
CHAPTER 5

COMPUTER FRAUD AND ABUSE

Learning Objective One

Define fraud and describe the process one follows to perpetrate a fraud.

INTRODUCTION TO FRAUD

Fraud is any and all means a person uses to gain an unfair advantage over another
person. Legally, for an act to be considered fraudulent there must be:

1. A false statement, representation, or disclosure

2. A material fact, which is something that induces a person to act

3. An intent to deceive

4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action

5. An injury or loss suffered by the victim

Fraud perpetrators are also referred to as white-collar criminals.

Fraud takes two forms:

• Misappropriation of assets

• Fraudulent financial reporting

Misappropriation of Assets

Misappropriation of assets is often referred to as employee fraud.

Some examples include:

• Albert Miano, a manager at Reader’s Digest responsible for processing bills from painters and carpenters, embezzled $1 million over a 5-year period. He forged signatures on checks, deposited the money in his own account, and bought an expensive home, five cars and a boat.

• A bank vice president approved $1 billion in bad loans in exchange for $585,000 in kickbacks. The bank had to shut down.

Page 1 of 23

• An accounting information systems manager at a Florida newspaper went to work for a competitor after he was fired. It was discovered that the manager still had an active account and password at the firm that fired him, so he was able to regularly browse the old newspaper company’s computer files for information on exclusive stories.

A typical employee fraud has a number of important elements or characteristics:

• The fraud perpetrator must gain the trust or confidence of the person or company being defrauded.

• Instead of a weapon or physical force, fraud perpetrators use trickery, cunning, or false or misleading information to obtain money or assets.

• They hide their tracks by falsifying records or other information.

• Few frauds are terminated voluntarily. Instead, the fraud perpetrator continues due to “need or greed.” Often, perpetrators begin to depend on the “extra” income and reach a point where they cannot afford to stop. Other times they move to a more expensive lifestyle that requires even more money. It is at this point that they get braver, or perhaps more relaxed: the perpetrator gets greedy and starts stealing larger amounts of money, and this is where they normally get caught.

• Fraud perpetrators spend their ill-gotten gains, usually on an extravagant lifestyle. Rarely do they save or invest the money they take. Typical purchases include big homes, fancy cars and gambling, or the perpetrator simply becomes a big spender.

• Many perpetrators who become greedy not only start taking larger amounts of money but also take it more often.

• As previously mentioned, perpetrators at some point get braver and grow careless or overconfident. This is the point where they can also make a mistake and get caught.

• The fraud perpetrator cannot get away with stealing cash or property forever. At some point, although it may take some time, they are going to get caught.

• The most significant contributing factor in most employee frauds is the absence of internal controls or the failure to enforce existing internal controls. After all, if a person who is already dishonest by nature finds out that management is not concerned about internal controls, it becomes very easy for that person to become a fraud perpetrator and start stealing cash or property.
Fraudulent Financial Reporting

The Treadway Commission defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

Executives “cook the books,” as they say, by fictitiously inflating revenues, recognizing revenues before they are earned, closing the books early (delaying current-period expenses to a later period), overstating inventories or fixed assets, and concealing losses and liabilities.

The Treadway Commission recommended four actions to reduce the possibility of fraudulent financial reporting:

1. Establish an organizational environment that contributes to the integrity of the financial reporting process.

2. Identify and understand the factors that lead to fraudulent financial reporting.

3. Assess the risk of fraudulent financial reporting within the company.

4. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented.

A study by the Association of Certified Fraud Examiners found that misappropriation of assets by employees is more than 17 times more likely than fraudulent financial reporting.

Learning Objective Two

Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities and rationalizations that are present in most frauds.

Who Perpetrates Fraud and Why It Occurs


Perpetrators of computer fraud tend to be younger and possess more computer
knowledge, experience, and skills

Some hackers and computer fraud perpetrators are more motivated by curiosity, a
quest for knowledge, the desire to learn how things work, and the challenge of
“beating the system.”

Most have no previous criminal record

Research shows that three conditions are necessary for fraud to occur: a pressure,
an opportunity, and a rationalization. This is referred to as the fraud triangle
and is shown as the middle triangle in Figure 5-1 on Page 148.

Pressures

A pressure is a person’s incentive or motivation for committing the fraud. The three common types of pressures are 1) financial, 2) emotional and 3) lifestyle, which are summarized in Table 5-2 on Page 149. Table 5-3 on Page 150 provides the pressures that can lead to financial statement fraud.

Opportunities

As shown in the opportunity triangle in Figure 5-1 on Page 148, opportunity is the
condition or situation that allows a person or organization to do three things:

1. Commit the fraud

Most fraudulent financial reporting consists of the overstatement of assets or revenues, the understatement of liabilities, or the failure to disclose information.

2. Conceal the fraud

A common and effective way to hide a theft is to charge the stolen item to an expense account. For example, supplies are charged to an expense account when they are initially purchased, before they are used, which gives the perpetrator the opportunity to use some of the supplies for personal benefit at the expense of the company. Unused supplies should have been recorded as an asset called Supplies until they are used.

Another way to hide a decrease in assets is lapping. In a lapping scheme, the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable. Funds received at a later date from customer B are used to pay off customer A’s balance, funds from customer C are used to pay off customer B, and so forth.
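The lapping pattern above can be caught by comparing the mailroom’s independent remittance list (who sent what, and when) with what the accounts receivable clerk actually posted. The following is an added example, not from the textbook or these notes; the receipts, postings, customer names and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the text): the mailroom's remittance log,
# prepared by someone other than the AR clerk, versus the clerk's postings.
RECEIPTS = [  # (date received, customer whose check it was, amount)
    (date(2024, 1, 2), "A", 500),
    (date(2024, 1, 9), "B", 500),
    (date(2024, 1, 16), "C", 500),
]
POSTINGS = [  # (date posted, account credited, amount)
    (date(2024, 1, 9), "A", 500),   # A's stolen payment covered with B's check
    (date(2024, 1, 16), "B", 500),  # B covered with C's check; C is still open
]


def find_misapplied(receipts, postings):
    """Pair each posting with the receipt that funded it (same day, same
    amount) and return those credited to a customer other than the payer."""
    unmatched = list(receipts)
    misapplied = []
    for posted, credited, amount in postings:
        source = next((r for r in unmatched if r[0] == posted and r[2] == amount), None)
        if source is None:
            continue  # a posting with no cash behind it is a different problem
        unmatched.remove(source)
        if source[1] != credited:
            misapplied.append((posted, source[1], credited, amount))
    return misapplied


def credit_lag_days(receipts, postings):
    """For every check received, how many days passed before the payer's own
    account was credited for that amount; None means it never was."""
    lags = {}
    for received, customer, amount in receipts:
        later = [p for p, acct, a in postings
                 if acct == customer and a == amount and p >= received]
        lags[customer] = (min(later) - received).days if later else None
    return lags


if __name__ == "__main__":
    for posted, payer, credited, amount in find_misapplied(RECEIPTS, POSTINGS):
        print(f"{posted}: {amount} from {payer} was credited to {credited}")
    print(credit_lag_days(RECEIPTS, POSTINGS))  # A and B lag 7 days, C never credited
```

The signature of lapping is that every customer’s credit lags by exactly the gap to the next customer’s payment and the most recent payer is never credited at all. The control that makes this check possible is segregation of duties: the remittance list must come from someone who cannot post to the ledger, otherwise both sides of the comparison are under the perpetrator’s control.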

In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks. For example, suppose a fraud perpetrator opens checking accounts in three banks, called bank A, B and C, and deposits $100 in each account. Then the perpetrator “creates” cash by depositing a $1,000 check from bank A into bank B and then withdrawing the $1,000 from bank B. It takes two days for his check to clear bank A. Since there are insufficient funds in bank A to cover the $1,000 check, the perpetrator deposits a $1,000 check from bank C into bank A before his check to bank B clears bank A. Since bank C also has insufficient funds, $1,000 must be deposited to bank C before the check to bank A clears. The check to bank C is written on bank B, which also has insufficient funds. And the scheme continues. I have also seen situations where kiting includes credit cards along with checking accounts.

Since most banks require an initial deposit to open a checking account, an initial deposit of $100 in each bank was included above. The chart below gives a step-by-step picture of the kiting scheme using dates, balances and NSF due dates. The balances shown exclude the $100 opening deposits.

Step  Date  Bank A                 Bank B                 Perpetrator (cash)  Bank C
#1    1/1   $1,000 check written   +1,000 deposit
            Bal. -1,000            Bal. +1,000
            NSF due 1/3            No NSF due
#2    1/2                          W/D -1,000             +1,000
                                   Bal. -0-
#3    1/3   +1,000 deposit                                                    $1,000 check written
            Bal. -0-                                                          Bal. -1,000
            No NSF due                                                        NSF due 1/5
#4    1/5                          $1,000 check written                       +1,000 deposit
                                   Bal. -1,000                                Bal. -0-
                                   NSF due 1/7                                No NSF due
      1/7                          Deposit +1,000 (1)     -1,000
                                   Bal. -0-

Note 1: At this point the perpetrator may want to deposit the $1,000 he has held for 5 days (1/2 through 1/6) on the morning of 1/7 and start over again with bank A.

Legend: W/D = withdraws cash; NSF = nonsufficient funds; Bal. = balance
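To make the float mechanics concrete, here is an added example (not from the textbook or these notes) that replays the schedule in the chart against each bank’s ledger and shows why the scheme only works while the next check keeps arriving. The two-day clearing time, the $100 opening balances and the 2024 dates are assumptions; the round-trip ratio is a simple indicator of the kind a bank’s kiting-detection report uses (deposits that are checks drawn on the same customer’s other accounts).

```python
from datetime import date, timedelta

FLOAT_DAYS = 2   # assumed: a check takes two days to clear the bank it is drawn on
OPENING = 100    # the $100 opening deposit in each account, as in the text

# Constructed from the chart above: (date, kind, from_bank, to_bank, amount).
# "check" = a check drawn on from_bank deposited at to_bank;
# "cash_out"/"cash_in" = cash withdrawn from / deposited into from_bank.
SCHEDULE = [
    (date(2024, 1, 1), "check",    "A", "B",  1000),  # #1
    (date(2024, 1, 2), "cash_out", "B", None, 1000),  # #2: the kiter pockets $1,000
    (date(2024, 1, 3), "check",    "C", "A",  1000),  # #3: covers A before #1 clears
    (date(2024, 1, 5), "check",    "B", "C",  1000),  # #4: covers C before #3 clears
    (date(2024, 1, 7), "cash_in",  "B", None, 1000),  # note 1: covers B before #4 clears
]


def simulate(schedule, banks=("A", "B", "C"), float_days=FLOAT_DAYS):
    """Replay the schedule day by day against each bank's ledger.

    Deposits post the morning they are made; a check drawn on a bank is
    presented float_days later, after that day's deposits. Returns the final
    ledger balances and the (date, bank) pairs where a check bounced (NSF)."""
    ledger = {b: OPENING for b in banks}
    pending = []   # (presentment date, bank drawn on, amount)
    nsf = []
    day = min(t[0] for t in schedule)
    end = max(t[0] for t in schedule) + timedelta(days=float_days)
    while day <= end:
        for when, kind, src, dst, amount in schedule:
            if when != day:
                continue
            if kind == "check":
                ledger[dst] += amount     # provisional credit on uncollected funds
                pending.append((day + timedelta(days=float_days), src, amount))
            elif kind == "cash_out":
                ledger[src] -= amount
            elif kind == "cash_in":
                ledger[src] += amount
        for item in [p for p in pending if p[0] == day]:
            _, bank, amount = item
            pending.remove(item)
            if ledger[bank] >= amount:
                ledger[bank] -= amount
            else:
                nsf.append((day, bank))   # check returned: the kite collapses
        day += timedelta(days=1)
    return ledger, nsf


def round_trip_ratio(schedule, owned_by_customer):
    """Share of check deposits that are drawn on another account of the same
    customer. A kite consists of nothing else; ordinary customers rarely
    deposit checks written to themselves from their own other accounts."""
    checks = [t for t in schedule if t[1] == "check"]
    own = [t for t in checks if t[2] in owned_by_customer and t[3] in owned_by_customer]
    return len(own) / len(checks) if checks else 0.0


if __name__ == "__main__":
    print(simulate(SCHEDULE))          # every check is covered; no NSF
    print(simulate(SCHEDULE[:-1]))     # skip the 1/7 deposit: bank B bounces check #4
    print(round_trip_ratio(SCHEDULE, {"A", "B", "C"}))
```

Run with the full schedule, every ledger ends back at the $100 opening balance and nothing bounces, even though the perpetrator held $1,000 of the banks’ money for five days; drop the final deposit and bank B returns check #4 on 1/7. Because all three accounts belong to one customer, every deposit in the schedule is a round trip, which is the pattern banks look for.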

3. Convert the Theft or Misrepresentation to Personal Gain

In employee fraud, all fraud perpetrators go through the conversion phase unless they steal actual cash that can be spent or use the asset personally.

Table 5-4 on Page 152 lists some of the more frequently mentioned opportunities that permit employee and financial statement fraud.

Opportunities for fraud often stem from internal control factors.

A control feature many companies lack is a background check on all potential employees.

Rationalizations

Rationalization allows perpetrators to justify their illegal behavior.

A list of some of the rationalizations people use:

• I am only “borrowing” the money (or asset) and will repay my “loan.”

• You would understand if you knew how badly I needed it.

• What I did was not that serious.

• It was for a good cause (the Robin Hood syndrome: robbing from the rich to give to the poor).

• I occupy a very important position of trust. I am above the rules.

• Everyone else is doing it, so it is not that wrong.

• No one will ever know.

• The company owes it to me, and I am taking no more than is rightfully mine.

Learning Objective Three

Define computer fraud and discuss the different computer fraud classifications.

Computer Fraud
The U.S. Department of Justice defines computer fraud as any
illegal act for which knowledge of computer technology is
essential for its perpetration, investigation or prosecution.
More specifically, computer fraud includes the following:

• Unauthorized theft, use, access, modification, copying and destruction of software or data

• Theft of money by altering computer records

• Theft of computer time

• Theft or destruction of computer hardware

• Use of, or conspiracy to use, computer resources to commit a felony

• Intent to illegally obtain information or tangible property through the use of computers

The Association of Certified Fraud Examiners provides a general definition of computer fraud:

Any defalcation or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media and resulting in losses sustained by the organization whose computer system was manipulated.

Another definition of computer crime:

In a computer crime, the computer is involved, directly or indirectly, in committing the criminal act. Sabotage of computer facilities is classified as a direct computer crime, and unauthorized access to stored data is an indirect computer crime because the presence of the computer created the environment for committing the crime.

The Rise in Computer Fraud

Computer systems are particularly vulnerable to computer crimes for the following reasons:

• Billions of characters of data are stored in company databases. People who manage to break into these databases can steal, destroy or alter massive amounts of data in very little time.

• Organizations want employees, customers and suppliers to have access to their systems. The number and variety of these access points significantly increase the risks.

• Computer programs only need to be changed or modified once without permission for the system to operate improperly for as long as the system is in use.

• Modern systems utilize personal computers (PCs), which are inherently more vulnerable to security risks. It is difficult to control physical access to each networked PC. In addition, PCs and their data can be lost, stolen or misplaced.

• Computer systems face a number of unique challenges: reliability (i.e. accuracy, completeness), equipment failure, environmental dependency (i.e. power, damage from water or fire), vulnerability to electromagnetic interference and interruption, eavesdropping and misrouting.

The increase in computer fraud schemes is due to some of the following reasons:

1. Not everyone agrees on what constitutes computer fraud.

2. Many computer frauds go undetected. The FBI estimated that only one percent of all computer crime was detected, while others estimated it to be between 5 and 20%.

3. A high percentage of uncovered frauds are not reported.

4. Many networks have a low level of security.

5. Many Internet pages give step-by-step instructions on how to perpetrate computer crimes and abuses.

6. Law enforcement is unable to keep up with the growing number of computer frauds.

7. The total dollar value of losses is difficult to calculate.

Computer Fraud Classifications

As shown in Figure 5-2 on Page 156, one way to categorize computer fraud is to use the data processing model: input, processor, computer instructions, stored data and output.

Input

The simplest and most common way to commit fraud is to alter computer input. It requires little, if any, computer skill. Instead, perpetrators need only understand how the system operates so they can cover their tracks.

To commit payroll fraud, perpetrators can enter data to increase their salary, create a fictitious employee, or retain a terminated employee on the records.

Example of input fraud: a New York bank employee substituted forged deposit slips for the bank’s own, so that for three days deposits made with them were credited to his personal account. Then he disappeared and was never caught, as he had used an alias.

There are more examples on pages 155 and 156.
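Both the fired newspaper manager whose account stayed active (Learning Objective One) and the payroll frauds above are caught by the same control: reconciling the HR master file against every system that hands out something of value, whether a paycheck or a login. The following added example is not from the textbook or these notes; the employee records, pay run, bank accounts and login names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the text).
HR_MASTER = {  # employee id -> (name, termination date or None if still employed)
    "E100": ("Ann Lee", None),
    "E101": ("Bob Ruiz", date(2024, 2, 15)),   # fired in February
    "E102": ("Cy Park", None),
}
PAY_RUN = [    # (pay date, employee id, net pay, direct-deposit account)
    (date(2024, 3, 29), "E100", 3200.00, "ACCT-11"),
    (date(2024, 3, 29), "E101", 2900.00, "ACCT-22"),   # terminated, still on the register
    (date(2024, 3, 29), "E102", 3100.00, "ACCT-33"),
    (date(2024, 3, 29), "E999", 2800.00, "ACCT-33"),   # not in HR; paid into Cy's account
]
LOGIN_OF = {"E100": "alee", "E101": "bruiz", "E102": "cpark"}
ENABLED_LOGINS = {"alee", "bruiz", "cpark"}   # accounts still enabled on the file server


def audit(hr, pay_run, login_of, enabled_logins):
    """Cross-check the pay run and the login directory against HR.
    Returns the exceptions an auditor would follow up on."""
    findings = {"ghost_employee": [], "paid_after_termination": [],
                "shared_deposit_account": [], "terminated_login_enabled": []}
    by_account = defaultdict(list)
    for pay_date, emp, _net, account in pay_run:
        by_account[account].append(emp)
        if emp not in hr:
            findings["ghost_employee"].append(emp)          # fictitious employee
            continue
        terminated = hr[emp][1]
        if terminated is not None and pay_date > terminated:
            findings["paid_after_termination"].append(emp)  # retained on the records
    for account, emps in by_account.items():
        if len(emps) > 1:                                   # one bank account, two "people"
            findings["shared_deposit_account"].append((account, sorted(emps)))
    for emp, (_name, terminated) in hr.items():
        if terminated is not None and login_of.get(emp) in enabled_logins:
            findings["terminated_login_enabled"].append(login_of[emp])
    return findings


if __name__ == "__main__":
    for kind, items in audit(HR_MASTER, PAY_RUN, LOGIN_OF, ENABLED_LOGINS).items():
        print(f"{kind}: {items}")
```

Two design points matter. The termination date has to come from HR, not from the payroll or directory system being audited, or the perpetrator who controls that system can make the check pass. And the comparison must run every pay period, because a ghost employee is only visible in the run in which it is paid, and a stale login is only a risk while it stays enabled.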

Processor

Computer fraud can be committed through unauthorized system use, including the theft of computer time and services.

Example of processor fraud: employees of an insurance company were running an illegal gambling Web site. The employees hid the computers under the floor.

There are more examples on page 156.

Computer Instructions

Computer fraud can be accomplished by tampering with the software that processes company data.
Data

The greatest exposure in data fraud comes from employees with access to the data.

The most frequent type of data fraud is the illegal use of company data, typically by copying it, using it, or searching it without permission.

For example, an employee using a small flash drive or an iPod can steal large amounts of data and remove it without being detected.

The following are some recent examples of stolen data:

• The office manager of a Wall Street law firm found information about prospective mergers and acquisitions in the firm’s Word files. He sold the information to friends and relatives, who made several million dollars trading the securities illegally.

• A 22-year-old Kazakhstani man broke into Bloomberg’s network and stole account information, including that of Michael Bloomberg, the mayor of New York and the founder of the financial news company. He demanded $200,000 in exchange for not using or selling the information. He was arrested in London when accepting the ransom.

• A software engineer tried to steal Intel’s plans for a new microprocessor. Because he could view but not copy or print the manufacturing plans, he photographed them screen by screen late at night in his office. One of Intel’s controls was to notify security when the plans were viewed after hours. He was caught photographing the plans.

• Cyber-criminals used sophisticated hacking and identity theft techniques to break into accounts at seven major online brokerage firms. They sold the securities in those accounts and used the cash to pump up the price of 15 low-priced, thinly traded public companies they already owned. They then dumped the 15 stocks in their personal accounts for huge gains. E-Trade lost $18 million and Ameritrade $4 million in similar pump-and-dump schemes.

• The U.S. Department of Veterans Affairs was sued because an employee laptop that contained the records of 26.5 million veterans was stolen, exposing them all to identity theft. Later, another laptop with the records of 38,000 people disappeared from a subcontractor’s office.

Data can also be changed, damaged, destroyed or defaced.

Data also can be lost due to negligence or carelessness.

Deleting files does not erase them. Even reformatting a hard
drive often does not erase files or wipe the drive clean.

Output

Computer output, displayed on monitors or printed on paper, can be stolen or misused.

Fraud perpetrators can use computers and output devices to forge authentic-looking outputs. For example, a company laser printer could be used to prepare paychecks.

Computer Fraud and Abuse Techniques

These techniques are summarized in Table 5-5 on Page 158

Computer Attacks

Hacking is the unauthorized access to and use of computer


systems, usually by means of a personal computer and a
telecommunications network. Most hackers are able to break into
systems using known flaws in operating systems or application
programs, or as a result of poor access controls. Some hackers
are motivated by the challenge of breaking into computer systems
and just browse or look for things to copy and keep. Other
hackers have malicious intentions.

The following examples illustrate hacking attacks and the damage they cause:

• Several years ago, Russian hackers broke into Citibank’s system and stole $10 million from customer accounts.

• During Operation Desert Storm, Dutch hackers broke into computers at 34 different military sites and extracted confidential information. Among the information stolen were the troop movements and weapons used in the Iraq war. The group offered to sell the information to Iraq, but the government declined, probably because it feared it was a setup.

• A 17-year-old hacker, nicknamed Shadow Hawk, was convicted of electronically penetrating the Bell Laboratories national network, destroying files valued at $174,000, and copying 52 proprietary software programs worth $1.2 million. He published confidential information, such as telephone numbers, passwords and instructions on how to breach AT&T’s computer security system, on underground bulletin boards. He was sentenced to nine months in prison and given a $10,000 fine. Like Shadow Hawk, many hackers are fairly young, some as young as 12 and 13.

War dialing is programming a computer to dial thousands of phone numbers in search of dial-up modem lines.

War driving is driving around looking for unprotected wireless networks.

Some war drivers draw chalk symbols on sidewalks to mark unprotected wireless networks, referred to as war chalking.

One enterprising group of researchers went war rocketing. They sent rockets into the air that let loose wireless access points, each attached to a parachute.

A botnet, short for robot network, is a network of hijacked computers. Hijacking is gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge.

Hackers who control the hijacked computers, called bot herders, use the combined power of the infected machines, called zombies.

A denial-of-service attack occurs when an attacker sends so many e-mail bombs (thousands per second), often from randomly generated false addresses, that the Internet service provider’s e-mail server is overloaded and shuts down. Another denial-of-service attack is sending so many requests for Web pages that the Web server crashes.

A good example was when many people received so many e-mails, so fast, that they could not even delete them all; the flow was constant and they could do nothing else. As a result, some people now have more than one e-mail provider, one of which they use only to catch junk e-mail.

Most denial-of-service attacks are quite easy to accomplish and involve the following:

• The attacker infects a botnet with a denial-of-service program.

• The attacker activates the program and the zombie computers begin sending traffic (connection requests, e-mails or requests for data) to the computer being attacked, each carrying a forged source address. The victim computer responds to each request, not realizing the return address is fictitious, and holds resources open waiting for a reply that never comes.

• Because the victim computer is waiting for so many responses that never come, system performance degrades until the computer finally freezes (it does nothing but respond to the flood) or crashes.

• The attacker terminates the attack after an hour or two to limit the victim’s ability to trace the source of the attack.

Spamming is e-mailing the same unsolicited message to many people at the same time, often in an attempt to sell them something.

Spammers use very creative means to find valid e-mail addresses. They scan the Internet for addresses posted online and also hack into company databases and steal mailing lists. In addition, spammers stage dictionary attacks (also called directory harvest attacks) designed to uncover valid e-mail addresses.

Hackers also spam blogs, which are Web sites containing online journals, by placing random or nonsensical comments on blogs that allow visitor comments.

Splogs, or spam blogs, promote affiliated Web sites to increase their Google PageRank, a measure of how often a Web page is referenced by other Web pages.

Spoofing is making an e-mail message look as if someone else sent it.

A former Oracle employee was charged with breaking into the company’s computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for ending a relationship with the company’s chief executive. The employee was found guilty of forging the e-mail message and faced up to six years in jail.

A zero-day attack (or zero-hour attack) is an attack that exploits a newly discovered software vulnerability in the window before the software developer or security vendor releases the fix, called a patch. Until the patch is applied, there is nothing for signature-based defenses to match, so the vulnerable software is exposed to anyone who knows about the flaw.

Password cracking is penetrating a system’s defenses, stealing the file containing valid passwords, recovering the passwords from it, and using them to gain access to programs, files and data. The stolen file normally holds hashes rather than the passwords themselves, so “recovering” means guessing candidate passwords, hashing each guess and comparing; unsalted fast hashes make this cheap, while salted, deliberately slow hashes make it expensive.
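The added example below (not from the textbook or these notes) runs a small dictionary attack against a constructed credential store, first with unsalted SHA-256 and then with salted PBKDF2, to show what the storage format does to the attacker’s cost. The user names, passwords, word list and iteration count are constructed; a real deployment would use far more iterations.

```python
import hashlib
import os

# Constructed sample data (not from the text).
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "dragon"]
USERS = {"alice": "password1", "bob": "letmein", "carol": "T7#kq9!vLp2z"}  # carol's is off-list
ITERATIONS = 20_000   # kept low so the example runs quickly; production uses far more


def unsalted_store(users):
    """Worst case: one fast, unsalted hash per user."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return store


def crack_unsalted(store, wordlist):
    """Hash each guess once, then look every user up in the table: the cost is
    len(wordlist) no matter how many users there are. Returns (cracked, work)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist):
    """The salt makes the table useless: every (user, guess) pair is a separate
    slow derivation. Returns (cracked, number of derivations performed)."""
    cracked, work = {}, 0
    for u, (salt, iterations, digest) in store.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    print(crack_unsalted(unsalted_store(USERS), WORDLIST))  # alice and bob fall, 6 hashes
    print(crack_salted(salted_store(USERS), WORDLIST))      # same two, 13 slow derivations
```

Both stores give up the two weak passwords and neither gives up carol’s, which is not in the word list; the difference is cost. Against the unsalted store the attacker computes six hashes once and can reuse that table against every other stolen file. Against the salted store each guess must be recomputed per user with 20,000 iterations, which is what a password-storage design is supposed to buy.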

In masquerading, or impersonation, the perpetrator gains access to the system by pretending to be an authorized user. This approach requires the perpetrator to know the legitimate user’s ID and password.

Piggybacking has several meanings:

1. The clandestine use of a neighbor’s Wi-Fi network; this can be prevented by enabling the security feature (encryption and authentication) in the wireless network.

2. Tapping into a telecommunications line and electronically latching on to a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.

3. An unauthorized person passing through a secure door when an authorized person opens it, thereby bypassing physical security controls such as keypads, ID cards, or biometric identification scanners.

Data diddling is changing data before, during, or after it is entered into the system. The change can be made to delete, alter, or add key system data.

Data leakage refers to the unauthorized copying of company data.

A fraud perpetrator can use the salami technique to embezzle large sums of money a “salami slice” at a time from many different accounts (tiny slices of money are stolen over a period of time).

The round-down fraud technique is used most frequently in financial institutions that pay interest. In the typical scenario, the programmer instructs the computer to round down all interest calculations to two decimal places. The fraction of a cent that is rounded down on each calculation is put into the programmer’s account or one that he or she controls.
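Here is an added example (not from the textbook or these notes) that shows the round-down fraud in code next to the control that exposes it: recompute each account’s interest independently from the balance file and compare it with what was posted. The balances, rate, account numbers and the skim account are constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.005")   # assumed 6% annual rate, credited monthly
SKIM_ACCOUNT = "9999"             # account the programmer controls; it holds no balance

# Constructed balances (not from the text)
BALANCES = {
    "1001": Decimal("1234.56"),
    "1002": Decimal("98765.43"),
    "1003": Decimal("250.10"),
    "1004": Decimal("77777.77"),
}


def post_interest_honest(balances, rate):
    """Round each account's interest to the nearest cent (bankers' rounding)."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in balances.items()}


def post_interest_round_down(balances, rate, skim_account):
    """The fraud: truncate every account's interest and sweep the shaved
    fractions into the skim account. Fractions below a whole cent would be
    carried to the next run; here the run simply posts what it can."""
    postings, shaved = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        posted = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = posted
        shaved += exact - posted
    postings[skim_account] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def reconcile(balances, postings, rate, tolerance=Decimal("0.005")):
    """Control: recompute interest from the balance file and flag any posting
    that differs by more than half a cent, including postings to an account
    that has no interest-bearing balance at all."""
    flagged = []
    for acct, posted in postings.items():
        expected = balances.get(acct, Decimal("0")) * rate
        if abs(posted - expected) > tolerance:
            flagged.append(acct)
    return flagged


if __name__ == "__main__":
    honest = post_interest_honest(BALANCES, MONTHLY_RATE)
    fraud = post_interest_round_down(BALANCES, MONTHLY_RATE, SKIM_ACCOUNT)
    print("honest run flagged:", reconcile(BALANCES, honest, MONTHLY_RATE))
    print("fraudulent run flagged:", reconcile(BALANCES, fraud, MONTHLY_RATE))
```

A control that only compares the total interest posted with total interest computed will not catch this: the skim account is inside the same run, so the totals agree to within rounding. The per-account recomputation catches two customer accounts that were shorted by more than half a cent and, more tellingly, an account that received interest on a zero balance. Four accounts yield one cent; the technique pays because real institutions run it over millions of accounts every period.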

Phreaking is attacking phone systems to obtain free phone line access. Phreakers also use the telephone lines to transmit viruses and to access, steal and destroy data.

Economic espionage is the theft of information, trade secrets and intellectual property. This increased by 323% during one five-year period. The U.S. Department of Justice estimates that intellectual property theft losses total $250 billion a year. Almost 75% of these losses are attributable to an employee, former employee, contractor, or supplier.

A growing problem is cyber-extortion, in which fraud perpetrators threaten to harm a company if it does not pay a specified amount of money.

Internet terrorism occurs when hackers use the Internet to disrupt electronic commerce and to destroy company and individual communications.

Internet misinformation is using the Internet to spread false or misleading information about people or companies. This can be done in a number of ways, including inflammatory messages in online chats, setting up Web sites and spreading urban legends.

Fraud perpetrators are beginning to use unsolicited e-mail threats to defraud people. For example, Global Communications sent a message to many people threatening legal action if an unspecified overdue amount was not paid within 24 hours.

Many companies advertise online and pay based on how many users click on ads that take them to the company’s Web site. Advertisers pay from a few cents to over $10 for each click. Click fraud is intentionally clicking on these ads numerous times to inflate advertising bills.

Software piracy is copying software without the publisher’s permission. It is estimated that for every legal copy of software there are seven to eight illegal ones. I have seen some places where this is almost an accepted practice.

Social Engineering

In social engineering, perpetrators trick employees into giving them the information they need to get into the system.

Identity theft is assuming someone’s identity, usually for economic gain, by illegally obtaining and using confidential information such as the person’s Social Security number or their bank account or credit card number. Identity thieves benefit financially by taking funds out of the victim’s bank accounts, taking out mortgages or other loan obligations, and taking out credit cards and running up large debts.

In one case, a convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and then filed for bankruptcy in the victim’s name.

In pretexting, people act under false pretenses to gain confidential information. For example, they might pretend to be conducting a security survey and lull the person into disclosing confidential information by asking 10 innocent questions before asking the confidential ones.

Posing is creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering a product.

Phishing is sending out an e-mail, instant message, or text message pretending to be from a legitimate company, usually a financial institution, and requesting information. The recipient is asked to respond to the e-mail request, to visit a Web page and submit the data, or to respond to the text message.

In voice phishing, or vishing, e-mail recipients are asked to call a specified phone number, where a recording tells them to enter confidential data.

Phished (and otherwise stolen) credit card numbers can be bought and sold, which is called carding.

Pharming is redirecting a Web site’s traffic to a bogus (spoofed) Web site, usually to gain access to personal and confidential information. So how does pharming work? If you don’t know someone’s phone number, you look it up in a phone book. If you could change XYZ Company’s number in the phone book to your phone number, people calling XYZ Company would reach you instead. You could then ask them to divulge information only they would know to verify their identity. On the Internet the “phone book” is the Domain Name System (DNS): the attacker changes the answer to a name lookup, for instance by poisoning a DNS server’s cache or editing the hosts file on the victim’s computer, so that the correctly typed address leads to the bogus site.

An evil twin is when a hacker sets up a wireless network with the same name (called the Service Set Identifier, or SSID) as the wireless access point at a local hot spot or a corporation’s wireless network, so that victims’ devices connect to the attacker’s network instead of the real one.

Typosquatting, also called URL hijacking, is setting up Web sites with names very similar to real Web sites so that when users make mistakes, such as typographical errors, in entering a Web site name they are sent to an invalid site.

The typosquatter’s site may do the following:

• Trick the user into thinking she is at the real site by using a copied or similar logo, Web site layout, or content. These sites often contain advertising that would appeal to the person looking for the real domain name. The typosquatter might also be a competitor.

• Send the user to a site very different from what was wanted. In one famous case, a typosquatter sent people looking for sites that appealed to children to a pornographic Web site.

• Use the false address to distribute viruses, adware, spyware, or other malware.
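A defender can enumerate the names a typosquatter is likely to register and use that list to screen new domain registrations, e-mail senders or proxy logs. The following added example (not from the textbook or these notes) generates the common typo classes for a brand domain and checks a typed name against them; `example.com`, the keyboard-adjacency table and the top-level-domain slips are constructed for the example.

```python
from string import ascii_lowercase

# Keys next to each other on a QWERTY keyboard: the usual fat-finger source.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "wedxza",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
TLD_SLIPS = {"com": ["co", "cm", "om", "con", "net", "org"]}


def typo_variants(domain):
    """Return the set of look-alike names a typosquatter would register:
    one-character omissions, doubled letters, transpositions, adjacent-key
    substitutions, and common top-level-domain slips."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                    # omission: exmple
        names.add(name[:i] + ch + ch + name[i + 1:])          # doubled letter: exaample
        for alt in ADJACENT.get(ch, ""):
            names.add(name[:i] + alt + name[i + 1:])          # fat finger: exampke
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: exmaple
    variants = {n + "." + tld for n in names if n}
    variants |= {name + "." + t for t in TLD_SLIPS.get(tld, [])}   # example.co
    variants.discard(domain.lower())
    return variants


def matches_brand(typed, brands):
    """Which protected brand domains does `typed` look like a typo of?"""
    typed = typed.lower()
    return [b for b in brands if typed in typo_variants(b)]


if __name__ == "__main__":
    print(len(typo_variants("example.com")), "candidate names for example.com")
    print(matches_brand("exmaple.com", ["example.com"]))   # a hit
    print(matches_brand("example.com", ["example.com"]))   # the real name is not a variant
```

The generated list is what a brand owner feeds to a registration-monitoring service, and what a mail gateway compares sender domains against before delivering a message that claims to come from the company. Extending the same function with homoglyphs (digit 1 for letter l, rn for m) covers the look-alikes that the typo classes above do not.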

Scavenging, or dumpster diving, is gaining access to confidential information by searching corporate or personal records. Some identity thieves search garbage cans, communal trash bins, and city dumps to find documents or printouts with confidential company information. They also look for personal information such as checks, credit card statements, bank statements, tax returns, discarded applications for preapproved credit cards or other records that contain Social Security numbers, names, addresses, telephone numbers, and other data that allow them to assume an identity. Be sure to tear up (or preferably shred) your personal correspondence from banks and credit card companies to the point that the numbers cannot be read before you throw it in the trash, especially in a public trash container.

Shoulder surfing is watching people as they enter telephone calling card or credit card numbers, or listening to conversations as people give their credit card number over the telephone or to sales clerks.

Skimming is double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.

Chipping is posing as a service engineer and planting a small chip in a legitimate credit card reader.

Eavesdropping enables perpetrators to observe private communications or transmissions of data. One way to intercept signals is by setting up a wiretap.

Malware

This section describes malware, which is any software that can be used to do harm.

Spyware is software that secretly collects personal information about users and sends it to someone else without the user’s permission. The information is gathered by logging keystrokes, monitoring computing habits such as Web sites visited, and scanning documents on the computer’s hard disk.

Spyware infections, of which users are usually unaware, come from the following:

• Downloads such as file sharing programs, system utilities, games, wallpaper, screensavers, music and videos.

• Web sites that secretly download spyware when they are visited. This is called drive-by downloading.

• A hacker using security holes in Web browsers and other software.

• Programs masquerading as anti-spyware security software.

• A worm or virus.

• Public wireless networks. For example, users receive a message they believe is from the coffee shop or hotel whose wireless network they are using. Clicking on the message inadvertently downloads a Trojan horse or spyware application.

One type of spyware, called adware (short for advertising
supported software), does two things: First, it causes banner ads
to pop up on your monitor as you surf the Net. Second, it
collects information about the user’s Web-surfing and spending
habits and forwards it to the company gathering the data, often
an advertising or large media organization.

In a recent survey, 55% of companies had experienced a spyware,
adware, or some other malware infection. In larger organizations,
the average cost of getting rid of spyware is over $1.5 million a
year.

Another form of spyware, called a key logger, records computer
activity, such as a user’s keystrokes, emails sent and received,
Web sites visited, and chat session participation.

A Trojan horse is a set of malicious, unauthorized computer
instructions in an authorized and otherwise properly functioning
program. Some Trojan horses give the creator the power to
remotely control the victim’s computer. Unlike viruses and worms,
the code does not try to replicate itself.

Time bombs and logic bombs are Trojan horses that lie idle until
triggered by a specified time or circumstance. Once triggered,
the bomb goes off, destroying programs, data or both.

Company insiders, typically disgruntled programmers or other
systems personnel who want to get even with their company, write
many bombs.

A trap door, or back door, is a way into a system that bypasses
normal system controls. Programmers use trap doors to modify
programs during systems development and normally remove them
before the system is put into operation.

Packet sniffers are programs that capture data from information
packets as they travel over the Internet or company networks.
Captured data is sifted to find confidential information such as
user IDs and passwords, and confidential or proprietary
information that can be sold or otherwise used.
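To make concrete what a sniffer actually recovers from cleartext protocols, the following is an added example (it is not from the original text and does not describe any particular sniffer product). It scans a handful of constructed packet payloads for two common cases: an FTP login, where USER and PASS arrive in separate packets, and an HTTP Basic Authorization header, which is only base64 encoded. The payloads, host names and credentials are made up for the illustration; a TLS fragment is included to show that encrypted traffic yields nothing to this kind of sifting.

```python
import base64
import re

# Constructed sample payloads standing in for what a sniffer on a shared
# network segment would capture. Not real traffic.
SAMPLE_PAYLOADS = [
    b"USER alice\r\n",                                   # FTP login, command 1
    b"PASS s3cret!\r\n",                                 # FTP login, command 2
    (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),  # HTTP Basic auth
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",             # TLS record: nothing readable
]

FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def extract_credentials(payloads):
    """Return the credentials recoverable from cleartext payloads.

    FTP sends USER and PASS as separate commands, so the user name is carried
    across packets. HTTP Basic is base64, which is encoding, not encryption,
    so it decodes directly to user:password.
    """
    found = []
    pending_user = None
    for data in payloads:
        m = FTP_USER.search(data)
        if m:
            pending_user = m.group(1).decode("ascii", "replace")
            continue
        m = FTP_PASS.search(data)
        if m and pending_user is not None:
            found.append({"protocol": "ftp", "user": pending_user,
                          "password": m.group(1).decode("ascii", "replace")})
            pending_user = None
            continue
        m = HTTP_BASIC.search(data)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # malformed header: skip rather than abort the capture loop
            user, sep, password = decoded.partition(":")
            if sep:
                found.append({"protocol": "http-basic", "user": user,
                              "password": password})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_PAYLOADS):
        print(cred)
```

The two plaintext payloads each give up a full credential, the TLS bytes give up nothing, which is the whole argument for encrypting every protocol that carries a password rather than trusting the network segment.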

Steganography programs hide data from one file inside a host file,
such as a large image or sound file. There are more than 200
different steganographic software programs available on the
Internet.
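The mechanism most of those programs rely on is simple enough to show in full. What follows is an added example, not taken from the text or from any real steganography tool: it hides a payload in the least significant bit of each byte of a host file. To stay self-contained it uses a constructed 64x64 grayscale gradient as the host instead of a real image file; a 4-byte length prefix is the example's own framing convention, not a standard format.

```python
# Constructed 64x64 8-bit grayscale "image": a gradient, so no image library is needed.
CARRIER = bytes((i * 7 + 13) % 256 for i in range(64 * 64))
PAYLOAD = b"meet at dock 9"


def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def fits(carrier, payload):
    """One bit per carrier byte, plus the 4-byte length prefix."""
    return (len(payload) + 4) * 8 <= len(carrier)


def embed(carrier, payload):
    """Overwrite the low bit of successive carrier bytes with the message bits."""
    if not fits(carrier, payload):
        raise ValueError("carrier too small for payload")
    message = len(payload).to_bytes(4, "big") + payload
    out = bytearray(carrier)
    for idx, bit in enumerate(_bits(message)):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract(stego):
    """Read the length prefix from the low bits, then that many payload bytes."""
    bits = [b & 1 for b in stego]
    if len(bits) < 32:
        raise ValueError("object too small to carry a length prefix")

    def read(start, nbytes):
        chunk = bytearray()
        for k in range(nbytes):
            value = 0
            for bit in bits[start + k * 8: start + (k + 1) * 8]:
                value = (value << 1) | bit
            chunk.append(value)
        return bytes(chunk)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(bits):
        raise ValueError("length prefix does not fit: not an LSB stego object")
    return read(32, length)


def max_pixel_change(carrier, stego):
    """Largest per-pixel difference the embedding introduced (never more than 1)."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    hidden = embed(CARRIER, PAYLOAD)
    print(extract(hidden), "max pixel change:", max_pixel_change(CARRIER, hidden))
```

No pixel moves by more than one intensity level, which is why the host looks unchanged to a viewer and why file size and visual checks do not detect it; detection has to look at the statistics of the low-bit plane instead.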

A rootkit is software that conceals processes, files, network
connections, memory addresses, systems utility programs, and
system data from the operating system and other programs.
Rootkits often modify parts of the operating system or install
themselves as drivers.

Superzapping is the unauthorized use of special system programs
to bypass regular system controls and perform illegal acts.

A computer virus is a segment of self-replicating, executable
code that attaches itself to software. Many viruses have two
phases. In the first phase, the virus replicates itself and
spreads to other systems or files when some predefined event
occurs. In the attack phase, also triggered by some predefined
event, the virus carries out its mission.

In one survey, almost 90% of the respondents said their company
was infected with a virus within the prior 12 months.

During the attack phase, triggered by some predefined event,
viruses destroy or alter data or programs, take control of the
computer, destroy the hard disk’s file allocation table, delete
or rename files or directories, reformat the hard disk, or change
the content of files.

Symptoms of a computer virus include computers that will not
start or execute; unexpected read or write operations; an
inability to save files; long program load times; abnormally
large file sizes; slow systems operation; and unusual screen
activity, error messages, or file names.

The Sobig virus, written by Russian hackers, infected an
estimated 1 of every 17 e-mails several years ago.

The MyDoom virus infected 1 in 12 e-mails and did $4.75 billion
in damages.

It is estimated that viruses and worms cost businesses over $20
billion a year.

Most viruses attack computers, but all devices connected to the
Internet or that are part of a communications network run the
risk of being infected. Recent viruses have attacked cell phones
and personal digital assistants. These devices are infected
through text messages, Internet page downloads and Bluetooth
wireless technology.

Flaws in Bluetooth applications have opened up the system to
attack. Bluesnarfing is stealing (snarfing) contact lists, images
and other data from other devices using Bluetooth. Bluebugging is
taking control of someone else’s phone to make calls or send text
messages, or to listen to phone calls and monitor text messages
received.

A computer worm is a self-replicating computer program similar to
a virus except for the following three differences:

1. A virus is a segment of code hidden in or attached to a
host program or executable file, while a worm is a stand-
alone program.

2. A virus requires a human to do something (run a program,
open a file, etc.) to replicate itself, whereas a worm does
not and actively seeks to send copies of itself to other
devices on a network.

3. Worms harm networks (if only by consuming bandwidth),
whereas viruses infect or corrupt files or data on a
targeted computer.

Worms often reside in e-mail attachments, which, when opened or
activated, can damage the user’s system.

A worm usually does not “live” very long, but it is quite
destructive while “alive.”

More recently, MySpace had to go offline to disable a worm that
added over 1 million friends to the hacker’s site in less than a
day.

Learning Objective Four

Compare and contrast the approaches and techniques
that are used to commit computer fraud.

Preventing and Detecting Computer Fraud and Abuse

Table 5-6 on Page 174 provides a Summary of ways to Prevent and Detect
Computer Fraud.

- Make Fraud Less Likely To Occur

- Increase The Difficulty Of Committing Fraud

- Improve Detection Methods

- Reduce Fraud Losses

EMPLOYEE FRAUD SCHEMES

Cash

Cash is the focal point of most accounting entries. Cash, both on
deposit in banks and petty cash, can be misappropriated through many
different schemes. These schemes can be either on-book or off-book,
depending on where they occur. Generally, cash schemes are smaller than
other internal fraud schemes because companies tend to have
comprehensive internal controls over cash, and those internal controls
are adhered to. Cash fraud schemes follow general basic patterns,
including skimming, voids/under-rings, swapping checks for cash,
alteration of cash receipts tapes, fictitious refunds and discounts,
journal entries and kiting.

Skimming

Skimming involves removing cash from the entity before the cash is
recorded in the accounting system. (This is the accounting sense of the
term; it is unrelated to the card skimming described among the computer
fraud techniques above.) This is an off-book scheme; receipt of the cash
is never reported to the entity. A related type of scheme is to ring up
a sale for less than the actual sale amount. (The difference between the
actual sale and the amount on the cash register tape can then be
diverted.) This is of particular concern in retail operations (for
example, fast food restaurants) where much of the daily sales are in
cash, and not by check or credit card.

EXAMPLE

According to an investigation, fare revenues on the Chicago
Transit Authority’s (CTA) rail system allegedly were
misappropriated by agency employees. The statistics indicate that
the thefts were not confined to the one station that originally
was suspected and that the fare-skimming by transit workers might
have been reduced by news of the investigation. In the four days
after reports of skimming surfaced, about $792,000 was turned in
by station agents system wide. In a similar Monday through Friday
period only $723,000 was turned in by station agents.

CTA officials estimated that a planned installation of a $38
million automated fare-collection system would eliminate $6.5
million annually in revenue “shrinkage,” mostly from employee
theft. At least 10 workers have been investigated, including nine
ticket agents and one supervisor or clerk. Early reports
indicated that agents pocketed money after recording “transfer”
or “monthly passes” as cash-paying customers passed through
turnstiles.

Voids/Under-Rings

There are three basic voids/under-ring schemes. The first is to record
a sale/cash receipt and then void the same sale, thereby removing the
cash from the register. The second, and more common variation, is to
purchase merchandise at unauthorized discounts. The third scheme, which
is a variation of the unauthorized discount, is to sell merchandise to
a friend or co-conspirator using the employee’s discount. The
co-conspirator then returns the merchandise for a full refund,
disregarding the original discount.

EXAMPLE

Roberta Fellerman, a former Ball State University employee, was
indicted on federal charges of stealing about $105,000 from the
school’s bookstore operations. Fellerman was charged with
stealing the money over a thirty-three month period.

The thefts allegedly were from proceeds of the sales of books to
students who took Ball State courses through an “off-campus”
program at many cities around Indiana. Fellerman was in charge of
the sale of the books from the book store.

Fellerman was accused of altering records and taking currency
from a cash drawer. She was also charged with income tax
violations for failing to report the stolen money on her federal
tax returns.

Swapping Checks for Cash

One common method by which an employee can misappropriate cash is to
exchange his own check for cash in the cash register or cash drawer.
Periodically, a new check is written to replace the old check. This
process can be continued so that on any given day, there is a current
check for the cash removed. This is a form of unauthorized “borrowing”
from the company. Obviously, if it is company policy that cash
drawers or registers are reconciled at the conclusion of each day and
turned over to a custodian, then this fraud scheme is less likely to be
committed. However, if personnel are allowed to keep their own cash
drawers and only remit the day’s receipts, then this method of
unauthorized borrowing will be more common.

EXAMPLE

Lisa Smith, a Garfield High School fiscal clerk at a central
treasurer function, allegedly “borrowed” $2,400 by placing 23
personal checks in deposits which were made from various student
activities at decentralized locations. Ms. Smith placed a
personal check in each deposit as a method of keeping track of
the amount of money which had been “borrowed.” The transactions
were inappropriately delayed for up to 5 months.

Auditors detected the delayed transactions during an unannounced
cash count. On the day of the count, the fund custodian had only
a few hundred dollars in his bank account (confirmed by telephone
upon receipt of the custodian’s authorization). When all 23 personal
checks were deposited in the district’s account, several were
returned as NSF. After payday, all NSF checks subsequently
cleared the bank. The custodian’s employment with the district
was terminated.

Alteration of cash Receipts documentation

A lack of segregation of duties can create an opportunity for an
employee to misappropriate company funds. For example, if the same
person is responsible for both collecting and depositing the cash
receipts, then this person has the opportunity to remove funds from the
business for his own personal use and conceal such theft through the
deposits. This is often the case in smaller organizations where there
are few personnel to divide the daily operations. A variation of this
scheme is to mutilate or destroy the cash receipts documentation so
that any attempt to reconcile the cash deposited with the cash receipts
is thwarted.

EXAMPLE

An elected county treasurer allegedly stole $62,400 over a three
year period from property tax receipts. Every other day, after
cash receipt transactions were batched and posted to the
subsidiary accounting records, the treasurer altered the total
cash receipts and the actual deposit. Therefore, the control
account and the deposit were equal but that total did not match
the total postings to the individual tax payers’ accounts. In
each of the three years, the difference between the control
account receivable and the summation of the individuals in the
subsidiary accounts was written off. These were unsupported
accounting adjustments.

Evidence was obtained by reconstructing the three years’ cash
receipts and matching the differences between the total cash
receipts, control account and the individual (subsidiary)
accounts with the unsupported accounting adjustments.
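The evidence technique just described can be run as a reconciliation. The following is an added example with constructed figures (it is not from the text and is not the county's data): it rebuilds each batch total from the subsidiary postings, compares it with the control-account total and the deposit, and ties the resulting shortfall to the period-end adjustments that have no supporting document. The batch dates, taxpayer IDs, amounts and adjustment entries are all made up for the illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed records for three posting batches. Each receipt is posted to
# the taxpayer's subsidiary account; the treasurer then records the batch
# total in the control account and makes the deposit.
SUBSIDIARY_POSTINGS = [
    # (batch_date, taxpayer_id, amount)
    ("2024-03-01", "TP-1001", "1250.00"),
    ("2024-03-01", "TP-1002", "980.50"),
    ("2024-03-01", "TP-1003", "430.00"),
    ("2024-03-03", "TP-1004", "2100.00"),
    ("2024-03-03", "TP-1005", "775.25"),
    ("2024-03-05", "TP-1006", "640.00"),
    ("2024-03-05", "TP-1007", "1310.00"),
]

# What the treasurer recorded: (control_total, deposit). On 03-03 both were
# altered to the same lower figure, so control and deposit still agree.
CONTROL_AND_DEPOSIT = {
    "2024-03-01": ("2660.50", "2660.50"),
    "2024-03-03": ("2675.25", "2675.25"),
    "2024-03-05": ("1950.00", "1950.00"),
}

# Period-end journal entries; "support" is the document reference, None if absent.
ADJUSTMENTS = [
    {"date": "2024-03-31", "amount": "-200.00", "account": "taxes receivable control", "support": None},
    {"date": "2024-03-31", "amount": "-15.00",  "account": "taxes receivable control", "support": "bank fee memo 24-17"},
]


def reconcile(postings, control_and_deposit):
    """Rebuild every batch from the subsidiary ledger and compare it with the
    control total and the deposit. A deposit-to-control check alone passes here."""
    by_batch = defaultdict(Decimal)
    for batch_date, _taxpayer, amount in postings:
        by_batch[batch_date] += Decimal(amount)
    rows = []
    for batch_date in sorted(by_batch):
        control, deposit = (Decimal(x) for x in control_and_deposit[batch_date])
        rows.append({
            "date": batch_date,
            "subsidiary_sum": by_batch[batch_date],
            "control_total": control,
            "deposit": deposit,
            "control_matches_deposit": control == deposit,
            "shortfall": by_batch[batch_date] - control,
        })
    return rows


def unsupported_adjustments(adjustments):
    """Journal entries with no document behind them."""
    return [a for a in adjustments if a["support"] is None]


def tie_shortfalls_to_writeoffs(rows, adjustments):
    """The pattern from the example: the shortfall between the subsidiary
    accounts and the control account is made to vanish by unsupported
    adjustments of the same total."""
    total_shortfall = sum((r["shortfall"] for r in rows), Decimal("0"))
    unsupported_total = sum((Decimal(a["amount"]) for a in unsupported_adjustments(adjustments)),
                            Decimal("0"))
    return {
        "total_shortfall": total_shortfall,
        "unsupported_total": unsupported_total,
        "explained_by_unsupported_writeoffs": total_shortfall + unsupported_total == 0,
    }


if __name__ == "__main__":
    rows = reconcile(SUBSIDIARY_POSTINGS, CONTROL_AND_DEPOSIT)
    for r in rows:
        print(r["date"], "short by", r["shortfall"])
    print(tie_shortfalls_to_writeoffs(rows, ADJUSTMENTS))
```

The point the example makes is that comparing the deposit with the control account finds nothing, because the same person altered both; only the sum of the individual subsidiary accounts, which the treasurer could not alter without the taxpayers noticing, exposes the difference.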

Fictitious Refunds and Discounts

Fictitious refunds occur when an employee enters a transaction as if a
refund were given; however, no merchandise is returned, or no discount
is approved that substantiates the refund or discount. The employee
misappropriates funds equal to the fictitious refund or discount. This
scheme is most prevalent in the retail/merchandise industry; however,
it can occur in any operation in which a refund or discount is given.

EXAMPLE

Dora Malfrici, a former New York University student financial aid
official, was charged along with her husband Salvatore with
stealing $4.1 million. This was allegedly done by falsifying more
than a thousand tuition refund checks. The loss was described as
one of the largest embezzlements ever uncovered at a U.S.
university. The money was allegedly taken from the Tuition
Assistance Program, operated by the New York State Higher
Education Services Corporation to provide expense money to needy
students. However, NYU officials assert that the funds came from
a University account, not from State money.

Malfrici’s job was to assure that students entitled to funds from
the Corporation received their checks. According to the U.S.
Attorney, she arranged for checks to be made out to hundreds of
legitimate NYU students who were not entitled to receive any
funds. These students were kept unaware of this because the
checks were deposited into bank accounts in Manhattan and New
Jersey that allegedly were controlled by the Malfricis. These
checks were made over to Elizabeth Pappa before being deposited
into accounts in that name. Some other checks were made payable
directly to Pappa. The FBI was unable to locate Elizabeth Pappa
and believes that such a person never existed. Reportedly the
Malfricis spent $785,000 of the funds in question on expensive
jewelry and $85,000 of the money on Florida real estate.
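The voids/under-rings and fictitious refunds schemes above both leave traces in the register journal when the right records are joined. The following is an added example, not from the text or from any point-of-sale product, that runs three detection checks over a constructed register journal: a void of a sale the same cashier rang up minutes earlier with no supervisor approval, a refund for which no merchandise was ever received back into inventory, and each cashier's void-plus-refund rate against peers. The events, cashier IDs, SKUs and the 15-minute window are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed register journal: (timestamp, register, cashier, event type,
# transaction id, amount, approving supervisor or None). Not real POS data.
EVENTS = [
    ("2024-05-02 09:15", "R1", "C07", "sale",   "T100", 42.00, None),
    ("2024-05-02 09:17", "R1", "C07", "void",   "T100", 42.00, None),   # unapproved, 2 minutes later
    ("2024-05-02 10:05", "R2", "C12", "sale",   "T101", 19.99, None),
    ("2024-05-02 10:40", "R2", "C12", "void",   "T101", 19.99, "M01"),  # supervisor-approved correction
    ("2024-05-02 11:30", "R1", "C07", "refund", "T102", 65.00, None),
    ("2024-05-02 12:10", "R1", "C07", "refund", "T103", 58.00, None),   # nothing came back to stock
    ("2024-05-02 13:00", "R2", "C12", "sale",   "T104", 12.50, None),
]

# Constructed inventory receipts for returned merchandise: (transaction id, SKU).
RETURNS = [("T102", "SKU-3341")]


def _parse(events):
    keys = ("ts", "register", "cashier", "type", "txn", "amount", "approved_by")
    rows = [dict(zip(keys, e)) for e in events]
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M")
    return rows


def unapproved_voids(events, window=timedelta(minutes=15)):
    """A void, without supervisor approval, of a sale the same cashier rang up
    moments earlier: the customer's cash is in the drawer but the sale is gone."""
    rows = _parse(events)
    sales = {r["txn"]: r for r in rows if r["type"] == "sale"}
    flagged = []
    for r in rows:
        if r["type"] != "void" or r["approved_by"]:
            continue
        s = sales.get(r["txn"])
        if (s and s["cashier"] == r["cashier"] and s["amount"] == r["amount"]
                and timedelta(0) <= r["ts"] - s["ts"] <= window):
            flagged.append(r["txn"])
    return flagged


def refunds_without_returns(events, returns):
    """Refund issued, but no merchandise was ever received back into inventory."""
    returned = {txn for txn, _sku in returns}
    return [r["txn"] for r in _parse(events)
            if r["type"] == "refund" and r["txn"] not in returned]


def adjustment_rate_by_cashier(events):
    """Share of each cashier's events that are voids or refunds. An outlier
    against peers is the candidate for an unannounced cash count and review."""
    totals, adjustments = Counter(), Counter()
    for r in _parse(events):
        totals[r["cashier"]] += 1
        if r["type"] in ("void", "refund"):
            adjustments[r["cashier"]] += 1
    return {c: adjustments[c] / totals[c] for c in totals}


if __name__ == "__main__":
    print("unapproved voids:", unapproved_voids(EVENTS))
    print("refunds with no return:", refunds_without_returns(EVENTS, RETURNS))
    print("adjustment rate:", adjustment_rate_by_cashier(EVENTS))
```

Two limits are worth stating. An under-ring (ringing less than the customer paid) leaves no register trace at all, so it is only found by comparing inventory counts with recorded sales or by observation. And the employee-discount variant is caught by checking that a refund never exceeds the price actually paid on the original sale, which needs the original transaction joined to the refund, as the void check above does.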

Kiting

Kiting is the process whereby cash is recorded in more than one bank
account, but in reality, the cash is either nonexistent or is in
transit. Kiting schemes can be perpetrated using one bank and more than
one account or between several banks and several different accounts.

Although banks generally have a daily report that indicates potential
kiting schemes, experience has shown that they are somewhat hesitant to
report the scheme until the balance in their customers’ accounts is
zero.

There is one important element to check kiting schemes: all kiting
schemes require banks to pay on unfunded deposits. This is not to say
that all payments on unfunded deposits are kiting schemes, but rather,
that all kiting schemes require payments be made on unfunded deposits.
In other words, if a bank allows its customers to withdraw funds on
deposits for which the bank has not yet collected the cash, then kiting
schemes are possible. In today’s environment where customers use wire
transfers, kiting schemes can be perpetrated very quickly and in very
large numbers.

EXAMPLE

Ronald W.P. Sylvia, 59, and his son-in-law, Philip L. Grandone,
33, both of Dartmouth, admitted to participating in a check-
kiting scheme that bilked the Bank of Boston out of $907,000.
Grandone, owner of two pharmacies in the New Bedford area, had
cash-flow problems when Sylvia, operator of two auto sales and
leasing businesses, offered to write a check to cover some of his
son-in-law’s operating expenses. Grandone repaid that $50,000
loan within a few days, but borrowed again and again “in ever-
increasing amounts” to bring fresh infusions of cash into his
faltering pharmacy businesses. An exchange of checks between
Grandone and Sylvia eventually occurred literally daily until
Sylvia’s bank caught on to the float scheme and froze Sylvia’s
account.

Cut off from Sylvia’s supply of cash, Grandone’s account with the
Bank of Boston was left overdrawn by $907,000. Grandone was
ordered to make restitution to the Bank of Boston.
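The two things a bank's daily kiting report has to detect are stated in the discussion above: checks paid out of deposits the bank has not yet collected, and checks circulating in both directions between related accounts in growing amounts. The following is an added example that implements both checks over a constructed ledger for two accounts at different banks (it is not from the text and is not a reconstruction of the Sylvia/Grandone figures). The two-day availability hold, the account names, dates and amounts are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

HOLD_DAYS = 2  # assumed availability hold on deposited checks (an assumption for the example)

# Constructed ledger entries for two accounts at different banks that are
# controlled by related parties. Tuple layout:
#   (date, account, kind, amount, counterparty)
# kind is "deposit" (a check drawn on counterparty deposited here) or
# "paid" (a check drawn on this account, presented for payment by counterparty).
OPENING_COLLECTED = {"A": 3000.0, "B": 2500.0}
ENTRIES = [
    ("2024-06-03", "B", "deposit", 50000.0, "A"),
    ("2024-06-03", "B", "paid",    45000.0, "SUPPLIER"),  # the real business need
    ("2024-06-04", "A", "deposit", 52000.0, "B"),
    ("2024-06-05", "A", "paid",    50000.0, "B"),         # A's first check is presented
    ("2024-06-05", "B", "deposit", 55000.0, "A"),
    ("2024-06-06", "B", "paid",    52000.0, "A"),
    ("2024-06-06", "A", "deposit", 58000.0, "B"),
    ("2024-06-07", "A", "paid",    55000.0, "B"),
    ("2024-06-07", "B", "deposit", 60000.0, "A"),
]


def unfunded_payments(entries, opening, hold_days=HOLD_DAYS):
    """Replay each account's activity and flag every check the bank pays out of
    deposits it has not yet collected. Without these payments kiting cannot work."""
    collected = dict(opening)        # funds actually available per account
    pending = defaultdict(list)      # account -> [(available_on, amount)]
    flagged = []
    for day_s, acct, kind, amount, _cp in sorted(entries, key=lambda e: e[0]):
        day = date.fromisoformat(day_s)
        # Release deposits whose hold has expired as of this entry's date.
        still_held = []
        for available_on, held in pending[acct]:
            if available_on <= day:
                collected[acct] += held
            else:
                still_held.append((available_on, held))
        pending[acct] = still_held
        if kind == "deposit":
            pending[acct].append((day + timedelta(days=hold_days), amount))
        elif kind == "paid":
            if amount > collected[acct]:
                flagged.append((acct, day_s, amount, collected[acct]))
            collected[acct] -= amount
    return flagged


def reciprocal_check_flow(entries):
    """Checks moving in both directions between the same two accounts, in
    amounts that keep growing, is the float pattern a daily report looks for."""
    flows = defaultdict(list)        # (drawn_on, deposited_into) -> [(date, amount)]
    for day_s, acct, kind, amount, cp in sorted(entries, key=lambda e: e[0]):
        if kind == "deposit":
            flows[(cp, acct)].append((day_s, amount))
    report = {}
    for (src, dst), items in flows.items():
        back = flows.get((dst, src))
        if not back:
            continue
        pair = tuple(sorted((src, dst)))
        if pair in report:
            continue
        amounts = [amt for _d, amt in sorted(items + back)]   # chronological, both directions
        report[pair] = {
            "count": len(amounts),
            "total": sum(amounts),
            "escalating": all(a < b for a, b in zip(amounts, amounts[1:])),
        }
    return report


if __name__ == "__main__":
    for flag in unfunded_payments(ENTRIES, OPENING_COLLECTED):
        print("paid on uncollected funds:", flag)
    print(reciprocal_check_flow(ENTRIES))
```

Every check in the constructed ledger after the opening balances is paid against money the bank has not collected, and the A-to-B-to-A flow escalates from 50,000 to 60,000 in four days; either signal alone is worth a hold on the account, and together they are the scheme. The same replay also shows why the bank that freezes first loses least: the last account left holding uncollected deposits absorbs the overdraft.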
