to how much he worries
about his financial position than his actual position.
– The millionaire who frets a lot about his financial condition
is more likely to commit fraud than the guy who doesn’t
have two dimes to rub together but isn’t worried about it.
• Financial statement fraud is distinct from other
types of fraud in that the individuals who commit
the fraud are not the direct beneficiaries.
– The company is the direct beneficiary.
– The perpetrators are typically indirect beneficiaries.
• In the case of financial statement frauds, common
pressures include:
– To prop up earnings or stock price so that management can:
• Receive performance-related compensation.
• Preserve or improve personal wealth held in company stock
or stock options.
• Keep their jobs.
– To cover the inability to generate cash flow.
– To obtain financing.
– To appear to comply with bond covenants or other agreements.
– May be opposite of propping up earnings in cases involving
income-tax motivations, government contracts, or regulation.
• There are many opportunities that enable fraud.
Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent
reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
• Internal controls that may be lacking or unenforced include:
– Authorization procedures
– Clear lines of authority
– Adequate supervision
– Adequate documents and records
– A system to safeguard assets
– Independent checks on performance
– Separation of duties
One control feature that many companies lack is
a background check on all potential employees.
• Rationalization
– Rationalizations reduce the moral impact of the act in the perpetrator’s mind. They take many forms, including:
– I was just borrowing the money.
– It wasn’t really hurting anyone. (Corporations are
often seen as non-persons, therefore crimes against
them are not hurting “anyone.”)
– Everybody does it.
– I’ve worked for them for 35 years and been underpaid
all that time. I wasn’t stealing; I was only taking what
was owed to me.
– I didn’t take it for myself. I needed it to pay my child’s
medical bills.
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).
• Fraud is much less likely to occur when
– There is low pressure, low opportunity, and high integrity.
• Unfortunately, there is usually a mixture of these forces
in play, and it can be very difficult to determine the
pressures that may apply to an individual and the
rationalizations he/she may be able to produce.
APPROACHES TO COMPUTER FRAUD
[Figure: computer fraud classifications arranged by data processing stage; labels legible on the slide: Data Fraud, Computer Instructions Fraud]
• Input Fraud
– The simplest and most common way to commit a fraud is to alter computer input.
• Requires little computer skill.
• The perpetrator only needs to understand how the system operates.
– Can take a number of forms, including:
• Disbursement frauds
– The perpetrator causes a company to:
• Pay too much for ordered goods; or
• Pay for goods never ordered.
• Inventory frauds
– The perpetrator enters data into the system to show that stolen inventory has been scrapped.
• Payroll frauds
– Perpetrators may enter data to:
• Increase their salaries
• Create a fictitious employee
• Retain a terminated employee on the records.
– In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.
• Cash receipt frauds
– The perpetrator hides the theft by falsifying system input.
– EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.
• Fictitious refund fraud
– The perpetrator files for an undeserved refund, such as a tax refund.
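Input fraud succeeds because the system trusts what the clerk types, so the control has to compare the entered data against an independent record. The following is an added example, not code from the textbook: it runs the standard exception tests for the three payroll input frauds listed above (inflated pay, a fictitious employee, a terminated employee kept on the books) by reconciling a pay-period register against the HR master file. The HR master, the payroll register, the field names and the employee IDs are all constructed for this example; the record layouts are assumptions, not any real payroll system’s format.

```python
"""
Added example (not from the slide deck): payroll input-fraud exception tests.
Every record below is constructed for the example; the layouts are assumed.
"""
from collections import defaultdict
from datetime import date

# HR master file: the authoritative list of who works here and at what rate.
# (Constructed sample data.)
HR_MASTER = {
    "E100": {"name": "A. Lee",   "rate": 4200.00, "terminated": None},
    "E101": {"name": "B. Ortiz", "rate": 3900.00, "terminated": date(2006, 3, 31)},
    "E102": {"name": "C. Park",  "rate": 5100.00, "terminated": None},
    "E103": {"name": "D. Nwosu", "rate": 3600.00, "terminated": None},
}

# Payroll register for one pay period, as keyed in by the payroll clerk.
# (Constructed sample data; the comments mark the planted frauds.)
PAYROLL = [
    {"emp": "E100", "pay_date": date(2006, 4, 28), "gross": 4200.00, "bank": "0001-2233"},
    {"emp": "E101", "pay_date": date(2006, 4, 28), "gross": 3900.00, "bank": "0009-8877"},  # terminated 3/31, still paid
    {"emp": "E102", "pay_date": date(2006, 4, 28), "gross": 6100.00, "bank": "0004-5566"},  # salary inflated by $1,000
    {"emp": "E103", "pay_date": date(2006, 4, 28), "gross": 3600.00, "bank": "0007-1122"},
    {"emp": "E199", "pay_date": date(2006, 4, 28), "gross": 3800.00, "bank": "0009-8877"},  # not in HR master
]


def payroll_exceptions(hr, payroll):
    """Return a list of (employee_id, reason) pairs for an auditor to review.

    Tests: employee missing from HR master (fictitious employee), pay dated
    after termination (retained terminated employee), gross pay that does not
    match the master rate (inflated salary), and two employee IDs sharing one
    deposit account (the perpetrator collecting someone else's paycheck).
    """
    findings = []
    by_bank = defaultdict(list)
    for rec in payroll:
        emp = rec["emp"]
        master = hr.get(emp)
        if master is None:
            findings.append((emp, "not in HR master: possible fictitious employee"))
        else:
            term = master["terminated"]
            if term is not None and rec["pay_date"] > term:
                findings.append((emp, f"paid after termination on {term.isoformat()}"))
            if abs(rec["gross"] - master["rate"]) > 0.005:
                findings.append((emp, f"gross {rec['gross']:.2f} differs from master rate {master['rate']:.2f}"))
        by_bank[rec["bank"]].append(emp)

    # A deposit account shared by two employees is the classic sign that the
    # paychecks of a ghost or ex-employee are being routed to the perpetrator.
    for bank, emps in by_bank.items():
        if len(emps) > 1:
            for emp in emps:
                others = ", ".join(e for e in emps if e != emp)
                findings.append((emp, f"shares bank account {bank} with {others}"))
    return findings


def flagged_employees(hr, payroll):
    """Distinct employee IDs with at least one exception, sorted for reporting."""
    return sorted({emp for emp, _ in payroll_exceptions(hr, payroll)})


if __name__ == "__main__":
    for emp, reason in payroll_exceptions(HR_MASTER, PAYROLL):
        print(f"{emp}: {reason}")
```

On the constructed data the tests flag E101 (paid after termination), E102 (gross above master rate), E199 (absent from the HR master), and the shared account that links E101 and E199 to the same payee. The point of the design is that none of the checks trusts the payroll register alone: each compares it with a record the clerk entering the data should not control, which is also why the cash-receipt case above needs an independent count of cash received before the $50 shortfall can be seen.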
• Processor Fraud
– Involves computer fraud committed through
unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business;
or
• Using the company computer to conduct a competing
business.
• Data Fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without
authorization.
– In many cases, disgruntled employees have
scrambled, altered, or destroyed data files.
– Theft of data often occurs so that perpetrators can
sell the data.
• Most identity thefts occur when insiders in financial
institutions, credit agencies, etc., steal and sell financial
information about individuals from their employer’s database.
• Output Fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on
paper.
– Unless properly safeguarded, screen output can
easily be read from a remote location using
inexpensive electronic gear.
– This output is also subject to prying eyes and
unauthorized copying.
– Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs, such as checks.
COMPUTER FRAUD AND ABUSE TECHNIQUES
Perpetrators have devised many methods to commit
computer fraud and abuse. These include:
Data diddling
• Changing data before, during, or after it
is entered into the system.
• Can involve adding, deleting, or altering
key system data.
Data leakage
• Unauthorized copying of company data.
Denial of service attacks
• An attacker overloads and shuts down an Internet Service Provider’s email system by sending email bombs at a rate of thousands per second, often from randomly generated email addresses.
• May also involve shutting down a web server by sending a load of requests for the web pages.
• Carried out as follows:
– The attacker infects dozens of computers that have broadband Internet access with denial-of-service programs. These infected computers are the zombies.
– The attacker then activates the denial-of-service programs, and the zombies send requests (emails or connection requests) to the target server. The victim responds to each, not realizing they carry fictitious (spoofed) return addresses, and waits for responses that never come.
– While the victim waits, system performance degrades until the system freezes up or crashes.
– The attacker terminates the program after an hour or two to limit the victim’s ability to trace the source.
• Experts estimate there are as many as 5,000 denial-of-service attacks weekly in the U.S.
• A denial-of-service attack can cause severe economic damage to its victim or even drive them out of business.
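The tell-tale of the attack described above is the pile of half-open connections: requests the victim answered and is still waiting on, because the spoofed sources will never reply. The following is an added example, not code from the textbook: it summarises handshake events seen at the victim and flags a target whose unanswered requests are both numerous and the overwhelming share of its traffic, which distinguishes a spoofed flood from a merely busy server. The event records, the IP addresses, the field names (`ts`, `src`, `dst`, `flags`) and the alert thresholds are all constructed assumptions for this example, not any real sensor’s format.

```python
"""
Added example (not from the slide deck): detecting a spoofed-source
connection flood from the half-open handshakes it leaves behind.
All events and thresholds below are constructed for the example.
"""
from collections import defaultdict

# Constructed sample of TCP handshake events seen at the victim's network edge.
# flags: "S" = connection request from client, "A" = client's final ACK that
# completes the handshake. A spoofed source never sends the "A".
SAMPLE_EVENTS = (
    # a second, healthy server: five completed handshakes, one client gave up
    [{"ts": 0.0 + i, "src": f"198.51.100.{i}", "dst": "203.0.113.20", "flags": "S"} for i in range(6)]
    + [{"ts": 0.05 + i, "src": f"198.51.100.{i}", "dst": "203.0.113.20", "flags": "A"} for i in range(5)]
    # one legitimate client of the victim completes its handshake
    + [{"ts": 0.0, "src": "198.51.100.7", "dst": "203.0.113.10", "flags": "S"},
       {"ts": 0.1, "src": "198.51.100.7", "dst": "203.0.113.10", "flags": "A"}]
    # the flood: a single request from each of 240 fictitious addresses, no ACKs
    + [{"ts": 1.0 + i * 0.001, "src": f"192.0.2.{i + 1}", "dst": "203.0.113.10", "flags": "S"}
       for i in range(240)]
)


def half_open_summary(events):
    """Per destination: total requests, requests never completed, how many
    distinct sources left them hanging, and the unanswered share."""
    completed = {(e["src"], e["dst"]) for e in events if e["flags"] == "A"}
    syns = defaultdict(int)
    half_open = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        if e["flags"] != "S":
            continue
        dst = e["dst"]
        syns[dst] += 1
        if (e["src"], dst) not in completed:
            half_open[dst] += 1
            sources[dst].add(e["src"])
    return {
        dst: {
            "syns": syns[dst],
            "half_open": half_open[dst],
            "distinct_sources": len(sources[dst]),
            "half_open_ratio": half_open[dst] / syns[dst],
        }
        for dst in syns
    }


def flood_alerts(summary, min_half_open=100, min_ratio=0.9):
    """Assumed thresholds: at least 100 unanswered requests AND at least 90%
    of all requests unanswered. A busy but healthy server sees mostly
    completed handshakes, so a high ratio points at spoofed sources."""
    return sorted(
        dst for dst, s in summary.items()
        if s["half_open"] >= min_half_open and s["half_open_ratio"] >= min_ratio
    )


if __name__ == "__main__":
    summary = half_open_summary(SAMPLE_EVENTS)
    for dst, s in summary.items():
        print(dst, s)
    print("flood targets:", flood_alerts(summary))
```

On the constructed events the victim `203.0.113.10` shows 240 of 241 requests unanswered from 240 different sources and is reported; `203.0.113.20`, with one abandoned handshake out of six, is not. A production detector would evaluate the same counts over a sliding time window rather than a whole capture, since what matters is how many requests are outstanding at once, and the large number of distinct, never-repeating sources is the hint that the return addresses are fictitious rather than real clients.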
Eavesdropping
• Perpetrators surreptitiously observe private communications or transmission of data.
• Equipment to commit these “electronic wiretaps” is readily available at electronics stores.
Email threats
• A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.
• Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
– He had broken into their computer system and obtained personal and banking information about all of the bank’s customers.
– He would notify the bank’s customers of this breach if he was not paid a specified sum of money.
Email forgery (aka spoofing)
• Involves sending an email message that appears to have come from someone other than the actual sender.
• Email spoofers may:
– Claim to be system administrators and ask users to change their passwords to specific values.
– Pretend to be management and request a copy of some sensitive information.
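A forged message can put any name in the From line, but the rest of the headers usually betray it: the envelope sender the mail actually bounced through, or a Reply-To that quietly redirects the victim’s answer elsewhere. The following is an added example, not code from the textbook: it parses raw message headers and reports the indicators for the two ploys listed above, a “system administrator” demanding a password change and “management” asking for sensitive data. The three messages, the domain names, the role keyword list and the internal-domain setting are all constructed assumptions for this example. Header text alone cannot prove who sent a message, so a real gateway would combine these checks with verification of the sending server.

```python
"""
Added example (not from the slide deck): header checks for spoofed email.
The messages, domains and keyword list below are constructed for the example.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"   # assumed: the company's own mail domain
# assumed: display-name words that signal a claim of authority
PRIVILEGED_ROLES = ("administrator", "sysadmin", "helpdesk", "it help", "ceo", "cfo")

# Constructed sample 1: "system administrator" demanding a password change.
SPOOFED_ADMIN_MESSAGE = """\
Return-Path: <bounce-4471@mail.freemail.example>
From: "System Administrator" <sysadmin@corp.example>
Reply-To: <it.support.desk@freemail.example>
To: staff@corp.example
Subject: Mandatory password reset

Please change your password to Welcome123 before 5pm today.
"""

# Constructed sample 2: "management" from an outside address asking for data.
SPOOFED_MANAGEMENT_MESSAGE = """\
Return-Path: <j.doe@freemail.example>
From: "CFO - Urgent" <cfo.office@freemail.example>
To: controller@corp.example
Subject: Need the customer list

Send me the full customer database export today.
"""

# Constructed sample 3: a genuine administrative notice.
LEGIT_MESSAGE = """\
Return-Path: <sysadmin@corp.example>
From: "System Administrator" <sysadmin@corp.example>
To: staff@corp.example
Subject: Maintenance window

Mail will be unavailable Saturday 02:00-04:00.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return a list of human-readable reasons the message looks forged."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # The envelope sender is what the delivering server recorded; a From line
    # claiming the internal domain while the envelope says otherwise is forged.
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"envelope sender {return_path} does not match From domain {_domain(from_addr)}")

    # A Reply-To pointing away from the claimed sender diverts the victim's answer.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"replies redirected to {reply_to}")

    # A display name claiming an internal role on an external address.
    claims_role = any(role in from_name.lower() for role in PRIVILEGED_ROLES)
    if claims_role and _domain(from_addr) != internal_domain:
        findings.append(f"display name '{from_name}' claims an internal role but address is external")

    # Password instructions from an already-suspect sender are the payload of the ploy.
    if findings and "password" in body.lower():
        findings.append("asks the recipient to act on a password")
    return findings


if __name__ == "__main__":
    for label, raw in [("admin spoof", SPOOFED_ADMIN_MESSAGE),
                       ("management spoof", SPOOFED_MANAGEMENT_MESSAGE),
                       ("legit", LEGIT_MESSAGE)]:
        print(label, spoof_indicators(raw))
```

On the constructed samples the fake administrator message yields three findings (mismatched envelope sender, redirected replies, a password demand), the fake CFO message one (an authority claim on an outside address), and the genuine notice none. The checks deliberately key on fields the forger must control differently from the From line, which is what makes them useful even though the From line itself can say anything.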
Hacking
• Unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.
• Most hackers break into systems using known flaws in operating systems, application programs, or access controls.
• Some are not very malevolent and are mainly motivated by curiosity and a desire to overcome a challenge.
• Others have malicious intent and can do significant damage.
Phreaking
• Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data.
• Phreakers also steal telephone services and may break into voice mail systems.
• Some hackers gain access to systems through dial-up modem lines.
Hijacking
• Involves gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge.
• The illicit activity is often the sending of spam email from the hijacked machine.
Identity theft
• Assuming someone's identity, typically for economic gain, by illegally obtaining and using confidential information such as the person's social security number, bank account number, or credit card number.
• Identity thieves benefit financially by:
  – Taking funds out of the victim's bank account.
  – Taking out mortgages or other loans under the victim's identity.
  – Taking out credit cards and running up large balances.
• If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.
• Victims can usually clear their credit, but the effort requires a significant amount of time and expense.
• Identity theft was made a federal offense in 1998, but it is a growing crime industry.
• One U.S. postal inspector, whose job duties involved investigation of identity thefts, was himself a victim. The thief ran up $80,000 in debt under the postal inspector's identity before the inspector discovered the problem.
• Identity thieves can steal corporate or individual identities by:
  – Shoulder surfing
    • Watching people enter telephone calling card numbers or credit card numbers, or listening to communications as they provide this information to sales clerks or others.
  – Scavenging or dumpster diving
    • Searching corporate or personal records by rifling garbage cans, communal trash bins, and city dumps for documents with confidential company information.
    • May also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.
  – Redirecting mail
    • Intercepting mail and having it delivered to a location where others can access it.
  – Using Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes.
• The U.S. Department of Justice suggests the following four ways to minimize the chances of being victimized by identity theft:
  – Do not give out corporate or personal information unless there is a good reason to trust the person to whom it is given.
  – Check financial information regularly for what should be there, as well as for what should not be there.
  – Periodically review your credit report.
  – Maintain careful records of banking and financial accounts.
Internet misinformation
• Using the Internet to spread false or misleading information about
people or companies.
• May involve:
– Planting inflammatory messages in online chat rooms.
– Websites with misinformation.
– Pretending to be someone else online and making inflammatory
comments that will be attributed to that person.
  – A "pump-and-dump" occurs when an individual spreads misinformation, often through Internet chat rooms, to cause a run-up in the value of a stock and then sells off his shares of the stock. A number of pump-and-dump cases have been prosecuted by the SEC.
• Another common form of Internet misinformation is the spreading of "urban legends"—often by innocently forwarding emails.
  – Urban legends may often include damaging implications about company products, such as a recent email suggesting that certain lipsticks contain lead or that using plastic cookware in the microwave can cause cancer.
– Before forwarding any emails with negative information about
individuals, companies, or their products, it’s a good idea to check
the veracity of the information first.
– Emails with urban legends often attribute their “facts” to credible
sources, such as the federal government, Stanford University
researchers, the FBI, etc.
– There are several websites that attempt to verify the truth of emails
that are circulated. One such website is www.snopes.com. You
can easily locate the email you received on these websites, by
searching under a key term in the email, such as “lipstick.”
– You are likely to find that most emails you were getting ready to
forward are either false or only partially true.
Internet terrorism
• Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.
• Viruses and worms are two main forms of Internet terrorism.
Logic time bombs
• A program that lies idle until triggered by some circumstance or a particular time.
• Once triggered, it sabotages the system, destroying programs, data, or both.
• Usually written by disgruntled programmers.
• EXAMPLE: A programmer places a logic bomb in a payroll application that will destroy all the payroll records if the programmer is terminated.
Masquerading or impersonation
• The perpetrator gains access to the system by pretending to be an authorized user.
• The perpetrator must know the legitimate user's ID and password.
• Once in the system, he enjoys the same privileges as the legitimate user.
Packet sniffers
• Programs that capture data from information packets as they travel over the Internet or company networks.
• Confidential information and access information can be gleaned from the captured data—some of which is later sold.
• Only traffic sent in cleartext can be read this way; encrypting the session (for example with TLS) is the primary control, since the sniffer then captures only ciphertext.
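To make concrete what "gleaning access information from captured packets" means, the following added example (not code from the book or its authors) parses a raw Ethernet/IPv4/TCP frame and pulls the user name and password out of an HTTP Basic login sent in the clear. The frames are constructed inside the file rather than captured from a real network, the addresses and credentials are invented, and the IP and TCP checksums are left as zero because nothing here validates them.

```python
"""What a packet sniffer sees on a cleartext protocol: parsing Ethernet,
IPv4 and TCP headers from a captured frame and pulling the HTTP Basic
credentials out of the payload.  Added example; the frame is constructed
in this file rather than captured, and the checksums are left zero."""
import base64
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet/IPv4/TCP frame around payload (constructed)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto 6 (TCP), csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None                       # EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        return None                       # not TCP
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4             # TCP data offset in bytes
    return src, dst, sport, dport, tcp[doff:]

def basic_credentials(payload):
    """Decode the HTTP Basic Authorization header, if the payload carries one."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None

def sniff(frames):
    """Harvest (src, dst, user, password) from every cleartext HTTP login seen."""
    found = []
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        creds = basic_credentials(payload)
        if creds:
            found.append((src, dst) + creds)
    return found

# Constructed traffic: one HTTP login in the clear, one unrelated request.
HTTP_LOGIN = (b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n"
              b"Authorization: Basic " + base64.b64encode(b"jsmith:Winter!2006")
              + b"\r\n\r\n")
FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, HTTP_LOGIN),
    build_frame("10.0.0.6", "10.0.0.80", 40002, 80,
                b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    print(sniff(FRAMES))
```

Had the same login gone over TLS, `parse_frame` would still yield the addresses and ports, but the payload would be ciphertext and `basic_credentials` would find nothing; that is the whole case for encrypting sessions rather than trusting the network.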
Password cracking
• An intruder penetrates a system's defenses, steals the file of password hashes, recovers the passwords, and then uses them to gain access to almost any system resources.
• Because passwords are stored as one-way hashes rather than encrypted, they are not "decrypted": the cracker runs dictionary words and variations through the same hash function until a result matches a stolen hash. Unsalted, fast hashes make this cheap; a per-user salt and a deliberately slow hash make every guess cost more.
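The following added example (not code from the book or its authors) shows the attack above against a stolen password file, and why storage format decides how far it gets. The password file, user names and wordlist are constructed for illustration. The weak file stores unsalted SHA-256, so one hash of each guess can be compared against every account at once; the strong format stores a random salt and a PBKDF2-HMAC-SHA256 derivation, so each guess must be recomputed per user at the full iteration count.

```python
"""Dictionary attack against a stolen password file, and why salting and a
slow KDF change the economics.  Added example; the password file, wordlist
and user names below are constructed for illustration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# A "stolen" password file in the weak format: user -> sha256(password).
WEAK_FILE = {
    "alice": hashlib.sha256(b"Summer2006").hexdigest(),
    "bob":   hashlib.sha256(b"password1").hexdigest(),
    "carol": hashlib.sha256(b"x7$Qv!p9Lm2#").hexdigest(),  # not in any wordlist
}

# A tiny wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST = ["password", "summer", "welcome", "letmein", "qwerty"]

def candidates(words):
    """Yield guesses derived from each base word with common mangling rules."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2005", "2006"):
                yield base + suffix

def crack_unsalted(pwfile, words):
    """Hash each guess once and look it up against every account: a single
    hash computation tests the whole file, which is what makes unsalted
    fast hashes so cheap to attack."""
    by_hash = defaultdict(list)
    for user, h in pwfile.items():
        by_hash[h].append(user)
    found = {}
    for guess in candidates(words):
        h = hashlib.sha256(guess.encode()).hexdigest()
        for user in by_hash.get(h, ()):
            found[user] = guess
    return found

# The stronger storage format: per-user random salt + PBKDF2-HMAC-SHA256.
ITERATIONS = 200_000   # assumption; tune to the server's budget

def store_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify_password(record, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                             record["iterations"])
    return hmac.compare_digest(dk, record["hash"])   # constant-time compare

def crack_salted(records, words):
    """Every guess must be re-derived per user with that user's salt and the
    full iteration count: precomputed tables are useless and each test
    costs `iterations` hash operations instead of one."""
    found = {}
    for user, rec in records.items():
        for guess in candidates(words):
            if verify_password(rec, guess):
                found[user] = guess
                break
    return found

if __name__ == "__main__":
    print("unsalted:", crack_unsalted(WEAK_FILE, WORDLIST))
    strong = {"alice": store_password("Summer2006"),
              "carol": store_password("x7$Qv!p9Lm2#")}
    t0 = time.perf_counter()
    print("salted:", crack_salted(strong, WORDLIST),
          f"({time.perf_counter() - t0:.1f}s for 180 guesses)")
```

Both formats give up "Summer2006", because a weak password is weak regardless of how it is stored; what the salted, iterated format buys is that the same 90 guesses per user take seconds instead of microseconds, and that a table built for one site is worthless against another.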
Phishing
• Sending out a spoofed email that appears to come from a legitimate company, such as a financial institution. eBay, PayPal, and banks are commonly spoofed.
• The recipient is advised that information or a security check is needed on his account, and advised to click on a link to the company's website to provide the information.
• The link connects the individual to a website that is an imitation of the spoofed company's actual website. These counterfeit websites appear very authentic, as do the emails.
• One newly graduated college student recently took a job in California and deposited his first paycheck of approximately $5,000 in the bank.
• That same night, he received an email from the bank, inviting him to click on the link in the email to set up online banking for his new bank account.
• He followed directions and provided the requested information to set up online banking.
• Two hours later, he was nervous and called the bank—only to find out that his bank account had been cleaned out and closed.
• As a rule of thumb, it is a good idea not to click on any link provided in an email and to go directly to the website instead.
• PayPal, whose email address is commonly spoofed for phishing scams, offers the following advice:
  – If PayPal ever sends you an email, they will include your first and last name in the salutation of the email.
  – If you need to enter PayPal's website, type "https:" in the URL instead of "http:" in order to enter on the company's secured server.
  – If you receive a suspicious email, get out of your browser and go back in before proceeding directly to a company website.
• Note that "https:" only guarantees an encrypted connection to whatever host the address names; a counterfeit site can use it too, so the domain name itself must be checked.
• In 2004, a phishing-related scam took place in South America with respect to three large South American banks. Once an individual opened the related email, a script was downloaded on their computer. The script would alter the individual's web browser so that if the user entered the URL of one of these three banks, the browser would redirect them to a counterfeit website for that bank. The oblivious user would provide ID and password information, and was instantly set up for a high-tech robbery of his bank account.
• Consumer Reports suggests that if you have any questions about the legitimacy of a website, you should try entering the wrong password. A phishing website will typically accept an incorrect password—which cues you that it is a phishing scam.
• This test is not reliable: a counterfeit site can relay the login attempt to the real site and reject a wrong password just as the real one would, and typing anything into a suspect page already hands over the user name. Checking the domain before entering anything is the safer habit.
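The advice on the preceding slides (do not follow the link, check for https, check that the site is really the company's) can be applied mechanically to the anchors in a message before anyone clicks. The following added example, which is not code from the book or its authors, does that triage for a constructed lure modelled on the bank and PayPal emails described above; the message body, the sender address and the flagged reasons are all assumptions made for the illustration, and the two-label domain comparison is a simplification that a real tool would replace with the public suffix list.

```python
"""Link triage for a suspected phishing email: the checks behind the
"don't click the link, go to the site yourself" advice, applied to the
anchors in a message body.  Added example; the message below and the
expected sender domain are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message, modelled on the bank/PayPal lures described above.
SENDER = "security@paypal.com"
BODY = """
<p>Dear valued customer,</p>
<p>A security check is needed on your account. Please
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
within 24 hours, or <a href="http://192.0.2.10/pp/">click here</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
"""

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (good enough for .com-style names;
    a real implementation would consult the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_link(href, text, sender_domain):
    """Return the list of reasons this link looks like a lure (empty = clean)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    if is_ip(host):
        reasons.append("raw IP address as host")
    elif registrable_domain(host) != sender_domain:
        reasons.append(f"host {host} is not under {sender_domain}")
    # Display text that looks like a URL but points somewhere else.
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append("link text names a different site than the href")
    return reasons

def triage_email(body, sender):
    """Map each href in the body to its triage findings."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    collector = AnchorCollector()
    collector.feed(body)
    return {href: triage_link(href, text, sender_domain)
            for href, text in collector.links}

if __name__ == "__main__":
    for href, reasons in triage_email(BODY, SENDER).items():
        print(("SUSPECT " if reasons else "ok      ") + href, "; ".join(reasons))
```

The first lure is the classic one: the visible text reads `https://www.paypal.com/` while the href goes to a look-alike host whose registrable domain is `account-verify.example`; the second hides behind a bare IP address; only the help-center link survives all three checks.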
[Figure: Example of a website produced for a phishing scam.]
Piggybacking
• Tapping into a telecommunications line and latching onto a legitimate user before that user logs into a system.
• The legitimate user unknowingly carries the perpetrator into the system.
Round-down technique
• Made famous in the movie Office Space.
• The programmer instructs the computer to round interest calculations down to two decimal places and deposits the remaining fraction into the account of the programmer or an accomplice.
Salami technique
• Involves the theft of tiny slices of money over a period of time.
• The round-down is just a special form of a salami technique.
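The following added example (not code from the book or its authors) puts the round-down posting described on the two preceding slides beside an honest posting, then runs the two controls an auditor might apply. The account numbers, balances, rate and the perpetrator's account are constructed. The point it makes is that the fraud is designed so that a totals-only reconciliation balances, and that only an independent per-account recomputation exposes it.

```python
"""Round-down (salami) interest posting beside an honest posting, and the
two reconciliation checks an auditor might run against the result.  Added
example; account numbers, balances and rates are constructed."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
PERP_ACCOUNT = "9999"   # the programmer's (or accomplice's) account

# Constructed ledger: account -> balance; annual rate applied monthly.
BALANCES = {
    "1001": Decimal("1234.56"),
    "1002": Decimal("98765.43"),
    "1003": Decimal("250.00"),
    "1004": Decimal("5555.55"),
}
ANNUAL_RATE = Decimal("0.0425")

def exact_interest(balance, annual_rate=ANNUAL_RATE):
    """Unrounded monthly interest; carries the full fraction of a cent."""
    return balance * annual_rate / Decimal(12)

def post_interest_honest(balances):
    """Round each account's interest to the cent with bankers' rounding."""
    return {acct: exact_interest(b).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, b in balances.items()}

def post_interest_salami(balances):
    """Truncate each account's interest and sweep the shaved fractions into
    the perpetrator's account.  The sweep is itself truncated, so the posted
    total never exceeds the exact total and a totals-only check passes."""
    posted = {}
    shaved = Decimal(0)
    for acct, b in balances.items():
        exact = exact_interest(b)
        down = exact.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = down
        shaved += exact - down
    posted[PERP_ACCOUNT] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def totals_reconcile(balances, posted, tolerance=CENT):
    """Weak control: total posted vs. exact total, within a cent per account."""
    exact_total = sum(exact_interest(b) for b in balances.values())
    return abs(sum(posted.values()) - exact_total) <= tolerance * len(balances)

def per_account_recompute(balances, posted):
    """Strong control: independently recompute every account's interest and
    report each posting that differs, plus any posting with no balance behind it."""
    expected = post_interest_honest(balances)
    exceptions = []
    for acct, amount in posted.items():
        if acct not in balances:
            exceptions.append((acct, "posting with no underlying balance", amount))
        elif amount != expected[acct]:
            exceptions.append((acct, "posted != recomputed", amount - expected[acct]))
    return exceptions

if __name__ == "__main__":
    for name, fn in (("honest", post_interest_honest), ("salami", post_interest_salami)):
        p = fn(BALANCES)
        print(name, "totals ok:", totals_reconcile(BALANCES, p),
              "exceptions:", per_account_recompute(BALANCES, p))
```

With these four accounts the skim is a single cent, which is the point: across millions of accounts and many posting cycles the same code yields a steady stream that no total ever shows, so the control has to be an independent recomputation, not a sum.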
Social engineering
• Perpetrators trick employees into giving them information
they need to get into the system.
• A perpetrator might call an employee and indicate he is
the systems administrator and needs to get the
employee’s password.
Software piracy
• Copying software without the publisher’s permission.
• In the U.S., it’s estimated that 26% of software in use is pirated.
• Fines for individuals and corporations are stiff, and individuals
convicted of software piracy can serve jail terms of up to 5 years.
Spamming
• Emailing an unsolicited message to multitudes of
people, often in an attempt to sell a product.
• Many times the product offers are fraudulent.
• Spammers use creative means to find valid email addresses:
– Scanning the Internet for addresses posted online.
– Hacking into company databases and stealing mailing lists.
– Staging dictionary (aka direct harvesting) attacks.
• These attacks use special software to guess addresses at a
particular company and send blank emails.
• Messages not returned are usually valid.
• These attacks are very burdensome to corporate email
systems.
• Companies may use filtering software to detect dictionary attacks, search mail for competitive leaks, and block inappropriate attachments, such as pornography and illegal MP3 files.
• Filtering is not always viable. The director of internal audit at a major healthcare company changes email addresses frequently because of the volume of spam email in his inbox. When asked why his company did not filter the spam, he replied, "Because we're a healthcare company, we cannot filter out any references to body parts or prescription medications."
• There is increasing public clamor for laws to clamp down on spamming. In December 2004, a federal judge awarded over $1 billion to a small Midwestern Internet service provider in an action against three spammers.
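The dictionary (direct harvesting) attack described above leaves a distinctive trace in the mail server's own log: one client address probing many non-existent recipients in a short burst, with the few accepted addresses being exactly what the spammer wanted to learn. The following added example, not code from the book or its authors, detects that pattern and also shows what the attacker walked away with. The log lines are constructed in an invented, single-line format rather than taken from any real mail server, and the 60-second window and five-recipient threshold are assumptions to tune locally.

```python
"""Detecting a dictionary (directory-harvest) attack from mail-server logs:
one client IP probing many non-existent addresses in a short window.
Added example; the log lines below are constructed in an invented format,
not taken from a real server, and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt.  203.0.113.7 is the harvester; 198.51.100.20 is
# ordinary partner traffic with one mistyped recipient.
LOG = """\
2006-03-14T10:00:01 smtpd client=203.0.113.7 rcpt=<aaron@example.com> status=reject reason="user unknown"
2006-03-14T10:00:01 smtpd client=203.0.113.7 rcpt=<abby@example.com> status=reject reason="user unknown"
2006-03-14T10:00:02 smtpd client=203.0.113.7 rcpt=<adam@example.com> status=reject reason="user unknown"
2006-03-14T10:00:02 smtpd client=203.0.113.7 rcpt=<alice@example.com> status=accept
2006-03-14T10:00:03 smtpd client=203.0.113.7 rcpt=<alan@example.com> status=reject reason="user unknown"
2006-03-14T10:00:03 smtpd client=203.0.113.7 rcpt=<albert@example.com> status=reject reason="user unknown"
2006-03-14T10:00:04 smtpd client=203.0.113.7 rcpt=<alex@example.com> status=reject reason="user unknown"
2006-03-14T10:00:10 smtpd client=198.51.100.20 rcpt=<alcie@example.com> status=reject reason="user unknown"
2006-03-14T10:00:11 smtpd client=198.51.100.20 rcpt=<alice@example.com> status=accept
2006-03-14T10:05:30 smtpd client=203.0.113.7 rcpt=<amy@example.com> status=reject reason="user unknown"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) smtpd client=(?P<ip>[\d.]+) rcpt=<(?P<rcpt>[^>]+)> '
    r'status=(?P<status>\w+)(?: reason="(?P<reason>[^"]*)")?$')

WINDOW = timedelta(seconds=60)
THRESHOLD = 5   # distinct unknown recipients per window; assumption

def parse(log_text):
    """Turn the constructed log into (time, ip, recipient, status, reason) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines the example format does not cover
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"],
                       m["status"], m["reason"] or ""))
    return events

def unknown_rcpt_bursts(events, window=WINDOW):
    """For each client IP, the largest number of distinct non-existent
    recipients it probed inside any single window (sliding window)."""
    probes = defaultdict(list)   # ip -> [(ts, rcpt)]
    for ts, ip, rcpt, status, reason in events:
        if status == "reject" and reason == "user unknown":
            probes[ip].append((ts, rcpt))
    peak = {}
    for ip, items in probes.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in items[start:end + 1]}))
        peak[ip] = best
    return peak

def harvesters(log_text, threshold=THRESHOLD, window=WINDOW):
    """Client IPs whose burst of unknown recipients reaches the threshold."""
    bursts = unknown_rcpt_bursts(parse(log_text), window)
    return sorted(ip for ip, n in bursts.items() if n >= threshold)

def confirmed_addresses(events, ip):
    """What the attacker learned: recipients the server accepted from that client."""
    return sorted({rcpt for ts, e_ip, rcpt, status, _ in events
                   if e_ip == ip and status == "accept"})

if __name__ == "__main__":
    ev = parse(LOG)
    print("bursts:", unknown_rcpt_bursts(ev))
    for ip in harvesters(LOG):
        print(ip, "harvested", confirmed_addresses(ev, ip))
```

The partner host is not flagged despite its one bounce, which is why the rule counts distinct unknown recipients per window rather than raw rejections; a mail server that rate-limits or tarpits a client once it crosses the threshold both stops the harvest and relieves the load the text describes.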
Spyware
• Software that monitors computing habits, such as web-surfing habits, and sends the data it gathers to someone else, typically without the user's permission.
  – One type, called adware (for advertising-supported software), does two things:
    • Causes banner ads to pop up on your monitor as you surf the net.
    • Collects information about your Web-surfing and spending habits and forwards it to a company gathering the data—often an advertising or large media organization.
• Usually comes bundled with freeware and shareware downloaded from the Internet.
• May be disclosed in the licensing agreement, but users are unlikely to read it.
• Reputable adware companies claim they don't collect sensitive or identifying data.
  – But there is no way for users to control or limit the activity.
  – It is not illegal, but many find it objectionable.
• Software has been developed to detect and eliminate spyware, but it may also impair the downloaded software.
  – Some spyware is intentionally difficult to uninstall.
Keystroke loggers
• A keystroke logger records a user's keystrokes and emails them to, or saves them for, the party that planted the logger. These are sometimes used by:
  – Parents to monitor their children's computer usage.
  – Businesses to monitor employee activity.
  – Fraudsters to capture passwords, credit card numbers, etc.
• A keystroke logger can be a hardware device attached to a computer or can be downloaded on an individual's computer in the same way that any Trojan horse might be downloaded.
• Spyware and keystroke loggers are very problematic for companies with employees who telecommute or contact the company's computer from remote locations.
• Spyware on those computers makes the company's systems vulnerable.
• Individuals are also exposed when they use wireless networks, such as those that may be available in coffee shops.
Superzapping
• Unauthorized use of special system programs to bypass regular system controls and perform illegal acts.
• The name is derived from an IBM software utility called Superzap that was used to restore crashed systems.
Trap doors
• Also called back doors.
• Programmers create trap doors during development so they can get back into a program to modify or test it.
• The trap door is a way into the system that bypasses normal controls.
• The trap door should be removed before the program is implemented.
• If it is not, the programmer or others may later gain unauthorized access to the system.
Trojan horse
• A set of unauthorized computer instructions planted in an authorized and otherwise properly functioning program.
• Allows the creator to control the victim's computer remotely.
• The code does not try to replicate itself but performs an illegal act at some specific time or when some condition arises.
• Programs that launch denial of service attacks are often Trojan horses.
War dialing
• Hackers search for an idle modem by programming their computers to dial thousands of phone lines.
• Hackers enter through the idle modem and gain access to the connected network.
War driving
• Driving around in cars looking for unprotected home or corporate wireless networks.
• If the hackers mark the sidewalk near the susceptible wireless network, the practice is referred to as warchalking.

Virus
• Many viruses have two phases:
– First, when some predefined event occurs, the
virus replicates itself and spreads to other
systems or files.
– Another event triggers the attack phase in which
the virus carries out its mission.
  – A virus may lie dormant or propagate itself without causing damage for an extended period.
• Damage may take many forms:
  – Send email with the victim's name as the alleged source.
  – Destroy or alter data or programs.
  – Take control of the computer.
  – Destroy or alter file allocation tables.
– Delete or rename files or directories.
– Reformat the hard drive.
– Change file content.
– Prevent users from booting.
– Intercept and change transmissions.
– Print disruptive images or messages on the
screen.
– Change screen appearance.
• As viruses spread, they take up much space, clog
communications, and hinder system performance.
• Virus symptoms:
  – Computer will not start or execute
– Performs unexpected read or
write operations
– Unable to save files
– Long time to load programs
– Abnormally large file sizes
– Slow systems operation
– Unusual screen activity
– Error messages
• Viruses are contagious and easily spread from one system to another.
• They are usually spread by:
– Opening an infected email attachment or file
(most common); or
– Running an infected program.
• Some viruses can mutate, which makes them
more difficult to detect and destroy.
• The emails often appear to come from sources
like Microsoft and seem very convincing.
• Virus protections include:
  – Install reliable antivirus software that scans for, identifies, and destroys viruses.
  – Keep the antivirus program up to date.
  – Scan incoming email at the server level, rather than when it hits the desktops.
  – Certify all software as virus-free before loading it.
• Software from unknown sources may be
virus bait, especially if it seems too good
to be true.
– Deal with trusted software retailers.
– Use electronic techniques to make tampering
evident.
– Check new software on an isolated machine.
– Have two backups of all files.
– Do not put diskettes or CDs in strange
machines, or let others put unscanned disks
in your machine.
• Viruses attack computers, but any device that is
part of the communications network is
vulnerable, including:
– Cell phones
– Smart phones
– PDAs
Worms
• A worm is similar to a virus except for:
  – A worm is a stand-alone program, while a virus is only a segment of code hidden in a host program or executable file.
  – A worm will replicate itself automatically, while a virus requires a human to do something like open a file.
• Worms often reproduce by mailing themselves to the recipient’s
mailing list.
• They are not confined to PCs and have infected cell phones in
Japan.
• A worm typically has a short but very destructive life.
• It takes little technical knowledge to create worms or viruses;
several websites provide instructions.
• Most exploit known software vulnerabilities that can be corrected
with a software patch, making it important to install all patches as
soon as they are available.
The low-tech, do-it-yourself attack
• You receive an email from a friend, apologizing profusely that he/she has previously sent you an email that was infected with a virus.
• The friend's email gives you instructions to look for and remove the offending virus.
• You delete the file from your hard drive. The only problem is that
the file you just deleted was part of your operating system.
• Your friend was well-intended and has done the same thing to
his/her computer.
• REMEDY: Before even considering following instructions of this
sort, check the list of hoaxes that are available on any virus
protection website, such as:
– www.norton.com
– www.mcafee.com
PREVENTING AND DETECTING
COMPUTER FRAUD
• Organizations must take every precaution to
protect their information systems.
• Certain measures can significantly decrease the
potential for fraud and any resulting losses.
• These measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses
• Make fraud less likely to occur
– Create a culture that stresses integrity and
commitment to ethical values and competence.
– Adopt an organizational structure, management
philosophy, operating style, and appetite for risk that
minimizes the likelihood of fraud.
– Require oversight from an active, involved, and
independent audit committee.
– Assign authority and responsibility for business
objectives to specific departments and individuals,
encourage initiative in solving problems, and hold
them accountable for achieving those objectives.
– Identify the events that lead to increased fraud risk,
and take steps to prevent, avoid, share, or accept that
risk.
– Develop a comprehensive set of security policies to
guide the design and implementation of specific
control procedures, and communicate them effectively
to company employees.
– Implement human resource policies for hiring,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
required level of ethical behavior and integrity.
– Effectively supervise employees, including monitoring
their performance and correcting their errors.
– Train employees in integrity and ethical
considerations, as well as security and fraud
prevention measures.
– Require annual employee vacations, periodically
rotate duties of key employees, and require signed
confidentiality agreements.
– Implement formal and rigorous project development
and acquisition controls, as well as change
management controls.
– Increase the penalty for committing fraud by
prosecuting fraud perpetrators more vigorously.
• Increase the difficulty of committing fraud
– Develop a strong system of internal controls
– Segregate the accounting functions of:
• Authorization
• Recording
• Custody
– Implement a proper segregation of duties
between systems functions
– Restrict physical and remote access to
system resources to authorized personnel
– Require transactions and activities to be authorized
by appropriate supervisory personnel. Have the
system authenticate the person and their right to
perform the transaction before allowing the
transaction to take place.
– Use properly designed documents and records to
capture and process transactions.
– Safeguard all assets, records, and data.
– Require independent checks on performance, such as
reconciliation of two independent sets of records,
where possible and appropriate.
– Implement computer-based controls over data input,
computer processing, data storage, data
transmission, and information output.
– Encrypt stored and transmitted data and programs to
protect them from unauthorized access and use.
– Fix known software vulnerabilities by installing the
latest updates to operating systems, security, and
applications programs.
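The authorization, segregation-of-duties and access-restriction measures listed above, enforced at the moment a transaction is attempted. This is an added example and not code from the Romney/Steinbart text: the user store, the three role names, the authorize-then-record-then-custody workflow order and the 10,000 approval limit are assumptions made for illustration.

```python
# Added example (not from the Romney/Steinbart text): authenticate the actor,
# check the actor's right to the requested function, and enforce segregation
# of duties on every transaction. The user store, role names, the three-step
# payment workflow and the approval limit are constructed assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# The three accounting functions the text says must be segregated, in the
# (assumed) order a payment moves through them.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"
ORDER = (AUTHORIZE, RECORD, CUSTODY)


class ControlViolation(Exception):
    """Raised whenever a control blocks the requested action."""


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Constructed user store: name -> (granted functions, salt, password hash)."""

    def __init__(self):
        self._users = {}

    def add(self, name, password, roles):
        salt = secrets.token_bytes(16)
        self._users[name] = (frozenset(roles), salt, _derive(password, salt))

    def authenticate(self, name, password):
        """Return the user's granted functions on a valid password, else None."""
        entry = self._users.get(name)
        if entry and hmac.compare_digest(entry[2], _derive(password, entry[1])):
            return entry[0]
        return None


@dataclass
class Payment:
    payment_id: str
    amount: float
    steps: dict = field(default_factory=dict)  # function -> user who performed it


class PaymentSystem:
    def __init__(self, directory, approval_limit=10_000.0):
        self.directory = directory
        self.approval_limit = approval_limit  # assumed supervisory approval limit
        self.payments = {}

    def submit(self, payment_id, amount):
        """Input controls: non-empty id, positive amount within the approval limit."""
        if not payment_id or amount <= 0 or amount > self.approval_limit:
            raise ControlViolation("input control failed for %r" % payment_id)
        self.payments[payment_id] = Payment(payment_id, float(amount))

    def perform(self, name, password, function, payment_id):
        """Authenticate, check the right, then enforce workflow order and SoD."""
        roles = self.directory.authenticate(name, password)
        if roles is None:
            raise ControlViolation("authentication failed for %s" % name)
        if function not in roles:
            raise ControlViolation("%s has no %s right" % (name, function))
        payment = self.payments[payment_id]
        if function in payment.steps:
            raise ControlViolation("%s already performed on %s" % (function, payment_id))
        idx = ORDER.index(function)
        if idx > 0 and ORDER[idx - 1] not in payment.steps:
            raise ControlViolation("%s needs prior %s on %s" % (function, ORDER[idx - 1], payment_id))
        # Segregation of duties: one person may not perform two functions on one
        # payment, even if the directory happens to grant both roles.
        if name in payment.steps.values():
            raise ControlViolation("SoD: %s already acted on %s" % (name, payment_id))
        payment.steps[function] = name


def demo():
    """Drive the controls with constructed users; return each attempt's outcome."""
    d = Directory()
    d.add("bob", "bookkeeper-pw", [RECORD])
    d.add("carol", "treasurer-pw", [CUSTODY])
    d.add("dave", "dave-pw", [AUTHORIZE, RECORD])  # over-privileged grant
    ps = PaymentSystem(d)
    ps.submit("P-1", 2_500.00)
    attempts = [("bob", "wrong-pw", RECORD),        # bad password
                ("bob", "bookkeeper-pw", RECORD),   # recording before authorization
                ("dave", "dave-pw", AUTHORIZE),
                ("dave", "dave-pw", RECORD),        # SoD blocks this despite the role
                ("bob", "bookkeeper-pw", RECORD),
                ("bob", "bookkeeper-pw", CUSTODY),  # no custody right
                ("carol", "treasurer-pw", CUSTODY)]
    outcomes = []
    for name, pw, fn in attempts:
        try:
            ps.perform(name, pw, fn, "P-1")
            outcomes.append("ok")
        except ControlViolation as e:
            outcomes.append(str(e))
    return outcomes, dict(ps.payments["P-1"].steps)
```

The point the list alone does not make: holding both the authorize and the record right (dave) is a weak grant but not yet a fraud, so the segregation check has to be applied per transaction at the moment of the action, not only when roles are handed out. The check also runs after authentication and after the right check, so a failed login never reaches the transaction logic.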
• Improve detection methods
– Create an audit trail so individual transactions
can be traced through the system to the
financial statements and vice versa.
– Conduct periodic external and internal audits,
as well as special network security audits.
– Install fraud detection software.
– Implement a fraud hotline.
– Employ a computer security officer, as well as
computer consultants and forensic specialists
as needed.
– Monitor system activities, including computer
and network security efforts, usage and error
logs, and all malicious actions.
– Use intrusion detection systems to help
automate the monitoring process.
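The audit-trail and monitoring items above, worked through as an added example that is not part of the original text: a hash-chained audit log that can be traced forward from a transaction to the account it posts to and backward from an account total to the transactions behind it, with a few detection rules run over the same log. The key=value log format, the three rules and their thresholds (three failed logins, 08:00 to 18:00 business hours) are constructed assumptions, and the log lines are made up for the demo.

```python
# Added example (not from the Romney/Steinbart text): a tamper-evident audit
# trail that can be traced from a transaction to an account balance and back,
# with detection rules run over the same log. The key=value log format, the
# rules and their thresholds are constructed assumptions; the log lines are
# made up for the demo.
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines, as a hypothetical AIS might emit them.
RAW_LOG = """\
2006-03-14T08:55:10 user=bob action=login result=fail txn=- acct=- amount=0
2006-03-14T08:55:31 user=bob action=login result=fail txn=- acct=- amount=0
2006-03-14T08:55:52 user=bob action=login result=fail txn=- acct=- amount=0
2006-03-14T08:56:02 user=bob action=login result=ok txn=- acct=- amount=0
2006-03-14T09:12:05 user=alice action=authorize result=ok txn=T-101 acct=5010 amount=1200.00
2006-03-14T09:15:40 user=bob action=record result=ok txn=T-101 acct=5010 amount=1200.00
2006-03-14T09:30:00 user=carol action=custody result=ok txn=T-101 acct=5010 amount=1200.00
2006-03-14T14:02:11 user=dave action=authorize result=ok txn=T-102 acct=5010 amount=980.00
2006-03-14T14:03:47 user=dave action=record result=ok txn=T-102 acct=5010 amount=980.00
2006-03-14T23:41:09 user=dave action=record result=ok txn=T-103 acct=6200 amount=4400.00
"""


def parse(raw):
    """Turn each log line into a dict with a datetime and a numeric amount."""
    events = []
    for line in raw.splitlines():
        ts, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        ev["amount"] = float(ev["amount"])
        events.append(ev)
    return events


def _serialize(ev):
    return json.dumps({**ev, "ts": ev["ts"].isoformat()}, sort_keys=True)


class AuditTrail:
    """Append-only log; each entry's hash commits to the entry and all before it."""

    def __init__(self):
        self.entries = []  # list of (event, chain_hash)

    def append(self, ev):
        prev = self.entries[-1][1] if self.entries else "0" * 64
        self.entries.append((ev, hashlib.sha256((prev + _serialize(ev)).encode()).hexdigest()))

    def first_broken(self):
        """Index of the first entry whose chain hash no longer verifies, or -1."""
        prev = "0" * 64
        for i, (ev, digest) in enumerate(self.entries):
            if hashlib.sha256((prev + _serialize(ev)).encode()).hexdigest() != digest:
                return i
            prev = digest
        return -1

    def trace_transaction(self, txn):
        """Forward trace: every step one transaction took, in order."""
        return [(e["ts"].isoformat(), e["user"], e["action"])
                for e, _ in self.entries if e["txn"] == txn]

    def trace_account(self, acct):
        """Backward trace: the posted total for an account and the transactions behind it."""
        posted = [e for e, _ in self.entries if e["acct"] == acct and e["action"] == "record"]
        return sum(e["amount"] for e in posted), [e["txn"] for e in posted]


def detect(trail, fail_threshold=3, business_hours=(8, 18)):
    """Run three constructed rules over the trail; return sorted (rule, subject) findings."""
    findings, fails, by_txn = [], Counter(), defaultdict(dict)
    for e, _ in trail.entries:
        if e["action"] == "login" and e["result"] == "fail":
            fails[e["user"]] += 1
        elif e["action"] in ("authorize", "record", "custody"):
            by_txn[e["txn"]][e["action"]] = e["user"]
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                findings.append(("after_hours", e["txn"]))
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append(("repeated_login_failures", user))
    for txn, who in by_txn.items():
        if len(set(who.values())) < len(who):  # one person did two functions
            findings.append(("sod_violation", txn))
    return sorted(findings)


def demo():
    """Build the trail from RAW_LOG, trace it, run detection, then show tamper detection."""
    trail = AuditTrail()
    for ev in parse(RAW_LOG):
        trail.append(ev)
    findings = detect(trail)
    forward = trail.trace_transaction("T-101")
    backward = trail.trace_account("5010")
    intact = trail.first_broken()
    trail.entries[5][0]["amount"] = 12000.00  # alter a posted amount after the fact
    return findings, forward, backward, intact, trail.first_broken()
```

Two things worth noting about the design. The trail is only as trustworthy as the person who cannot write to it: chaining the hashes makes an edit to an earlier entry detectable (first_broken points at the altered record), but an attacker who can rewrite the whole chain can still recompute it, so in practice the head hash is copied somewhere the accounting system's administrators cannot reach, such as a write-once store or an external audit host. The detection rules are the same questions an auditor asks by hand (who authorized and who recorded, what happened outside business hours, who kept failing to log in), expressed so the intrusion detection or monitoring software the text mentions can ask them on every event.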
• Reduce fraud losses
– Maintain adequate insurance.
– Develop comprehensive fraud contingency,
disaster recovery, and business continuity
plans.
– Store backup copies of program and data files
in a secure, off-site location.
– Use software to monitor system activity and
recover from fraud.
SUMMARY