11e Chp5-IM Stud (1)


  • 8/6/2019 11e Chp5-IM Stud (1)

    1/23

    CHAPTER 5

    COMPUTER FRAUD AND ABUSE

    INTRODUCTION TO FRAUD

    Fraud is any and all means a person uses to gain an unfair advantage over another person. Legally, for an act to be considered fraudulent there must be:

    1. A false statement, representation, or disclosure

    2. A material fact, which is something that induces a person to act

    3. An intent to deceive

    4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action

    5. An injury or loss suffered by the victim

    Fraud perpetrators are also referred to as white-collar criminals.

    Fraud takes two forms: misappropriation of assets and fraudulent financial reporting.

    Misappropriation of Assets

    Misappropriation of assets is often referred to as employee fraud. Some examples include:

    Albert Miano, a manager at Reader's Digest responsible for processing bills from painters and carpenters, embezzled $1 million over a 5-year period. He forged signatures on checks and deposited the monies in his own account, and bought an expensive home, five cars and a boat.

    A bank vice president approved $1 billion in bad loans in exchange for $585,000 in kickbacks. The bank had to shut down.

    Page 1 of 23

    Learning Objective One

    Define fraud and describe the process one follows to perpetrate a fraud.

    An Accounting Information Systems manager at a Florida newspaper went to work for a competitor after he was fired. It was discovered that the manager still had an active account and password at the firm that had fired him, so he was able to regularly browse the old newspaper company's computer files for information on exclusive stories.

    A typical employee fraud has a number of important elements or characteristics:

    The fraud perpetrator must gain the trust or confidence of the person or company being defrauded.

    Instead of a weapon or physical force to commit a crime, fraud perpetrators use trickery, cunning, or false or misleading information to obtain money or assets.

    They hide their tracks by falsifying records or other information.

    Few frauds are terminated voluntarily. Instead, the fraud perpetrator continues due to need or greed. Often, perpetrators begin to depend on the extra income and get to a point where they cannot afford to stop. Other times they move to a higher lifestyle that requires an even greater amount of money. It is at this point that they get braver, or should we say more relaxed, and the perpetrator gets greedy and starts stealing larger amounts of money; this is where they normally get caught.

    Fraud perpetrators spend their ill-gotten gains, usually on an extravagant lifestyle. Rarely do they save or invest the money they take. Some of these high-cost luxury items include big homes, fancy cars and gambling, or they simply become a big-spender type of person.

    Many perpetrators that become greedy not only start taking greater amounts of money, but also take the money more often. As previously mentioned, perpetrators at some point start getting braver and grow careless or overconfident. This is the point where they can also make a mistake and get caught. The fraud perpetrator cannot get away with stealing cash or property forever. At some point, although it may take some time, they are going to get caught.

    The most significant contributing factor in most employee frauds is the absence of internal controls or the failure to enforce existing internal controls.

    After all, if a person is already dishonest by nature and finds out that management is not concerned about internal controls, it becomes very easy for that person to become a fraud perpetrator and start stealing cash or property.

    Fraudulent Financial Reporting

    The Treadway Commission defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

    Executives "cook the books," as they say, by fictitiously inflating revenues, recognizing revenues before they are earned, closing the books early (delaying current-period expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.

    The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

    1. Establish an organizational environment that contributes to the integrity of the financial reporting process.

    2. Identify and understand the factors that lead to fraudulent financial reporting.

    3. Assess the risk of fraudulent financial reporting within the company.

    4. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

    A study by the Association of Certified Fraud Examiners found that misappropriation of assets by employees is more than 17 times more likely than fraudulent financial reporting.

    Who Perpetrates Fraud and Why It Occurs

    Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills. Some hackers and computer fraud perpetrators are more motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of beating the system. Most have no previous criminal record.

    Research shows that three conditions are necessary for fraud to occur: a pressure, an opportunity, and a rationalization. This is referred to as the fraud triangle and is shown as the middle triangle in Figure 5-1 on Page 148.

    Pressures

    A pressure is a person's incentive or motivation for committing the fraud. The three common types of pressures are financial, emotional and lifestyle, which are summarized in Table 5-2 on Page 149. Table 5-3 on Page 150 provides the pressures that can lead to financial statement fraud.

    Learning Objective Two

    Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities and rationalizations that are present in most frauds.

    Opportunities

    As shown in the opportunity triangle in Figure 5-1 on Page 148, opportunity is the condition or situation that allows a person or organization to do three things:

    1. Commit the fraud

    Most fraudulent financial reporting consists of the overstatement of assets or revenues, the understatement of liabilities, or the failure to disclose information.

    2. Conceal the fraud

    A common and effective way to hide a theft is to charge the stolen item to an expense account. For example, supplies are charged to an expense account when they are initially purchased, before they are used. This gives the perpetrator the opportunity to use some of the supplies for personal benefit at the expense of the company. These unused supplies should have been recorded as an asset called Supplies until they are used.

    Another way to hide a decrease in assets is by lapping. In a lapping scheme, the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable. Funds received at a later date from customer B are used to pay off customer A's balance, and so forth: funds from customer C are used to pay off customer B.
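The reconciliation a defender would run to surface a lapping scheme like the one just described, written here as an added example for these notes (it is not from the instructor's manual or the textbook). Everything in it is constructed: the customer names, check numbers and amounts, and the two record sources it compares, a lockbox log kept by someone who cannot post to accounts receivable and the A/R posting journal kept by the clerk.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (hypothetical). The lockbox log says whose check
# arrived; the A/R posting journal says whose balance the clerk reduced. In a
# lapping scheme the two disagree, because customer B's money is applied to
# customer A's account to cover the check stolen from A.

@dataclass(frozen=True)
class Remittance:
    check_no: str
    payer: str        # customer named on the incoming check
    amount: int       # whole dollars, to keep the sample readable

@dataclass(frozen=True)
class Posting:
    check_no: str
    credited_to: str  # customer account the clerk reduced
    amount: int

LOCKBOX_LOG = [
    Remittance("1001", "Customer A", 500),   # stolen: never posted anywhere
    Remittance("1002", "Customer B", 500),   # posted to A to hide the theft
    Remittance("1003", "Customer C", 500),   # posted to B to hide the previous one
    Remittance("1004", "Customer D", 300),   # legitimate
]
AR_POSTINGS = [
    Posting("1002", "Customer A", 500),
    Posting("1003", "Customer B", 500),
    Posting("1004", "Customer D", 300),
]

def reconcile_receipts(remittances: List[Remittance], postings: List[Posting]) -> Dict[str, list]:
    """Independent reconciliation of cash receipts against A/R postings.

    Returns three kinds of findings:
      misapplied  - a posting credits a customer other than the one who paid
      unposted    - money arrived but was never posted (possible theft)
      unsupported - a posting has no matching remittance (fictitious credit)
    """
    by_check = {r.check_no: r for r in remittances}
    posted_checks = {p.check_no for p in postings}
    findings = {"misapplied": [], "unposted": [], "unsupported": []}
    for p in postings:
        r = by_check.get(p.check_no)
        if r is None:
            findings["unsupported"].append({"check_no": p.check_no, "credited_to": p.credited_to})
        elif r.payer != p.credited_to or r.amount != p.amount:
            findings["misapplied"].append(
                {"check_no": p.check_no, "payer": r.payer, "credited_to": p.credited_to}
            )
    for r in remittances:
        if r.check_no not in posted_checks:
            findings["unposted"].append({"check_no": r.check_no, "payer": r.payer, "amount": r.amount})
    return findings

if __name__ == "__main__":
    for kind, items in reconcile_receipts(LOCKBOX_LOG, AR_POSTINGS).items():
        print(kind, items)
```

The check works only because the lockbox log is produced by someone who cannot post to A/R; if the same clerk controls both records, the two always agree and the reconciliation shows nothing, which is the "absence of internal controls" point made earlier in these notes.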

    In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks. For example, suppose a fraud perpetrator opens checking accounts in three banks, called banks A, B and C, and deposits $100 in each account. Then the perpetrator creates cash by depositing a $1,000 check from bank A into bank B and then withdraws the $1,000 from bank B. It takes two days for his check to clear bank A. Since there are insufficient funds in bank A to cover the $1,000 check, the perpetrator deposits a $1,000 check from bank C into bank A before his check to bank B clears bank A. Since bank C also has insufficient funds, $1,000 must be deposited into bank C before the check to bank A clears. The check to bank C is written from bank B, which also has insufficient funds. And the scheme continues. I have also seen situations where kiting also includes credit cards along with the use of checking accounts.

    Since most banks would require you to deposit some money to start a checking account, an initial deposit of $100 in each bank was included above. In addition, the chart below gives a pictorial explanation of the above kiting scheme, using dates, balances and NSF due dates.

    Step  Date  Bank A                       Bank B                       Bank C                       Perpetrator
    #1    1/1   1,000 check, Bal. -1,000,    +1,000, Bal. +1,000
                NSF due on 1/3
    #2    1/2                                W/D -1,000, Bal. -0-,                                     +1,000
                                             No NSF due
    #3    1/3   +1,000, Bal. -0-,                                         1,000 check, Bal. -1,000,
                No NSF due                                                NSF due 1/5
    #4    1/5                                1,000 check, Bal. -1,000,    +1,000, Bal. -0-,
                                             NSF due 1/7                  No NSF due
    (1)   1/7                                                                                          Deposit +1,000

    Note #1: At this point the perpetrator may want to deposit the $1,000 he has had for 5 days (1/2 through 1/6) on the morning of 1/7 and start over again with bank A.

    Legend: W/D = withdraws cash; NSF = nonsufficient funds; Bal. = balance
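The chart above replayed as a small simulation, added here as an example (not from the instructor's manual or the textbook) to show the control that defeats kiting: a funds-availability hold, under which a bank lets deposited checks be used only once they have actually been collected. The January 2019 dates, the policy names and the class structure are assumptions; the $100 opening deposits, the $1,000 checks and the two-day clearing time are the page's own figures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

CLEAR_DAYS = 2          # the page's assumption: a check takes two days to clear
OPENING_DEPOSIT = 100   # the page's $100 opening deposit in each bank

@dataclass
class Bank:
    name: str
    ledger: int                                       # book balance; deposits credited at once
    uncollected: list = field(default_factory=list)   # (clears_on, amount) deposited checks not yet collected
    presentments: list = field(default_factory=list)  # (due_on, amount) checks drawn on this bank awaiting payment

    def collected(self, today: date) -> int:
        """Ledger balance minus deposited checks whose funds have not yet been collected."""
        return self.ledger - sum(a for d, a in self.uncollected if d > today)

class KitingSimulation:
    """Replays the page's three-bank timeline under one of two bank policies.

    policy="ledger":    funds may be used as soon as a deposit is booked.
    policy="collected": deposited checks are held until they clear, and checks
                        are paid only from collected funds.
    Simplification (constructed example): a bounced check is counted and logged,
    but the depositing bank's credit is not reversed.
    """
    def __init__(self, policy: str):
        self.policy = policy
        self.banks = {n: Bank(n, OPENING_DEPOSIT) for n in "ABC"}
        self.cash_in_hand = 0
        self.nsf_returns = 0
        self.log = []

    def available(self, bank: Bank, today: date) -> int:
        return bank.ledger if self.policy == "ledger" else bank.collected(today)

    def deposit_check(self, today: date, drawn_on: str, into: str, amount: int) -> None:
        clears = today + timedelta(days=CLEAR_DAYS)
        self.banks[into].ledger += amount
        self.banks[into].uncollected.append((clears, amount))
        self.banks[drawn_on].presentments.append((clears, amount))

    def withdraw(self, today: date, bank_name: str, amount: int) -> bool:
        bank = self.banks[bank_name]
        if self.available(bank, today) < amount:
            self.log.append(f"{today}: withdrawal of {amount} from bank {bank_name} refused")
            return False
        bank.ledger -= amount
        self.cash_in_hand += amount
        return True

    def present_checks(self, today: date) -> None:
        """Pay checks due today from available funds, otherwise return them NSF."""
        for bank in self.banks.values():
            due = [(d, a) for d, a in bank.presentments if d <= today]
            bank.presentments = [(d, a) for d, a in bank.presentments if d > today]
            for _, amount in due:
                if self.available(bank, today) >= amount:
                    bank.ledger -= amount
                else:
                    self.nsf_returns += 1
                    self.log.append(f"{today}: check for {amount} drawn on bank {bank.name} returned NSF")

def run_page_timeline(policy: str, last_day: int = 6) -> KitingSimulation:
    """Steps #1-#4 of the chart; the deposit on a given day happens before that day's presentments."""
    sim = KitingSimulation(policy)
    day = lambda n: date(2019, 1, n)
    steps = {
        day(1): lambda t: sim.deposit_check(t, "A", "B", 1000),   # #1 check on A deposited in B
        day(2): lambda t: sim.withdraw(t, "B", 1000),             # #2 cash withdrawn from B
        day(3): lambda t: sim.deposit_check(t, "C", "A", 1000),   # #3 check on C covers A
        day(5): lambda t: sim.deposit_check(t, "B", "C", 1000),   # #4 check on B covers C
    }
    for n in range(1, last_day + 1):
        today = day(n)
        if today in steps:
            steps[today](today)
        sim.present_checks(today)
    return sim

if __name__ == "__main__":
    for policy in ("ledger", "collected"):
        s = run_page_timeline(policy)
        print(policy, "cash in hand:", s.cash_in_hand, "NSF returns:", s.nsf_returns, s.log)
```

Under the ledger policy the $1,000 withdrawn on 1/2 is real cash backed by nothing, every check is paid on time through 1/6, and each bank on its own sees a customer in good standing; the kite only collapses on 1/7 if the cash is not redeposited. Under the collected policy the withdrawal on 1/2 is refused and the checks presented on 1/3 and 1/5 bounce, because the deposits covering them are themselves uncollected.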

    3. Convert the Theft or Misrepresentation to Personal Gain

    In employee fraud, all fraud perpetrators go through the conversion phase unless they steal actual cash that can be spent or use the asset personally.

    Table 5-4 on Page 152 lists some of the more frequently mentioned opportunities that permit employee and financial statement fraud. Opportunities for fraud often stem from internal control factors. A control feature many companies lack is a background check on all potential employees.

    Rationalizations

    Rationalization allows perpetrators to justify their illegal behavior. A list of some of the rationalizations people use:

    I am only borrowing the money (or asset) and will repay my loan.

    You would understand if you knew how badly I needed it.

    What I did was not that serious.

    It was for a good cause (the Robin Hood syndrome: robbing from the rich to give to the poor).

    I occupy a very important position of trust. I am above the rules.

    Everyone else is doing it, so it is not that wrong.

    No one will ever know.

    The company owes it to me, and I am taking no more than is rightfully mine.

    Computer Fraud

    The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation or prosecution. More specifically, computer fraud includes the following:

    Unauthorized theft, use, access, modification, copying and destruction of software or data

    Theft of money by altering computer records

    Theft of computer time

    Theft or destruction of computer hardware

    Use of, or conspiracy to use, computer resources to commit a felony

    Intent to illegally obtain information or tangible property through the use of computers

    Learning Objective Three

    Define computer fraud and discuss the different computer fraud classifications.

    The Association of Certified Fraud Examiners provides the following general definition of computer fraud: any defalcation or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media and resulting in losses sustained by the organization whose computer system was manipulated.

    Another definition of computer crime: in a computer crime, the computer is involved directly or indirectly in committing the criminal act. Sabotage of computer facilities is classified as a direct computer crime, and unauthorized access to stored data is an indirect computer crime because the presence of the computer created the environment for committing the crime.

    The Rise in Computer Fraud

    Computer systems are particularly vulnerable to computer crimes for the following reasons:

    Billions of characters of data are stored in company databases. People who manage to break into these databases can steal, destroy or alter massive amounts of data in very little time.

    Organizations want employees, customers and suppliers to have access to their systems. The number and variety of these access points significantly increase the risks.

    Computer programs need to be changed or modified only once without permission for the system to operate improperly for as long as the system is in use.

    Modern systems utilize personal computers (PCs), which are inherently more vulnerable to security risks. It is difficult to control physical access to each networked PC. In addition, PCs and their data can be lost, stolen or misplaced.

    Computer systems face a number of unique challenges: reliability (i.e., accuracy, completeness), equipment failure, environmental dependency (i.e., power, damage from water or fire), vulnerability to electromagnetic interference and interruption, eavesdropping and misrouting.

    The increase in computer fraud schemes is due to some of the following reasons:

    1. Not everyone agrees on what constitutes computer fraud.

    2. Many computer frauds go undetected. The FBI estimated that only one percent of all computer crime was detected, while others estimated it to be between 5 and 20%.

    3. A high percentage of uncovered frauds are not reported.

    4. Many networks have a low level of security.

    5. Many Internet pages give step-by-step instructions on how to perpetrate computer crimes and abuses.

    6. Law enforcement is unable to keep up with the growing number of computer frauds.

    7. The total dollar value of losses is difficult to calculate.

    Computer Fraud Classifications

    As shown in Figure 5-2 on Page 156, one way to categorize computer fraud is to use the data processing model: input, processor, computer instructions, stored data and output.

    Input

    The simplest and most common way to commit fraud is to alter computer input. It requires little, if any, computer skill. Instead, perpetrators need only understand how the system operates so they can cover their tracks.

    To commit payroll fraud, perpetrators can enter data to increase their salary, create a fictitious employee, or retain a terminated employee on the records.
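A detective control for the three payroll input frauds just listed, and for the earlier Florida newspaper case of an account left active after termination, written as one added example (not from the instructor's manual or the textbook): it reconciles the HR master file, which the payroll clerk cannot edit, against both the list of active system accounts and the current payroll run. The employee ids, names, dates, salaries, bank account numbers and the 10% tolerance are all constructed.

```python
from datetime import date

# Constructed sample data (hypothetical); none of it comes from the page.
HR_MASTER = {  # employee_id -> (name, termination date or None, approved monthly salary)
    "E100": ("Ada", None,              5200),
    "E101": ("Ben", date(2019, 5, 31), 4800),   # terminated last month
    "E102": ("Cy",  None,              4100),
}
ACTIVE_ACCOUNTS = ["E100", "E101", "E102", "svc-backup"]   # E101 was never deprovisioned
PAYROLL_RUN = [  # (employee_id, amount paid, bank account credited)
    ("E100", 5200, "11-222"),
    ("E101", 4800, "33-444"),    # paid after termination
    ("E102", 6150, "55-666"),    # well above the approved salary
    ("E999", 3900, "55-666"),    # not in HR master, same bank account as E102
]
SERVICE_ACCOUNTS = {"svc-backup"}   # non-person accounts reviewed separately

def reconcile_rosters(hr, accounts, payroll, run_date, tolerance=0.10, service_accounts=SERVICE_ACCOUNTS):
    """Reconcile HR master data against system accounts and a payroll run.

    Returns (finding_type, identifier) pairs for:
      orphaned-account        active login for someone HR says has left
      account-not-in-hr       login with no HR record that is not a known service account
      paid-after-termination  payroll to a terminated employee
      fictitious-employee     payroll to an id HR has never heard of
      salary-above-approved   pay exceeding the approved salary by more than `tolerance`
      shared-bank-account     one bank account receiving several employees' pay
    """
    terminated = {eid for eid, (_, term, _) in hr.items() if term is not None and term < run_date}
    findings = []
    for acct in accounts:
        if acct in service_accounts:
            continue
        if acct not in hr:
            findings.append(("account-not-in-hr", acct))
        elif acct in terminated:
            findings.append(("orphaned-account", acct))
    by_bank = {}
    for eid, amount, bank in payroll:
        if eid not in hr:
            findings.append(("fictitious-employee", eid))
        elif eid in terminated:
            findings.append(("paid-after-termination", eid))
        elif amount > hr[eid][2] * (1 + tolerance):
            findings.append(("salary-above-approved", eid))
        by_bank.setdefault(bank, []).append(eid)
    for bank, eids in by_bank.items():
        if len(eids) > 1:
            findings.append(("shared-bank-account", bank))
    return findings

if __name__ == "__main__":
    for finding in reconcile_rosters(HR_MASTER, ACTIVE_ACCOUNTS, PAYROLL_RUN, date(2019, 6, 30)):
        print(*finding)
```

The shared-bank-account test is what catches a fictitious employee whose other fields look plausible: the money has to land somewhere the perpetrator can reach, so the destination account is the field that is hardest to fake.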

    Example of input fraud: a New York bank employee replaced the company's deposit slips with forged deposit slips. For three days, bank deposits went into his personal account. Then he disappeared and was not caught, as he had used an alias. There are more examples on pages 155 and 156.

    Processor

    Computer fraud can be committed through unauthorized system use, including the theft of computer time and services.

    Example of processor fraud: employees of an insurance company were running an illegal gambling Web site. These employees hid the computers under the floor. There are more examples on page 156.

    Computer Instructions

    Computer fraud can be accomplished by tampering with the software that processes company data.

    Data

    The greatest exposure in data fraud comes from employees with access to the data. The most frequent type of data fraud is the illegal use of company data, typically by copying it, using it, or searching it without permission. For example, an employee using a small flash drive or an iPod can steal large amounts of data and remove it without being detected.

    The following are some recent examples of stolen data:

    The office manager of a Wall Street law firm found information about prospective mergers and acquisitions in the firm's Word files. He sold the information to friends and relatives, who made several million dollars trading the securities illegally.

    A 22-year-old Kazakhstan man broke into Bloomberg's network and stole account information, including that of Michael Bloomberg, the mayor of New York and the founder of the financial news company. He demanded $200,000 in exchange for not using or selling the information. He was arrested in London when accepting the ransom.

    A software engineer tried to steal Intel's plans for a new microprocessor. Because he could view but not copy or print the manufacturing plans, he photographed them screen by screen late at night in his office. One of Intel's controls was to notify security when the plans were viewed after hours. He was caught photographing the plans.

    Cyber-criminals used sophisticated hacking and identity theft techniques to hack into seven major online brokerage firm accounts. They sold the securities in those accounts and used the cash to pump up the price of 15 low-priced, thinly traded public companies they already owned. They then dumped the 15 stocks in their personal accounts for huge gains. E-Trade lost $18 million and Ameritrade $4 million in similar pump-and-dump schemes.

    The U.S. Department of Veterans Affairs was sued because an employee laptop that contained the records of 26.5 million veterans was stolen, exposing them all to identity theft. Later, another laptop with the records of 38,000 people disappeared from a subcontractor's office.

    Data can also be changed, damaged, destroyed or defaced. Data also can be lost due to negligence or carelessness.

    Deleting files does not erase them. Even reformatting a hard drive often does not erase files or wipe the drive clean.

    Output

    Computer output, displayed on monitors or printed on paper, can be stolen or misused. Fraud perpetrators can use computers and output devices to forge authentic-looking outputs. For example, a company laser printer could be used to prepare paychecks.

    Computer Fraud and Abuse Techniques

    These techniques are summarized in Table 5-5 on Page 158.

    Computer Attacks

    Hacking is the unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network. Most hackers are able to break into systems using known flaws in operating systems or application programs, or as a result of poor access controls. Some hackers are motivated by the challenge of breaking into computer systems and just browse or look for things to copy and keep. Other hackers have malicious intentions.

    The following examples illustrate hacking attacks and the damage they cause:

    Several years ago, Russian hackers broke into Citibank's system and stole $10 million from customer accounts.

    During Operation Desert Storm, Dutch hackers broke into computers at 34 different military sites and extracted confidential information. Among the information stolen were the troop movements and weapons used in the Iraq war. The group offered to sell the information to Iraq, but the government declined, probably because it feared it was a setup.

    A 17-year-old hacker, nicknamed Shadow Hawk, was convicted of electronically penetrating the Bell Laboratories national network, destroying files valued at $174,000, and copying 52 proprietary software programs worth $1.2 million. He published confidential information such as telephone numbers, passwords and instructions on how to breach AT&T's computer security system on underground bulletin boards. He was sentenced to nine months in prison and given a $10,000 fine. Like Shadow Hawk, many hackers are fairly young, some as young as 12 and 13.

    Programming computers to dial thousands of phone lines in search of dial-up modem lines is referred to as war dialing.

    War driving is driving around looking for unprotected wireless networks. Some war drivers draw chalk symbols on sidewalks to mark unprotected wireless networks, referred to as war chalking. One enterprising group of researchers went war rocketing: they sent rockets into the air that let loose wireless access points, each attached to a parachute.

    A botnet, short for robot network, is a network of hijacked computers. Hijacking is gaining control of someone else's computer to carry out illicit activities without the user's knowledge. Hackers who control the hijacked computers, called bot herders, use the combined power of the infected machines, called zombies.

    A denial-of-service attack occurs when an attacker sends so many e-mail bombs (thousands per second), often from randomly generated false addresses, that the Internet service provider's e-mail server is overloaded and shuts down. Another denial-of-service attack is sending so many requests for Web pages that the Web server crashes.

    A good example was when a lot of people were receiving so many e-mails so fast that they could not even delete them all; it was just a constant flow of e-mails, during which these people could not do anything else. As a result, some people now have more than one e-mail provider, one of which they use only to catch the junk e-mails.

    Most denial-of-service attacks are quite easy to accomplish and involve the following:

    The attacker infects a botnet with a denial-of-service program.

    The attacker activates the program and the zombie computers begin sending pings (e-mails or requests for data) to the computer being attacked. The victim computer responds to each ping, not realizing the zombie computer sent it a fictitious return address, and waits for a response that never comes.

    Because the victim computer is waiting for so many responses that never come, system performance begins to degrade until the computer finally freezes (it does nothing but respond to the pings) or it crashes.

    The attacker terminates the attack after an hour or two to limit the victim's ability to trace the source of the attacks.
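What the pattern just described looks like from the victim's side, and how to detect it, as an added example (not from the instructor's manual or the textbook). The connection log format, the request/reply/complete event names, the documentation-range IP addresses and the alert threshold are all constructed; the detector counts exchanges in which the victim replied and then waited for a completion that never came, which is exactly the state the fictitious return addresses leave behind.

```python
from collections import defaultdict

# Constructed connection log (hypothetical): "<second> <src> <dst> <event>".
# Events: request (client -> server), reply (server -> client), complete
# (client acknowledges the reply). A request with a fictitious return address
# gets a reply that nobody answers, so that exchange stays stuck at "replied".
def build_sample_log():
    lines = []
    for t, client in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"]):   # legitimate clients
        lines += [f"{t} {client} 192.0.2.10 request",
                  f"{t} 192.0.2.10 {client} reply",
                  f"{t} {client} 192.0.2.10 complete"]
    for i in range(1, 51):   # flood: 50 requests with fictitious return addresses
        fake = f"203.0.113.{i}"
        lines += [f"4 {fake} 192.0.2.10 request", f"4 192.0.2.10 {fake} reply"]
    return lines

def half_open_report(lines):
    """Per server: exchanges left waiting for a completion that never came,
    and how many distinct source addresses they came from."""
    state = {}   # (client, server) -> "requested" | "replied" | "done"
    for line in lines:
        _, src, dst, event = line.split()
        if event == "request":
            state[(src, dst)] = "requested"
        elif event == "reply":
            state[(dst, src)] = "replied"      # the server is src here, the client is dst
        elif event == "complete":
            state[(src, dst)] = "done"
    report = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (client, server), s in state.items():
        if s == "replied":
            report[server]["half_open"] += 1
            report[server]["sources"].add(client)
    return {srv: {"half_open": v["half_open"], "distinct_sources": len(v["sources"])}
            for srv, v in report.items()}

def servers_under_attack(lines, threshold=20):
    """Alert when a server has at least `threshold` half-open exchanges
    spread over at least `threshold` distinct sources."""
    rep = half_open_report(lines)
    return sorted(srv for srv, v in rep.items()
                  if v["half_open"] >= threshold and v["distinct_sources"] >= threshold)

if __name__ == "__main__":
    log = build_sample_log()
    print(half_open_report(log))
    print("under attack:", servers_under_attack(log))
```

The distinct-source condition is what separates this from one slow client: a single misbehaving host leaves many half-open exchanges from one address, while randomly generated return addresses leave one each from many. A production detector would also age entries out by time rather than look at the whole log at once.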

    Spamming is e-mailing the same unsolicited message to many people at the same time, often in an attempt to sell them something. Spammers use very creative means to find valid e-mail addresses. They scan the Internet for addresses posted online and also hack into company databases and steal mailing lists. In addition, spammers stage dictionary attacks (also called direct harvesting attacks) designed to uncover valid e-mail addresses.

    Hackers also spam blogs, which are Web sites containing online journals, by placing random or nonsensical comments on blogs that allow visitor comments. Splogs, or spam blogs, promote affiliated Web sites to increase their Google PageRank, a measure of how often a Web page is referenced by other Web pages.

    Spoofing is making an e-mail message look as if someone else sent it. A former Oracle employee was charged with breaking into the company's computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for ending a relationship with the company's chief executive. The employee was found guilty of forging the e-mail message and faced up to six years in jail.

    A zero-day attack (or zero-hour attack) is an attack between the time a new software vulnerability is discovered and the time the software developers and security vendors release software, called a patch, that fixes the problem.

    Password cracking is penetrating a system's defenses, stealing the file containing valid passwords, decrypting them and using them to gain access to programs, files and data.

    In masquerading, or impersonation, the perpetrator gains access to the system by pretending to be an authorized user. This approach requires the perpetrator to know the legitimate user's ID number and password.

    Piggybacking is tapping into a telecommunications line and latching on to a legitimate user before the user logs into a system. The legitimate user unknowingly carries the perpetrator into the system.

    Piggybacking has several meanings:

    1. The clandestine use of a neighbor's Wi-Fi network; this can be prevented by enabling the security feature in the wireless network.

    2. Tapping into a telecommunications line and electronically latching on to a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.

    3. An unauthorized person passing through a secure door when an authorized person opens it, thereby bypassing physical security controls such as keypads, ID cards, or biometric identification scanners.

    Data diddling is changing data before, during, or after it is entered into the system. The change can be made to delete, alter, or add key system data.

    Data leakage refers to the unauthorized copying of company data.

    A fraud perpetrator can use the salami technique to embezzle large sums of money a "salami slice" at a time from many different accounts (tiny slices of money are stolen over a period of time).

    The round-down fraud technique is used most frequently in financial institutions that pay interest. In the typical scenario, the programmer instructs the computer to round down all interest calculations to two decimal places. The fraction of a cent that is rounded down on each calculation is put into the programmer's account or one that he or she controls.
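The round-down scheme carried through on constructed numbers, with the control that catches it, as an added example (not from the instructor's manual or the textbook). The 300 account balances, the monthly rate, the bank's "round half-up" posting rule and the account name ACCT-PROG are assumptions. It goes one step beyond the text by showing why a totals check alone is not enough: the fraudulent run still balances to the cent, so the auditor has to recompute interest account by account.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.004")   # constructed: 4.8% per year, paid monthly

# Constructed balances (hypothetical): 300 accounts with two-decimal balances.
BALANCES = {
    f"ACCT-{i:03d}": Decimal(1000 + 37 * i) + Decimal(i % 100) / 100
    for i in range(1, 301)
}

def honest_interest(balances, rate):
    """The bank's documented rule (assumed): round each account's interest half-up to the cent."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}

def round_down_fraud(balances, rate, sweep_account="ACCT-PROG"):
    """The scheme the page describes: round every account down and sweep the
    accumulated fractions of a cent into an account the programmer controls."""
    posted, carry = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        posted[acct] = exact.quantize(CENT, rounding=ROUND_DOWN)
        carry += exact - posted[acct]
    posted[sweep_account] = carry.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def audit_interest_run(balances, rate, posted):
    """Detective control: recompute interest independently and compare per account.

    Returns (findings, short), where `short` is the total the depositors were
    under-credited relative to the documented rounding rule.
    """
    expected = honest_interest(balances, rate)
    findings = []
    for acct, amount in posted.items():
        if acct not in expected:
            findings.append(("credit-without-balance", acct, amount))
        elif amount != expected[acct]:
            findings.append(("rounding-mismatch", acct, amount, expected[acct]))
    short = sum(expected.values()) - sum(a for acct, a in posted.items() if acct in expected)
    return findings, short

if __name__ == "__main__":
    posted = round_down_fraud(BALANCES, MONTHLY_RATE)
    findings, short = audit_interest_run(BALANCES, MONTHLY_RATE, posted)
    exact_total = sum(b * MONTHLY_RATE for b in BALANCES.values())
    print("swept to ACCT-PROG:", posted["ACCT-PROG"])
    print("total posted vs exact interest differ by:", exact_total - sum(posted.values()))
    print("accounts flagged:", len(findings), "depositors shorted by:", short)
```

The sweep on 300 accounts is only $1.49, which is the point of the technique: each slice is invisible to the customer, and only scale (millions of accounts, every month) makes it worth stealing. The totals reconciliation comes out within a cent, so the only control that works is the per-account recomputation, plus a standing rule that no interest credit may land in an account that carries no interest-bearing balance.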

    Phreaking is attacking phone systems to obtain free phone line access. Phreakers also use the telephone lines to transmit viruses and to access, steal and destroy data.

    Economic espionage is the theft of information, trade secrets and intellectual property. This increased by 323% during one five-year period. The U.S. Department of Justice estimates that intellectual property theft losses total $250 billion a year. Almost 75% of these losses are to an employer, former employer, contractor, or supplier.

    A growing problem is cyber-extortion, in which fraud perpetrators threaten to harm a company if it does not pay a specified amount of money.

    Internet terrorism occurs when hackers use the Internet to disrupt electronic commerce and to destroy company and individual communications.

    Internet misinformation is using the Internet to spread false or misleading information about people or companies. This can be done in a number of ways, including inflammatory messages in online chats, setting up Web sites and spreading urban legends.

    Fraud perpetrators are beginning to use unsolicited e-mail threats to defraud people. For example, Global Communications sent a message to many people threatening legal action if an unspecified overdue amount was not paid within 24 hours.

    Many companies advertise online and pay based on how many users click on ads that take them to the company's Web site. Advertisers pay from a few cents to over $10 for each click. Click fraud is intentionally clicking on these ads numerous times to inflate advertising bills.

    Software piracy is copying software without the publisher's permission. It is estimated that for every legal copy of software there are seven to eight illegal ones. I have seen some places where this is almost like an acceptable practice.

    Social Engineering

    In social engineering, perpetrators trick employees into giving them the information they need to get into the system.

    Identity theft is assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information such as the person's Social Security number or their bank account or credit card number. Identity thieves benefit financially by taking funds out of the victim's bank accounts, taking out mortgages or other loan obligations, and taking out credit cards and running up large debts. In one case, a convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and then filed for bankruptcy in the victim's name.

    In pretexting, people act under false pretenses to gain confidential information. For example, they might conduct a security survey and lull the person into disclosing confidential information by asking 10 innocent questions before asking the confidential ones.

    Posing is creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering a product.

    Phishing is sending out an e-mail, instant message, or text message pretending to be from a legitimate company, usually a financial institution, and requesting information. The recipient is asked either to respond to the e-mail request, to visit a Web page and submit the data, or to respond to a text message.

    In voice phishing, or vishing, e-mail recipients are asked to call a specified phone number, where a recording tells them to enter confidential data.

    Phished (and otherwise stolen) credit card numbers can be bought and sold, which is called carding.

    Pharming is redirecting a Web site's traffic to a bogus (spoofed) Web site, usually to gain access to personal and confidential information. So how does pharming work? If you don't know someone's phone number, you look it up in a phone book. If you could change XYZ Company's number in the phone book to your phone number, people calling XYZ Company would reach you instead. You could then ask them to divulge information only they would know to "verify" their identity.

    An evil twin is when a hacker sets up a wireless network with the same name (called the Service Set Identifier, or SSID) as the wireless access point at a local hot spot or a corporation's wireless network.
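The check a network team runs to spot an evil twin on its own premises, as an added example (not from the instructor's manual or the textbook): a wireless scan is compared against the inventory of radios (BSSIDs) that are allowed to advertise each protected SSID. The SSID names, MAC addresses, security labels and channels are all constructed.

```python
# Constructed inventory (hypothetical): which radios may advertise each protected SSID.
AUTHORIZED_APS = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed scan results (hypothetical): (ssid, bssid, security, channel).
SCAN = [
    ("CorpWiFi", "00:11:22:33:44:01", "WPA2-Enterprise", 1),
    ("CorpWiFi", "00:11:22:33:44:02", "WPA2-Enterprise", 6),
    ("CorpWiFi", "de:ad:be:ef:00:01", "open",            11),   # unknown radio using the corporate name
    ("GuestNet", "00:11:22:33:44:99", "open",            6),    # not one of the protected SSIDs
]

def find_evil_twins(scan, authorized):
    """Flag any access point advertising a protected SSID from a BSSID not in inventory."""
    allowed = {ssid: {b.lower() for b in bssids} for ssid, bssids in authorized.items()}
    return [
        {"ssid": ssid, "bssid": bssid, "security": security, "channel": channel}
        for ssid, bssid, security, channel in scan
        if ssid in allowed and bssid.lower() not in allowed[ssid]
    ]

if __name__ == "__main__":
    for ap in find_evil_twins(SCAN, AUTHORIZED_APS):
        print("unauthorized AP advertising", ap["ssid"], "from", ap["bssid"], ap["security"], "channel", ap["channel"])
```

Matching on the BSSID rather than the name is the whole point: the SSID is exactly what the attacker copies, so it can never be the field that distinguishes the real network from the twin. A BSSID can be forged too, which is why the scan is worth repeating from several locations and correlating with signal strength.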

    Typosquatting, also called URL hijacking, is setting up Web sites with names very similar to real Web sites, so that when users make mistakes, such as typographical errors, in entering a Web site name, they are sent to an invalid site. The typosquatter's site may do the following:

    Trick the user into thinking she is at the real site by using a copied or similar logo, Web site layout, or content. These sites often contain advertising that would appeal to the person looking for the real domain name. The typosquatter might also be a competitor.

    Send the user to a site very different from what was wanted. In one famous case, a typosquatter sent people looking for sites that appealed to children to a pornographic Web site.

    Use the false address to distribute viruses, adware, spyware, or other malware.

    Scavenging, or dumpster diving, is gaining access to confidential
    information by searching corporate or personal records. Some identity
    thieves search garbage cans, communal trash bins, and city dumps to
    find documents or printouts with confidential company information.
    They also look for personal information such as checks, credit card
    statements, bank statements, tax returns, discarded applications for
    preapproved credit cards, or other records that contain Social
    Security numbers, names, addresses, telephone numbers, and other data
    that allow them to assume an identity. Be sure to tear up (or,
    preferably, shred) your personal correspondence from banks and credit
    card companies so that the numbers cannot be read before you throw it
    into the trash, especially a public trash container.


    Shoulder surfing is watching people as they enter telephone calling
    card or credit card numbers, or listening to conversations as people
    give their credit card number over the telephone or to sales clerks.

    Skimming is double-swiping a credit card in a legitimate terminal, or
    covertly swiping a credit card in a small, hidden, handheld card
    reader that records the card data for later use.

    Chipping is posing as a service engineer and planting a small chip in
    a legitimate credit card reader so that it records card data for the
    attacker.

    Eavesdropping enables perpetrators to observe private communications
    or transmissions of data. One way to intercept signals is by setting
    up a wiretap; on a data network the equivalent is a network tap or a
    packet sniffer.

    Malware

    This section describes malware, which is any software that can be
    used to do harm.

    Spyware is software that secretly collects personal information about
    users and sends it to someone else without the user's permission. The
    information is gathered by logging keystrokes, monitoring computing
    habits such as Web sites visited, and scanning documents on the
    computer's hard disk.

    Spyware infections, of which users are usually unaware, come from

    the following:

    Downloads such as file sharing programs, system

    utilities, games, wallpaper, screensavers, music and

    videos.

    Web sites that secretly download spyware when they are visited. This
    is called drive-by downloading.

    A hacker using security holes in Web browsers and other

    software.

    Programs masquerading as anti-spyware security software.

    A worm or virus

    Public wireless network. For example, users receive a

    message they believe is from the coffee shop or hotel

    where they are using wireless technology. Clicking on

    the message inadvertently downloads a Trojan horse or

    spyware application.

    One type of spyware, called adware (short for advertising-supported
    software), does two things. First, it causes banner ads to pop up on
    your monitor as you surf the Net. Second, it collects information
    about the user's Web-surfing and spending habits and forwards it to
    the company gathering the data, often an advertising or large media
    organization.

    In a recent survey, 55% of companies had experienced a spyware,

    adware, or some other malware infection. In larger organizations,

    the average cost of getting rid of spyware is over $1.5 million a

    year.

    Another form of spyware, called a key logger, records computer
    activity, such as a user's keystrokes, e-mails sent and received, Web
    sites visited, and chat session participation.

    A Trojan horse is a set of malicious, unauthorized computer
    instructions in an authorized and otherwise properly functioning
    program. Some Trojan horses give the creator the power to remotely
    control the victim's computer. Unlike viruses and worms, the code
    does not try to replicate itself.

    Time bombs and logic bombs are Trojan horses that lie idle until
    triggered by a specified time or circumstance. Once triggered, the
    bomb goes off, destroying programs, data, or both. Many bombs are
    written by company insiders, typically disgruntled programmers or
    other systems personnel who want to get even with their company.

    A trap door, or back door, is a way into a system that bypasses
    normal system controls. Programmers use trap doors to modify programs
    during systems development and normally remove them before the system
    is put into operation. A trap door that survives into production is a
    standing bypass of authentication that anyone who discovers it can
    use, so confirming that development bypasses have been removed
    belongs in the release process.
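As an added example (not from the textbook), the Python code below shows a login routine with a hard-coded developer bypass, the trap door, beside a hardened version in which every path goes through the user store and the comparison is constant-time. The user store, the "maint"/"letmein" credential and the hashing parameters are illustrative assumptions.

```python
"""A trap door (back door) left in an authentication routine, beside the
hardened version with no bypass path.

Added example for this page, not code from the original text.  The user
store, the hard-coded "maint"/"letmein" credential and the PBKDF2 parameters
are illustrative assumptions.
"""

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000          # assumption: kept low so the example runs quickly
DUMMY_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def login_with_trap_door(user: str, password: str) -> bool:
    """The 'before' picture: a developer's test bypass that shipped.

    Nothing in the user store, the password policy or the audit trail
    governs this path; anyone who reads the source (or the strings in the
    binary) has a permanent way in.
    """
    if user == "maint" and password == "letmein":        # trap door
        return True
    rec = USERS.get(user)
    return rec is not None and _hash(password, rec[0]) == rec[1]


def login_hardened(user: str, password: str) -> bool:
    """Every login goes through the user store; the comparison is constant-time."""
    rec = USERS.get(user)
    if rec is None:
        _hash(password, DUMMY_SALT)   # spend the same time as a real check
        return False
    return hmac.compare_digest(_hash(password, rec[0]), rec[1])


if __name__ == "__main__":
    print("trap door accepts maint/letmein:", login_with_trap_door("maint", "letmein"))
    print("hardened accepts maint/letmein:", login_hardened("maint", "letmein"))
```

The review check that catches this pattern is mechanical: any comparison of a username or password against a string literal, and any `return True` reached before the user store is consulted, should block the release until explained.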

    Packet sniffers are programs that capture data from informationpackets as they travel over the Internet or company networks.

    Captured data is sifted to find confidential information such as

    user IDs and passwords, and confidential or proprietary

    information that can be sold or otherwise used.
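As an added example (not from the textbook), the Python code below performs the sifting step described here and under Eavesdropping above: it takes reassembled TCP payloads, as a sniffer would hand them over, and extracts credentials sent in cleartext by HTTP Basic authentication, an HTTP form login and FTP. The four captured payloads are constructed; the last is the start of a TLS handshake and shows that encrypted traffic yields nothing to this kind of search.

```python
"""Sift reassembled TCP payloads for credentials, the post-processing step a
packet sniffer (or any eavesdropper on the wire) performs on captured data.

Added example for this page, not code from the original text.  The four
captured payloads are constructed; the extraction rules cover HTTP Basic
authentication, HTTP form logins and FTP, three cleartext protocols.
"""

import base64
import re
from urllib.parse import parse_qs

# Constructed captures as (src, dst, payload), the form a sniffer hands over
# after reassembling each TCP stream.  The last one is the start of a TLS
# ClientHello: encrypted traffic yields nothing to this kind of sifting.
CAPTURES = [
    ("10.0.0.5", "10.0.0.21",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.7", "10.0.0.22",
     b"POST /login HTTP/1.1\r\nHost: portal\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 32\r\n\r\n"
     b"username=bob&password=Summer2019"),
    ("10.0.0.9", "10.0.0.23", b"USER carol\r\nPASS s3cret\r\n"),
    ("10.0.0.9", "10.0.0.24", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M)
_FTP_USER = re.compile(r"^USER (\S+)", re.M)
_FTP_PASS = re.compile(r"^PASS (\S+)", re.M)


def _from_http_basic(text):
    m = _BASIC.search(text)
    if not m:
        return None
    try:
        user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
    except ValueError:            # bad base64 or not UTF-8
        return None
    return ("http-basic", user, pw)


def _from_http_form(text):
    head, sep, body = text.partition("\r\n\r\n")
    if not (sep and head.startswith("POST") and "x-www-form-urlencoded" in head):
        return None
    form = parse_qs(body)
    user = (form.get("username") or form.get("user") or [""])[0]
    pw = (form.get("password") or form.get("pass") or [""])[0]
    return ("http-form", user, pw) if user and pw else None


def _from_ftp(text):
    u, p = _FTP_USER.search(text), _FTP_PASS.search(text)
    return ("ftp", u.group(1), p.group(1)) if u and p else None


def extract_credentials(captures):
    """Return (src, dst, protocol, user, password) for every credential found."""
    found = []
    for src, dst, payload in captures:
        text = payload.decode("latin-1")      # 1:1 byte mapping, never raises
        for rule in (_from_http_basic, _from_http_form, _from_ftp):
            hit = rule(text)
            if hit:
                found.append((src, dst) + hit)
    return found


if __name__ == "__main__":
    for row in extract_credentials(CAPTURES):
        print(row)
```

The lesson for the defender is in the fourth capture: the sifting rules are trivial, so the only reliable countermeasure is that credentials never cross the wire in cleartext (TLS for HTTP, SFTP or FTPS instead of FTP). On a switched network a sniffer sees only its own segment's traffic unless it also spoofs ARP or sits on a mirror port, which is why sniffer placement is as important as the sifting code.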

    Steganography programs hide data from one file inside a host file,
    such as a large image or sound file, so that the host still looks or
    sounds normal. There are more than 200 different steganographic
    software programs available on the Internet.
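As an added example (not from the textbook), the Python code below implements the simplest form of steganography, least-significant-bit hiding: each bit of the secret replaces the low bit of one byte of the host, so no byte changes by more than 1 and the host looks unchanged. The host "image" is a constructed byte array rather than a real file so the example runs offline.

```python
"""Least-significant-bit steganography: hide a message in the low bit of each
byte of a host file and recover it, showing why the host looks unchanged.

Added example for this page, not code from the original text.  Real tools
work on image or audio samples; here the "cover" is a constructed byte array
so the example runs offline.
"""

# Constructed cover: 4096 pseudo-pixel bytes (a real cover would be the raw
# sample data of an image or sound file).
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
_HEADER_BITS = 32   # a 4-byte big-endian length prefix precedes the secret


def embed(cover: bytes, secret: bytes) -> bytes:
    """Return a copy of `cover` whose LSBs carry len(secret) followed by secret."""
    payload = len(secret).to_bytes(4, "big") + secret
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    out = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    vals = bytearray()
    for k in range(count):
        b = 0
        for j in range(8):
            b = (b << 1) | (stego[start_bit + k * 8 + j] & 1)
        vals.append(b)
    return bytes(vals)


def extract(stego: bytes) -> bytes:
    """Recover the secret embedded by `embed`."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, _HEADER_BITS, length)


def max_abs_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference the embedding introduced (1 for LSB hiding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, b"meet at midnight")
    print(extract(stego), "max change per byte:", max_abs_change(COVER, stego))
```

Two practitioner notes follow from the code. First, this scheme provides hiding, not secrecy: anyone who suspects LSB embedding can run `extract` on the file, so real use encrypts the secret before embedding. Second, the capacity limit in `embed` (one bit per host byte) is why large images and sound files are the usual hosts, and why a file whose size is out of proportion to its content is worth a second look in an investigation.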

    A rootkit is software that conceals processes, files, networkconnections, memory addresses, systems utility programs, and

    system data from the operating system and other programs.

    Rootkits often modify parts of the operating system or install

    themselves as drivers.

    Superzapping is the unauthorized use of special system programsto bypass regular system controls and perform illegal acts.

    A computer virus is a segment of self-replicating, executable code
    that attaches itself to software. Many viruses have two phases. In
    the first phase, the virus replicates itself and spreads to other
    systems or files when some predefined event occurs. In the attack
    phase, also triggered by some predefined event, the virus carries out
    its mission.

    In one survey, almost 90% of the respondents said their company

    was infected with a virus within the prior 12 months.

    During the attack phase, triggered by some predefined event, a virus
    may destroy or alter data or programs, take control of the computer,
    destroy the hard disk's file allocation table, delete or rename files
    or directories, reformat the hard disk, or change the contents of
    files.

    Symptoms of a computer virus include computers that will not

    start or execute; unexpected read or write operations; an

    inability to save files; long program load times; abnormally

    large file sizes; slow systems operation; and unusual screen

    activity, error messages, or file names.

    The Sobig virus, written by Russian hackers, infected an estimated 1
    of every 17 e-mails several years ago.

    The MyDoom virus infected 1 in 12 e-mails and did $4.75 billion in
    damages.

    It is estimated that viruses and worms cost businesses over $20

    billion a year.

    Most viruses attack computers, but all devices connected to the

    Internet or that are part of a communications network run the

    risk of being infected. Recent viruses have attacked cell phones

    and personal digital assistants. These devices are infected

    through text messages, Internet page downloads and Bluetooth

    wireless technology.

    Flaws in Bluetooth applications have opened up the system to attack.
    Bluesnarfing is stealing (snarfing) contact lists, images, and other
    data from other devices using Bluetooth. Bluebugging is taking
    control of someone else's phone to make calls or send text messages,
    or to listen to phone calls and monitor text messages received.


    A computer worm is a self-replicating computer program similar to a
    virus except for the following three differences:

    1. A virus is a segment of code hidden in or attached to a host
       program or executable file, while a worm is a stand-alone program.

    2. A virus requires a human to do something (run a program, open a
       file, etc.) to replicate itself, whereas a worm does not and
       actively seeks to send copies of itself to other devices on a
       network.

    3. Worms harm networks (if only by consuming bandwidth), whereas
       viruses infect or corrupt files or data on a targeted computer.

    Worms often reside in e-mail attachments, which, when opened or
    activated, can damage the user's system. Note that such a
    mass-mailing worm still needs the recipient to open the attachment,
    so the second distinction above is not absolute; the worms that
    spread with no human action at all are those that exploit a flaw in a
    network service directly.

    A worm usually does not live very long, but it is quite destructive
    while alive.

    More recently, MySpace had to go offline to disable a worm that added
    over 1 million friends to the hacker's site in less than a day.

    Table 5-6 on Page 174 provides a summary of ways to prevent and
    detect computer fraud:

    - Make Fraud Less Likely To Occur

    - Increase The Difficulty Of Committing Fraud

    - Improve Detection Methods

    - Reduce Fraud Losses

    EMPLOYEE FRAUD SCHEMES

    Cash

    Cash is the focal point of most accounting entries. Cash, both on
    deposit in banks and petty cash, can be misappropriated through many
    different schemes. These schemes can be either on-book or off-book,
    depending on where they occur. Generally, cash schemes are smaller
    than other internal fraud schemes because companies tend to have
    comprehensive internal controls over cash, and those internal
    controls are adhered to. Cash fraud schemes follow general basic
    patterns, including skimming, voids/under-rings, swapping checks for
    cash, alteration of cash receipts documentation, fictitious refunds
    and discounts, journal entries and kiting.

    Preventing and Detecting Computer Fraud and Abuse

    Learning Objective Four

    Compare and contrast the approaches and techniques that are used to
    commit computer fraud.

    Skimming

    Skimming involves removing cash from the entity before the cash is
    recorded in the accounting system. (This is the accounting sense of
    the word; it is unrelated to the credit card skimming described
    earlier.) This is an off-book scheme; receipt of the cash is never
    reported to the entity. A related scheme is to ring up a sale for
    less than the actual sale amount; the difference between the actual
    sale and the amount on the cash register tape can then be diverted.
    This is of particular concern in retail operations (for example, fast
    food restaurants) where much of the daily sales are in cash rather
    than by check or credit card.

    EXAMPLE

    According to an investigation, fare revenues on the Chicago Transit
    Authority's (CTA) rail system allegedly were misappropriated by
    agency employees. The statistics indicate that the thefts were not
    confined to the one station that originally was suspected and that
    the fare-skimming by transit workers might have been reduced by news
    of the investigation. In the four days after reports of skimming
    surfaced, about $792,000 was turned in by station agents system wide.
    In a similar Monday through Friday period only $723,000 was turned in
    by station agents.

    CTA officials estimated that a planned installation of a $38 million
    automated fare-collection system would eliminate $6.5 million
    annually in revenue shrinkage, mostly from employee theft. At least
    10 workers have been investigated, including nine ticket agents and
    one supervisor or clerk. Early reports indicated that agents pocketed
    money after recording transfer or monthly passes as cash-paying
    customers passed through turnstiles.

    Voids/Under-Rings

    There are three basic voids/under-ring schemes. The first is to
    record a sale/cash receipt and then void the same sale, thereby
    removing the cash from the register. The second, and more common,
    variation is to purchase merchandise at unauthorized discounts. The
    third scheme, which is a variation of the unauthorized discount, is
    to sell merchandise to a friend or co-conspirator using the
    employee's discount. The co-conspirator then returns the merchandise
    for a full refund, disregarding the original discount.

    EXAMPLE

    Roberta Fellerman, a former Ball State University employee, was
    indicted on federal charges of stealing about $105,000 from the
    school's bookstore operations. Fellerman was charged with stealing
    the money over a thirty-three month period.

    The thefts allegedly were from proceeds of the sales of books to
    students who took Ball State courses through an off-campus program
    at many cities around Indiana. Fellerman was in charge of the sale of
    the books from the book store.

    Fellerman was accused of altering records and taking currency from a
    cash drawer. She was also charged with income tax violations for
    failing to report the stolen money on her federal tax returns.

    Swapping Checks for Cash

    One common method where an employee can misappropriate cash is to

    exchange his own check for cash in the cash register or cash drawer.

    Periodically, a new check is written to replace the old check. This

    process can be continued so that on any given day, there is a current

    check for the cash removed. This is a form of unauthorized borrowing

    from the company. Obviously, if it is the company policy that cash

    drawers or registers are reconciled at the conclusion of each day and

    turned over to a custodian, then this fraud scheme is less likely to be

    committed. However, if personnel are allowed to keep their own cash
    drawers and only remit the day's receipts, then this method of
    unauthorized borrowing will be more common.

    EXAMPLE

    Lisa Smith, a Garfield High School fiscal clerk at a central
    treasurer function, allegedly borrowed $2,400 by placing 23 personal
    checks in deposits which were made from various student activities
    at decentralized locations. Ms. Smith placed a personal check in each
    deposit as a method of keeping track of the amount of money which had
    been borrowed. The transactions were inappropriately delayed for up
    to 5 months.

    Auditors detected the delayed transactions during an unannounced
    cash count. On the day of the count, the fund custodian had only a
    few hundred dollars in his bank account (confirmed by telephone upon
    receipt of the custodian's authorization). When all 23 personal
    checks were deposited in the district's account, several were
    returned as NSF. After payday, all NSF checks subsequently cleared
    the bank. The custodian's employment with the district was
    terminated.

    Alteration of Cash Receipts Documentation

    A lack of segregation of duties can create an opportunity for an

    employee to misappropriate company funds. For example, if the same

    person is responsible for both collecting and depositing the cash

    receipts, then this person has the opportunity to remove funds from the

    business for his own personal use and conceal such theft through thedeposits. This is often the case in smaller organizations where there

    are few personnel to divide the daily operations. A variation of this

    scheme is to mutilate or destroy the cash receipts documentation so

    that any attempt to reconcile the cash deposited with the cash receipts

    is thwarted.

    EXAMPLE


    An elected county treasurer allegedly stole $62,400 over a three-year
    period from property tax receipts. Every other day, after cash
    receipt transactions were batched and posted to the subsidiary
    accounting records, the treasurer altered the total cash receipts and
    the actual deposit. Therefore, the control account and the deposit
    were equal, but that total did not match the total postings to the
    individual taxpayers' accounts. In each of the three years, the
    difference between the control account receivable and the summation
    of the individual balances in the subsidiary accounts was written
    off. These were unsupported accounting adjustments.

    Evidence was obtained by reconstructing the three years' cash
    receipts and matching the differences between the total cash
    receipts, control account and the individual (subsidiary) accounts
    with the unsupported accounting adjustments.
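As an added example (not from the textbook), the Python code below carries out the reconstruction described in the treasurer case, and the general three-way test it relies on: for each receipt batch it compares the subsidiary postings, the control account total and the bank deposit, then matches the total shortfall against adjustments that carry no supporting document. The batches and adjustments are constructed to mirror the case.

```python
"""Three-way reconciliation of cash receipts: individual (subsidiary) postings
against the control account against the bank deposit, followed by matching
the gaps against journal adjustments that carry no support.

Added example for this page, not code from the original text.  The batches
and adjustments are constructed to mirror the treasurer case: the deposit and
the control total agree, but the subsidiary postings add up to more.
"""

from collections import namedtuple
from decimal import Decimal

Batch = namedtuple("Batch", "date postings control deposit")

# Constructed receipt batches.  `postings` is what was credited to individual
# taxpayer accounts; `control` is the total posted to the control account;
# `deposit` is what reached the bank.
BATCHES = [
    Batch("2019-03-04",
          [("TP-100", Decimal("1200.00")), ("TP-101", Decimal("800.00"))],
          Decimal("2000.00"), Decimal("2000.00")),
    Batch("2019-03-06",
          [("TP-102", Decimal("950.00")), ("TP-103", Decimal("450.00")),
           ("TP-104", Decimal("600.00"))],
          Decimal("1850.00"), Decimal("1850.00")),
    Batch("2019-03-08",
          [("TP-105", Decimal("700.00")), ("TP-106", Decimal("300.00"))],
          Decimal("1000.00"), Decimal("1000.00")),
]

# Constructed year-end adjustments to the control receivable; `support` is the
# document reference, or None when nothing backs the entry.
ADJUSTMENTS = [
    {"id": "JE-41", "amount": Decimal("150.00"), "support": None},
    {"id": "JE-42", "amount": Decimal("25.00"), "support": "refund-memo-17"},
]


def reconcile(batches):
    """Return (date, shortfall) for batches where deposit and control agree
    but the subsidiary postings sum to something else.

    A two-way check (deposit vs control) passes these batches; only the third
    leg exposes the altered totals.
    """
    gaps = []
    for b in batches:
        posted = sum(amount for _, amount in b.postings)
        if b.deposit == b.control and posted != b.control:
            gaps.append((b.date, posted - b.control))
    return gaps


def match_unsupported(gaps, adjustments):
    """Compare the total shortfall with the adjustments lacking support.

    Returns (shortfall, unsupported_total, matches).
    """
    shortfall = sum(g for _, g in gaps)
    unsupported = sum(a["amount"] for a in adjustments if a["support"] is None)
    return shortfall, unsupported, shortfall == unsupported


if __name__ == "__main__":
    gaps = reconcile(BATCHES)
    print("batches with altered totals:", gaps)
    print("shortfall vs unsupported adjustments:", match_unsupported(gaps, ADJUSTMENTS))
```

The design point is that the treasurer controlled two of the three legs (the control total and the deposit) and made them agree; the subsidiary ledger, fed by the taxpayers' own payments, was the leg outside his reach, which is why the reconciliation has to include it and why the write-offs that cleared the difference need a document behind each one.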

    Fictitious Refunds and Discounts

    Fictitious refunds occur when an employee enters a transaction as if
    a refund or discount were given; however, no merchandise is returned
    and no discount is approved that would substantiate the refund or
    discount. The employee misappropriates funds equal to the fictitious
    refund or discount. This scheme is most prevalent in the
    retail/merchandise industry; however, it can occur in any operation
    in which a refund or discount is given.

    EXAMPLE

    Dora Malfrici, a former New York University student financial aid
    official, was charged along with her husband Salvatore with stealing
    $4.1 million. This was allegedly done by falsifying more than a
    thousand tuition refund checks. The loss was described as one of the
    largest embezzlements ever uncovered at a U.S. university. The money
    was allegedly taken from the Tuition Assistance Program, operated by
    the New York State Higher Education Services Corporation to provide
    expense money to needy students. However, NYU officials assert that
    the funds came from a University account, not from State money.

    Malfrici's job was to assure that students entitled to funds from the
    Corporation received their checks. According to the U.S. Attorney,
    she arranged for checks to be made out to hundreds of legitimate NYU
    students who were not entitled to receive any funds. These students
    were kept unaware of this because the checks were deposited into
    bank accounts in Manhattan and New Jersey that allegedly were
    controlled by the Malfricis. These checks were made over to
    Elizabeth Pappa before being deposited into accounts in that name.
    Some other checks were made payable directly to Pappa. The FBI was
    unable to locate Elizabeth Pappa and believes that such a person
    never existed. Reportedly the Malfricis spent $785,000 of the funds
    in question on expensive jewelry and $85,000 on Florida real estate.

    Kiting

    Kiting is the process whereby cash is recorded in more than one bank
    account, but in reality the cash is either nonexistent or in transit.
    Kiting schemes can be perpetrated using one bank and more than one
    account, or between several banks and several different accounts.
    Although banks generally have a daily report that indicates potential
    kiting schemes, experience has shown that they are somewhat hesitant
    to report the scheme until the balance in their customer's accounts
    is zero.

    There is one important element to check kiting schemes: all kiting
    schemes require banks to pay on unfunded deposits. This is not to say
    that all payments on unfunded deposits are kiting schemes, but rather
    that all kiting schemes require payments to be made on unfunded
    deposits. In other words, if a bank allows its customers to withdraw
    funds against deposits for which the bank has not yet collected the
    cash, then kiting schemes are possible. In today's environment, where
    customers use wire transfers, kiting schemes can be perpetrated very
    quickly and in very large numbers.
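As an added example (not from the textbook), the Python simulation below models the float a kite depends on. Each bank account is tracked two ways, the ledger balance the customer sees and the collected balance the bank has actually received, and a check paid while the collected balance is short is flagged as a payment on an unfunded deposit, the condition the paragraph above identifies as necessary for every kite. The two banks, the two-day clearing delay and the kiter's schedule of ever-larger cross-deposits are constructed.

```python
"""Simulate the float a check-kiting scheme lives on and flag payments made
against uncollected deposits, the condition the text identifies as necessary
for every kite.

Added example for this page, not code from the original text.  The two
banks, the two-day clearing delay and the kiter's schedule of ever-larger
cross-deposits are constructed.
"""

CLEARING_DAYS = 2   # assumption: a deposited check becomes collected funds after 2 days


class Bank:
    """One checking account at one bank, tracked two ways: the ledger balance
    the customer sees and the collected balance the bank has actually received."""

    def __init__(self, name: str, pays_on_uncollected: bool):
        self.name = name
        self.pays_on_uncollected = pays_on_uncollected
        self.ledger = 0
        self.collected = 0
        self.pending = []      # (day_available, amount) for deposited checks
        self.flags = []        # (day, amount, float_used): payments out of uncollected funds

    def deposit_check(self, day: int, amount: int) -> None:
        self.ledger += amount
        self.pending.append((day + CLEARING_DAYS, amount))

    def _settle(self, day: int) -> None:
        """Move deposits whose clearing period has passed into collected funds."""
        still = []
        for avail, amt in self.pending:
            if avail <= day:
                self.collected += amt
            else:
                still.append((avail, amt))
        self.pending = still

    def pay_check(self, day: int, amount: int) -> bool:
        """Honour a check drawn on this account; return False if it bounces."""
        self._settle(day)
        if amount > self.ledger:
            return False
        if amount > self.collected:
            if not self.pays_on_uncollected:
                return False
            # Paid out of float: the unfunded-deposit payment every kite needs.
            self.flags.append((day, amount, self.ledger - self.collected))
        self.collected -= amount    # may go negative until pending deposits arrive
        self.ledger -= amount
        return True


def run_kite(pays_on_uncollected: bool, days: int = 4, start: int = 1000, growth: int = 500):
    """Alternate deposits of checks drawn on the other bank, each larger than
    the last, so that yesterday's check is covered by today's uncollected
    deposit.  Returns (bank_a, bank_b, bounced).  Simplification: a bounced
    check is not charged back to the account that deposited it."""
    a, b = Bank("A", pays_on_uncollected), Bank("B", pays_on_uncollected)
    presentments = []     # (day, drawee_bank, amount): checks arriving for payment
    bounced = []
    amount = start
    for day in range(days):
        depositary, drawee = (b, a) if day % 2 == 0 else (a, b)
        depositary.deposit_check(day, amount)                 # morning deposit
        presentments.append((day + 1, drawee, amount))        # presented next day
        amount += growth
        for _, bank, amt in [p for p in presentments if p[0] == day]:
            if not bank.pay_check(day, amt):                  # afternoon clearing
                bounced.append((day, bank.name, amt))
    return a, b, bounced


if __name__ == "__main__":
    a, b, bounced = run_kite(pays_on_uncollected=True)
    print("float payments flagged:", a.flags + b.flags, "bounced:", bounced)
```

Run with `pays_on_uncollected=True` every check clears and each bank logs a payment made out of float, growing by the kiter's increment each day; with `False` the very first presentment bounces and the scheme never starts. The flag list is the daily report the paragraph refers to, and the growth pattern (rising amounts, strictly alternating banks) is what an analyst looks for in it.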

    EXAMPLE

    Ronald W.P. Sylvia, 59, and his son-in-law, Philip L. Grandone, 33,
    both of Dartmouth, admitted to participating in a check-kiting scheme
    that bilked the Bank of Boston out of $907,000. Grandone, owner of
    two pharmacies in the New Bedford area, had cash-flow problems when
    Sylvia, operator of two auto sales and leasing businesses, offered to
    write a check to cover some of his son-in-law's operating expenses.
    Grandone repaid that $50,000 loan within a few days, but borrowed
    again and again in ever-increasing amounts to bring fresh infusions
    of cash into his faltering pharmacy businesses. An exchange of checks
    between Grandone and Sylvia eventually occurred literally daily until
    Sylvia's bank caught on to the float scheme and froze Sylvia's
    account. Cut off from Sylvia's supply of cash, Grandone's account
    with the Bank of Boston was left overdrawn by $907,000. Grandone was
    ordered to make restitution to the Bank of Boston.