Computer Fraud and Security - azizd.com

www.azizd.com

CHAPTER 5

COMPUTER FRAUD AND SECURITY

Overview

• Information systems are becoming increasingly more complex and society is becoming increasingly more dependent on these systems.
  – Companies also face a growing risk of these systems being compromised.
  – Recent surveys indicate 67% of companies suffered a security breach in the last year, with almost 60% reporting financial losses.

Overview

The information security system is the subsystem of the organization that controls the special risks associated with computer-based information systems.

The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.

Overview

• Companies face four types of threats to their information systems:

1- Natural and political disasters
  • Include:
    – Fire or excessive heat
    – Floods
    – Earthquakes
    – High winds
    – War and terrorist attack
  • When a natural or political disaster strikes, many companies can be affected at the same time.
    – Example: Bombing of the World Trade Center in NYC.
  • The Defense Science Board has predicted that attacks on information systems by foreign countries, espionage agents, and terrorists will soon be widespread.

Overview

2- Software errors and equipment malfunction
  • Include:
    – Hardware or software failures
    – Software errors or bugs
    – Operating system crashes
    – Power outages and fluctuations
    – Undetected data transmission errors
  • Estimated annual economic losses due to software bugs = $60 billion.
  • 60% of companies studied had significant software errors in the previous year.

Overview

3- Unintentional acts
  • Include:
    – Accidents caused by:
      • Human carelessness
      • Failure to follow established procedures
      • Poorly trained or supervised personnel
    – Innocent errors or omissions
    – Lost, destroyed, or misplaced data
    – Logic errors
    – Systems that do not meet needs or are incapable of performing intended tasks
  • The Information Systems Security Assn. estimates 65% of security problems are caused by human error.

Overview

4- Intentional acts (computer crime)
  • Include:
    – Sabotage
    – Computer fraud
    – Misrepresentation, false use, or unauthorized disclosure of data
    – Misappropriation of assets
    – Financial statement fraud
  • Information systems are increasingly vulnerable to these malicious attacks.

The Information Security System in the Organization

The information security system must be managed by a chief security officer (CSO).

This individual should report directly to the board of directors in order to maintain complete independence.

The Fraud Process

• Fraud is any and all means a person uses to gain an unfair advantage over another person.
• In most cases, to be considered fraudulent, an act must involve:
  – A false statement (oral or in writing)
  – About a material fact
  – Knowledge that the statement was false when it was uttered (which implies an intent to deceive)
  – A victim relies on the statement
  – And suffers injury or loss as a result

The Fraud Process

• Since fraudsters don't make journal entries to record their frauds, we can only estimate the amount of losses caused by fraudulent acts:
  – The Association of Certified Fraud Examiners (ACFE) estimates that total fraud losses in the U.S. run around 6% of annual revenues, or approximately $660 billion in 2004.
    • More than we spend on education and roads in a year.
    • 6 times what we pay for the criminal justice system.
  – Income tax fraud (the difference between what taxpayers owe and what they pay to the government) is estimated to be over $200 billion per year.
  – Fraud in the healthcare industry is estimated to exceed $100 billion a year.

The Fraud Process

• Fraud against companies may be committed by an employee or an external party.
  – Former and current employees (called knowledgeable insiders) are much more likely than non-employees to perpetrate frauds (and big ones) against companies.
    • Largely owing to their understanding of the company's systems and its weaknesses, which enables them to commit the fraud and cover their tracks.
  – Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company.

Types of Frauds

• OCCUPATIONAL
  • Fraudulent Statements
    – Financial
    – Non-financial
  • Asset Misappropriation
    – Theft of Cash
    – Fraudulent disbursements
    – Inventory and other assets
  • Bribery and Corruption
    – Bribery
    – Illegal gratuities
    – Economic extortion
    – Conflict of interest

• OTHER
  • Intellectual property theft
  • Financial institution fraud
  • Check and credit card fraud
  • Insurance fraud
  • Healthcare fraud
  • Bankruptcy fraud
  • Tax fraud
  • Securities fraud
  • Money laundering
  • Consumer fraud
  • Computer and Internet fraud

The Fraud Process

• Three types of occupational fraud:

1- Misappropriation of assets
  • Involves theft, embezzlement, or misuse of company assets for personal gain.
  • Examples include billing schemes, check tampering, skimming, and theft of inventory.
  • In the 2004 Report to the Nation on Occupational Fraud and Abuse, 92.7% of occupational frauds involved asset misappropriation at a median cost of $93,000.

The Fraud Process

2- Corruption
  • Corruption involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
  • Examples include kickback schemes and conflict of interest schemes.
  • About 30.1% of occupational frauds include corruption schemes at a median cost of $250,000.

The Fraud Process

3- Fraudulent statements
  • Financial statement fraud involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
  • Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement.
  • About 7.9% of occupational frauds involve fraudulent statements at a median cost of $1 million. (The median pales in comparison to the maximum cost.)

The Fraud Process

• A typical employee fraud has a number of important elements or characteristics:
  – The fraud perpetrator must gain the trust or confidence of the person or company being defrauded in order to commit and conceal the fraud.
  – Instead of using a gun, knife, or physical force, fraudsters use weapons of deceit and misinformation.
  – Frauds tend to start as the result of a perceived need on the part of the employee and then escalate from need to greed. Most fraudsters can't stop once they get started, and their frauds grow in size.
  – The fraudsters often grow careless or overconfident over time.
  – Fraudsters tend to spend what they steal. Very few save it.
  – In time, the sheer magnitude of the frauds may lead to detection.
  – The most significant contributing factor in most employee frauds is the absence of internal controls and/or the failure to enforce existing controls.

The Fraud Process

• Financial statements can be falsified to:
  – Deceive investors and creditors
  – Cause a company's stock price to rise
  – Meet cash flow needs
  – Hide company losses and problems

The Fraud Process

• Fraudulent financial reporting is of great concern to independent auditors, because undetected frauds lead to half of the lawsuits against auditors.
• In the case of Enron, a financial statement fraud led to the total elimination of Arthur Andersen, a premier international public accounting firm.

The Fraud Process

• SAS 99: The Auditor's Responsibility to Detect Fraud
  – In 1997, SAS-82, Consideration of Fraud in a Financial Statement Audit, was issued to clarify the auditor's responsibility to detect fraud.

The Fraud Process

• A revision to SAS-82, SAS-99, was issued in December 2002. SAS-99 requires auditors to:
  – Understand fraud
  – Discuss the risks of material fraudulent misstatements
  – Obtain information
  – Identify, assess, and respond to risks
  – Evaluate the results of their audit tests
  – Communicate findings
  – Document their audit work
  – Incorporate a technology focus

Approaches to Computer Fraud

• Computer fraud includes the following:
  – Unauthorized theft, use, access, modification, copying, and destruction of software or data.
  – Theft of money by altering computer records.
  – Theft of computer time.
  – Theft or destruction of computer hardware.
  – Use or the conspiracy to use computer resources to commit a felony.
  – Intent to illegally obtain information or tangible property through the use of computers.

Approaches to Computer Fraud

• In using a computer, fraud perpetrators can steal:
  – More of something
  – In less time
  – With less effort
• They may also leave very little evidence, which can make these crimes more difficult to detect.

Approaches to Computer Fraud

• Computer systems are particularly vulnerable to computer crimes for several reasons:
  – Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time.
  – Organizations often want employees, customers, suppliers, and others to have access to their system from inside and outside the organization. This access also creates vulnerability.
  – Computer programs only need to be altered once, and they will operate that way until:
    • The system is no longer in use; or
    • Someone notices.
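The last point is why program-change controls matter: an altered program keeps running until someone notices. One way to make "someone notices" systematic is to keep a trusted baseline of file hashes and compare the deployed programs against it. The code below is an added example written for this page, not material from the azizd.com slides; the file names under bin/ and the scenario it builds in a temporary directory are constructed for illustration.

```python
"""Added example: baseline-and-compare integrity check for deployed programs.
Not from the azizd.com slides; paths and file contents are constructed."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Hash every regular file under root with SHA-256.
    Keys are paths relative to root, using '/' so baselines are portable."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline


def compare_baselines(trusted, current):
    """Report files whose hash changed, files that appeared, and files that vanished.
    The trusted baseline should be stored where the monitored host cannot rewrite it."""
    return {
        "modified": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small program tree, then alter one file
    and drop in an extra one, and show the comparison reports both."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # constructed sample files standing in for a deployed application
        files = {
            "bin/post_payroll.py": b"def post(run):\n    return run\n",
            "bin/config.ini": b"[payroll]\nround=0.01\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        trusted = build_baseline(root)

        # a one-time change to a program that would otherwise run unnoticed
        with open(os.path.join(root, "bin/post_payroll.py"), "ab") as fh:
            fh.write(b"# altered after deployment\n")
        # a file nobody approved
        with open(os.path.join(root, "bin/extra.so"), "wb") as fh:
            fh.write(b"\x00")

        return compare_baselines(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run on a schedule against a baseline captured at release time (and kept off the monitored host), the comparison turns a silent program alteration into an alert that someone must explain; the usual follow-up is to tie each reported change to an approved change ticket.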

Approaches to Computer Fraud

  – Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control.
    • It is hard to control physical access to each PC.
    • PCs are portable, and if they are stolen, the data and access capabilities go with them.
    • PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated.
    • PC users tend to be more oblivious to security concerns.

Approaches to Computer Fraud

  – Computer systems face a number of unique challenges:
    • Reliability (accuracy and completeness)
    • Equipment failure
    • Environmental dependency (power, water damage, fire)
    • Vulnerability to electromagnetic interference and interruption
    • Eavesdropping
    • Misrouting

Approaches to Computer Fraud

• Organizations that track computer fraud estimate that most U.S. businesses have been victimized by at least one incident of computer fraud.

Approaches to Computer Fraud

• These frauds cost billions of dollars each year, and their frequency is increasing because:
  – Not everyone agrees on what constitutes computer fraud.
    • Many don't believe that taking an unlicensed copy of software is computer fraud. (It is, and can result in prosecution.)
    • Some don't think it's a crime to browse through someone else's computer if their intentions aren't malicious.

Approaches to Computer Fraud

  – Many computer frauds go undetected.
  – An estimated 80-90% of frauds that are uncovered are not reported because of fear of:
    • Adverse publicity
    • Copycats
    • Loss of customer confidence.
  – There are a growing number of competent computer users, and they are aided by easier access to remote computers through the Internet and other data networks.

Approaches to Computer Fraud

  – Many networks have a low level of security.
  – Instructions on how to perpetrate computer crimes and abuses are readily available on the Internet.
  – Law enforcement is unable to keep up with the growing number of frauds.
  – The total dollar value of losses is difficult to calculate.

Approaches to Computer Fraud

• Computer Fraud Classification
  – Frauds can be categorized according to the data processing model:
    • Input
    • Processor
    • Computer instructions
    • Stored data
    • Output

Approaches to Computer Fraud

• Input Fraud
  – The simplest and most common way to commit a fraud is to alter computer input.
    • Requires few computer skills.
    • The perpetrator only needs to understand how the system operates.

Input Fraud

  – Can take a number of forms, including:

1- Disbursement frauds
  • The perpetrator causes a company to:
    – Pay too much for ordered goods; or
    – Pay for goods never ordered.

2- Inventory frauds
  • The perpetrator enters data into the system to show that stolen inventory has been scrapped.

Input Fraud

3- Payroll frauds
  • Perpetrators may enter data to:
    – Increase their salaries
    – Create a fictitious employee
    – Retain a terminated employee on the records.
  • In the latter two instances, the perpetrator intercepts and cashes the resulting paychecks.

Input Fraud

4- Cash receipt frauds
  • The perpetrator hides the theft by falsifying system input.
  • EXAMPLE: Cash of $200 is received. The perpetrator records a cash receipt of $150 and pockets the $50 difference.

5- Fictitious refund fraud
  • The perpetrator files for an undeserved refund, such as a tax refund.
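Each of the input frauds above leaves the altered input inconsistent with some independent record: a payroll entry with no matching active employee, a payment with no matching purchase order, or a recorded receipt that is smaller than the cash independently counted (the slides' $200 received, $150 recorded case). The reconciliation checks below are an added example written for this page, not code from the azizd.com slides; the record layouts (emp_id, po_id, per-day totals) and all the sample data are constructed assumptions about what such a system might hold.

```python
"""Added example: reconciliation checks for the disbursement, payroll and
cash-receipt input frauds described in the slides. Not from the azizd.com
slides; field names and all records below are constructed."""
from collections import defaultdict

# ---- constructed sample data -------------------------------------------------
HR_ROSTER = {  # emp_id -> (name, employment status), maintained by HR
    "E100": ("A. Ahmed", "active"),
    "E101": ("B. Lee", "active"),
    "E102": ("C. Osei", "terminated"),  # left the company
}
PAYROLL_RUN = [  # (emp_id, net_pay) keyed into the payroll system
    ("E100", 3200.00),
    ("E101", 2900.00),
    ("E102", 2750.00),  # terminated employee retained on the records
    ("E999", 3100.00),  # no HR record at all: a fictitious employee
]
PURCHASE_ORDERS = {  # po_id -> (vendor, approved amount)
    "PO-1": ("Acme Supply", 500.00),
    "PO-2": ("Delta Parts", 1200.00),
}
PAYMENTS = [  # (vendor, po_id, amount paid)
    ("Acme Supply", "PO-1", 500.00),
    ("Delta Parts", "PO-2", 1450.00),  # paid more than was ordered
    ("Ghost Vendor", None, 980.00),    # paid for goods never ordered
]
CASH_RECEIPTS = [  # (day, amount) recorded by the clerk
    ("2004-03-01", 150.00),  # the slides' example: $200 received, $150 recorded
    ("2004-03-02", 400.00),
]
CASH_COUNTED = [  # (day, amount) counted independently (register tape / second person)
    ("2004-03-01", 200.00),
    ("2004-03-02", 400.00),
]


def payroll_exceptions(payroll, roster):
    """Flag payees who are not active employees: an emp_id HR has never issued
    (possible fictitious employee) or one whose status is not 'active'."""
    flagged = []
    for emp_id, _net_pay in payroll:
        if emp_id not in roster:
            flagged.append((emp_id, "no HR record"))
        elif roster[emp_id][1] != "active":
            flagged.append((emp_id, roster[emp_id][1]))
    return flagged


def disbursement_exceptions(payments, purchase_orders, tolerance=0.01):
    """Match each payment to its purchase order. No PO means goods never
    ordered; an amount above the PO (beyond rounding) means an overpayment."""
    flagged = []
    for vendor, po_id, amount in payments:
        po = purchase_orders.get(po_id)
        if po is None:
            flagged.append((vendor, po_id, "no purchase order"))
        elif po[0] != vendor:
            flagged.append((vendor, po_id, "vendor does not match PO"))
        elif amount > po[1] + tolerance:
            flagged.append((vendor, po_id, f"overpaid by {amount - po[1]:.2f}"))
    return flagged


def cash_receipt_exceptions(recorded, counted):
    """Compare receipts keyed into the system with the independent daily count.
    Returns (day, recorded total, counted total, shortfall) for each mismatch."""
    recorded_by_day = defaultdict(float)
    for day, amount in recorded:
        recorded_by_day[day] += amount
    flagged = []
    for day, amount in counted:
        booked = round(recorded_by_day.get(day, 0.0), 2)
        diff = round(amount - booked, 2)
        if diff != 0:
            flagged.append((day, booked, amount, diff))
    return flagged


if __name__ == "__main__":
    print("payroll:", payroll_exceptions(PAYROLL_RUN, HR_ROSTER))
    print("disbursements:", disbursement_exceptions(PAYMENTS, PURCHASE_ORDERS))
    print("cash receipts:", cash_receipt_exceptions(CASH_RECEIPTS, CASH_COUNTED))
```

The common design point is that every check compares the entered data against a record the person entering it does not control (HR's roster, purchasing's approved orders, a second person's cash count); a clerk who can edit both sides of the comparison can defeat it, which is the segregation-of-duties concern the slides raise for PCs in user departments.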

Processor Fraud

– Involves computer fraud committed through unauthorized system use.

– Includes theft of computer time and services.
– Incidents could involve employees:
  • Surfing the Internet;
  • Using the company computer to conduct personal business; or
  • Using the company computer to conduct a competing business.

Processor Fraud

• In one example, an agriculture college at a major state university was experiencing very sluggish performance from its server.

• Upon investigating, IT personnel discovered that an individual outside the U.S. had effectively hijacked the college’s server to both store some of his/her research data and process it.

• The college eliminated the individual’s data and blocked future access to the system.

• The individual subsequently contacted college personnel to protest the destruction of the data.

Computer Instructions Fraud

– Involves tampering with the software that processes company data.

– May include:
  • Modifying the software
  • Making illegal copies
  • Using it in an unauthorized manner

– Also might include developing a software program or module to carry out an unauthorized activity.

Computer Instructions Fraud

• Computer instruction fraud used to be one of the least common types of frauds because it required specialized knowledge about computer programming beyond the scope of most users.

• Today these frauds are more frequent, courtesy of web pages that instruct users on how to create viruses and other schemes.

Data Fraud

– Involves:
  • Altering or damaging a company’s data files; or
  • Copying, using, or searching the data files without authorization.

– In many cases, disgruntled employees have scrambled, altered, or destroyed data files.

– Theft of data often occurs so that perpetrators can sell the data.

• Most identity thefts occur when insiders in financial institutions, credit agencies, etc., steal and sell financial information about individuals from their employer’s database.

Output Fraud

– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on paper.
– Unless properly safeguarded, screen output can easily be read from a remote location using inexpensive electronic gear.

– This output is also subject to prying eyes and unauthorized copying.

– Fraud perpetrators can use computers and peripheral devices to create counterfeit outputs, such as checks.

Computer Fraud And Abuse Techniques

• Perpetrators have devised many methods to commit computer fraud and abuse. These include:
  • Data diddling
    • Changing data before, during, or after it is entered into the system.
    • Can involve adding, deleting, or altering key system data.

Computer Fraud And Abuse Techniques

• Data leakage
  • Unauthorized copying of company data.

• Denial of service attacks
  • An attacker overloads and shuts down an Internet Service Provider’s email system by sending email bombs at a rate of thousands per second, often from randomly generated email addresses.
  • May also involve shutting down a web server by sending a load of requests for the web pages.
  • Experts estimate there are as many as 5,000 denial-of-service attacks weekly in the U.S.
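From the defender’s side, the email-bomb pattern just described has two measurable signatures: a message rate far above normal and sender addresses that almost never repeat. The detector below, an added example rather than anything from the slides, applies both tests per second to constructed mail-log lines; the log format, the threshold values and the addresses are assumptions.

```python
"""Flag the email-bomb pattern described above (thousands of messages per
second, mostly from randomly generated sender addresses) in a mail log.
Added example, not from the slides; log format and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed mail-log lines: "<epoch-second> <sender> <recipient>".
LOG = [
    "1700000000 alice@example.com sales@isp.example",
    "1700000000 bob@example.org sales@isp.example",
    "1700000001 carol@example.net help@isp.example",
    "garbage line that the parser must skip",
]
# Constructed flood: 500 messages in one second, each from a different,
# random-looking sender address, aimed at a single mailbox.
LOG += ["1700000002 u%05d@throwaway.invalid abuse@isp.example" % i for i in range(500)]

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def bucket_by_second(lines):
    """Return {second: [sender, ...]} for well-formed log lines; others are ignored."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            buckets[int(m.group(1))].append(m.group(2))
    return buckets


def flag_email_flood(lines, rate_threshold=100, distinct_ratio=0.9):
    """A second is flagged when its message count exceeds rate_threshold AND the
    share of distinct senders is at least distinct_ratio. Random addresses barely
    repeat, which separates a bomb from a legitimately busy period in which the
    same correspondents recur; a quiet second never trips the rate test."""
    alerts = []
    for sec, senders in sorted(bucket_by_second(lines).items()):
        n = len(senders)
        ratio = len(set(senders)) / n
        if n > rate_threshold and ratio >= distinct_ratio:
            alerts.append({"second": sec, "messages": n,
                           "distinct_sender_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    print(flag_email_flood(LOG))
```

The same two-part test (volume over baseline, low repetition of the source field) transfers to the web-server variant by bucketing request logs instead of mail logs.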

Computer Fraud And Abuse Techniques

• Eavesdropping
  • Perpetrators surreptitiously observe private communications or transmission of data.
  • Equipment to commit these “electronic wiretaps” is readily available at electronics stores.

• Email threats
  • A threatening message is sent to a victim to induce the victim to do something that would make it possible to be defrauded.
  • Several banks in the Midwest were contacted by an overseas perpetrator who indicated that:
    – He had broken into their computer system and obtained personal and banking information about all of the bank’s customers.
    – He would notify the bank’s customers of this breach if he was not paid a specified sum of money.

Computer Fraud And Abuse Techniques

• Hacking
  • Unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.
  • Most hackers break into systems using known flaws in operating systems, applications programs, or access controls.
  • Some are not very malevolent and mainly motivated by curiosity and a desire to overcome a challenge.
  • Others have malicious intent and can do significant damage.

Computer Fraud And Abuse Techniques

• Phreakers
  • Hacking that attacks phone systems and uses phone lines to transmit viruses and to access, steal, and destroy data.
  • They also steal telephone services and may break into voice mail systems.
  • Some hackers gain access to systems through dial-up modem lines.

• Hijacking
  • Involves gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge.
  • The illicit activity is often the perpetuation of spam emails.

Computer Fraud And Abuse Techniques

• Identity theft
  • Assuming someone’s identity, typically for economic gain, by illegally obtaining and using confidential information such as the person’s social security number, bank account number, or credit card number.
  • Identity thieves benefit financially by:
    – Taking funds out of the victim’s bank account.
    – Taking out mortgages or other loans under the victim’s identity.
    – Taking out credit cards and running up large balances.
  • If the thief is careful and ensures that bills and notices are sent to an address he controls, the scheme may be prolonged until such time as the victim attempts to buy a home or car and finds out that his credit is destroyed.
  • Identity thieves can steal corporate or individual identities by:
    – Watching people enter telephone calling card numbers or credit card numbers, or listening to communications as they provide this information to sales clerks or others.
    – They may also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for pre-approved credit cards, or other records that contain social security numbers, names, addresses, phone numbers, and other data that allow them to assume an identity.

Computer Fraud And Abuse Techniques

• Internet misinformation
  • Using the Internet to spread false or misleading information about people or companies.
  • May involve:
    – Planting inflammatory messages in online chat rooms.
    – Websites with misinformation.

• Internet terrorism
  • Hackers use the Internet to disrupt electronic commerce and destroy company and individual communications.
  • Viruses and worms are two main forms of Internet terrorism.

Computer Fraud And Abuse Techniques

• Logic time bombs
• Masquerading or impersonation
• Packet sniffers
• Password cracking
• Phishing
• Piggybacking
• Round-down technique
• Salami technique

Computer Fraud And Abuse Techniques

• Social engineering
• Software piracy
• Spamming
• Spyware
• Keystroke loggers
• Superzapping
• Trap doors
• Trojan horse
• War dialing
• War driving

Computer Fraud And Abuse Techniques

• Virus
  Damage may take many forms:
  – Send email with the victim’s name as the alleged source.
  – Destroy or alter data or programs.
  – Take control of the computer.
  – Destroy or alter file allocation tables.
  – Delete or rename files or directories.
  – Reformat the hard drive.
  – Change file content.
  – Prevent users from booting.
  – Intercept and change transmissions.
  – Print disruptive images or messages on the screen.
  – Change screen appearance.

  As viruses spread, they take up much space, clog communications, and hinder system performance.

Virus

• Virus symptoms:
  – Computer will not start or execute
  – Performs unexpected read or write operations
  – Unable to save files
  – Long time to load programs
  – Abnormally large file sizes
  – Slow systems operation
  – Unusual screen activity
  – Error messages

• They are usually spread by:
  – Opening an infected email attachment or file (most common); or
  – Running an infected program.

Virus

• Virus protections include:
  – Install reliable virus software that scans for, identifies, and destroys viruses.
  – Keep the antivirus program up to date.
  – Scan incoming email at the server level.
  – Deal with trusted software retailers.
  – Have two backups of all files.
  – Do not put diskettes or CDs in strange machines, or let others put unscanned disks in your machine.

– Worm: It is a type of virus that spreads itself over a computer network.

Preventing and Detecting Computer Fraud

• Organizations must take every precaution to protect their information systems.

• Certain measures can significantly decrease the potential for fraud and any resulting losses.

• These measures include:
  – Make fraud less likely to occur
  – Increase the difficulty of committing fraud
  – Improve detection methods
  – Reduce fraud losses