Chapter 6 Handout

This document discusses the four main types of threats to information systems: natural disasters, software errors, unintentional acts, and intentional acts like fraud. It focuses on fraud, defining it as gaining an unfair advantage through lies, deception or violation of trust. Fraud is often committed by knowledgeable insiders exploiting weaknesses for financial or emotional pressures. Common types of fraud include asset misappropriation, corruption, and financial statement fraud. Lack of internal controls and rationalization of criminal acts enable fraud to occur.

BATAAN PENINSULA STATE UNIVERSITY

COLLEGE OF BUSINESS AND ACCOUNTANCY

CHAPTER 6
Handout
Computer Fraud and Abuse

Companies face four types of threats to their information systems:


– Natural and political disasters
– Software errors and malfunction
– Unintentional acts
– Intentional acts

Natural and Political Disasters


• Include:
– Fire or excessive heat
– Floods
– Earthquakes
– High winds
– War and terrorist attack
• When a natural or political disaster strikes, many companies can be affected at the
same time.
– Example: Bombing of the World Trade Center in NYC.
• The US Defense Science Board has predicted that attacks on information systems
by foreign countries, espionage agents, and terrorists will soon be widespread.

Software errors and Malfunction


• Include:
– Hardware or software failures
– Software errors or bugs
– Operating system crashes
– Power outages and fluctuations
– Undetected data transmission errors
• Estimated annual economic losses due to software bugs = $60 billion.
• 60% of companies studied had significant software errors in previous year.

Unintentional Acts
• Include:
– Accidents caused by:
• Human carelessness
• Failure to follow established procedures
• Poorly trained or supervised personnel
– Innocent errors or omissions
– Lost, destroyed, or misplaced data
– Logic errors
– Systems that do not meet needs or are incapable of performing intended
tasks
• Information Systems Security Assn. estimates 65% of security problems are
caused by human error.

Intentional Acts
• Include:
– Sabotage
– Computer fraud
– Misrepresentation, false use, or unauthorized disclosure of data
– Misappropriation of assets
– Financial statement fraud
• Information systems are increasingly vulnerable to these malicious attacks.

Fraud is any and all means a person uses to gain an unfair advantage over another
person.
Fraudulent acts include:
 Lies or false statements uttered with an intention to deceive
 Suppression of the truth
 Tricks and cunning
 Violation of trust and confidence
 The victim suffers injury or loss as a result

When is it considered FRAUD?


• There must be a false representation, statement or a nondisclosure.
• There must be a material fact, a substantial factor in inducing someone to act.
• There must be intent to deceive.
• The misrepresentation must have resulted in justifiable reliance causing someone
to act.
• The deception must have caused injury or loss to the victim of the fraud

Financial Losses from Fraud


The actual cost of fraud is difficult to quantify for a number of reasons:
• Not all frauds are detected
• Of that detected, not all are reported
• In many fraud cases, incomplete information is gathered
• Information is not properly reported to management or law enforcement
• Often, organizations decide to take no civil or criminal action against the
perpetrators
• Since fraudsters don’t make journal entries to record their frauds, losses
caused by fraudulent acts are only estimates.
• The Association of Certified Fraud Examiners (ACFE) estimates that total
fraud losses in the U.S. run around 6% of annual revenues or approximately
$660 billion.

Who commits FRAUD?

– Former or current employees, called knowledgeable insiders, who are more likely
to commit fraud because:
• Their understanding of the company’s systems and its weaknesses enables
them to commit fraud
• They can cover their tracks
– An external party.

White-collar criminals
– Fraud perpetrators are often referred to as white-collar criminals.
– The term is used to distinguish them from violent criminals.

Factors that characterize the perpetrators of fraud


• Positions in the organization
• Gender
• Age
• Education

Types of Fraud
• Occupational Fraud (Employee Fraud)
 Asset Misappropriation
• Theft of Cash
• Fraudulent disbursements
• Theft of inventory and other assets
 Corruption
• Bribery
• Illegal gratuities
• Economic extortion
• Conflict of interest
 Fraudulent Statements
• Financial
• Non-financial
• Other Types of Fraud
 Intellectual property theft
 Consumer fraud
 Tax fraud
 Insurance fraud
 Financial institution fraud
 Securities fraud
 Money laundering
 Bankruptcy fraud
 Check and credit card fraud
 Computer and Internet fraud

Factors that contribute to Fraud


• SITUATIONAL PRESSURES
 Financial
• Living beyond means
• High personal debt/expenses
• “Inadequate” salary/income
• Poor credit ratings
• Heavy financial losses
• Bad investments
• Tax avoidance
• Meet unreasonable quotas/goals
 EMOTIONAL
• Greed
• Unrecognized performance
• Job dissatisfaction
• Fear of losing job
• Power or control
• Pride or ambition
• Beating the system
• Frustration
• Non-conformity
• Envy, resentment
• Arrogance, dominance
• Non-rules oriented
 LIFESTYLE
• Support gambling habit
• Drug or alcohol addiction
• Support sexual relationships
• Family/peer pressure

Pressures that lead to financial statement fraud


• In the case of financial statement frauds, common pressures include:
– To prop up earnings or stock price so that management can:
• Receive performance-related compensation.
• Preserve or improve personal wealth held in company stock or stock
options.
• Keep their jobs.
– To cover the inability to generate cash flow.
– To obtain financing.
– To appear to comply with requirements
– May be opposite of propping up earnings in cases involving income-tax
motivations, government contracts, or regulation.

• OPPORTUNITIES
 Opportunity is the opening or gateway that allows an individual to:
– Commit the fraud
– Conceal the fraud
– Convert the proceeds
 There are many opportunities that enable fraud. Some of the most common
are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staff
 Internal controls that may be lacking or un-enforced include:
– Authorization procedures
– Clear lines of authority
– Adequate supervision
– Adequate documents and records
– A system to safeguard assets
– Independent checks on performance
– Separation of duties
 One control feature that many companies lack is a background check on all
potential employees.
 Management may allow fraud by:
– Not getting involved in the design or enforcement of internal controls;
– Inattention or carelessness;
– Overriding controls; and/or
– Using their power to compel subordinates to carry out the fraud.

• INTEGRITY/ETHICS/RATIONALIZATION
 It is important to understand that fraudsters do not regard themselves as
unprincipled.
• In general, they regard themselves as highly principled individuals.
• That view of themselves is important to them.
• The only way they can commit their frauds and maintain their self
image as principled individuals is to create rationalizations that recast
their actions as “morally acceptable” behaviors.
 These rationalizations take many forms, including:
• I was just borrowing the money.
• It wasn’t really hurting anyone. (Corporations are often seen as non-
persons; therefore crimes against them are not hurting “anyone.”)
• Everybody does it.
• I’ve worked for them for 35 years and been underpaid all that time. I
wasn’t stealing; I was only taking what was owed to me.
• I didn’t take it for myself. I needed it to pay my child’s medical bills.

• CONCLUSION
• Fraud occurs when:
 People have perceived, non-shareable pressures;
 The opportunity gateway is left open; and
 They can rationalize their actions to reduce the moral impact in their minds
(i.e., they have low integrity).
• Fraud is much less likely to occur when:
 There is low pressure, low opportunity, and high integrity.

COMPUTER FRAUD
Computer fraud is defined as any illegal act for which knowledge of computer
technology is essential for its perpetration, investigation and/or prosecution.
• Computer fraud includes the following:
– Unauthorized theft, use, access, modification, copying, and destruction of
software or data.
– Theft of money by altering computer records.
– Theft of computer time.
– Theft or destruction of computer hardware.
– Use or the conspiracy to use computer resources to commit a felony.
– Intent to illegally obtain information or tangible property through the use of
computers.
• In using a computer, fraud perpetrators can steal:
– More of something
– In less time
– With less effort
• They may also leave very little evidence, which can make these crimes more
difficult to detect.
• Computer systems are particularly vulnerable to computer crimes for several
reasons:
– Company databases can be huge and access privileges can be difficult to
create and enforce. Consequently, individuals can steal, destroy, or alter
massive amounts of data in very little time.
– Organizations often want employees, customers, suppliers, and others to
have access to their system from inside the organization and without. This
access also creates vulnerability.
– Computer programs only need to be altered once, and they will operate that
way until:
• The system is no longer in use; or
• Someone notices.
– Modern systems are accessed by PCs, which are inherently more
vulnerable to security risks and difficult to control.
• It is hard to control physical access to each PC.
• PCs are portable, and if they are stolen, the data and access
capabilities go with them.
• PCs tend to be located in user departments, where one person may
perform multiple functions that should be segregated.
• PC users tend to be more oblivious to security concerns.
– Computer systems face a number of unique challenges:
• Reliability (accuracy and completeness)
• Equipment failure
• Environmental dependency (power, water damage, fire)
• Vulnerability to electromagnetic interference and interruption
• Eavesdropping
• Misrouting

• Organizations that track computer fraud estimate that most U.S. businesses have
been victimized by at least one incident of computer fraud.
• These frauds cost billions of dollars each year, and their frequency is increasing
because:
– Not everyone agrees on what constitutes computer fraud.
• Many don’t believe that taking an unlicensed copy of software is
computer fraud. (It is and can result in prosecution.)
• Some don’t think it’s a crime to browse through someone else’s
computer if their intentions aren’t malicious.
– Many computer frauds go undetected.
– An estimated 80-90% of frauds that are uncovered are not reported because
of fear of:
• Adverse publicity
• Copycats
• Loss of customer confidence.
– There are a growing number of competent computer users, and they are
aided by easier access to remote computers through the Internet and other
data networks.
– Some folks believe “it can’t happen to us.”
– Many networks have a low level of security.
– Instructions on how to perpetrate computer crimes and abuses are readily
available on the Internet.
– Law enforcement is unable to keep up with the growing number of frauds.
– The total dollar value of losses is difficult to calculate.
• Economic espionage, the theft of information and intellectual property, is growing
especially fast.
• This growth has led to the need for investigative specialists or cybersleuths.

• Computer Fraud Classification


– Frauds can be categorized according to the data processing model:
• Input
• Processor
• Computer instructions
• Stored data
• Output
Input Fraud
– The simplest and most common way to commit a fraud is to alter computer
input.
• Requires few computer skills.
• Perpetrators only need to understand how the system operates.
– Can take a number of forms, including:
• Disbursement frauds – the perpetrator causes a company to:
• Pay too much for ordered goods; or
• Pay for goods never ordered.
• Inventory frauds
• The perpetrator enters data into the system to show that
stolen inventory has been scrapped.
• Payroll frauds
• Perpetrators may enter data to:
• Increase their salaries
• Create a fictitious employee
• Retain a terminated employee on the records.
• In the latter two instances, the perpetrator intercepts and
cashes the resulting paychecks.
• Cash receipt frauds
• The perpetrator hides the theft by falsifying system input.
• EXAMPLE: Cash of $200 is received. The perpetrator
records a cash receipt of $150 and pockets the $50 difference.
• Fictitious refund fraud
• The perpetrator files for an undeserved refund, such as a tax
refund.
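The payroll and cash receipt frauds above are all committed through input, so the matching control is an independent record to reconcile the input against: HR’s roster for payroll, and the pre-numbered receipt copies issued to customers for cash receipts. The following is an added example (not from the handout) of those two reconciliations; the roster, payroll register, receipts and field names are constructed sample data, not any real system’s schema.

```python
"""Detection checks for the payroll and cash-receipt input frauds described above.

Added example, not from the handout. All records are constructed sample data and
the field names (emp, pay_date, bank_acct, ...) are assumptions about a generic
payroll register and cash receipts journal, not any real system's schema.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: the independent record of who may legitimately be paid.
HR_ROSTER = {
    "E100": {"name": "A. Cruz",   "terminated": None},
    "E101": {"name": "B. Reyes",  "terminated": date(2024, 3, 31)},
    "E102": {"name": "C. Santos", "terminated": None},
}

# Constructed payroll register for one pay run, as entered by the payroll clerk.
PAYROLL = [
    {"emp": "E100", "pay_date": date(2024, 4, 30), "amount": 30000, "bank_acct": "0001-1111"},
    {"emp": "E101", "pay_date": date(2024, 4, 30), "amount": 28000, "bank_acct": "0001-2222"},  # terminated employee retained on the records
    {"emp": "E102", "pay_date": date(2024, 4, 30), "amount": 32000, "bank_acct": "0001-3333"},
    {"emp": "E999", "pay_date": date(2024, 4, 30), "amount": 25000, "bank_acct": "0001-3333"},  # fictitious employee paid into a real employee's account
]


def payroll_exceptions(roster, payroll):
    """Compare the payroll register against HR's roster and return (emp, reason) findings."""
    findings = []
    payees_per_account = defaultdict(set)
    for row in payroll:
        payees_per_account[row["bank_acct"]].add(row["emp"])

    for row in payroll:
        person = roster.get(row["emp"])
        if person is None:
            findings.append((row["emp"], "payee not in HR roster (possible fictitious employee)"))
        elif person["terminated"] is not None and row["pay_date"] > person["terminated"]:
            findings.append((row["emp"], "paid after termination date"))
        # Two payees sharing one bank account is how a fictitious employee's pay gets collected.
        owners = payees_per_account[row["bank_acct"]]
        if len(owners) > 1:
            findings.append((row["emp"], f"bank account {row['bank_acct']} shared by {len(owners)} payees"))
    return findings


# Constructed: pre-numbered receipts as issued to customers (the copy the cashier cannot alter).
ISSUED_RECEIPTS = {"R-0001": 200, "R-0002": 500, "R-0003": 120}
# Constructed: cash receipts journal as the cashier entered it ($200 received, $150 recorded).
RECORDED_RECEIPTS = {"R-0001": 150, "R-0002": 500}


def receipt_discrepancies(issued, recorded):
    """Reconcile each issued receipt with what was recorded; return number -> (problem, amount)."""
    problems = {}
    for number, amount in issued.items():
        booked = recorded.get(number)
        if booked is None:
            problems[number] = ("not recorded", amount)
        elif booked != amount:
            problems[number] = ("amount differs", amount - booked)
    return problems


if __name__ == "__main__":
    for emp, reason in payroll_exceptions(HR_ROSTER, PAYROLL):
        print(f"payroll  {emp}: {reason}")
    for number, (problem, amount) in receipt_discrepancies(ISSUED_RECEIPTS, RECORDED_RECEIPTS).items():
        print(f"receipts {number}: {problem} ({amount})")
```

The point of both checks is that the second record is kept by someone other than the person who enters the input; a reconciliation against a record the perpetrator also controls (for example the deposit slip the same cashier fills in) would show no difference.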
Processor Fraud
– Involves computer fraud committed through unauthorized system use.
– Includes theft of computer time and services.
– Incidents could involve employees:
• Surfing the Internet;
• Using the company computer to conduct personal business; or
• Using the company computer to conduct a competing business.
Computer Instruction Fraud
– Involves computer fraud committed by tampering with the software that
processes company data.
– May include:
• Modifying the software
• Making illegal copies
• Using it in an unauthorized manner
• Also might include developing a software program or module to carry
out an unauthorized activity.
– Computer instruction fraud used to be one of the least common types of
frauds because it required specialized knowledge about computer
programming beyond the scope of most users.
– Today these frauds are more frequent, courtesy of web pages that instruct
users on how to create viruses and other schemes.
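Because an altered program keeps running that way until someone notices, the practical control is to make the noticing automatic: record a baseline hash of every program and configuration file, then compare the live copies against it on a schedule. The following is an added example (not from the handout) of such a baseline-and-compare check; the directory layout and file contents are constructed in a temporary folder so it runs anywhere.

```python
"""Baseline-and-compare integrity check for program files.

Added example, not from the handout. The file tree below is constructed in a
temporary directory; the paths and contents are illustrative only.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record the hash of every file under root, keyed by its relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root, baseline):
    """Return which files were added, removed, or modified since the baseline was taken."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a small program tree, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        original = "def post(run):\n    return sum(r.amount for r in run)\n"
        (root / "bin" / "post_payroll.py").write_text(original)
        (root / "bin" / "print_checks.py").write_text("def print_checks(run):\n    pass\n")
        (root / "config.ini").write_text("[payroll]\nrounding=banker\n")

        baseline = build_baseline(root)          # taken at deployment, stored off the host
        clean = compare_to_baseline(root, baseline)

        # Changes that should surface at the next scheduled comparison.
        (root / "bin" / "post_payroll.py").write_text(original + "# edited after deployment\n")
        (root / "bin" / "helper.py").write_text("# new file that was never approved\n")
        (root / "config.ini").unlink()
        return clean, compare_to_baseline(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("right after baseline:", before)
    print("after changes:", after)
```

The baseline itself must be stored where the people who can change the programs cannot also change it, otherwise a perpetrator simply re-baselines after tampering.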
Data Fraud
– Involves:
• Altering or damaging a company’s data files; or
• Copying, using, or searching the data files without authorization.
– In many cases, disgruntled employees have scrambled, altered, or
destroyed data files.
– Theft of data often occurs so that perpetrators can sell the data.
– Most identity thefts occur when insiders in financial institutions, credit
agencies, etc., steal and sell financial information about individuals from their
employer’s database.
Output Fraud
– Involves stealing or misusing system output.
– Output is usually displayed on a screen or printed on paper.
– Unless properly safeguarded, screen output can easily be read from a
remote location using inexpensive electronic gear.
– This output is also subject to prying eyes and unauthorized copying.
– Fraud perpetrators can use computers and peripheral devices to create
counterfeit outputs, such as checks.

Computer Fraud and Abuse Techniques – Check the other file for an updated list.
DETER AND DETECT
• Organizations must take every precaution to protect their information systems.
• Certain measures can significantly decrease the potential for fraud and any
resulting losses.
• These measures include:
– Make fraud less likely to occur
• Create a culture that stresses integrity and commitment to ethical
values and competence.
• Adopt an organizational structure, management philosophy,
operating style, and appetite for risk that minimizes the likelihood of
fraud.
• Require oversight from an active, involved, and independent audit
committee.
• Assign authority and responsibility for business objectives to specific
departments and individuals, encourage initiative in solving problems,
and hold them accountable for achieving those objectives.
• Identify the events that lead to increased fraud risk, and take steps to
prevent, avoid, share, or accept that risk.
• Develop a comprehensive set of security policies to guide the design
and implementation of specific control procedures, and communicate
them effectively to company employees.
• Implement human resource policies for hiring, compensating,
evaluating, counseling, promoting, and discharging employees that
send messages about the required level of ethical behavior and
integrity.
• Effectively supervise employees, including monitoring their
performance and correcting their errors.
• Train employees in integrity and ethical considerations, as well as
security and fraud prevention measures.
• Require annual employee vacations, periodically rotate duties of key
employees, and require signed confidentiality agreements.
• Implement formal and rigorous project development and acquisition
controls, as well as change management controls.
• Increase the penalty for committing fraud by prosecuting fraud
perpetrators more vigorously.
– Increase the difficulty of committing fraud
• Develop a strong system of internal controls
• Segregate the accounting functions of:
• Authorization
• Recording
• Custody
• Implement a proper segregation of duties between systems
functions
• Restrict physical and remote access to system resources to
authorized personnel
• Require transactions and activities to be authorized by appropriate
supervisory personnel. Have the system authenticate the person and
their right to perform the transaction before allowing the transaction to
take place.
• Use properly designed documents and records to capture and
process transactions.
• Safeguard all assets, records, and data.
• Require independent checks on performance, such as reconciliation
of two independent sets of records, where possible and appropriate.
• Implement computer-based controls over data input, computer
processing, data storage, data transmission, and information output.
• Encrypt stored and transmitted data and programs to protect them
from unauthorized access and use.
• Fix known software vulnerabilities by installing the latest updates to
operating systems, security, and applications programs.
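Several of the items above (segregating authorization, recording and custody; authenticating the person and their right to perform the transaction; requiring supervisory authorization) can be enforced by the system rather than left to procedure. The following is an added example (not from the handout) of a small enforcement layer that does so; the users, roles, approval limits and the three-step authorize, record, custody workflow are constructed assumptions.

```python
"""Segregation of duties and transaction authorization as a small enforcement layer.

Added example, not from the handout. The users, roles, approval limits and the
three-step workflow (authorize -> record -> custody) are constructed assumptions.
"""


class ControlViolation(Exception):
    """Raised when a user attempts a step the controls do not permit."""


# Which role is entitled to perform each of the three segregated accounting functions.
ROLE_FOR_STEP = {"authorize": "approver", "record": "clerk", "custody": "treasurer"}
STEP_ORDER = ["authorize", "record", "custody"]

# Constructed user directory: roles held, and the amount each approver may authorize.
USERS = {
    "alice": {"roles": {"approver"}, "approval_limit": 50000},
    "bob":   {"roles": {"clerk"}, "approval_limit": 0},
    "carol": {"roles": {"treasurer"}, "approval_limit": 0},
    "dave":  {"roles": {"approver", "clerk"}, "approval_limit": 10000},  # holds two segregated roles
}


class Transaction:
    def __init__(self, txn_id, amount):
        self.txn_id = txn_id
        self.amount = amount
        self.steps = {}  # step name -> user who performed it


def perform_step(users, txn, step, user):
    """Let `user` perform `step` on `txn` only if identity, role, limit, order and SoD checks pass."""
    profile = users.get(user)
    if profile is None:
        raise ControlViolation(f"{user}: not a known user")
    if ROLE_FOR_STEP[step] not in profile["roles"]:
        raise ControlViolation(f"{user}: lacks the {ROLE_FOR_STEP[step]} role needed to {step}")
    if step == "authorize" and txn.amount > profile["approval_limit"]:
        raise ControlViolation(f"{user}: amount {txn.amount} exceeds approval limit {profile['approval_limit']}")
    # Steps happen in order: nothing is recorded before it is authorized, nothing is disbursed before it is recorded.
    for prior in STEP_ORDER[:STEP_ORDER.index(step)]:
        if prior not in txn.steps:
            raise ControlViolation(f"{txn.txn_id}: cannot {step} before {prior}")
    # Segregation of duties: one person performs at most one of the three functions on a transaction.
    for done_step, done_by in txn.steps.items():
        if done_by == user:
            raise ControlViolation(f"{user}: already performed {done_step} on {txn.txn_id}")
    txn.steps[step] = user
    return dict(txn.steps)


def conflicting_role_holders(users):
    """Periodic role review: users holding more than one of the segregated roles."""
    segregated = set(ROLE_FOR_STEP.values())
    return sorted(u for u, p in users.items() if len(p["roles"] & segregated) > 1)


def demo():
    """Run three constructed transactions and collect what the controls did."""
    results = {}
    t1 = Transaction("PO-1", 20000)
    for step, user in [("authorize", "alice"), ("record", "bob"), ("custody", "carol")]:
        results["clean"] = perform_step(USERS, t1, step, user)

    t2 = Transaction("PO-2", 5000)
    perform_step(USERS, t2, "authorize", "dave")
    try:
        perform_step(USERS, t2, "record", "dave")  # same person trying to do a second function
        results["same_person_twice"] = "allowed"
    except ControlViolation as err:
        results["same_person_twice"] = str(err)

    t3 = Transaction("PO-3", 80000)
    try:
        perform_step(USERS, t3, "authorize", "alice")  # above alice's limit
        results["over_limit"] = "allowed"
    except ControlViolation as err:
        results["over_limit"] = str(err)

    results["role_conflicts"] = conflicting_role_holders(USERS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the transaction-level check and the role review are both needed: dave passes the role check for either step on his own, and only the per-transaction record stops him from doing both, while the role review is what tells management that his role assignment is the underlying problem.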
– Improve detection methods
• Create an audit trail so individual transactions can be traced through
the system to the financial statements and vice versa.
• Conduct periodic external and internal audits, as well as special
network security audits.
• Install fraud detection software.
• Implement a fraud hotline.
• Employ a computer security officer, as well as computer consultants
and forensic specialists as needed.
• Monitor system activities, including computer and network security
efforts, usage and error logs, and all malicious actions.
• Use intrusion detection systems to help automate the monitoring
process.
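An audit trail is only useful for detection if it can be traced in both directions and if the trail itself cannot be quietly edited by the people it records. The following is an added example (not from the handout) of a hash-chained, append-only trail with forward and backward tracing plus one simple monitoring rule (after-hours postings); the entry fields and the sample postings are constructed.

```python
"""A tamper-evident audit trail that can be traced in both directions.

Added example, not from the handout. The entry fields and the sample postings are
constructed; the hash chain is a generic technique, not any product's format.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # link value carried by the first entry


class AuditTrail:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        """Hash of every field except the stored hash itself."""
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def append(self, ts, txn_id, actor, action, account, amount):
        """Add an entry whose hash covers its content and the previous entry's hash."""
        entry = {
            "seq": len(self.entries),
            "ts": ts, "txn_id": txn_id, "actor": actor,
            "action": action, "account": account, "amount": amount,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the seq of the first entry that was altered or unlinked, or None if intact."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return entry["seq"]
            prev = entry["hash"]
        return None

    def trace_transaction(self, txn_id):
        """Forward: every event of one transaction, in posting order."""
        return [e for e in self.entries if e["txn_id"] == txn_id]

    def trace_account(self, account):
        """Backward: from a financial statement account to the transactions behind its balance."""
        return sorted({e["txn_id"] for e in self.entries if e["account"] == account})

    def after_hours(self, start_hour=8, end_hour=18):
        """Entries posted outside business hours, a common trigger for review."""
        flagged = []
        for e in self.entries:
            hour = datetime.fromisoformat(e["ts"]).hour
            if hour < start_hour or hour >= end_hour:
                flagged.append(e["seq"])
        return flagged


def build_sample_trail():
    """Constructed postings for two purchase orders."""
    trail = AuditTrail()
    trail.append("2024-04-02T09:15:00", "PO-1", "alice", "authorize", "AP", 20000)
    trail.append("2024-04-02T10:40:00", "PO-1", "bob", "record", "AP", 20000)
    trail.append("2024-04-03T14:05:00", "PO-1", "carol", "disburse", "Cash", 20000)
    trail.append("2024-04-05T23:30:00", "PO-2", "bob", "record", "AP", 5000)
    return trail


def tamper_demo():
    """Alter one stored amount and show that verification pinpoints the entry, and then the break in the chain."""
    trail = build_sample_trail()
    before = trail.verify()                       # None: intact
    trail.entries[1]["amount"] = 2000             # after-the-fact change to a stored record
    content_changed = trail.verify()              # 1: entry 1 no longer matches its own hash
    trail.entries[1]["hash"] = trail._digest(trail.entries[1])  # hash recomputed to hide the edit
    chain_broken = trail.verify()                 # 2: entry 2 still carries the old hash of entry 1
    return before, content_changed, chain_broken


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", t.verify() is None)
    print("PO-1 events:", [e["action"] for e in t.trace_transaction("PO-1")])
    print("AP transactions:", t.trace_account("AP"))
    print("after hours:", t.after_hours())
    print("tamper demo (before, content changed, chain broken):", tamper_demo())
```

Recomputing one hash does not help whoever edited the entry, because the next entry still embeds the original value; hiding an edit would require rewriting every later entry, which is why the latest hash should be copied periodically to a place the system's own users cannot write.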
– Reduce fraud losses
• Maintain adequate insurance.
• Develop comprehensive fraud contingency, disaster recovery, and
business continuity plans.
• Store backup copies of program and data files in a secure, off-site
location.
• Use software to monitor system activity and recover from fraud.
