Course: Z0257 Accounting Information System And Internal Control (2/2)
Effective Period: September 2015

Computer Fraud
Session 5

Acknowledgement

These slides have been adapted from:

Romney, Marshall B. and Steinbart, Paul J. (2012). Accounting Information Systems. 12th edition. Pearson Education, London. ISBN: 9780273754374.

Chapter 5 and Chapter 6

Learning Objectives

- Explain the threats faced by modern information systems.
- Define fraud and describe the process one follows to perpetrate a fraud.
- Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
- Define computer fraud and discuss the different computer fraud classifications.
- Explain how to prevent and detect computer fraud and abuse.

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

Learning Objectives

- Compare and contrast computer attack and abuse tactics.
- Explain how social engineering techniques are used to gain physical or logical access to computer resources.
- Describe the different types of malware used to harm computers.

Common Threats to AIS

- Natural Disasters and Terrorist Threats
- Software Errors and/or Equipment Malfunction
- Unintentional Acts (Human Error)
- Intentional Acts (Computer Crimes)

What Is Fraud?

Gaining an unfair advantage over another person. Elements of fraud:

- A false statement, representation, or disclosure
- A material fact that induces a person to act
- An intent to deceive
- A justifiable reliance on the fraudulent fact, on which a person takes action
- An injury or loss suffered by the victim

Individuals who commit fraud are referred to as white-collar criminals.

Forms of Fraud

Misappropriation of assets
- Theft of a company's assets.
- Largest factors for theft of assets:
  - Absence of an internal control system
  - Failure to enforce the internal control system

Fraudulent financial reporting
- Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements (The Treadway Commission).

Reasons for Fraudulent Financial Statements

1. Deceive investors or creditors
2. Increase a company's stock price
3. Meet cash flow needs
4. Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud

1. Establish an environment which supports the integrity of the financial reporting process.
2. Identify the factors that lead to fraud.
3. Assess the risk of fraud within the company.
4. Design and implement internal controls to provide assurance that fraud is being prevented.

SAS #99

Auditors' responsibility to detect fraud:

- Understand fraud
- Discuss risks of material fraudulent statements among members of the audit team
- Obtain information: look for fraud risk factors
- Identify, assess, and respond to risk
- Evaluate the results of audit tests: determine the impact of fraud on the financial statements
- Document and communicate findings (see Chapter 3)
- Incorporate a technological focus

The Fraud Triangle

Three conditions that are present when fraud occurs: Pressure, Opportunity, and Rationalization (the original slide shows them as the three sides of a triangle; each is covered on the following slides).

Pressure

Motivation or incentive to commit fraud.

Types:
1. Employee
   - Financial
   - Emotional
   - Lifestyle
2. Financial
   - Industry conditions
   - Management characteristics

Opportunity

Condition or situation that allows a person or organization to:
1. Commit the fraud
2. Conceal the fraud (e.g., lapping, kiting)
3. Convert the theft or misrepresentation to personal gain

Rationalizations

Justification of illegal behavior:
1. Justification: "I am not being dishonest."
2. Attitude: "I don't need to be honest."
3. Lack of personal integrity: theft is valued higher than honesty or integrity.

Computer Fraud

Any illegal act in which knowledge of computer technology is necessary for:
- Perpetration
- Investigation
- Prosecution

Rise of Computer Fraud

1. Definition is not agreed on
2. Many go undetected
3. High percentage is not reported
4. Lack of network security
5. Step-by-step guides are easily available
6. Law enforcement is overburdened
7. Difficulty calculating loss

Computer Fraud Classifications

Input Fraud
- Alteration or falsifying of input

Processor Fraud
- Unauthorized system use

Computer Instructions Fraud
- Modifying software, illegal copying of software, using software in an unauthorized manner, creating software to undertake unauthorized activities

Data Fraud
- Illegally using, copying, browsing, searching, or harming company data

Output Fraud
- Stealing, copying, or misusing computer printouts or displayed information

Computer Attacks and Abuse

Hacking
- Unauthorized access, modification, or use of a computer system or other electronic device

Social Engineering
- Techniques, usually psychological tricks, to gain access to sensitive data or information
- Used to gain access to secure systems or locations

Malware
- Any software which can be used to do harm

Types of Computer Attacks

Botnet (Robot Network)
- Network of hijacked computers
- Hijacked computers carry out processes without the user's knowledge
- Zombie: a hijacked computer

Denial-of-Service (DoS) Attack
- Constant stream of requests made to a Web server (usually via a botnet) that overwhelms and shuts down service

Spoofing
- Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information

Types of Spoofing

E-mail
- E-mail sender appears as if it comes from a different source

Caller-ID
- Incorrect number is displayed

IP address
- Forged IP address to conceal the identity of the sender of data over the Internet or to impersonate another computer system

Address Resolution Protocol (ARP)
- Allows a computer on a LAN to intercept traffic meant for any other computer on the LAN

SMS
- Incorrect number or name appears, similar to caller-ID but for text messaging

Web page
- Phishing (see Social Engineering Techniques)

DNS
- Intercepting a request for a Web service and sending the request to a false service
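The ARP spoofing entry above says that a computer on a LAN can redirect traffic meant for another machine by answering for its address. A simple defensive check is to compare the current ARP cache against a known-good baseline and flag any IP whose hardware address has changed, or any single hardware address that now answers for the gateway as well as another host. The Python script below is an added example, not part of these slides or of the Romney and Steinbart text; the two ARP dumps are constructed to look like Linux `arp -n` output, and the IP addresses, MAC addresses and gateway address are invented.

```python
import re

# Constructed ARP cache dumps in the layout of Linux `arp -n` output (invented addresses).
BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.50             ether   aa:bb:cc:dd:ee:50   C                     eth0
192.168.1.60             ether   aa:bb:cc:dd:ee:60   C                     eth0
"""

# Same LAN later: the gateway entry now carries the MAC of 192.168.1.50.
SUSPECT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:50   C                     eth0
192.168.1.50             ether   aa:bb:cc:dd:ee:50   C                     eth0
192.168.1.60             ether   aa:bb:cc:dd:ee:60   C                     eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from an `arp -n` style dump; header and incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not MAC_RE.match(fields[2]):
            continue  # header line or an "(incomplete)" entry without a MAC
        table[fields[0]] = fields[2].lower()
    return table


def find_arp_anomalies(snapshot, baseline, gateway_ip):
    """Compare a fresh ARP snapshot with the baseline and return a list of alert tuples."""
    alerts = []
    # 1. An IP we have seen before now resolves to a different hardware address.
    for ip, mac in snapshot.items():
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("mac-changed", ip, baseline[ip], mac))
    # 2. One hardware address answers for the gateway and for another host at once.
    by_mac = {}
    for ip, mac in snapshot.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(("gateway-mac-shared", gateway_ip, mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    for name, dump in (("baseline", BASELINE), ("suspect", SUSPECT)):
        print(name, find_arp_anomalies(parse_arp_table(dump), base, "192.168.1.1"))
```

The baseline must be captured while the network is known to be clean; the check only tells you that the cache has changed, not who changed it, so an alert is a prompt to look at switch port records or packet captures rather than a conclusion on its own.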

Hacking Attacks

Cross-Site Scripting (XSS)
- Unwanted code is sent via dynamic Web pages disguised as user input.

Buffer Overflow
- Data is sent that exceeds the capacity the program set aside for it, causing program instructions to be lost and replaced with attacker instructions.

SQL Injection (Insertion)
- Malicious code is inserted in place of a query to a database system.

Man-in-the-Middle
- Hacker places themselves between client and host.
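The SQL injection entry above is easiest to understand by seeing why the attack works and what stops it: when a program pastes user input into the text of a query, the database cannot tell the input from the query. The Python script below is an added example, not code from these slides or from the Romney and Steinbart text. It builds a constructed in-memory SQLite table standing in for a customer file in an AIS, then runs the same lookup two ways: once by string concatenation (the defect) and once with a parameterized query (the control), so the difference in results is visible.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory customer table; names and balances are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", 100.0), (2, "bob", 250.0), (3, "carol", 75.5)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Defective form: the query text is built by concatenation, so the caller's
    input becomes part of the SQL statement itself."""
    sql = "SELECT name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Control: the query text is fixed and the value travels separately as data,
    so quotes or keywords in the input are matched literally, never executed."""
    sql = "SELECT name, balance FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    tainted = "x' OR '1'='1"  # constructed input that closes the quote and adds a condition
    print("vulnerable:    ", lookup_vulnerable(db, tainted))    # every row comes back
    print("parameterized: ", lookup_parameterized(db, tainted))  # no customer has that name
```

For an auditor, the control to look for is that every database call in the application uses parameters (or an ORM that does so) rather than assembling SQL from input; the test of that control is exactly the comparison the script makes.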

Additional Hacking Attacks

Password Cracking
- Penetrating system security to steal passwords.

War Dialing
- Computer automatically dials phone numbers looking for modems.

Phreaking
- Attacks on phone systems to obtain free phone service.

Data Diddling
- Making changes to data before, during, or after it is entered into a system.

Data Leakage
- Unauthorized copying of company data.

Hacking Embezzlement Schemes

Salami Technique
- Taking small amounts from many different accounts.

Economic Espionage
- Theft of information, trade secrets, and intellectual property.

Cyber-Bullying
- Using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.

Internet Terrorism
- Act of disrupting electronic commerce and harming computers and communications.

Internet Misinformation
- Defined on the next slide.
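The salami technique above depends on each individual amount being too small to notice, so the detection has to look at the destination rather than at any one transaction: an account that collects tiny sums from many unrelated sources is the signature. The Python script below is an added example, not from these slides or from the Romney and Steinbart text. The ledger rows are constructed, and the thresholds (`max_amount`, `min_sources`) are assumed tuning values an auditor would set from the company's own transaction profile.

```python
from collections import defaultdict

# Constructed ledger rows: (transaction id, source account, destination account, amount).
# Account numbers and amounts are invented; ACC-9999 collects rounding-sized sums.
TRANSACTIONS = [
    ("t1", "ACC-1001", "ACC-2001", 1500.00),
    ("t2", "ACC-1001", "ACC-9999", 0.03),
    ("t3", "ACC-1002", "ACC-9999", 0.02),
    ("t4", "ACC-1003", "ACC-9999", 0.04),
    ("t5", "ACC-1004", "ACC-9999", 0.01),
    ("t6", "ACC-1005", "ACC-9999", 0.03),
    ("t7", "ACC-1006", "ACC-2001", 220.00),
    ("t8", "ACC-1007", "ACC-9999", 0.02),
]


def find_salami_destinations(transactions, max_amount=0.05, min_sources=5):
    """Return {destination: (distinct source count, total)} for destinations that
    receive amounts at or below max_amount from at least min_sources distinct sources.

    max_amount and min_sources are assumed thresholds; tune them to the ledger."""
    sources = defaultdict(set)
    totals = defaultdict(float)
    for _, src, dst, amount in transactions:
        if 0 < amount <= max_amount:  # only the "slices" count toward the pattern
            sources[dst].add(src)
            totals[dst] += amount
    return {
        dst: (len(srcs), round(totals[dst], 2))
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for dst, (count, total) in find_salami_destinations(TRANSACTIONS).items():
        print(f"{dst}: {count} distinct sources, {total:.2f} collected in small amounts")
```

Large legitimate transfers to the same destination do not mask the pattern, because only the sub-threshold amounts are counted; in practice the report is run over a period (a month, a quarter) and the flagged accounts are reconciled against the payee master file.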

Hacking for Fraud

Internet Misinformation
- Using the Internet to spread false or misleading information

Internet Auction
- Using an Internet auction site to defraud another person:
  - Unfairly drive up bidding
  - Seller delivers inferior merchandise or fails to deliver at all
  - Buyer fails to make payment

Internet Pump-and-Dump
- Using the Internet to pump up the price of a stock and then selling it

Social Engineering Techniques

Identity Theft
- Assuming someone else's identity

Pretexting
- Inventing a scenario that will lull someone into divulging sensitive information

Typosquatting
- Typographical errors when entering a Web site name cause an invalid site to be accessed

Tabnapping
- Changing an already open browser tab

Posing
- Using a fake business to acquire sensitive information

Scavenging
- Looking for sensitive information in items thrown away

Phishing
- Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames

Shoulder Surfing
- Snooping over someone's shoulder for sensitive information

Pharming
- Redirecting Web site traffic to a spoofed Web site
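Typosquatting and pharming both rely on a host name that is not the one the user meant. A proxy, mail gateway or browser extension can catch many of these by comparing the host name against the organization's own list of legitimate domains: an exact match or a subdomain is fine, a known domain buried inside a longer host name is a lookalike, and a name within a couple of character edits of a known one is a probable typo. The Python below is an added example, not from these slides or from the Romney and Steinbart text; the allow-list and the host names it is tried on are constructed, and the edit-distance cut-off of 2 is an assumed setting.

```python
# Constructed allow-list of the organization's legitimate domains.
KNOWN_DOMAINS = ["example.com", "example-bank.com"]


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character insertions, deletions and
    substitutions needed to turn a into b (classic dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute (free if equal)
        prev = cur
    return prev[-1]


def classify_domain(host, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, matched known domain or None) for a host name.

    Verdicts: "known" (exact or legitimate subdomain), "lookalike" (a known
    domain embedded in a longer name), "possible-typosquat" (within
    max_distance edits of a known domain), or "unknown"."""
    host = host.strip().lower().rstrip(".")
    # Exact match or a real subdomain of a known domain, e.g. login.example.com
    for k in known:
        if host == k or host.endswith("." + k):
            return ("known", k)
    # Known name used as a prefix or label of something else, e.g. example.com.evil.net
    for k in known:
        if k in host:
            return ("lookalike", k)
    # Close misspelling of a known domain; max_distance is an assumed tuning value.
    closest = min(known, key=lambda k: edit_distance(host, k))
    if edit_distance(host, closest) <= max_distance:
        return ("possible-typosquat", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ["example.com", "login.example.com", "exmaple.com",
              "example.com.evil.net", "totally-different.org"]:
        print(f"{h:25s} -> {classify_domain(h)}")
```

The check is deliberately conservative: anything not on the list is at best "unknown", and the "possible-typosquat" and "lookalike" verdicts are meant to trigger a warning page or a review queue rather than a silent block, since a short allow-list will also catch legitimate partner domains that happen to be similar.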

More Social Engineering

Lebanese Looping
- Capturing ATM PINs and card numbers

Skimming
- Double-swiping a credit card

Chipping
- Planting a device to read credit card information in a credit card reader

Eavesdropping
- Listening to private communications

Types of Malware

Spyware
- Secretly monitors and collects personal information about users and sends it to someone else

Adware
- Pops banner ads up on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator

Key logging
- Records computer activity, such as a user's keystrokes, e-mails sent and received, Web sites visited, and chat session participation

Trojan Horse
- Malicious computer instructions in an authorized and otherwise properly functioning program

Time bombs/logic bombs
- Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur

More Malware

Trap Door/Back Door
- A way into a system that bypasses normal authorization and authentication controls

Packet Sniffers
- Capture data from information packets as they travel over networks

Rootkit
- Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information

Superzapping
- Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail

Thank You
