Computer fraud and other abuse are major, often unrecognized, threats to
modern organizations. Online crime is now bigger than the global illegal drug
trade, at “over $100 billion a year”. Cyber criminals have devised an
ever-increasing number of ways to commit fraud and abuse; some criminals claim
to be making $10,000 a day through these actions.
Information systems are becoming increasingly complex, and society
is becoming increasingly dependent on them.
– Companies face four types of threats to their information:
(1) Natural and political disasters.
(2) Software errors and equipment malfunction.
(3) Unintentional acts.
(4) Intentional acts (computer crime).
– We will be focusing on and discussing the intentional acts.
THE FRAUD PROCESS
Fraud is any and all means a person uses to gain an unfair advantage over
another person. In most cases, to be considered fraudulent, an act must involve:
(1) A false statement (oral or in writing).
(2) About a material fact.
(3) Knowledge that the statement was false when it was uttered (which implies an intent to deceive).
(4) A victim who relies on the statement.
(5) Injury suffered by the victim.
Fraud against companies may be committed by an employee or an external party.
Former and current employees, called knowledgeable insiders, are much more
likely than non-employees to perpetrate frauds against companies. This is
largely owing to their understanding of the company’s systems and its
weaknesses, which enables them to commit the fraud and cover their tracks.
Organizations must utilize controls to make it difficult for both insiders and
outsiders to steal from the company.
Fraud perpetrators are often referred to as white-collar criminals, which
distinguishes them from violent criminals.
WHO COMMITS FRAUD AND
Perpetrators of computer fraud tend to be younger and to possess more computer
knowledge, experience, and skills. Hackers and computer fraud perpetrators tend
to be motivated more by curiosity, a quest for knowledge, the desire to learn
how things work, and the challenge of beating the system. They may view their
actions as a game rather than dishonest behavior.
Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals
in an attempt to determine the common threads in their crimes. As a result of
his research, he determined that three factors were present in the commission
of each crime. These three factors have come to be known as the fraud triangle:
(1) Pressure
(2) Opportunity
(3) Rationalization
The U.S. Department of Justice defines computer fraud as any illegal act for
which knowledge of computer technology is essential for its perpetration,
investigation, or prosecution.
In using a computer, fraud perpetrators can steal more of something in less
time and with less effort. They may also leave very little evidence, which can
make these crimes more difficult to detect.
COMPUTER FRAUD AND
Phishing: communications that request recipients to disclose
confidential information by responding to an e-mail or visiting a website.
Phishing is typically carried out by e-mail spoofing or instant messaging, and
it often directs users to enter personal information at a fake website whose
look and feel are identical to the legitimate one; the only difference is the
URL of the website concerned. Communications purporting to be from social web
sites, auction sites, banks, online payment processors or IT administrators are
often used to lure victims. Phishing e-mails may also contain links to websites
that are infected with malware.
Password cracking: penetrating system defenses, stealing stored password hashes,
and cracking them to access system programs, files, and data.
In cryptanalysis and computer security, password cracking is the process of
recovering passwords from data that have been stored in or transmitted by a
computer system. Passwords are normally stored as one-way hashes rather than
encrypted, so they are not “decrypted”: a common approach (brute-force attack)
is to try guesses repeatedly for the password and check each guess against an
available cryptographic hash of the password. A dictionary attack tries a list
of likely passwords instead of the whole key space. Unsalted, fast hashes let
one guess be checked against every stolen hash at once, which is why systems
should store a per-user salt and use a deliberately slow hash.
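The following added example (not from the original notes) shows both sides of this: a brute-force run against constructed, unsalted SHA-256 hashes, where one guess is compared against every stolen hash, and the defender's alternative of a per-user salt with PBKDF2-HMAC-SHA256 plus a constant-time verify. The usernames, the three-character demo passwords, the 36-character alphabet and the 200,000-iteration count are assumptions chosen to keep the demo fast.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed "stolen" credential store: unsalted SHA-256 of short passwords,
# the way a weak system might keep them. Demo plaintexts are 'ab1' and 'zz9'.
LEAKED_SHA256 = {
    "alice": hashlib.sha256(b"ab1").hexdigest(),
    "bob": hashlib.sha256(b"zz9").hexdigest(),
}


def crack_unsalted(targets, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Brute force every candidate up to max_len. Because the hashes are
    unsalted and fast, each guess is hashed once and compared against *all*
    stolen hashes at the same time. Returns (user->password, guesses made)."""
    wanted = {digest: user for user, digest in targets.items()}
    found, guesses = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if digest in wanted:
                found[wanted[digest]] = candidate
                if len(found) == len(targets):
                    return found, guesses
    return found, guesses


def keyspace(alphabet_size, max_len):
    """Number of candidates the brute force above can enumerate."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def hash_password(password, salt=None, iterations=200_000):
    """Defender side: per-user random salt + slow PBKDF2-HMAC-SHA256.
    Returns (salt, hex digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_password(password, salt, stored_hex, iterations=200_000):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest_hex = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest_hex, stored_hex)


def work_to_exhaust(num_users, candidates, iterations, salted):
    """Hash evaluations an attacker needs to test `candidates` against every
    user: with salts each guess must be recomputed per user, and each
    evaluation costs `iterations` hash rounds."""
    return candidates * iterations * (num_users if salted else 1)


if __name__ == "__main__":
    cracked, n = crack_unsalted(LEAKED_SHA256)
    print(f"cracked {cracked} after {n} guesses")
    print("unsalted SHA-256 work:", work_to_exhaust(2, keyspace(36, 3), 1, False))
    print("salted PBKDF2 work:   ", work_to_exhaust(2, keyspace(36, 3), 200_000, True))
```

With two users and a 47,988-candidate key space the unsalted store falls to under 48,000 hash computations, while the salted, iterated store needs roughly 400,000 times as many; real deployments raise the cost further with longer passwords and memory-hard functions such as Argon2.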
Adware: spyware that collects and forwards data to advertising
companies or causes banner ads to pop up as the Internet is surfed.
Adware, or advertising-supported software, is software that generates revenue
for its developer by automatically generating online advertisements in the user
interface of the software or on a screen presented to the user during the
installation process; the developer is typically paid when the user clicks on
the advertisement. The software may implement advertisements in a variety of
ways, including a static box display, a banner display, full screen, a video,
a pop-up ad or some other form.
SMS spoofing: using the short message service (SMS) to change the
name or number a text message appears to come from.
SMS spoofing occurs when a sender manipulates address information. Often it is
done in order to impersonate a user who has roamed onto a foreign network and
is submitting messages to the home network. Frequently, these messages are
addressed to destinations outside the home network, with the home SMSC
essentially being “hijacked” to send messages into other networks. In advanced
cases the attacker can even make messages appear to come from existing contacts
in your phone.
Pretexting: acting under a false pretense to gain confidential information.
A pretext is an excuse to do something or say something that is not accurate.
Pretexts may be based on a half-truth or developed in the context of a
misleading fabrication. Pretexts have been used to conceal the true purpose or
rationale behind actions.
Virus: executable code that attaches itself to software,
replicates itself, and spreads to other systems or files. When triggered, it
makes unauthorized alterations to the way a system operates.
Salami technique: stealing tiny slices of money over time.
The salami technique is the fraudulent practice of stealing money repeatedly
in extremely small quantities, usually by taking advantage of rounding to the
nearest cent in financial transactions. It is done by always rounding down and
putting the fractions of a cent into another account. The idea is to make the
change small enough that any single transaction will go unnoticed.
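The mechanism, and the control that catches it, are easier to see on numbers. The following is an added example, not part of the original notes: a constructed batch of interest postings is rounded honestly (nearest cent) and then the salami way (always down, remainder to a skim account), and a reconciliation step recomputes every posting independently and flags anything that is not the nearest-cent value of its source, as well as any account credited without a source posting. The account numbers, amounts and the skim account name are assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed interest postings: (account, exact amount before rounding).
POSTINGS = [
    ("acct-1001", Decimal("12.3456")),
    ("acct-1002", Decimal("0.9999")),
    ("acct-1003", Decimal("250.0075")),
    ("acct-1004", Decimal("3.1049")),
]


def post_honest(postings):
    """Correct behaviour: round each amount to the nearest cent."""
    return {acct: amt.quantize(CENT, rounding=ROUND_HALF_UP) for acct, amt in postings}


def post_salami(postings, skim_account="acct-9999"):
    """The fraud: always round *down* and credit the shaved fractions to an
    account the perpetrator controls. No single victim loses a full cent, so
    nothing looks wrong on one statement. Returns (ledger, exact skimmed amount)."""
    ledger, skim = {}, Decimal("0")
    for acct, amt in postings:
        credited = amt.quantize(CENT, rounding=ROUND_DOWN)
        skim += amt - credited
        ledger[acct] = credited
    # Whole cents are credited now; a real skim would carry the sub-cent
    # remainder forward into the next batch.
    ledger[skim_account] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return ledger, skim


def reconcile(postings, ledger):
    """Detective control: recompute each posting independently and flag
    (a) any credit that is not the nearest-cent value of its source amount,
    (b) any ledger account that received money without a source posting."""
    expected = post_honest(postings)
    exceptions = []
    for acct, exact in postings:
        if ledger.get(acct) != expected[acct]:
            exceptions.append((acct, "not rounded to nearest cent", exact, ledger.get(acct)))
    for acct, amount in ledger.items():
        if acct not in expected:
            exceptions.append((acct, "credit with no source posting", None, amount))
    return exceptions


def total(ledger):
    """Sum of all credits in a ledger, kept in Decimal to avoid float drift."""
    return sum(ledger.values(), Decimal("0"))


if __name__ == "__main__":
    honest = post_honest(POSTINGS)
    crooked, skim = post_salami(POSTINGS)
    print("honest total:", total(honest))
    print("salami total:", total(crooked), "skimmed:", skim)
    for exc in reconcile(POSTINGS, crooked):
        print("EXCEPTION", exc)
```

Note that acct-1004 is not flagged: its fraction (0.0049) rounds down either way, which is why a per-posting check must be paired with the orphan-credit check and with batch-level statistics (rounding residue that is always positive instead of averaging to zero).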
Denial of service attack: an attack designed to make computer resources
unavailable to their intended users.
A denial-of-service attack (DoS
attack” is a cyber-attack where the perpetrator seeks to make a machine or
network resource unavailable to its intended users by temporarily or
indefinitely disrupting services of a host connected to the Internet. Denial of
service is typically accomplished by flooding the targeted machine or resource
with superfluous requests in an attempt to overload systems and prevent some or
all legitimate requests from being fulfilled.
Worm: similar to a virus, but a program rather than a code segment hidden in a
host program. It actively transmits itself to other systems. It usually does
not live long, but it is quite destructive while it is active.
Trojan horse: unauthorized code in an authorized and properly functioning
program.
A Trojan horse is any malicious computer program which misleads users as to its
true intent. The term is derived from the Ancient Greek story of the deceptive
wooden horse that led to the fall of the city of Troy.
Identity theft: assuming someone’s identity by illegally obtaining confidential
information such as a Social Security number.
Botnet, bot herders: a network of hijacked computers, called zombies, used in a
variety of attacks.
A botnet is a number of Internet-connected devices, each of which is running
one or more bots. Botnets can be used to perform distributed denial-of-service
attacks (DDoS attacks), steal data, send spam, and allow the attacker access to
the device and its connection. The owner (the bot herder) controls the botnet
using command and control (C&C) software. The word “botnet” is a combination
of the words “robot” and “network”. The term is usually used with a negative or
malicious connotation.
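A single flooding host and a botnet-driven DDoS look different in a web server log, and the detection logic differs accordingly. The following is an added example (not from the original notes) that serves both the denial-of-service passage above and this botnet passage: it builds a constructed Common Log Format log containing a few normal clients, one host sending 120 requests in ten seconds, and 40 hosts that each send four requests inside the same second; a per-source sliding window catches the first, and a per-second aggregate with a distinct-source count catches the second. The IP addresses (documentation ranges), timestamps, window sizes and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into (client_ip, timestamp); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, datetime.strptime(ts, TS_FMT)


def make_sample_log():
    """Constructed traffic, not captured data. Three behaviours share one log:
    five normal clients, one host flooding (DoS), and 40 hosts each sending a
    handful of requests inside the same second (DDoS from a botnet)."""
    t0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(1, 6):                                   # normal clients
        events.append((t0 + timedelta(seconds=i), f"10.0.0.{i}"))
    for n in range(120):                                    # single-source flood
        events.append((t0 + timedelta(milliseconds=n * 80), "203.0.113.7"))
    for h in range(1, 41):                                  # distributed flood
        for _ in range(4):
            events.append((t0 + timedelta(seconds=5), f"198.51.100.{h}"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'
            for ts, ip in events]


def flag_single_source(lines, window=timedelta(seconds=10), threshold=50):
    """Sliding window per client IP: flag any source whose request count
    within `window` reaches `threshold`. Catches a classic single-host DoS."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # log is time-ordered; drop old entries
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def flag_distributed(lines, threshold=100, min_sources=20):
    """Per-second aggregate: flag seconds where total requests exceed
    `threshold` across at least `min_sources` distinct clients, i.e. a DDoS
    in which no single source stands out. Returns [(second, total, sources)]."""
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts = parsed                 # CLF timestamps are whole seconds
        counts[ts] += 1
        sources[ts].add(ip)
    return sorted((ts, n, len(sources[ts])) for ts, n in counts.items()
                  if n >= threshold and len(sources[ts]) >= min_sources)


if __name__ == "__main__":
    log = make_sample_log()
    print("single-source flood from:", flag_single_source(log))
    for second, n, srcs in flag_distributed(log):
        print(f"distributed flood at {second}: {n} requests from {srcs} sources")
```

The per-IP rule alone would never fire on the botnet (each zombie sends only four requests), and the aggregate rule alone would report the single flooder as just another busy second; a production IDS or rate limiter needs both views, and for DDoS the response is usually upstream filtering rather than blocking individual sources.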
PREVENTING AND DETECTING COMPUTER FRAUD
Make fraud less likely to occur – by creating an ethical culture, adopting an
appropriate organizational structure, requiring active oversight, assigning
authority and responsibility, assessing risk, developing security policies,
implementing human resource policies, supervising employees effectively,
training employees, requiring vacations, implementing development and
acquisition controls, and prosecuting fraud perpetrators vigorously.
Increase the difficulty of committing fraud – by designing strong internal
controls, segregating duties, restricting access, requiring appropriate
authorizations, utilizing documentation, safeguarding assets, requiring
independent checks on performance, implementing computer-based controls,
encrypting data, and fixing known software vulnerabilities.
Improve detection methods – by creating an audit trail, conducting periodic
audits, installing fraud detection software, implementing a fraud hotline,
employing a computer security officer, monitoring system activities, and using
intrusion detection systems.