Introduction

Computer fraud and other abuse are major, often unrecognized, threats to modern organizations. Online crime is now bigger than the global illegal drug trade, at over $100 billion a year. Cyber criminals have devised an ever-increasing number of ways to commit fraud and abuse; some criminals claim to be making $10,000 a day through these actions.
Information systems are becoming increasingly more complex, and society is becoming increasingly more dependent on these systems.
- Companies face four types of threats to their information systems: (1) natural and political disasters, (2) software errors and equipment malfunction, (3) unintentional acts, and (4) intentional acts (computer crime).
- We will be focusing on and discussing the intentional acts.

THE FRAUD PROCESS

Fraud is any and all means a person uses to gain an unfair advantage over another person. In most cases, to be considered fraudulent, an act must involve: (1) a false statement (oral or in writing), (2) about a material fact, (3) knowledge that the statement was false when it was uttered (which implies an intent to deceive), (4) a victim who relies on the statement, and (5) injury suffered by the victim.
- Fraud against companies may be committed by an employee or an external party.
Former and current employees, called knowledgeable insiders, are much more likely than non-employees to perpetrate frauds against companies. This is largely owing to their understanding of the company's systems and its weaknesses, which enables them to commit the fraud and cover their tracks. Organizations must utilize controls to make it difficult for both insiders and outsiders to steal from the company. Fraud perpetrators are often referred to as white-collar criminals, which distinguishes them from violent criminals.
WHO COMMITS FRAUD AND WHY?

Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills. Hackers and computer fraud perpetrators tend to be more motivated by curiosity, a quest for knowledge, the desire to learn how things work, and the challenge of beating the system. They may view their actions as a game rather than dishonest behavior.
Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle:
- Pressure
- Opportunity
- Rationalization

APPROACHES TO COMPUTER FRAUD

The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. In using a computer, fraud perpetrators can steal more of something in less time and with less effort. They may also leave very little evidence, which can make these crimes more difficult to detect.
COMPUTER FRAUD AND ABUSE TECHNIQUES:

Phishing: Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a website. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate one; the only difference is the URL of the website. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing e-mails may also contain links to websites that are infected with malware.

Password cracking: Penetrating system defenses, stealing passwords, and decrypting them to access system programs, files, and data. In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. Since systems normally store a one-way hash of the password rather than the password itself, "decrypting" in practice means guessing candidate passwords and comparing their hashes with the stored ones.
A common approach (brute-force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password.

Adware: Spyware that collects and forwards data to advertising companies or causes banner ads to pop up as the internet is surfed. Adware, or advertising-supported software, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. Revenue may be earned simply for displaying the advertisement or on a pay-per-click basis if the user clicks on it.
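The guessing attack the password-cracking entry describes, as an added example (this is not code from the original notes). It runs a dictionary attack and then an exhaustive search against a constructed store of unsalted SHA-256 digests, and then shows why a per-user salt combined with a deliberately slow hash (PBKDF2-HMAC-SHA256, used here as an assumed replacement for the weak store) changes the attacker's economics. The credential store, wordlist, passwords and salts are all constructed for the demonstration.

```python
"""Added example, not from the original notes: dictionary and brute-force
guessing against stored password hashes, then the salted, slow hash that makes
the same guessing far more expensive. Every credential here is constructed."""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols for the exhaustive search

# Constructed "leaked" store: the defender kept unsalted SHA-256 digests, which is
# exactly the weak setting that makes offline guessing cheap.
UNSALTED_STORE = {
    "alice": hashlib.sha256(b"letmein").hexdigest(),
    "bob": hashlib.sha256(b"b7q").hexdigest(),
}

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome"]


def unsalted_digest(password, salt=b""):
    """What the weak store uses: the salt is ignored, so equal passwords give
    equal digests for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password, salt, iterations=100_000):
    """What the store should use (assumed replacement): PBKDF2-HMAC-SHA256 with a
    random per-user salt. The salt defeats precomputed tables and forces one
    search per user; the iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(target_hex, wordlist):
    """Hash each candidate and compare with the stored digest; None if no hit."""
    for word in wordlist:
        if unsalted_digest(word) == target_hex:
            return word
    return None


def brute_force(target_hex, alphabet=ALPHABET, max_len=3):
    """Try every string over `alphabet` up to `max_len` characters.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if unsalted_digest(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


def digests_collide(digest_fn, password):
    """Two users, same password, different salts: do the stored digests match?
    True means cracking one user's hash reveals every user with that password."""
    return digest_fn(password, b"salt-for-alice") == digest_fn(password, b"salt-for-bob")


if __name__ == "__main__":
    print("alice via wordlist:", dictionary_attack(UNSALTED_STORE["alice"], WORDLIST))
    pw, n = brute_force(UNSALTED_STORE["bob"])
    worst = sum(len(ALPHABET) ** k for k in range(1, 4))
    print(f"bob via brute force: {pw!r} after {n} of at most {worst} guesses")
    print("unsalted digests collide:", digests_collide(unsalted_digest, "letmein"))
    print("salted digests collide:", digests_collide(salted_digest, "letmein"))
```

Run as a script it prints the recovered passwords and the guess counts. The last two lines carry the lesson: with an unsalted fast hash, one cracked digest exposes every user who chose that password and a single precomputed table covers all of them; with a salted, iterated hash each user costs a separate search and each guess costs about 100,000 hash computations instead of one.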
The software may implement advertisements in a variety of ways, including a static box display, a banner display, full screen, a video, a pop-up ad or in some other form.

SMS spoofing: Using short message service (SMS) to change the name or number a text message appears to come from. It occurs when a sender manipulates address information. Often it is done in order to impersonate a user that has roamed onto a foreign network and is submitting messages to the home network. Frequently, these messages are addressed to destinations outside the home network, with the home SMSC (short message service centre) essentially being "hijacked" to send messages into other networks. In advanced cases a spoofed message can even appear to come from a contact already stored in the victim's phone.

Pretexting: Acting under false pretenses to gain confidential information. A pretext is an excuse to do something or say something that is not accurate. Pretexts may be based on a half-truth or developed in the context of a misleading fabrication.
Pretexts have been used to conceal the true purpose or rationale behind actions and words.

Virus: Executable code that attaches itself to software, replicates itself, and spreads to other systems or files. When triggered, it makes unauthorized alterations to the way a system operates.

Salami Technique: Stealing tiny slices of money over time.
It is the fraudulent practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding to the nearest cent in financial transactions. It would be done by always rounding down and putting the fractions of a cent into another account. The idea is to make the change small enough that any single transaction will go undetected.

Denial of service attack: An attack designed to make computer resources unavailable to their users. A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Worm: Similar to a virus, except that it is a program rather than a code segment hidden in a host program. It actively transmits itself to other systems. It usually does not live long, but it is quite destructive while alive.

Trojan Horse: Unauthorized code in an authorized and properly functioning program. A Trojan horse is any malicious computer program which misleads users as to its true intent. The term is derived from the Ancient Greek story of the deceptive wooden horse that led to the fall of the city of Troy.
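Returning to the salami technique described above, an added example (not code from the original notes) that simulates the skim on a constructed batch of interest postings and shows the kind of independent check that catches it. It makes a point the paragraph does not: the routine batch-total reconciliation still passes, because the skim is by construction smaller than ordinary rounding tolerance, while the direction of rounding gives the fraud away. The interest amounts, the tolerance and the minimum batch size for the check are all constructed for the demonstration.

```python
"""Added example, not from the original notes: a salami-style skim on a batch
of interest postings, the routine batch-total control it slips past, and an
independent rounding-direction check that catches it. Amounts are constructed."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# Constructed batch: exact interest to four decimal places, as a core-banking
# job would compute it before rounding each amount to cents for posting.
EXACT_INTEREST = [Decimal(s) for s in (
    "12.3471", "0.9985", "45.0059", "3.1204", "7.7777",
    "19.9999", "2.5050", "88.0011", "0.0049", "15.6262",
)]


def post_honestly(exact):
    """Round each amount to the nearest cent; residues fall both ways and cancel."""
    return [x.quantize(CENT, rounding=ROUND_HALF_UP) for x in exact]


def post_with_salami(exact, carry=Decimal("0")):
    """The fraud: always round down and sweep the shaved fraction (under a cent
    per item) into the perpetrator's account. Whole cents are posted to that
    account inside the same batch; the sub-cent remainder is carried forward.
    Returns (customer postings, amount posted to the skim account, new carry)."""
    posted, skim = [], carry
    for x in exact:
        down = x.quantize(CENT, rounding=ROUND_DOWN)
        skim += x - down
        posted.append(down)
    swept = skim.quantize(CENT, rounding=ROUND_DOWN)
    return posted, swept, skim - swept


def totals_reconcile(exact, posted, extra_postings=()):
    """The usual batch control: everything posted must equal the exact total
    within normal rounding tolerance (half a cent per item). The salami passes
    this check because its skim is, by construction, inside that tolerance."""
    tolerance = HALF_CENT * len(exact)
    diff = sum(exact) - sum(posted) - sum(extra_postings, Decimal("0"))
    return abs(diff) <= tolerance


def rounding_direction_check(exact, posted, min_items=10):
    """Independent check a reviewer can run on the same data: honest nearest-cent
    rounding rounds up roughly half the time, so a batch of reasonable size in
    which nothing ever rounds up is a salami signature.
    Returns (rounded_up, rounded_down, suspicious)."""
    ups = sum(1 for x, p in zip(exact, posted) if p > x)
    downs = sum(1 for x, p in zip(exact, posted) if p < x)
    return ups, downs, (len(exact) >= min_items and ups == 0 and downs > 0)


if __name__ == "__main__":
    honest = post_honestly(EXACT_INTEREST)
    print("honest reconciles:", totals_reconcile(EXACT_INTEREST, honest),
          "direction:", rounding_direction_check(EXACT_INTEREST, honest))
    skimmed, swept, carry = post_with_salami(EXACT_INTEREST)
    print("salami reconciles:", totals_reconcile(EXACT_INTEREST, skimmed, [swept]),
          "direction:", rounding_direction_check(EXACT_INTEREST, skimmed),
          "skimmed this batch:", swept, "carry:", carry)
```

Both runs reconcile, which is the whole design of the salami: the diverted amount rides inside the rounding tolerance that the batch control already forgives. What does not survive is the statistics of the rounding itself: over ten postings honest rounding goes up seven times and down three, while the skim never rounds up at all. The check is cheap, needs no access to the skim account, and is the sort of independent check on performance the prevention section lists.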
Identity Theft: Assuming someone's identity by illegally obtaining confidential information such as a social security number.

Botnet, Bot Herders: A network of hijacked computers, called zombies, used in a variety of attacks. A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attacks (DDoS attacks), steal data, send spam, and allow the attacker access to the device and its connection. The owner, the bot herder, can control the botnet using command and control (C&C) software.
The word "botnet" is a combination of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

PREVENTING AND DETECTING COMPUTER FRAUD

- Make fraud less likely to occur: by creating an ethical culture, adopting an appropriate organizational structure, requiring active oversight, assigning authority and responsibility, assessing risk, developing security policies, implementing human resource policies, supervising employees effectively, training employees, requiring vacations, implementing development and acquisition controls, and prosecuting fraud perpetrators vigorously.
- Increase the difficulty of committing fraud: by designing strong internal controls, segregating duties, restricting access, requiring appropriate authorizations, utilizing documentation, safeguarding assets, requiring independent checks on performance, implementing computer-based controls, encrypting data, and fixing software vulnerabilities.
- Improve detection methods: by creating an audit trail, conducting periodic audits, installing fraud detection software, implementing a fraud hotline, employing a computer security officer, monitoring system activities, and using intrusion detection systems.
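An added example (not code from the original notes) that ties the flooding description under denial of service to the "monitoring system activities" and "intrusion detection" items just above: a small flood detector run over constructed web-server access-log lines in Common Log Format. A per-source rate catches a single-machine DoS; an aggregate rate is also needed, because a botnet DDoS spreads the load so thinly across zombies that no single source looks abnormal. The log lines, the addresses and both thresholds are made up for the demonstration.

```python
"""Added example, not from the original notes: a flood detector run over
constructed web-server access-log lines (Common Log Format). A per-source rate
catches a single-machine DoS; an aggregate rate is also needed, because a botnet
DDoS spreads the load so thinly that no single source looks abnormal.
Log lines, addresses and thresholds are all made up for the demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
WINDOW = timedelta(seconds=1)
PER_SOURCE_LIMIT = 20    # requests from one address per window (assumed)
AGGREGATE_LIMIT = 100    # requests to the host per window (assumed)


def parse_line(line):
    """Return (timestamp, source ip, request line, status) or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1), m.group(3), int(m.group(4))


def detect_floods(lines, per_source_limit=PER_SOURCE_LIMIT,
                  aggregate_limit=AGGREGATE_LIMIT, window=WINDOW):
    """Sliding-window counters over a log in arrival order.
    Returns (set of flooding sources, list of times an aggregate alert fired)."""
    per_source = defaultdict(deque)
    overall = deque()
    flooding, aggregate_alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip garbage rather than crash the monitor
        ts, ip, _, _ = parsed
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] >= window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_source_limit:
            flooding.add(ip)
        overall.append(ts)
        while ts - overall[0] >= window:
            overall.popleft()
        # one aggregate alert per window, so a sustained flood does not spam the analyst
        if len(overall) > aggregate_limit and (
                not aggregate_alerts or ts - aggregate_alerts[-1] >= window):
            aggregate_alerts.append(ts)
    return flooding, aggregate_alerts


def build_sample_log():
    """Constructed traffic: 3 s of normal browsing from three clients, then a
    3 s flood from one source (50 req/s), then a 3 s flood from 60 sources at
    2 req/s each (120 req/s in total, but each source alone looks harmless)."""
    t0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, t, path="/index.html"):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512')

    for s in range(0, 3):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            for _ in range(3):
                add(ip, t0 + timedelta(seconds=s))
    for s in range(3, 6):
        for _ in range(50):
            add("203.0.113.7", t0 + timedelta(seconds=s), "/search?q=a")
    for s in range(6, 9):
        for n in range(1, 61):
            for _ in range(2):
                add(f"198.51.100.{n}", t0 + timedelta(seconds=s))
    return lines


if __name__ == "__main__":
    flooding, alerts = detect_floods(build_sample_log())
    print("per-source floods:", sorted(flooding))
    print("aggregate alerts at:", [a.strftime("%H:%M:%S") for a in alerts])
```

The sample-log builder stands in for a real access log; feeding `detect_floods` the lines of an actual file in the same format works unchanged, with the two limits tuned to the site's normal traffic. The example assumes lines arrive in time order, as a server writes them, and that the one-second resolution of the CLF timestamp is acceptable for the window. On the constructed log the single-source flood is named as a flooding address while none of the sixty DDoS sources is, and only the aggregate counter fires during the distributed phase.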