
CHAPTER 9
COMPUTER FRAUD AND SECURITY

I.   INTRODUCTION
II.  THE FRAUD PROCESS
III. WHY FRAUD OCCURS
     Pressures
     Opportunities
     Rationalizations
IV.  COMPUTER FRAUD
     The Rise in Computer Fraud
     Computer Fraud Classifications
     Computer Fraud and Abuse Techniques
     Computer Viruses
V.   PREVENTING AND DETECTING COMPUTER FRAUD
     Make Fraud Less Likely to Occur
     Increase the Difficulty of Committing Fraud
     Improve Detection Methods
     Reduce Fraud Losses
     Prosecute and Incarcerate Fraud Perpetrators
9-1

Ch. 9: Computer Fraud and Security


CHAPTER 9
COMPUTER FRAUD AND SECURITY
LEARNING OBJECTIVES
After studying this chapter you should be able to:
Define fraud and describe the process one follows to perpetrate a fraud.
Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are
present in most frauds.
Compare and contrast the approaches and techniques that are used to commit computer fraud.
Describe how to deter and detect computer fraud.

CHAPTER OUTLINE AND TEACHING NOTES


I. INTRODUCTION
A. Fraud - any means a person uses to gain an unfair advantage over another person
1. A violation of trust or confidence relied upon by the other party
2. Economic losses due to fraud in the U.S. are estimated to be $500 billion per year
3. Usually involves misrepresentation of facts and reliance upon those facts by the
victim
a) Knowledgeable insiders much more likely to commit fraud than
nonemployees
b) Fraud perpetrators are referred to as white-collar criminals
c) Misappropriation of assets - also called employee fraud, committed for
personal financial gain
d) Fraudulent financial reporting - materially misleading financial
statements designed to mislead investors and creditors; perpetrators
receive indirect benefits like increased stock values
4. Treadway Commission recommended four actions to reduce fraudulent financial
reporting
a) Establish organizational environment that contributes to the integrity
of financial reporting process
b) Identify and understand the factors that lead to fraudulent financial
reporting
c) Assess the risk of fraudulent financial reporting in the company
d) Design and implement internal controls for prevention


Accounting Information Systems

II. THE FRAUD PROCESS


A. Most frauds involve three steps:
1. Theft of something of value, e.g., cash, inventory, supplies
2. Conversion of stolen assets into cash
3. Concealment of the crime to avoid detection - when assets are stolen or inflated,
the only way to conceal is to inflate other assets or decrease liabilities or equity
a) Charge stolen asset to expense accounts
b) Lapping - misapply cash payments by one customer to another account
and steal part of cash received
c) Kiting - cover theft of cash by transfer of money between banks
Question 9.2 deals with kiting.
III. WHY FRAUD OCCURS
A. White-collar criminals - few differences from the general public
B. Fraud perpetrator characteristics
1. Spend their illegal proceeds rather than save them
2. Once they begin it is hard to stop
3. Rely on the income and want more as their greed increases
4. May become careless and overconfident as time goes on
5. Perpetrators of computer fraud tend to be younger and have more computer
knowledge
a) Motivation may be curiosity or challenge of beating the system
(1) 32% were women (68% men) and 43% were minorities (57%
majority)
(2) May be unhappy with employer or disgruntled with job
(3) May appear to be ideal employee, dedicated, hardworking
(4) Often no previous criminal record
C. Three conditions are necessary for fraud to occur:
1. Pressure may be a person's motivation to commit fraud (Table 9.1)
a) Financial, work-related, or other such as family/peer pressure,
emotional instability, or challenge of beating the system
2. Opportunity is the condition that allows a person to commit and conceal the fraud
a) Lack of internal controls or failure to enforce controls, other factors
such as excessive trust in key employees, incompetent supervisory
personnel, inattention to details, inadequate staffing, etc.
3. Rationalization - justification of illegal behavior; "I'm just borrowing it," "I intend to
pay it back," "I'm not really hurting anyone," "everyone else does it," and "I'm above the
rules" are all common rationalizations



Figure 9.1 shows fraud as a result of interaction of three factors: pressures, opportunities,
and rationalizations. Tables 9.1 and 9.2 provide a comprehensive listing of pressures and
opportunities that lead to fraud.
Problems 9.1, 9.2, 9.4, 9.5, 9.6, and 9.8 deal with the concept of fraud, indicators or red
flags of fraud, incidence of fraud, and embezzlement schemes. Case 9.2 provides a profile
of a white-collar criminal, the ease with which fraud can be committed, and the lax law
enforcement; it is very educational.
IV. COMPUTER FRAUD
A. Computer fraud - any illegal act for which knowledge of computer technology is
essential for its perpetration, investigation, or prosecution
1. Unauthorized use, access, modification, copying, or destruction of software
2. Theft of cash or other assets by altering computer records
3. Theft or destruction of computer hardware
4. Use or conspiracy to use a computer to commit a felony
5. Intent to illegally obtain information or property by use of a computer
B. Reasons for rise of computer fraud
1. Not everyone agrees on what constitutes computer fraud
2. Many computer frauds go undetected; estimates are that only 1% to 20% are detected
3. An estimated 80%-90% of the frauds that are uncovered are not reported
C. Computer fraud is large and growing
1. Dollar losses rose fifteenfold from 1997 to 1998; each incident now costs $2.81
million
2. Even Defense Department and Pentagon networks are not completely secure; 70%
of friendly (authorized test) hacks are successful
3. Even though there is a growing number of competent computer users, there is a
belief that "it just can't happen to us"
4. Most networks have a low level of security
5. Many Internet sites provide guidance on how to commit computer crimes
6. Law enforcement is unable to keep up with the number of computer frauds
7. An especially rapidly growing type of fraud is economic espionage, which is the
theft of information and intellectual property


D. Computer fraud classifications


1. Computer fraud can affect input, processor, computer instructions, stored data,
and output (Figure 9.1)
a) Input - easy to commit, alteration of inputs to manipulate
disbursements, inventory, payroll, or cash receipts
b) Processor - theft of computer time or employees goofing off (e.g., Internet
surfing)
c) Computer instructions - modifying software to carry out an
unauthorized activity, making illegal copies
d) Data - altering or damaging data files, or copying, using, or stealing data
without authorization
e) Output - theft or misuse of system output; even screen output can be read
electronically with inexpensive electronic gear



E. Computer fraud and abuse techniques (Table 9.2)
1. Trojan Horse - unauthorized code hidden in a legitimate program
2. Round-down technique - calculated amounts are rounded down and the leftover
fractions are deposited in the perpetrator's account
3. Salami technique - small amounts sliced off and stolen from many projects over a
period of time
4. Trap door - bypass of normal system controls
5. Superzapping - use of a special program to bypass regular controls
6. Software piracy - unauthorized copying of software, probably the most committed
computer crime, losses between $15 and $18 billion per year
7. Data diddling - changing data in an unauthorized way
8. Data leakage - unauthorized copying of data files
9. Piggybacking - latching onto a legitimate user in data communications
10. Masquerading or Impersonation - the perpetrator gains access to the system by
pretending to be an authorized user
11. Social engineering - a perpetrator tricks an employee into giving him the
information he needs to get into the system
12. Logic time bomb - idle until some event or time triggers it
13. Hacking - unauthorized access and use of a computer system
14. Scavenging - gaining access to confidential data by searching corporate records in
dumpsters or computer storage
15. Eavesdropping - observation of private communications by wiretapping or other
surveillance techniques
16. E-mail threats - threatening legal action and asking for money via e-mail
17. E-mail forgery - removing message headers, using such anonymous e-mail for
criminal activity
18. Denial of service attack - sending hundreds of e-mail messages from false
addresses until the attacked server shuts down
19. Internet terrorism - crackers using the Internet to disrupt electronic commerce and
communication lines
20. Internet misinformation - using the Internet to spread false or misleading
information
21. War dialing - searching for idle modems by dialing thousands of telephone numbers
and intruding into systems through the modems found
22. Spamming - e-mailing the same message to everyone on one or more Usenet
groups


F. Computer viruses - a segment of executable code that attaches to software and is
intended to replicate and do damage to computer systems and/or data
1. Computers can get infected in four ways:
a) Opening an e-mail attachment which carries the virus
b) Opening a file that contains the virus
c) By booting (starting) the computer from an infected diskette (boot sector virus)
d) By running a program that has been infected (program file virus)
2. Viruses are contagious and can easily spread from one system to another
a) E-mail containing hidden viruses is the fastest growing way to spread
viruses
b) Viruses can replicate themselves faster than they can be destroyed and can
have long lives
3. Worm - like a virus, but a whole stand-alone program rather than a code segment
hidden in a host program; it replicates itself and can be quite destructive
Figure 9.1 categorizes computer frauds in the context of the data processing model. Table
9.2 provides a list of computer fraud and abuse techniques; however, this list is sorted
alphabetically (but not so in the text). Focus 9.1 presents the case of a worm that crashed a
substantial portion of the Internet. An interesting question is whether such a feat could be
accomplished today and, if so, what it would cost.
Questions 9.3 and 9.9 deal with hacking. Problem 9.3 is a descriptive question on various
fraud methods. Problems 9.7 and 9.9 deal with computer viruses. Case 9.1 is a portrait of
the infamous hacker Kevin Mitnick.



V. PREVENTING AND DETECTING COMPUTER FRAUD
A. Make fraud less likely to occur
1. Hiring and firing practices - thorough scrutiny, background checks, etc.
2. Managing disgruntled employees
3. Employee training - most important element in any security program
a) Security measures - take seriously
b) Telephone disclosures - dialing the caller back, verifying a person's
identity, etc.
c) Fraud awareness - training concerning causes and prevention of fraud
d) Ethical considerations - ethical code or standards, tone set at the top
e) Punishment for unethical behavior - consequences should be spelled
out
4. Manage and track software licenses
5. Confidentiality agreements - employees, vendors, and contractors should be made
to sign and abide by them
B. Increase the difficulty of committing fraud
1. Develop a strong system of internal controls - this is management's responsibility
2. Segregate duties
3. Require vacations and rotation of duties
4. Restrict access to computer equipment and data
5. Encrypt data and programs
6. Protect telephone lines from hackers who attack through phone systems
(phreakers)
a) Attach electronic lock and key to telephones
b) Control dial-up modems
7. Protect the system from viruses - use virus protection, detection, and
identification programs
8. Control sensitive data - apply appropriate access restrictions
9. Control laptop computers
10. Monitor hacker/cracker sites about how to break into your systems
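Items B.2 and B.4 (segregate duties, restrict access) are the controls that a disbursement system has to enforce in code rather than in policy. The following is an added example, not code from the textbook or the teaching notes: a small approval workflow in which the person who keys a disbursement can never approve it, each approver signs once, and amounts at or above a threshold need two approvers. The users, roles, and the 10,000 threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role assignments (hypothetical users, not from the text); a real
# system would load these from its identity store.
ROLES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"approver", "treasurer"},
    "dave": {"clerk", "approver"},   # holds both roles: a control weakness
}
DUAL_APPROVAL_THRESHOLD = 10_000  # constructed limit above which two approvers sign

@dataclass
class Disbursement:
    requester: str
    payee: str
    amount: int
    approvals: list = field(default_factory=list)
    released: bool = False

def request(requester, payee, amount):
    """Only clerks may enter a disbursement; the entry records who keyed it."""
    if "clerk" not in ROLES.get(requester, set()):
        raise PermissionError(f"{requester} may not create disbursements")
    return Disbursement(requester, payee, amount)

def approval_problem(d, approver):
    """Segregation-of-duties check. Returns None when the approval is allowed,
    otherwise the reason it must be refused."""
    if "approver" not in ROLES.get(approver, set()):
        return f"{approver} lacks the approver role"
    if approver == d.requester:
        return "requester may not approve a disbursement they entered"
    if approver in d.approvals:
        return f"{approver} has already approved this disbursement"
    return None

def approve(d, approver):
    """Record an approval; release the payment once enough distinct approvers
    have signed (two at or above the threshold, one below). Returns release status."""
    problem = approval_problem(d, approver)
    if problem:
        raise PermissionError(problem)
    d.approvals.append(approver)
    needed = 2 if d.amount >= DUAL_APPROVAL_THRESHOLD else 1
    d.released = len(d.approvals) >= needed
    return d.released

def conflicting_roles(roles=ROLES):
    """Periodic review control: users who can both enter and approve disbursements."""
    return sorted(u for u, r in roles.items() if {"clerk", "approver"} <= r)

def walkthrough():
    """Constructed scenario: a large disbursement keyed by dave, who then tries
    to approve his own entry before two other approvers release it."""
    d = request("dave", "ACME Supplies", 50_000)
    return {
        "self_approval": approval_problem(d, "dave"),
        "no_role": approval_problem(d, "alice"),
        "after_first": approve(d, "bob"),
        "repeat": approval_problem(d, "bob"),
        "after_second": approve(d, "carol"),
        "conflicts": conflicting_roles(),
    }

if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Note that the per-transaction check alone does not fix the role table: dave is refused only because he keyed this particular entry, so the separate review (`conflicting_roles`) exists to surface users whose combined permissions defeat the segregation in the first place.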
C. Improve detection methods
1. Conduct frequent audits and random surveillance
2. Use a computer security officer
3. Set up a fraud hot line
4. Use computer consultants
5. Monitor system activities
6. Use forensic accountants
7. Use fraud detection software for insurance claims etc.
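Items C.1 and C.5 (random surveillance, monitor system activities) and B.3 (required vacations) only work if someone actually reads the activity records, so here is an added example of the kind of check a monitor would run over an authentication log. It is not code from the textbook or the teaching notes; the log format, the three sample users, the on-leave list, the business hours, and the failed-login threshold are all constructed assumptions. It flags the masquerading pattern from item 10 of the techniques list (a burst of failed logins followed by a success), after-hours logins, and a login by someone who is supposed to be on vacation.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of an authentication log (hypothetical format and data)
SAMPLE_LOG = """\
2024-03-11T08:55:10 LOGIN_OK user=jsmith src=10.0.4.21
2024-03-11T09:02:44 LOGIN_FAIL user=mbrown src=10.0.4.77
2024-03-11T09:02:51 LOGIN_FAIL user=mbrown src=10.0.4.77
2024-03-11T09:02:58 LOGIN_FAIL user=mbrown src=10.0.4.77
2024-03-11T09:03:05 LOGIN_OK user=mbrown src=10.0.4.77
2024-03-11T23:41:19 LOGIN_OK user=jsmith src=10.0.9.3
this line is malformed and must be skipped
2024-03-12T10:15:00 LOGIN_OK user=tlee src=10.0.4.40
"""
ON_LEAVE = {"tlee"}                      # constructed HR feed: staff on required vacation
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # constructed working-hours window
FAIL_THRESHOLD = 3                       # failures before a success becomes suspicious

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn raw log lines into (timestamp, kind, user, source) tuples.
    Malformed lines are skipped rather than allowed to crash the monitor."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), kind, user, src))
    return events

def detect(events, on_leave=ON_LEAVE):
    """Return (flag, user, timestamp) alerts for three red flags:
    guess-then-success, after-hours login, login while on required leave."""
    alerts = []
    fails = defaultdict(int)  # consecutive failures per user, reset on success
    for ts, kind, user, src in events:
        if kind == "LOGIN_FAIL":
            fails[user] += 1
            continue
        if fails[user] >= FAIL_THRESHOLD:
            alerts.append(("guess-then-success", user, ts.isoformat()))
        fails[user] = 0
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            alerts.append(("after-hours", user, ts.isoformat()))
        if user in on_leave:
            alerts.append(("login-while-on-leave", user, ts.isoformat()))
    return alerts

def run_sample():
    """Run the detector over the constructed log above."""
    return detect(parse(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The vacation check is the point of item B.3 made concrete: a required vacation separates a person from the records they might be manipulating, but only a monitor that knows who is on leave turns an unexpected login by that person into an alert.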


D. Reduce fraud losses


1. Maintain adequate insurance
2. Keep current backup copies of all programs and data files in an off-site location
3. Develop a contingency plan for fraud occurrence and other disasters
4. Use special software to monitor system activity
E. Prosecute and incarcerate fraud perpetrators
1. Most cases go undetected
2. Companies are reluctant to report computer fraud because of the embarrassment
factor, probably only 10% are reported
3. Courts are very busy with violent crimes
4. Investigation of computer crimes is difficult, costly, and time consuming
a) Computer Fraud and Abuse Act of 1986 deals specifically with
computer crimes and might be helpful
5. Many law enforcement officials, lawyers, and judges lack the computer skills to
investigate, prosecute, or evaluate computer crimes
6. Convictions often result in only light sentences - often the perpetrators have been
model citizens and not had previous criminal records
Focus 9.2 provides practical suggestions on keeping microcomputers free from viruses.
Questions 9.1, 9.4, 9.5, 9.6, 9.7, and 9.8 deal with the effects of hiring practices, diskless
PCs, biometric devices, software sabotage, software licensing, and determined defrauders
on internal controls. Case 9.3 poses questions on effects of strengths and weaknesses in
controls on the management information and embezzlement risk. Case 9.4 presents gray
areas in software licensing.

