Chapter 5

The document discusses various types of computer fraud including fraudulent financial reporting, hacking, social engineering, and malware. It describes common fraud schemes like the salami technique and economic espionage. The fraud triangle is introduced as three conditions - pressure, opportunity, and rationalization - that are present when fraud occurs. Computer fraud rises due to factors like a lack of network security and overburdened law enforcement. The document provides classifications of computer fraud and detailed descriptions of hacking attacks, social engineering techniques, and types of malware.

COMPUTER FRAUD

Common Threats to AIS

- Natural Disasters and Terrorist Threats

- Software Errors and/or Equipment Malfunction

- Unintentional Acts (Human Error)

- Intentional Acts (Computer Crimes)

FRAUD

- Any and all means a person uses to gain an unfair advantage over another person

Legal elements of fraud:

- A false statement, representation, or disclosure

- About a material fact that induces a person to act

- An intent to deceive

- Justifiable reliance by the victim on the false statement, on which the victim takes action

- An injury or loss suffered by the victim

• Individuals who commit fraud are referred to as white-collar criminals.

FORMS OF FRAUD

1. Misappropriation of assets

e.g., theft of a company's assets

Largest factors for theft of assets:

• Absence of internal control system

• Failure to enforce internal control system

2. Fraudulent financial reporting

“…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements”
(The Treadway Commission).

Reasons for Fraudulent Financial Statements

1. Deceive investors or creditors

2. Increase a company’s stock price

3. Meet cash flow needs

4. Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud

1. Establish an environment that supports the integrity of the financial reporting process.

2. Identify the factors that lead to fraud.

3. Assess the risk of fraud within the company.

4. Design and implement internal controls that provide reasonable assurance that fraud is being prevented.

SAS #99

Auditor's responsibility to detect fraud

1. Understand fraud

- Discuss the risk of material fraudulent misstatement among the members of the audit team

2. Obtain information

- Look for fraud risk factors

- Identify, assess, and respond to the risks

3. Evaluate the results of audit tests

- Determine the impact of fraud on the financial statements

4. Document and communicate findings

- See Chapter 3

5. Incorporate a technological focus

The Fraud Triangle

Three conditions that are present when Fraud occurs.

A. Pressure

- A person's incentive or motivation to commit fraud

Types:

1. Employee pressures

-Financial

-Emotional

-Lifestyle

2. Financial statement fraud pressures

- Industry conditions

- Management characteristics

B. Opportunity

- Condition or situation that allows a person or organization to:

1. Commit the fraud

2. Conceal the fraud

-Lapping (hiding the theft of one customer's payment by applying a later customer's payment to the first customer's account, and so on)

-Kiting (creating "cash" by exploiting the float between banks: depositing a check drawn on one account into another before the first account has funds to cover it)

3. Convert the theft or misrepresentation to personal gain


C. Rationalizations

Justification of illegal behavior

1. Justification

- I am not being dishonest.

2. Attitude

-I don’t need to be honest.

3. Lack of personal integrity

-Theft is valued higher than honesty or integrity.

Computer Fraud

- Any illegal act in which knowledge of computer technology is necessary for:

a. Perpetration

b. Investigation

c. Prosecution

Rise of Computer Fraud

1. Definition is not agreed on

2. Many go undetected

3. High percentage is not reported

4. Lack of network security

5. Step-by-step guides are easily available

6. Law enforcement is overburdened

7. Difficulty calculating loss

Computer Fraud Classifications

1. Input Fraud

- Alteration or falsifying input

2. Processor Fraud

- Unauthorized system use

3. Computer Instructions Fraud

- Modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities

4. Data Fraud

- Illegally using, copying, browsing, searching, or harming company data

5. Output Fraud

- Stealing, copying, or misusing computer printouts or displayed information

Computer Fraud and Abuse Techniques

Computer Attacks and Abuse


1. Hacking

- Unauthorized access, modification, or use of a computer system or other electronic device.

2. Social Engineering

- Techniques, usually psychological tricks, that manipulate people into giving up access to sensitive data or information

Used to gain access to secure systems or locations

3. Malware

- Any software which can be used to do harm

Types of Computer Attacks

1. Botnet—Robot Network

- Network of hijacked computers

Hijacked computers carry out processes without their users' knowledge

Zombie—hijacked computer

2. Denial-of-Service (DoS) Attack

- A flood of requests sent to a Web server (usually from a botnet) that overwhelms it so that legitimate users can no longer be served

3. Spoofing

- Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing
information

Types of Spoofing

1. E-mail

- E-mail sender appears as if it comes from a different source

2. Caller-ID

- Incorrect number is displayed

3. IP address

- Forged IP address to conceal identity of sender of data over the Internet or to impersonate another computer system

4. Address Resolution Protocol (ARP)

- Sending forged ARP replies on a LAN so that traffic meant for another computer (or the default gateway) is delivered to the attacker's machine instead, where it can be read or altered before being passed on

5. SMS

- Incorrect number or name appears, similar to caller-ID but for text messaging

6. Web page

- Phishing (see below)

7. DNS

- Intercepting or forging the answer to a name lookup so that a request for a legitimate Web service is sent to a false service run by the attacker
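E-mail spoofing, the first item in the list above, can usually be triaged from the message headers alone. The following Python example is added here and is not from the original notes: it parses two constructed messages (one spoofed, one consistent) and reports the mismatches a mail gateway or analyst checks first, namely the Return-Path and Reply-To domains disagreeing with the visible From domain, and the SPF/DKIM verdicts recorded in an Authentication-Results header. All domains, addresses and header values are invented for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From: claims the bank's domain, but the bounce
# address, the Reply-To and the receiving MX's authentication results disagree.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-bulk.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-bulk.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <verify@examplebank-secure.example.org>
To: <victim@example.com>
Subject: Verify your account

Please confirm your password at the link below.
"""

# Constructed sample of a message whose headers are consistent with each other.
LEGIT_MESSAGE = b"""\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: <customer@example.com>
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""


def _domain(header_value: str) -> str:
    """Part after '@' of the address found in a header value, lower-cased."""
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))

    # 1. The envelope sender and any Reply-To normally live in the From domain.
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if value is not None:
            other = _domain(str(value))
            if other != from_domain:
                findings.append(
                    f"{header} domain {other!r} differs from From domain {from_domain!r}"
                )

    # 2. SPF/DKIM verdicts recorded by the receiving MX. Only trust this header
    #    when your own gateway strips any copy that arrived from outside.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if not auth:
        findings.append("no Authentication-Results header: SPF/DKIM were not evaluated")
    for verdict in ("spf=fail", "spf=softfail", "spf=none", "dkim=fail", "dkim=none"):
        if verdict in auth:
            findings.append(f"Authentication-Results reports {verdict}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(name, spoofing_indicators(raw) or "no indicators")
```

Only the Authentication-Results header added by your own receiving mail server is trustworthy; an attacker can include a forged one in the message, so gateways remove any such header that arrives from outside before adding their own verdict.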

Hacking Attacks
1. Cross-Site Scripting (XSS)

- Attacker-supplied script is injected into a dynamic Web page through unvalidated user input and then runs in the browsers of other users who view the page.

2. Buffer Overflow

- More data is sent than the receiving buffer was allocated to hold; the excess overwrites adjacent memory (including saved return addresses), so the program's instructions are replaced with the attacker's.

3. SQL Injection (Insertion)

- Malicious input is inserted into a database query that is built from user input, changing what the query does.

4. Man-in-the-Middle

- Hacker places themselves between client and host, intercepting (and possibly altering) the traffic between them.
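The SQL injection entry above is the one attack on this list that can be shown end to end in a few lines. The example below is added for this page and is not taken from the notes: it builds a constructed SQLite table of users, runs three classic payloads through a login query that concatenates user input into the SQL text, and then runs the same payloads through a parameterized version of the query. The table, user names and passwords are invented sample data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table (sample data, not from a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "clerk")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    # VULNERABLE: the user's input becomes part of the SQL text itself, so quote
    # characters and comment markers in the input change the query's meaning.
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username: str, password: str):
    # HARDENED: placeholders keep the input as data. The SQL structure is fixed
    # before the values are bound, so the same payloads match nothing.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Attack 1: comment out the password check (SQLite treats "--" as a comment).
BYPASS_USER = "alice' --"
# Attack 2: turn the WHERE clause into a tautology that matches every row.
TAUTOLOGY = "' OR '1'='1"
# Attack 3: append a UNION to read the password column out of the table.
UNION_DUMP = "x' UNION SELECT username, password FROM users --"


def run_demo() -> dict:
    """Run each payload against both query styles and return the row sets."""
    conn = build_db()
    return {
        "bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "dump": sorted(login_vulnerable(conn, UNION_DUMP, "x")),
        "hardened_bypass": login_parameterized(conn, BYPASS_USER, "wrong"),
        "hardened_dump": login_parameterized(conn, UNION_DUMP, "x"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:16} {rows}")
```

The UNION payload is the reason "login bypass" understates the risk: the same flaw that lets an attacker skip the password check also lets them read any column the database user can see.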

Additional Hacking Attacks

1. Password Cracking

- Recovering passwords, typically by stealing the password file or password hashes and then trying candidate passwords (dictionary or brute force) until one matches.

2. War Dialing

- A computer automatically dials phone numbers looking for modems that answer, which may offer a way into the network behind them.

3. Phreaking

- Attacks on phone systems to obtain free phone service.

4. Data Diddling

- Making changes to data before, during, or after it is entered into a system.

5. Data Leakage

- Unauthorized copying of company data.
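To show what "password cracking" means in practice, and the control that blunts it, the following Python example is added here (it is not from the original notes). It stores the same constructed passwords two ways: as fast, unsalted SHA-256 hashes, which a single lookup table cracks for every user at once, and as salted PBKDF2 hashes, which force the attacker to recompute a deliberately slow derivation for every user and every guess. The wordlist, user names, passwords and iteration count are invented example values.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein"]
ITERATIONS = 50_000  # kept low so the demo runs quickly; use far more in production


def store_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """The hardened scheme: per-user random salt plus a slow key derivation."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_unsalted(stored: dict[str, str], wordlist) -> dict[str, str]:
    """One hash per word cracks every user at once: a lookup-table attack."""
    table = {store_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: dict[str, tuple[bytes, bytes]], wordlist) -> tuple[dict, int]:
    """The salt forces a fresh KDF run per (user, word); returns hits and work done."""
    hits, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(store_salted(word, salt)[1], digest):
                hits[user] = word
                break
    return hits, work


def run_demo() -> dict:
    """Constructed users; alice and bob share a weak password, carol's is not in the list."""
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        # Unsalted: identical passwords give identical hashes, visible before any cracking.
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted, WORDLIST),
        "cracked_salted": crack_salted(salted, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20} {value}")
```

Both schemes give up the weak passwords to a five-word list; the difference is cost. The unsalted table is computed once and reused against every user and every breach, whereas the salted run has to spend ITERATIONS rounds of SHA-256 for each of its 13 guesses, and that cost scales with the wordlist times the number of users.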

Hacking Embezzlement Schemes

1. Salami Technique

- Taking small amounts from many different accounts.

2. Economic Espionage

- Theft of information, trade secrets, and intellectual property.

3. Cyber-Bullying

- Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that
torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.

4. Internet Terrorism

- Act of disrupting electronic commerce and harming computers and communications.

5. Internet Misinformation

- Using the Internet to spread false or misleading information

6. Internet Auction
- Using an Internet auction site to defraud another person

a. Unfairly drive up bidding

b. Seller delivers inferior merchandise or fails to deliver at all

c. Buyer fails to make payment

7. Internet Pump-and-Dump

- Using the Internet to pump up the price of a stock and then selling it.
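A worked salami scheme, added as an example for this page rather than taken from the notes: interest is posted to a constructed ledger of 2,000 accounts, once with the bank's intended round-to-nearest rule and once with a tampered routine that always rounds down and sweeps the shaved fractions into an account the attacker controls. The reconciliation function is the audit check a practitioner wants here: it recomputes every posting independently instead of comparing only totals. Balances, the rate and the account numbers are invented.

```python
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0125")   # interest rate for the period (constructed)
ATTACKER = "X-9999"        # account the shaved fractions flow into (constructed)


def sample_balances(n: int = 2000, seed: int = 7) -> dict[str, Decimal]:
    """Constructed ledger: n accounts with balances between 1.00 and 10,000.00."""
    rng = random.Random(seed)
    return {f"A-{i:05d}": Decimal(rng.randint(100, 1_000_000)) / 100 for i in range(n)}


def post_interest_honest(balances, rate):
    """Bank's intended rule: round each account's interest to the nearest cent."""
    return {acct: (bal * rate).quantize(CENT, ROUND_HALF_EVEN) for acct, bal in balances.items()}


def post_interest_salami(balances, rate, attacker=ATTACKER):
    """Tampered rule: always round DOWN and sweep the shaved fractions to one account."""
    postings, shaved = {}, Decimal(0)
    for acct, bal in balances.items():
        exact = bal * rate
        credited = exact.quantize(CENT, ROUND_DOWN)
        shaved += exact - credited          # at most one cent per account
        postings[acct] = credited
    postings[attacker] = shaved.quantize(CENT, ROUND_DOWN)
    return postings


def reconcile(balances, rate, postings):
    """Audit check: recompute every posting independently and diff the results.

    Returns the per-account findings and the totals-only gap, to show that the
    latter alone would not reveal much.
    """
    expected = post_interest_honest(balances, rate)
    findings = []
    for acct, amount in postings.items():
        if acct not in balances:
            findings.append(f"{acct}: credited {amount} but has no balance on file")
        elif amount != expected[acct]:
            findings.append(f"{acct}: posted {amount}, recomputed {expected[acct]}")
    total_gap = sum(expected.values()) - sum(postings.values())
    return findings, total_gap


if __name__ == "__main__":
    ledger = sample_balances()
    tampered = post_interest_salami(ledger, RATE)
    findings, gap = reconcile(ledger, RATE, tampered)
    print(f"attacker account received {tampered[ATTACKER]}")
    print(f"per-account discrepancies: {len(findings)}, totals-only gap: {gap}")
```

On this ledger the attacker's account collects roughly ten dollars per period while the totals-only gap stays within a few cents of zero, because the shaved fractions were never part of any cent-rounded figure. The controls that catch the scheme are therefore the independent per-account recomputation and the question of why an account with no balance on file is receiving credits at all.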

Social Engineering Techniques

1. Identity Theft

- Assuming someone else’s identity

2. Pretexting

- Inventing a scenario that will lull someone into divulging sensitive information

3. Posing

- Using a fake business to acquire sensitive information

4. Phishing

- Posing as a legitimate company asking for verification type information: passwords, accounts, usernames

5. Pharming

- Redirecting Web site traffic to a spoofed Web site.

6. Typosquatting

- Registering domain names that are common misspellings of a legitimate site's name, so that users who mistype the address land on the attacker's site instead

7. Tabnabbing

- Silently rewriting the content of an already open browser tab (for example, into a fake login page) after the user has switched to another tab, so that they "log in" again on returning to it

8. Scavenging

- Looking for sensitive information in items thrown away

9. Shoulder Surfing

- Snooping over someone’s shoulder for sensitive information
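Typosquatting is defended against proactively by generating the likely misspellings of your own domain and watching for them in registration or certificate-transparency feeds. The Python below is an added example and is not part of the notes: it generates omission, repetition, transposition and adjacent-key variants of a constructed domain name and flags which of them appear in a constructed set of observed registrations.

```python
# Neighbouring keys on a US QWERTY layout, used for "fat-finger" substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain: str) -> set[str]:
    """Candidate look-alike domains for a single-label name such as 'examplebank.com'."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                        # omission:      examplbank
        out.add(label[:i + 1] + ch + label[i + 1:])               # repetition:    exammplebank
        for neighbour in ADJACENT.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])        # adjacent key:  exampkebank
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: exmaplebank
    out.discard(label)  # a substitution can reproduce the original; never flag ourselves
    return {f"{v}.{tld}" for v in out if v}


def flag_registered(candidates: set[str], observed: set[str]) -> list[str]:
    """Intersect the candidate list with names seen in a registration/CT feed."""
    return sorted(candidates & observed)


if __name__ == "__main__":
    brand = "examplebank.com"                          # constructed brand domain
    seen = {"exmaplebank.com", "examplbank.com", "example.com"}  # constructed feed
    variants = typo_variants(brand)
    print(f"{len(variants)} candidates generated for {brand}")
    print("registered look-alikes:", flag_registered(variants, seen))
```

The generator covers single-keystroke errors only; homoglyphs (rn for m, 0 for o), added hyphens and alternative top-level domains are common in practice and would be further variant classes in the same loop.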

More Social Engineering

1. Lebanese Looping

- Inserting a sleeve into an ATM card slot so that the victim's card is trapped; the attacker then "helps" the victim, observes the PIN, and retrieves the card after the victim leaves

2. Skimming

- Double-swiping a credit card in a legitimate terminal, or covertly swiping it through a small hidden card reader, to copy the card data for later fraudulent use

3. Chipping

- Planting a device that reads credit card information inside a legitimate card reader

4. Eavesdropping
- Listening to private communications

Type of Malware

1. Spyware

- Secretly monitors and collects personal information about users and sends it to someone else

• Adware

- Pops up banner ads on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator

2. Key logging

- Records computer activity, such as a user’s keystrokes, e-mails sent and received, Web sites visited, and chat session
participation

3. Trojan Horse

• Malicious computer instructions in an authorized and otherwise properly functioning program

• Time bombs/logic bombs

- Lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by the absence of an expected event (for example, a programmer's name no longer appearing in the payroll file)

More Malware

1. Trap Door/Back Door

- A way into a system that bypasses normal authorization and authentication controls

2. Packet Sniffers

• Capture data from information packets as they travel over networks

• Rootkit

- Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or
an e-mail spam attack; and access user names and log-in information

3. Superzapping

- Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without
leaving an audit trail
