
CHAPTER 1

Computer Fraud and Abuse


INTRODUCTION

• Information systems are becoming increasingly complex, and society is becoming increasingly dependent on these systems.
– Companies also face a growing risk of these systems being compromised.
• Companies face four types of threats to their information systems:
– Natural and political disasters
– Software errors and equipment malfunction
– Unintentional acts
– Intentional acts (computer crime)
THE FRAUD PROCESS

• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an act must involve:
– A false statement (oral or in writing)
– About a material fact
– Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
– A victim relies on the statement
– And suffers injury or loss as a result
THE FRAUD PROCESS

• Common approaches to “cooking the books” include:
– Recording fictitious revenues
– Recording revenues prematurely
– Recording expenses in later periods
– Overstating inventories or fixed assets (WorldCom)
– Concealing losses and liabilities
The “Fraud Triangle” (Donald Cressey)

[Figure: the fraud triangle, labeled Pressure, Opportunity, and Rationalization]
WHO COMMITS FRAUD AND WHY

• Opportunity is the opening or gateway that allows an individual to:
– Commit the fraud
– Conceal the fraud
– Convert the proceeds
WHO COMMITS FRAUD AND WHY

• Committing the fraud might involve acts such as:
– Misappropriating assets.
– Issuing deceptive financial statements.
– Accepting a bribe in order to make an arrangement that is not in the company’s best interest.
WHO COMMITS FRAUD AND WHY

• Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation.
• Examples of concealment efforts:
– Charge a stolen asset to an expense account or to an account receivable that is about to be written off.
– Create a ghost employee who receives an extra paycheck.
– Lapping.
– Kiting.
WHO COMMITS FRAUD AND WHY

• There are many opportunities that enable fraud. Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
WHO COMMITS FRAUD AND WHY

• Management may allow fraud by:
– Not getting involved in the design or enforcement of internal controls;
– Inattention or carelessness;
– Overriding controls; and/or
– Using their power to compel subordinates to carry out the fraud.
WHO COMMITS FRAUD AND WHY

• How many people do you know who regard themselves as being unprincipled or sleazy?
• It is important to understand that fraudsters do not regard themselves as unprincipled.
– In general, they regard themselves as highly principled individuals.
– That view of themselves is important to them.
– The only way they can commit their frauds and maintain their self-image as principled individuals is to create rationalizations that recast their actions as “morally acceptable” behaviors.
WHO COMMITS FRAUD AND WHY
• These rationalizations take many forms,
including:
– I was just borrowing the money.
– It wasn’t really hurting anyone. (Corporations are
often seen as non-persons, therefore crimes against
them are not hurting “anyone.”)
– Everybody does it.
– I’ve worked for them for 35 years and been underpaid
all that time. I wasn’t stealing; I was only taking what
was owed to me.
– I didn’t take it for myself. I needed it to pay my child’s
medical bills.
WHO COMMITS FRAUD AND WHY

• Creators of worms and viruses often use rationalizations like:
– The malicious code helped expose security flaws, so I
did a good service.
– It was an accident.
– It was not my fault—just an experiment that went bad.
– It was the user’s fault because they didn’t keep their
security up to date.
– If the code didn’t alter or delete any of their files, then
what’s the problem?
WHO COMMITS FRAUD AND WHY
• Fraud occurs when:
– People have perceived, non-shareable pressures;
– The opportunity gateway is left open; and
– They can rationalize their actions to reduce the moral impact in
their minds (i.e., they have low integrity).

• Fraud is much less likely to occur when:
– There is low pressure, low opportunity, and high integrity.
• Unfortunately, there is usually a mixture of these forces in play, and it can be very difficult to determine the pressures that may apply to an individual and the rationalizations he/she may be able to produce.
COMPUTER FRAUD

• The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its:
– Perpetration;
– Investigation; or
– Prosecution.
APPROACHES TO COMPUTER FRAUD

• Computer fraud includes the following:
– Unauthorized theft, use, access, modification, copying, and destruction of software or data.
– Theft of assets covered up by altering computer records.
– Theft of computer time.
– Theft or destruction of computer hardware.
– Use or the conspiracy to use computer resources to commit a felony.
– Intent to illegally obtain information or tangible property through the use of computers.
APPROACHES TO COMPUTER FRAUD

• In using a computer, fraud perpetrators can steal:
– More of something
– In less time
– With less effort
• They may also leave very little evidence,
which can make these crimes more
difficult to detect.
APPROACHES TO COMPUTER FRAUD

• Computer systems are particularly vulnerable to computer crimes for several reasons:
– Company databases can be huge and access privileges can be difficult to create and enforce.
– Organizations often want employees, customers, suppliers, and others to have access to their system from inside and outside the organization.
– Computer programs only need to be altered once, and they will operate that way until:
• The system is no longer in use; or
• Someone notices.
APPROACHES TO COMPUTER FRAUD

– Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.
• It is hard to control physical access to each PC.
• PCs are portable, and if they are stolen, the data
and access capabilities go with them.
• PCs tend to be located in user departments, where
one person may perform multiple functions that
should be segregated.
• PC users tend to be more oblivious to security
concerns.
APPROACHES TO COMPUTER FRAUD

– Computer systems face a number of unique challenges:
• Reliability (accuracy and completeness)
• Equipment failure
• Environmental dependency (power, water damage,
fire)
• Vulnerability to electromagnetic interference and
interruption
• Eavesdropping
COMPUTER FRAUD CLASSIFICATIONS

[Figure: computer fraud classifications: Input Fraud, Processor Fraud, Output Fraud, Data Fraud, and Computer Instructions Fraud]
APPROACHES TO COMPUTER FRAUD

• Input Fraud
– The simplest and most common way to commit a fraud is to alter
computer input.
• Requires little computer skill.
• Perpetrator only needs to understand how the system operates.
– Can take a number of forms, including:
• Disbursement frauds
• Inventory frauds
• Payroll frauds
• Cash receipt frauds
• Fictitious refund fraud
APPROACHES TO COMPUTER FRAUD

• Processor fraud
– Involves computer fraud committed through
unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business;
or
• Using the company computer to conduct a competing
business.
APPROACHES TO COMPUTER FRAUD

• Computer instructions fraud
– Involves tampering with the software that
processes company data.
– May include:
• Modifying the software
• Making illegal copies
• Using it in an unauthorized manner
– Also might include developing a software
program or module to carry out an
unauthorized activity.
APPROACHES TO COMPUTER FRAUD

• Data fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without
authorization.
– In many cases, disgruntled employees have
scrambled, altered, or destroyed data files.
– Theft of data often occurs so that perpetrators can
sell the data.
• Most identity thefts occur when insiders in financial
institutions, credit agencies, etc., steal and sell financial
information about individuals from their employer’s database.
APPROACHES TO COMPUTER FRAUD

• Output fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on
paper.
– Unless properly safeguarded, screen output can
easily be read from a remote location using
inexpensive electronic gear.
– This output is also subject to prying eyes and
unauthorized copying.
– Fraud perpetrators can use computers and peripheral
devices to create counterfeit outputs, such as checks.
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit computer fraud and abuse. These include:
– Data diddling
– Data leakage
– Denial of service attacks
– Eavesdropping
– Email threats
– Email forgery (aka spoofing)
– Hacking
– Phreaking
– Hijacking
– Identity theft
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit computer fraud and abuse. These include:
– Internet misinformation
– Internet terrorism
– Logic time bombs
– Masquerading or impersonation
– Packet sniffers
– Password cracking
– Phishing
– Piggybacking
– Round-down technique
– Salami technique
• Involves the theft of tiny slices of money over a period of time.
• The round-down is just a special form of a salami technique.
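
A salami or round-down scheme leaves each posting off by only a fraction of a cent to a cent, so it is caught by independent recomputation rather than by looking at any single transaction. The following is an added example, not part of the original slides: a reconciliation control that recomputes each interest posting and flags shortfalls that all run in one direction. The rate, the account numbers, the half-even rounding policy and the postings are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
DAILY_RATE = Decimal("0.000137")  # constructed rate (assumption)

# Constructed sample: (account, balance, interest actually posted).
POSTINGS = [
    ("A-1001", Decimal("10450.00"), Decimal("1.43")),
    ("A-1002", Decimal("30500.00"), Decimal("4.17")),   # exact 4.1785
    ("A-1003", Decimal("2500.00"), Decimal("0.34")),
    ("A-1004", Decimal("77777.77"), Decimal("10.65")),  # exact 10.65555439
]

def expected_interest(balance):
    """Recompute interest independently under the assumed rounding policy."""
    return (balance * DAILY_RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)

def reconcile(postings):
    """Return (account, expected, posted, shortfall) for every mismatch."""
    findings = []
    for account, balance, posted in postings:
        expected = expected_interest(balance)
        if posted != expected:
            findings.append((account, expected, posted, expected - posted))
    return findings

def total_shortfall(findings):
    """Control total: how much the customers were shorted overall."""
    return sum((f[3] for f in findings), Decimal("0"))

def one_sided(findings):
    """True when every mismatch shorts the customer: honest rounding
    errors scatter in both directions, systematic skimming does not."""
    return bool(findings) and all(f[3] > 0 for f in findings)

if __name__ == "__main__":
    found = reconcile(POSTINGS)
    for row in found:
        print(*row)
    print("total:", total_shortfall(found), "one-sided:", one_sided(found))
```

The control is only meaningful when the recomputation runs outside the program being audited, since the slides note that altered software keeps operating that way until someone notices.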
COMPUTER FRAUD AND ABUSE TECHNIQUES

• Perpetrators have devised many methods to commit computer fraud and abuse. These include:
– Social engineering
– Software piracy
– Spamming
– Spyware
– Keystroke loggers
– Superzapping
– Trap doors
– Trojan horse
– War dialing
– War driving
IMPACT OF COMPUTER FRAUD
• Auditors are concerned about computer crimes and frauds because they indicate a breakdown in internal controls.
• Financial loss
• Cyber attacks often result in substantial financial loss arising from:
– Theft of corporate information
– Theft of financial information (e.g., bank details or payment card details)
– Theft of money
– Disruption to trading (e.g., inability to carry out transactions online)
– Loss of business or contract
• Businesses that suffered a cyber breach will also generally incur costs associated with repairing affected systems, networks and devices.
• Reputational damage
• Legal consequences of cyber breach
• Damage to intellectual property resulting in the loss of a competitive edge.