CHAPTER 13

EXTERNAL FRAUD SCHEMES

LEARNING OBJECTIVES

After studying this chapter, you should be able to:

13-1 List the three sources of external fraud threats
13-2 Explain why organizations are vulnerable to external fraud
13-3 Discuss the types of fraud threats posed by customers
13-4 Identify two types of check fraud schemes
13-5 Define the term “paperhanger”
13-6 Be familiar with the methods identified in this chapter for preventing and detecting check fraud
13-7 Define credit card fraud and identify two types of credit card fraud schemes
13-8 Be familiar with the methods identified in this chapter for preventing and detecting credit card fraud
13-9 Be able to discuss the various types of collusion that happen between contractors
13-10 Be able to discuss the type of fraud that typically happens in the performance phase of a contract
13-11 Define product substitution and list some common product substitution schemes
13-12 Be familiar with the methods identified in this chapter for preventing and detecting vendor fraud
13-13 Explain how unrelated third parties can commit fraud against a company
13-14 Discuss why organizations are targeted by corporate spies
13-15 Name some of the types of information and departments targeted by corporate spies
13-16 Describe some of the methods by which a company can mitigate the risk of computer hacking
13-17 Describe some of the precautions a company should take to protect its physical and intellectual property

CASE STUDY: A COMPUTER HACKER TURNED INFORMANT . . . TURNED HACKER

He was a Secret Service informant by day. By night, he and his crew of unscrupulous computer geniuses hacked into roughly 180 million payment card accounts from the customer databases of some of the largest corporations in America. Over several years Albert Gonzalez amassed $2.8 million using these stolen credit and debit card numbers. Meanwhile the government was paying him a salary of $75,000 per year to work undercover.

Gonzalez started learning about computers at a young age, buying his first PC at age 12 and hacking into NASA at age 14. Despite the negative connotation of the term, some hackers have benevolent motives. Known as “white hat” hackers, they are driven by finding security vulnerabilities at companies and bringing them to the company's attention so they can be rectified. Gonzalez, however, was a “black hat” hacker—a hacker whose motives are simply malice and personal gain. Black hats aim to “stick it” to authority. By the time he dropped out of college during his freshman year, Gonzalez knew how to hack into corporate computer systems and figure out the logins and passwords of managers and executives. Once he had access to these systems, he would find a plethora of valuable information.

Gonzalez first ran into trouble with the law when a plain-clothes NYPD detective caught him in the act of “cashing out” at an ATM. He had programmed blank debit cards with stolen card numbers and withdrew as much cash as he could from each account. He was arrested but later recruited by the Secret Service to be an undercover informant. He was attractive to the Service thanks not only to his advanced knowledge of sophisticated hacking operations, but also his ability to patiently explain his expertise in online credit card fraud.

Eager to embrace advancements in Internet accessibility, many large corporations adopted Wi-Fi in the early 2000s as soon as it was available, with little hesitation or precaution. However, most people failed to consider that a wireless network puts a company at serious risk for hacking. Gonzalez soon became adept at exploring the vulnerability of corporate wireless networks. Employing a practice known as “war driving,” he and his black hat accomplices, equipped with laptops and high-powered radio antennae, would sit in cars in the parking lots of various large retail chains. It wasn't long before they were able to access a company's Wi-Fi network and get access to corporate servers.

With one large corporation, TJX (the parent company of Marshalls and TJ Maxx), the hackers discovered a server that housed old credit card transactions from stores. At first this seemed like a goldmine, until Gonzalez realized that most of the card numbers were expired. He instructed his accomplices to develop a program to locate, capture, and store recent transactions. Once this data reached a specified size, the program was designed to close, encrypt, and compress the data and send it to Gonzalez's computer. By the end of 2006, the hackers had gleaned the payment data from over 40 million customer accounts.

Using similar methods, Gonzalez and his crew hacked into various other retailers, including OfficeMax, Boston Market, and Barnes & Noble. For larger jobs, the group rented hotel rooms near the targeted stores and set up a large radio antenna. In many cases, the data was unprotected and unencrypted. It was available to anyone who had access to the network.

Why were these networks, housing large volumes of confidential data, left so exposed? For one, computer security was a relatively new concept in the early 2000s. Companies were used to relying on physical security, such as locked doors and security guards, to protect their assets. Furthermore, security is expensive and it doesn't bring in revenue. In a relatively short amount of time, however, companies started housing vast quantities of data far more quickly than they were coming to understand the vulnerabilities of a wireless network and how to protect it. So there was a period of time when many large companies were susceptible to dramatic, costly attacks perpetrated by computer hackers who were ahead of the curve.

Gonzalez used an array of tactics to cash in from this heist. His simplest approach was to have his co-conspirators cash out at ATMs across the United States. After obtaining the cash, the thieves would ship it in boxes to New York where Gonzalez's friend would pick it up and then wire it to Miami.

He also assembled an international consortium to assist him in getting the most out of the stolen data. He had an accomplice in the Ukraine who would sell sets of card numbers to buyers across the globe and split the proceeds with Gonzalez. To effectively launder the money he obtained, Gonzalez set up e-gold and WebMoney accounts and established shell companies in Europe. He also rented computer servers in Latvia, the Netherlands, and other countries to store the card data and the software he was using for the breaches. This way, he was able to mitigate the risk of the U.S. authorities locating his goldmine. After all, Gonzalez worked for the Secret Service and was well aware of their investigation techniques. If anyone knew how to hide data from the agency, it was him.

After four years of work, Gonzalez grew tired of working for the Secret Service. He showed up late to the office and didn't put much effort into the job. The Service started talking about laying him off. Meanwhile, he was getting bored with his usual hacking tactics and wanted to try something other than war driving. He decided to explore a different type of hacking: SQL injection.

SQL (pronounced “sequel”) stands for Structured Query Language. It is a programming language that enables commercial websites to interact with the appropriate company databases. The problem, however, is that these interactions make company databases vulnerable to hackers. On websites that process consumer transactions, like Amazon.com, the site sends commands in SQL based on the actions of the visitor. These commands then travel to a database that likely exists in close proximity to other databases with more sensitive information—like customer credit and debit card data.
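The weakness described in this paragraph, shown beside its standard fix in an added example that is not part of the original chapter. The `orders` table, the function names, and all data are constructed for illustration; an in-memory SQLite database stands in for a store's back end.

```python
import sqlite3

# Constructed sample data: an order table that also holds card details.
SAMPLE_ORDERS = [
    ("alice@example.com", "jacket", "1111"),
    ("bob@example.com", "jeans", "2222"),
    ("o'brien@example.com", "boots", "3333"),
]

# Constructed input of the kind a visitor could type into an order-lookup form.
HOSTILE_INPUT = "nobody@example.com' OR '1'='1"


def make_db():
    """Create an in-memory database standing in for the store's back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (email TEXT, item TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return db


def lookup_concatenated(db, email):
    """Vulnerable: the visitor's text becomes part of the SQL command itself."""
    sql = "SELECT item, card_last4 FROM orders WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email):
    """Hardened: the ? placeholder binds the text as a value, never as SQL."""
    sql = "SELECT item, card_last4 FROM orders WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def compare(db, email):
    """Run both lookups and report the row count, or the error, for one input."""
    results = {}
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterized", lookup_parameterized)):
        try:
            results[name] = len(fn(db, email))
        except sqlite3.Error as exc:
            results[name] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    db = make_db()
    for text in ("alice@example.com", HOSTILE_INPUT, "o'brien@example.com"):
        print(repr(text), compare(db, text))
```

With the hostile input, the concatenated query returns every customer's row while the parameterized query returns none. The concatenated query also fails outright on a legitimate address that contains an apostrophe, which is often the first visible symptom of the flaw.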

Gonzalez experimented with SQL on the website of discount clothing store Forever 21. After looking at their shopping cart software, he found weaknesses and within ten minutes gained access to the store's network. From there, he and his crew figured out how to become domain administrators and eventually acquired a plethora of sensitive data.

Always up for a new challenge, Gonzalez put aside SQL injection and figured out how to breach the point-of-sale terminals at stores. These terminals are the machines on checkout counters through which the customer swipes their payment card. You've used them at gas stations, grocery stores, and retail stores. You can find them pretty much anywhere you buy anything.

Stealing data from point-of-sale terminals provided a significant advantage to Gonzalez and his crew: not only could they instantly obtain unexpired credit card numbers as soon as a card was swiped, they also didn't have to spend time sifting through company databases to find valuable information. The hackers could simply go straight to the servers that processed the cards coming from the terminals, and every time a card was swiped it would be logged into their files. By acquiring the schematics and software manuals of the terminals, Gonzalez was unstoppable. His syndicate stole data from major companies like JCPenney, OfficeMax, Hannaford Brothers grocery chain, and Dave & Buster's.

After many months of these schemes, the stores finally started catching on. A credit card company alerted TJX that many of the cards used at their stores appeared to have been stolen. The company examined its servers and made a horrifying discovery: for about a year and a half, cards for approximately half to substantially all of the transactions at North American stores were stolen. Several months later, attorneys for Dave & Buster's called the Secret Service to notify them their point-of-sale system had been breached. Eventually all of the fraud schemes unraveled and Gonzalez was caught.

In 2009, Gonzalez accepted a plea bargain and pleaded guilty to all 19 charges against him. The court ordered him to undergo a psychological evaluation. According to the report, Gonzalez identified with his computer. He finds it difficult, if not impossible, to conceptualize human growth, development, and evolution, other than in the language of building a machine.

The prosecutor told the court that Gonzalez had committed the worst computer crimes ever prosecuted. At his sentencing, the defendant remained stoic. He is currently serving a 20-year sentence at a federal prison in Michigan. He is scheduled to be released in 2025.

Companies have become more serious and educated with regard to digital security. That being said, no company is immune to threats from outsiders. Talented cybercriminals like Gonzalez continue to seek out penetrable networks and are constantly improving their techniques. As long as companies continue to accumulate valuable data, that data is at risk.

OVERVIEW

Up to this point, the focus in this book has been on internal fraud schemes, otherwise known as occupational fraud. As previously noted, occupational fraud can be defined as: “the use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the organization's resources or assets.” Simply stated, this type of fraud occurs when an employee, manager, or executive commits fraud against his employer. It makes sense to emphasize this type of fraud; after all, employees pose the greatest threat to an organization.

However, a study of the principles of fraud examination would be incomplete without some discussion of external fraud threats. External fraud refers to unauthorized activity, theft, or fraud carried out by a third party outside the institution that is the subject of the fraudulent behavior. In other words, it is fraud committed against an organization by someone who is not employed by the organization. No matter how ethical your employees might be, or how strong your system of internal controls is, every organization is vulnerable to threats posed by outsiders.

External fraud is a threat to any company for one simple reason: it is impossible to conduct business without interacting with outsiders. All organizations conduct transactions and communications with customers, vendors, contractors, consultants, and others who can influence decisions made at the company, have access to proprietary information, or can otherwise exert power.

Even more troubling are external parties that have no relationship with the targeted organization; they are simply out to steal from any vulnerable source they can find. As you saw in the Albert Gonzalez case study, organized crime groups carry out sophisticated and systematic attacks to acquire large sums of money, data, or both. It is imperative that management, especially of organizations in possession of large amounts of customer payment data, proprietary data, or other sensitive information, take every precaution possible to protect their entities from theft.

THREATS FROM CUSTOMERS

To generate revenue, a company needs customers. The exposure these customers have to a company's assets, however, depends greatly on the industry and the nature of the business. There is at least one unique customer fraud scheme for every type of company in existence. For instance, insurance companies need to beware of policy holders submitting fraudulent claims. Banks need to watch out for loan seekers exaggerating their creditworthiness.

In this chapter, we will focus on external fraud threats that are more universally applicable. Common threats from customers include check fraud and credit card fraud.

Check Fraud

Check tampering was thoroughly covered in Chapter 5. However, other forms of check fraud are worth mentioning here since they pose a serious external fraud threat to any organization that regularly accepts checks as payment from customers. Common check fraud schemes include counterfeit checks and e-commerce check scams.

Counterfeit Checks

Simple check printing software is used widely by the public and can be easily obtained in office supply stores. Counterfeit checks are not always easy to spot; a counterfeiter will go to great lengths to make his check appear legitimate. Furthermore, small businesses and retail operations are ideal targets for check counterfeiters. Many employees lack the time or expertise to conduct the appropriate examinations on a check to determine whether it is fraudulent or not. When the customer presents the merchant with a check, the merchant typically processes the transaction as usual and allows the fraudster to abscond with the stolen merchandise. The store will not find out the check is counterfeit until it attempts to deposit it at the bank, and by then it might be far too late to catch the crook.

Paperhangers are experts in check fraud. A paperhanger scouts out potential target establishments and observes their security methods. Any store that scrutinizes check writers' identification is clearly not a good target for a paperhanger. Where a store is a suitable target, the paperhanger will observe the store's employees and select the least experienced or most lackadaisical of them to whom to pass the check. The paperhanger will then ask the clerk for cash back from the transaction and make the check out for an amount greater than the price of the purchase. In some cases, the checks being written are counterfeit; however, in other cases the checks are purposefully being written on a closed account.

E-Commerce Check Scams

There are several variations of e-commerce check scams, but each type usually begins with the victim offering something for sale on the Internet. Usually, the item being offered is a big-ticket item that requires a down payment.

After seeing the item for sale, the fraudster contracts with the victim to buy the item. To supply a down payment, the fraudster sends the victim a counterfeit check. Usually, the check is delivered by a highly recognized carrier, such as FedEx, to increase the victim's perception that the deal is legitimate. Once the victim receives the check, he deposits it, but before the check clears, the fraudster requests a refund and backs out of the deal, offering the victim a portion of the funds for his trouble. In response, the victim forwards part of the money back to the fraudster, but later learns that his bank has reversed the deposit amount because the check was no good.

Preventing and Detecting Check Fraud

Although the United States significantly outranks all other countries when it comes to personal check use and acceptance, check usage is in significant decline across the globe. Regardless, check fraud remains a serious concern in the marketplace and vendors who accept checks from customers must be aware of the red flags of a fraudulent check.

The best solution for financial institutions and merchants is to educate employees to recognize forged and fraudulent checks and the schemes behind them. Merchants and financial institutions should have a strict check acceptance policy with which all employees are familiar. When accepting checks, employees should always ask for identification and make sure it is valid. Many check passers mollify store personnel by showing them a small laminated rectangular document with a picture. After looking at several hundred of these, most employees tend not to scrutinize them. Check passers count on this. It is important for employees to examine each piece of identification closely every time they are presented with one.

When conducting transactions online, merchants should be wary of customers who pay with checks and should consider adopting a no-check policy. There are many secure person-to-person payment methods, such as PayPal, and it is not unusual for a vendor to exclusively accept this type of payment.

Credit Card Fraud

Credit card fraud is the misuse of a credit card to make purchases without authorization or counterfeiting a credit card. The vast majority of people in the United States have at least one credit card. According to the Census Bureau, there were an estimated 160 million cardholders in 2012. As the industry continues to expand and offer credit to more consumers, the related fraud risk will also grow. Credit card fraud is successful because the chances of being caught are small and prosecution is not ensured.

There are many different types of credit card schemes, including unauthorized use of a lost or stolen card, stolen card numbers, and counterfeit cards.

Unauthorized Use of a Lost or Stolen Card

Thieves have many strategies for procuring the credit cards of innocent victims. Once they obtain the card, they attempt to purchase as much merchandise as possible before the theft is detected and the card is declined. Fraudulent activity normally occurs within hours of the loss or theft, before most victims have called to report the loss. Victims often aren't even aware that their credit cards are being fraudulently used until they receive their monthly statement or a call from their card provider.

Stolen Card Numbers

Many credit card thieves obtain stolen credit card information via the Internet, much like Albert Gonzalez did in the case study. The thieves who steal this information find credit cards or lists of credit card holders and the corresponding numbers to their accounts. They then make the numbers available to a larger group, which uses the information to obtain goods and services in the cardholder's name. Wrongfully obtained information might be posted on websites that originate in foreign countries. The international nature of the fraud makes it difficult to deter or punish.

Counterfeit Cards

Another type of credit card fraud involves illegal counterfeiting of the cards. Known as “white plastic” cards, counterfeit credit cards are made using the appropriate sized plastic with embossed account numbers and names. This scheme works in conjunction with a corrupt and collusive merchant or a merchant's employee. Other counterfeit cards are manufactured from scratch using high-speed printing facilities and are used in association with organized crime groups.

The actual counterfeiting process has been immeasurably eased by technology that allows for more accurate duplication. Duplicating legitimate cards is still an intricate operation, however. Magnetic strips, numbers, holograms, and logos must all appear authentic.

Personal computers, embossers, tipping foil, and laminators are common tools in the reproduction process. The most difficult component of a legitimate credit card to reproduce is the hologram. True holograms use a “lenticular refraction” process; counterfeits generally only have reflected materials, such as a foil with an image stamped on it. These decals are attached to the surface of the card rather than fixed into the plastic, as is the case with legitimate cards. Some holograms do not change colors, as legitimate ones do, when viewed from various angles.

Preventing and Detecting Credit Card Fraud

The best way to prevent and detect credit card fraud is to educate employees responsible for processing customer payments about the risks and red flags of credit card fraud. You are probably aware that most store clerks and cashiers do not check credit card signatures or request identification from customers. However, closely comparing identification to the credit card presented might prevent unauthorized use by a fraudster. A policy that all customers who pay with a credit card are required to present identification is a strong deterrent for fraud.

Merchants should be alert for the following customer behaviors that might be red flags of a customer using a credit card he is not authorized to use:

  • A customer purchases a large item, such as a television, and insists on taking it at the time, even when delivery is included in the price.
  • A customer becomes argumentative with the sales representative while waiting for the transaction to be completed or appears to be very rushed.
  • A customer charges several expensive items on a newly valid card.
  • A customer pulls the card directly out of his pocket rather than his wallet.
  • A customer claims to have forgotten or lost his identification when asked for it by the cashier.

THREATS FROM VENDORS

It is inefficient and impractical to expect a company to do everything for itself. Most organizations rely on vendors to supply the goods and services needed to develop and produce other products or to facilitate business operations. It typically makes good business sense to use contracted vendors and suppliers when they can provide the necessary goods or services at a cheaper price, of better quality, or with more specialized expertise than the purchasing organization has available internally.

In a vendor-customer relationship, a contract is usually executed to serve as the formal, documented agreement between the two parties. Unfortunately, simply having a contract in place does not ensure that a vendor will invoice the customer at the agreed-upon rates, deliver the correct quantity or quality of materials, or perform the necessary activities required by procedure or law. The pressures, opportunities, and rationalizations that can be catalysts for employee fraud also apply to vendors and suppliers, meaning these organizations cannot always be relied upon to police themselves.

Vendor fraud is a serious threat to businesses. Several vendors typically compete to win a particular contract, and, for some of those vendors, one contract might make or break their business. However, getting involved with a shady vendor can have dire consequences for the procuring entity.

While corruption was addressed in great detail in Chapter 10, that chapter focused on schemes that involve the purchasing department of the procuring entity. In this chapter we will closely examine the dishonest vendors themselves.

How Prevalent Is Vendor Fraud?

In the ACFE's 2012 Report to the Nations on Occupational Fraud and Abuse, corruption and billing schemes—the two types of schemes that most typically involve manipulation of vendor transactions—were two of the top three fraud scheme types in all regions of the world. Billing and corruption schemes also account for some of the highest median fraud losses, with billing schemes resulting in a median loss of $100,000 and corruption causing a median loss of $250,000.

Collusion among Contractors

In contrast to Chapter 10, this discussion focuses on schemes perpetrated by vendors without the knowledge or cooperation of anyone within the victim company. Whenever an organization issues a request for proposals, there is the threat of vendors in the same market colluding to defeat competition or to inflate the prices of goods and services artificially. The most common forms of collusion between competitors involve complementary bids, bid rotation, and phantom bids.

Complementary Bids

Complementary bidding, also known as protective or shadow bidding, occurs when competitors submit token bids that are too high to be accepted (or, if competitive in price, then on special terms that will not be acceptable). Such bids are not intended to secure the buyer's acceptance, but are merely designed to give the appearance of genuine competition in the bidding process.

Bid Rotation

Bid rotation, also known as bid pooling, occurs when two or more contractors conspire to alternate the business between them on a rotating basis. Instead of engaging in competitive contracting by submitting confidential bids, contractors perpetrating these schemes exchange information on contract solicitations to guarantee that each contractor will win a share of the purchasing entity's business.

For example, imagine three vendors: Stewart, Chesapeake, and Billiton. They are up for three separate jobs, and they agree that Stewart's bid will be the lowest on the first contract, Chesapeake's bid will be the lowest on the second, and Billiton's bid will be the lowest on the third. Although none of the vendors get all three jobs, they are each ensured at least one. Furthermore, because they colluded to perpetrate this scheme, they can conspire to raise their bid prices.

Phantom Bids (Bids from Shell Companies)

Corrupt contractors often conceal their collusion by submitting phantom bids from shell companies (i.e., companies that have no physical presence and generate little independent economic value). In these schemes, a corrupt contractor submits its own bid along with bids from fictitious vendors to create the appearance that there is competition for the contract.

Contract Performance Schemes

As discussed in Chapter 10, the procurement process consists of four stages: the presolicitation phase, the solicitation phase, the evaluation and award phase, and the performance phase. After a vendor is awarded a contract, the performance phase begins. In this phase, the contracting parties fulfill their respective duties through the performance of their contractual obligations. Activities that occur during contract performance include contract modifications (i.e., change orders); review of completed portions and release of payment; and assessment of deliverables for compliance with the contract terms, including quality control.

In general, there are two basic schemes perpetrated during the performance phase: product substitution and cost mischarging.

Product Substitution

In general, product substitution fraud, also known as nonconforming goods or services fraud, refers to attempts by contractors to increase their profits by delivering goods or services to the procuring entity that do not conform to the contract specifications. In these schemes, the contractor delivers the nonconforming items but bills for the more expensive items.

A contractor that knowingly delivers goods or services that do not meet contract specifications might be guilty of fraud if it falsely represents that it has complied with the contract or deliberately conceals its failure to do so. So while an unintentional failure to meet contract specifications is not fraud, it might constitute a breach of contract.

To commit these schemes, a supplier or contractor can substitute products or materials of lesser quality than specified in the contract; use lower-quality staff than specified in the contract; use counterfeit, defective, or used parts; or implement any other deliberate departures from contract requirements to increase profits or comply with contract time schedules.

Substitution is particularly attractive in contracts calling for expensive, high-grade materials that can be replaced by similar-appearing, much less expensive products. The substitutions often involve component parts that are not easily detected. Moreover, the potential for a product substitution case is greatest where the procuring entity relies on contractor integrity to ensure that it gets what it has paid for.

For example, imagine that Bixler Corporation has commissioned the construction of a new office building. Bixler had a large budget to work with and wanted this building to have an impressive entrance for clients. When selecting the finishes for the building, Bixler chose the highest quality marble available for the floor of the entryway. The contractor underhandedly ordered and installed cultured marble, an alternative material that looks like marble but is much less expensive. The contractor charged Bixler for the expensive marble they had chosen, which cost about twice as much as the cultured marble, and pocketed the difference.

Some examples of common product substitution schemes include:

  • Delivery of inferior/substandard material
  • Delivery of materials that have not been tested
  • Falsification of test results
  • Delivery of used, surplus, or reworked parts
  • Delivery of counterfeit products
  • Submission of false certifications (certifications are statements that parts or materials are new, domestically manufactured, and meet the contract specifications concerning quality and quantity, or that the company is minority owned)

Cost Mischarging

Cost mischarging occurs when a contractor charges the procuring entity for costs that are not allowable, not reasonable, or that cannot be allocated to the contract directly or indirectly. Contractors can mischarge for either materials or labor. Labor mischarging is more common because labor is not supported by external documentation or physical evidence to provide independent verification that it was indeed performed. The only way to ensure that labor costs are charged to the correct account is to actually observe the work of each employee and then review the accounting records to verify the employee's cost is charged to the proper contract.

Preventing and Detecting Vendor Fraud

Vendor audits are an effective way to prevent and detect fraud in the procurement process. The first response to the suggestion of vendor audits is often that they are unnecessary because contracts are in place to safeguard the organization in the event of fraud. As noted earlier, however, simply having a contract in place does not ensure that a vendor will perform as agreed. Consequently, at the very least, it is imperative that vendors undergo a thorough vetting process initially, followed by continuous monitoring after the contract has been awarded and work has begun. Doing so will help improve controls, identify fraud, and save the company money.

First and foremost, procurement personnel should strive to ensure the integrity of their contractors. Beware of contractors with a history of fraudulent conduct, a reputation for dishonesty, or involvement in prior complaints or legal actions. Some other red flags of unscrupulous vendors include:

  • The contractor's address, telephone number, or bank account information matches that of an employee or relative.
  • The contractor's address is incomplete (e.g., it is only a PO box, or it gives no telephone number).
  • The same contractor is repeatedly awarded competitive contracts based on bids only slightly lower in price than the next.
  • There appears to be an excessive number of change orders made by the contractor.
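
The first three red flags above can be screened for mechanically once vendor, employee, and bid records are available. The following is an added example, not part of the original chapter: all records are constructed, and the 2 percent margin, the three-win threshold, and the rule that the lowest bid wins are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample records; names, numbers and thresholds are illustrative only.
EMPLOYEES = [
    {"name": "J. Rivera", "address": "14 Elm St., Apt 2", "phone": "555-0101", "bank": "021000021-778899"},
    {"name": "M. Chen", "address": "9 Lake Rd", "phone": "555-0102", "bank": "021000021-112233"},
]
VENDORS = [
    {"name": "Acme Paving", "address": "200 Industrial Way", "phone": "555-0190", "bank": "011000015-445566"},
    {"name": "Rivera Supply", "address": "14 ELM ST APT 2", "phone": "555-0177", "bank": "011000015-990011"},
    {"name": "Northgate LLC", "address": "PO Box 812", "phone": "", "bank": "021000021112233"},
]
# One dict per competitive tender: vendor name -> bid amount.
TENDERS = [
    {"Acme Paving": 99_500, "Delta Co": 100_000, "Omni Build": 104_000},
    {"Acme Paving": 49_800, "Delta Co": 50_000, "Omni Build": 47_000},
    {"Acme Paving": 74_900, "Delta Co": 75_500},
    {"Acme Paving": 120_000, "Omni Build": 121_000, "Delta Co": 130_000},
]

PO_BOX_ONLY = re.compile(r"p\.?\s*o\.?\s*box\s*\d+", re.IGNORECASE)


def normalize(value):
    """Reduce a field to lowercase letters and digits so formatting cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def shared_details(vendors, employees):
    """Vendor/employee pairs whose address, phone or bank account match."""
    hits = []
    for v in vendors:
        for e in employees:
            for field in ("address", "phone", "bank"):
                key = normalize(v[field])
                if key and key == normalize(e[field]):  # empty fields never match
                    hits.append((v["name"], e["name"], field))
    return sorted(hits)


def incomplete_contact(vendor):
    """Reasons a vendor's contact record is incomplete (PO box only, no phone)."""
    reasons = []
    if PO_BOX_ONLY.fullmatch(vendor["address"].strip()):
        reasons.append("address is only a PO box")
    if not vendor["phone"].strip():
        reasons.append("no telephone number")
    return reasons


def narrow_wins(tenders, max_margin=0.02, min_wins=3):
    """Vendors that repeatedly win by a sliver. Assumes the lowest bid wins."""
    wins = Counter()
    for bids in tenders:
        if len(bids) < 2:
            continue  # a single bid has no runner-up to compare against
        ranked = sorted(bids.items(), key=lambda item: item[1])
        (winner, low), (_, runner_up) = ranked[0], ranked[1]
        if (runner_up - low) / runner_up <= max_margin:
            wins[winner] += 1
    return {vendor: n for vendor, n in wins.items() if n >= min_wins}


def red_flag_report(vendors, employees, tenders, max_margin=0.02, min_wins=3):
    """Collect every flag per vendor for review by procurement or audit staff."""
    report = {}
    for vendor, employee, field in shared_details(vendors, employees):
        report.setdefault(vendor, []).append(f"{field} matches employee {employee}")
    for v in vendors:
        for reason in incomplete_contact(v):
            report.setdefault(v["name"], []).append(reason)
    for vendor, n in narrow_wins(tenders, max_margin, min_wins).items():
        report.setdefault(vendor, []).append(
            f"won {n} tenders by a margin of {max_margin:.0%} or less")
    return report


if __name__ == "__main__":
    for vendor, flags in red_flag_report(VENDORS, EMPLOYEES, TENDERS).items():
        print(vendor, "->", "; ".join(flags))
```

A flag from this screen is a reason to look closer, not proof of fraud; a vendor can legitimately share an address with an employee or win several close bids.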

THREATS FROM UNRELATED THIRD PARTIES

So far we have discussed threats from customers and threats from vendors. While both groups are considered external parties, they constitute individuals that an organization chooses to conduct business with—they are either sought out by the organization or welcomed to it with the expectation that both parties will engage in a mutually beneficial commercial transaction. Since a company has some ability to choose its vendors and customers, it can exercise caution by electing to conduct business with seemingly ethical and trustworthy people.

Unfortunately, we have very little control over the unrelated third parties that might target our companies in an effort to steal assets. While we can't completely eliminate this threat, there are several measures a company can take to mitigate control weaknesses and strengthen its resilience to outside parties.

In this section we will focus on two types of threats posed by unrelated third parties: computer fraud and corporate espionage.

Computer Fraud

It goes without saying that computers are an essential part of any modern organization's operations. Virtually every business function that takes place—such as accounting, purchasing, communication, and data management—requires the use of a computer. And much of the data transmitted when performing these functions is highly confidential. Advancements in computer and Internet technology are a good example of the proverbial double-edged sword. On the one hand, rapidly changing technology allows us to do more than ever before, and do it better and faster and more accurately. However, with every new process or program or function available comes a new opportunity for fraud. When there is a new way to commit crimes, criminals will figure it out.

Since so many people across the globe rely on computers in their everyday life, criminals have found this is an efficient and effective way to commit fraud. Computer crimes and frauds are increasing and will no doubt continue to increase as more computers are networked internationally, thus giving global access to cyber thieves.

Key findings from the 2010/2011 Computer Crime and Security Survey, conducted by the Computer Security Institute (CSI), include:¹

  • Malware infection is one of the most commonly seen attacks.
  • Almost half of the respondents experienced at least one security incident.
  • In general, respondents did not believe that the activities of insiders accounted for much of their losses from cybercrime.

Unlike traditional fraud cases, computer fraud cases can be difficult for the fraud examiner because they:

  • Lack a traditional paper audit trail
  • Require an understanding of the technology used to commit the crime
  • Usually require an understanding of the technology of the victim computer
  • Typically require the use of one or more specialists to assist the fraud examiner, even when the fraud examiner is computer literate

Computer Hacking Computer hacking is the use of technology to gain unauthorized access to sensitive information on a computer system. As you'll recall from the Albert Gonzalez case study, sophisticated computer hackers have the ability to do a significant amount of damage.

The desire to gain unauthorized access to computer systems can be prompted by several motives, from simple curiosity—as exemplified by white hat hackers—to computer sabotage or espionage. Intentional and unjustified access by a person not authorized by the owners or operators of a system might often constitute criminal behavior. Unauthorized access creates the opportunity to cause additional unintended damage to data, system crashes, or impediments to legitimate system users. Often, however, the motivation is for profit.

Hackers use various ways to gain access to a company's records. Unauthorized access can be accomplished from a remote location using one of several means. The perpetrator might be able to take advantage of lax security measures to gain access or might find loopholes in existing security measures or system procedures. Frequently, attackers impersonate legitimate system users; this is especially common in systems where users employ common passwords or maintenance passwords found in the system itself.

Moreover, some hackers use custom software applications to penetrate a system, while other hackers might use the help of unsuspecting users by installing programs downloaded via email or by visiting a website. These programs operate in the background of the infected computer and can disable security settings and capture information that is sent back to them.

Methods Used to Gain Unauthorized Access Some common methods for gaining unauthorized access include:

  • Password cracking—Password cracking is an automated process by which an attacker attempts to guess the most likely passwords of a system user. A password cracker will typically try to exploit users who employ personal, easy-to-figure-out passwords, such as their name, their children's or spouse's name, their nickname, the name of a pet, and so forth. This type of information is frequently obtained by issuing fake surveys, fake prizes, or some other type of social engineering scheme.
  • Social Engineering—In a social engineering scheme, the attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker's intended scheme. Often, the attacker will trick one of the target company's employees into revealing information. The hacker might assume a number of different guises to accomplish this deception. He might pose as a new or temporary worker and ask information system employees for a password so that he can begin work. Alternatively, he might pose as someone in a position of authority and intimidate employees into revealing confidential information.
  • Phishing—Often, fraudsters hijack business names to execute phishing attacks. Phishing scams occur when a fraudster dupes victims into providing sensitive information by falsely claiming to be from an actual business, bank, vendor, or other entity with which the target does business. Phishers typically use emails to direct Internet users to websites that look like legitimate e-commerce sites, such as online banks, retailers, or government agencies. Phishers actually control these sites and use them to steal sensitive information, such as bank account details and passwords.
  • Wire Tapping—Wire tapping into a computer's communication links is another technique used by hackers. This method enables perpetrators to read the information being transmitted between computers or between computers and terminals.

Data Manipulation and Destruction Data manipulation refers to the use or manipulation of a computer to perpetrate a crime, and data destruction involves the unauthorized modification, suppression, or erasure of computer data or computer functions, with the intent to alter or hinder the normal functions of the targeted system.

Malware is commonly used to perpetrate data manipulation and destruction schemes. Malware is an umbrella term for any kind of malicious software, including viruses, worms, Trojans, spyware, and botnets. Malware will use popular communication tools to spread, using worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems, making its entry quiet and easy.

Preventing and Detecting Computer Fraud The more proprietary information and customer data a company's system houses, the more important cyber security is to that organization. Fraudsters know which companies are worth their time and effort when it comes to computer hacking. As with all types of fraud, it is difficult to keep up with fraudsters' methods of perpetrating their schemes. It seems that any time there is a new breakthrough in cyber security, it isn't long before a fraudster manages to figure out a way to get around it.

At the very least, it is essential for organizations to establish formal security policies. These policies should include training for all employees, customers, vendors, contractors, and consultants who access the network. The level of access granted to any of these parties must be specific to their function. For instance, an external auditor has no reason to have access to a client's customer payment data.

Firewalls are also an essential weapon in the cyber security arsenal. Firewalls are software programs that block unauthorized or unverified access to a computer system. Firewalls are designed to control the interface between a network and the Internet. This technology surveys incoming and outgoing transmissions between the network and the Internet, stopping any questionable transmission attempt to access a sensitive area. While firewalls are not foolproof, they do provide a layer of protection against Internet attacks or breaches of security.

To supplement firewalls, IT departments should implement an intrusion detection system. Intrusion detection systems are designed to detect malicious activity coming across the network or on a host. They act much like a motion sensor would, detecting individuals who might have bypassed perimeter security. Intrusion detection systems can react in a number of ways, including reconfiguration of the organization's firewall to block messages from the intruder. Most systems will log the attack to a centralized management system for future review by systems administrators. They might also set off an alarm or send an email to the administrator to notify him of the attack.

As illustrated in the Albert Gonzalez case study, wireless networks leave companies extremely vulnerable to security leaks. Fortunately, people have become better educated with regard to these risks and are not as careless as they used to be. If a company has a wireless network that is used to transmit sensitive information, it is imperative that it uses encryption technology to make it more difficult for an attacker to read the content. Encryption refers to procedures used to convert information using an algorithm (called a cipher) that makes the information unreadable. Encrypting transmissions from wireless devices to the computer network might prevent an intruder from gaining access through spoofing (impersonating one of the organization's computers to gain access to the network). Moreover, if an organization offers wireless or remote access, its server software should terminate any connection after:

  • A reasonable number of unsuccessful attempts to enter an invalid password (usually considered to be three)
  • A terminal has been connected for a period of time with no activity. This is called timing-out. Some companies require the data security officer to issue a new password before the user can sign on again.
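The two termination rules above can be enforced in one small server-side guard. The following is an added example, not part of the original chapter: the class and method names are hypothetical, the 15-minute idle limit is an assumed value, and requiring an officer-issued password is applied here to the lockout case, which is one reading of the text.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 3        # the chapter's "usually considered to be three"
IDLE_LIMIT_SECONDS = 15 * 60   # assumed; the chapter gives no figure


class RemoteAccessGuard:
    """Tracks failed logins and idle time for remote or wireless sessions."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the policy can be tested
        self._users = {}         # user -> salt, hash, failures, locked
        self._sessions = {}      # user -> time of last activity

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash so a stolen password file is costly to guess.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_password(self, user, password):
        """Data security officer action: new password, lock cleared."""
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": self._hash(password, salt),
                             "failures": 0, "locked": False}

    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return "denied"
        if rec["locked"]:
            return "locked"      # even the correct password is refused
        supplied = self._hash(password, rec["salt"])
        if hmac.compare_digest(supplied, rec["hash"]):
            rec["failures"] = 0
            self._sessions[user] = self._clock()
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True
            self._sessions.pop(user, None)   # terminate any open connection
            return "locked"
        return "denied"

    def request(self, user):
        """Call on every request; enforces the timing-out rule."""
        last = self._sessions.get(user)
        if last is None:
            return "no session"
        now = self._clock()
        if now - last > IDLE_LIMIT_SECONDS:
            del self._sessions[user]
            return "timed out"
        self._sessions[user] = now
        return "ok"


def demo():
    """Constructed walk-through using a fake clock."""
    t = [0.0]
    guard = RemoteAccessGuard(clock=lambda: t[0])
    guard.issue_password("jdoe", "constructed-Passw0rd!")
    out = [guard.login("jdoe", guess) for guess in ("a", "b", "c")]
    out.append(guard.login("jdoe", "constructed-Passw0rd!"))
    guard.issue_password("jdoe", "reissued-Passw0rd!")
    out.append(guard.login("jdoe", "reissued-Passw0rd!"))
    t[0] += IDLE_LIMIT_SECONDS + 1
    out.append(guard.request("jdoe"))
    return out


if __name__ == "__main__":
    print(demo())
```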

Although it seems obvious, all organizations must require their employees to use passwords. Furthermore, these passwords should be changed regularly and contain a variety of letters, numbers, and symbols for maximum effectiveness. Passwords are not impervious to human error or misuse. The downside of using passwords to prevent unauthorized access is that they can be bypassed, guessed, lost, written down, or given away. Moreover, Trojan horses are often used to steal password files or other personal information. Employees should be warned about possible calls from fraudsters attempting to deceive them into giving out their passwords by impersonating individuals who would need access to that type of information.
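A password-change screen can enforce both the character-variety rule above and the earlier warning about passwords built from a user's own name, family names, nickname, or pet. The following is an added example, not part of the original chapter; the profile fields, the minimum length, and the substitution table are assumptions.

```python
import re

MIN_LENGTH = 10  # assumed; the chapter sets no minimum length

# Common look-alike substitutions undone before comparison (assumed set).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def personal_tokens(profile):
    """Lower-case words of 3+ letters taken from every profile field."""
    tokens = set()
    for value in profile.values():
        items = value if isinstance(value, (list, tuple)) else [value]
        for item in items:
            words = re.findall(r"[a-z]+", item.lower())
            tokens.update(w for w in words if len(w) >= 3)
    return tokens


def check_password(password, profile):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    plain = password.lower()
    # Undo substitutions, then drop non-letters, so "B1scu!t" reads "biscuit".
    squeezed = re.sub(r"[^a-z]", "", plain.translate(_LEET))
    for token in sorted(personal_tokens(profile)):
        if token in plain or token in squeezed:
            problems.append(f"contains personal detail: {token}")
    return problems


# Constructed profile (not from the chapter).
PROFILE = {"name": "Dana Whitfield", "spouse": "Marcus",
           "children": ["Ella"], "pet": "Biscuit", "nickname": "Dee"}

if __name__ == "__main__":
    for candidate in ("B1scu!t2024#", "M4rcus!", "vT9#rq-Lw2&xK"):
        print(candidate, check_password(candidate, PROFILE))
```

The first sample password satisfies the letters, numbers, and symbols rule and is still rejected, which is why the variety rule alone does not stop guessing based on personal details.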

Finally, security software is an invaluable way to mitigate the risk of computer fraud. Organizations should install up-to-date security software packages and implement them to the highest level possible. Most major software companies release updates and patches to their software regularly.

CORPORATE ESPIONAGE

There is no question that corporate espionage is a serious threat. Companies all over the world are under surveillance by competitors and corporate spies. Espionage may be defined as intelligence activity directed toward the acquisition of information through clandestine means and proscribed by the laws of the country against which it is committed. It does not cover legitimate intelligence collection and analysis using legal means. Corporate espionage is most commonly committed by two types of spies: competitor organizations and foreign governments.

Espionage can be further subdivided into industrial espionage and economic espionage. Industrial espionage refers to the clandestine collection of information by companies and individuals, such as information brokers, about competitors. Economic espionage refers to state-sponsored or -sanctioned collection, which is often associated with a nation's foreign intelligence service.

Why Do Companies Resort to Corporate Espionage?

If so much valuable information is publicly available, why do people pay for industrial and corporate spies? Why do they bother with illegal methods? Why do companies not stick to standard research to learn what they need about their competitors, and why do they use intelligence agents and analysts instead of routine researchers? The answer to these questions is twofold.

First, even if the intelligence gatherer adheres strictly to using only open sources, mere facts do not constitute intelligence or knowledge. Collecting raw data brings one only to the threshold of the process. Data must then undergo analysis to be turned into a useful product. Analysis involves summarizing, comparing, and explaining the data. The craft of intelligence lies in the provider's ability to distill mountains of facts from diverse sources into a concise product that is actionable by its consumer.

The term actionable means the product must have the depth, character, and quality on which an executive may base sound decisions. Merely knowing what one's competitors are up to is not good enough. High-quality intelligence identifies the actions a member of an organization should take to seize an opportunity or to diminish or eliminate the organization's competition. It is good to know what the problem is, but far better to know how the problem can be solved. Even though open sources are available to the general public, organizations still use intelligence professionals' skills to create actionable intelligence from the mass of public information.

The second reason organizations use intelligence professionals is that, while there is a wealth of valuable information available in the public domain, there remains needed information that is proprietary. This last segment often becomes critical to competitive survival, and organizations or individuals are sometimes willing to sidestep the law to obtain it. Intelligence professionals know the “tricks of the trade” for gathering sensitive proprietary information that can give their clients a competitive edge.

Favorite Targets of Corporate Espionage

Some of the favorite targets of intelligence gatherers include research and development, marketing, manufacturing and production, and human resources.

Research and Development You might think that research and development (R&D) would be an incredibly difficult area of a company to penetrate, but accessing R&D information is surprisingly quite easy. R&D personnel are always in the flow of information. The open exchange of information is part of the nature of their job. They participate in conferences, attend trade shows, and work with academic institutions; however, in these capacities, they leave themselves open for intelligence spies to eavesdrop on conversations and ask questions. Researchers who publish their findings in industry journals might inadvertently include details of a project they are working on. This is particularly true in the case of academic professionals who might be hired by a company to perform research or conduct a study.

Marketing Competitors pay close attention to each other's marketing strategies. Having advanced knowledge of a competitor's marketing plan is valuable knowledge. Being careless with vital information such as test marketing results, promotional strategies, and planned introduction dates can be disastrous to a company.

Manufacturing and Production Production managers are often good sources of information. A manufacturing facility must be very carefully guarded to avoid competitors gaining access. For instance, someone who is applying to work at a manufacturing plant might want to see the operations first. However, that person might also be a spy. Furthermore, anyone answering the phone on the plant floor can unwittingly provide valuable information in response to a call from a shrewd competitor.

Human Resources Intelligence professionals might be on the lookout for help wanted ads, job postings, and job announcements. Of greater concern, however, is that a spy might use this information to arrange a job interview to get information about the firm and what the job will entail.

Although the listed departments are some of the favored targets of information thieves, other personnel in an organization can provide a wealth of useful information. For instance, salespeople are usually talkative and can be an excellent source of information on pricing, product innovations, and market programs. In addition, purchasing agents are helpful in divulging suppliers, information about what is selling, and the costs of raw materials and services.

How Spies Obtain Information

In addition to the computer hacking methods discussed previously, information thieves use a wide variety of ingenious methods to gain access to a target's information. A few of these methods include:

  • Posing as an employee or contract laborer
  • Surveillance
  • Sorting through discarded trash

Posing as an Employee or Contract Laborer Penetrating a company can be very simple. As indicated earlier, one common technique is to obtain work as a security officer or a member of the janitorial crew for the victim organization. Even if the hiring company does a background check on all potential employees, any good spy attempting to execute this scheme will not have a criminal record.

Individuals with high-level technical skills and high security privileges generally have to be recruited from within a targeted organization. However, in some intelligence campaigns, a spy will plant a person with advanced technical credentials in a targeted company in a professional capacity. That person gains access to the target's proprietary information and funnels it out to the spy. A person who penetrates a company in this manner is known as a “sleeper,” an infiltrator who works on a long-term basis with an acceptable cover.

Surveillance A classic espionage technique, visual surveillance is an obvious tool in the spy's arsenal. Surveillance is either moving or fixed. In moving surveillance, a spy must be flexible and imaginative. For example, he might place a reflective sticker on the subject's car in order to spot it at night. A technically savvy spy could place bugging equipment or a GPS tracking device in the subject's car as well. If a subject goes into a bar or restaurant, a spy will follow and order a drink at the bar so he can leave and follow the subject as soon as he exits.

Fixed surveillance, in contrast to moving, is conducted by a spy who establishes a stationary base camp at which he can surreptitiously watch the subject. While fixed surveillance has many advantages over moving, it has one distinct weakness: the spy's base might be spotted by the target, by authorities, or by bystanders. Savvy spies will effectively camouflage their bases so that they can blend in seamlessly.

Sorting through Discarded Trash To obtain items with sensitive information (e.g., credit card receipts, bank statements, or other sensitive records that bear an individual's name, address, or telephone number), identity thieves might search through an organization's trash receptacles and dumpsters. The dumpsters outside of companies are known for housing large amounts of confidential data, such as research and development information, and must be kept secure.

Preventing and Detecting Corporate Espionage

Although it is impossible to completely eliminate the threat of corporate espionage, there are necessary steps organizations must take to protect themselves as much as possible. Fraudsters and spies know the signs that indicate poor information security procedures and are eager to take advantage of companies who leave themselves vulnerable.

Protecting Physical Data Companies that do not have a system in place for protecting and disposing of confidential information leave themselves wide open to attack by corporate spies.

Since we have already covered cyber security procedures, here we will discuss some ways to safeguard manual systems and physical property. Attacks on manual systems include dumpster diving, entering the building pretending to be a part of the cleaning staff and rifling through employees' desk drawers, and outright theft or burglary. Preventative measures to protect physical property, documents, and assets include:

  • Placing sensitive documents in locked filing cabinets.
  • Using a shredder for discarded sensitive material and ensuring outdoor waste receptacles are locked and impenetrable to dumpster divers.
  • Sending and receiving mail at a secure site, such as a post office drop box or locked mailbox.
  • Guarding the physical premises by employing security officers, installing an alarm system, or implementing video surveillance equipment.

Preventing Espionage As noted, theft of physical material is not the only threat that companies face from corporate spies. Many spies are simply interested in what they hear and observe at the target organization. While security officers cannot turn their organizations into impenetrable fortresses, they can implement specific countermeasures to protect the organization from spies:

  • Materials bearing proprietary data should not be stored in areas visible to the public. If no other option exists, the organization should only use unlettered, color-coded containers as opposed to labeling a particular file drawer “Confidential.” This will make it more difficult for spies to tell where sensitive information can be found.
  • Security should establish a procedure for tracking and locking up sensitive data.
  • Cleaning personnel should be properly bonded and identified, and their access to the facility should be controlled.
  • Vendors should have verified credentials and must be escorted by a company representative during their visit.
  • There should be someone who sits at the entrance of the premises responsible for vetting any visitors. All guests to the building should be preapproved, registered, and able to identify the employee they are visiting by first and last name.
  • Employees should be instructed as to what information they may disclose over the telephone.
  • Employees should sign nondisclosure agreements. In addition, the legal department should be consulted about integrating vendor and supplier nondisclosure agreements into standard contracts.

SUMMARY

External fraud refers to unauthorized activity, theft, or fraud carried out by a third party outside the institution that is the subject of the fraudulent behavior. Every organization is vulnerable to this type of fraud. Victims of external fraud schemes are targeted by people who are not employed by the organization, but who might be trusted customers or contractors. Often, however, the external fraudster is completely unrelated to the company and simply wants to take advantage of its security weaknesses.

External fraud is a threat to any company for one simple reason: it is impossible to conduct business without interacting with outsiders. All organizations conduct transactions and communications with customers, vendors, contractors, consultants, and others who can influence decisions made at the company, have access to proprietary information, or can otherwise exert power. Regardless of how strong an ethics program an organization has, or how effective its corporate governance mechanisms are, every organization is vulnerable to threats posed by outsiders.

An organization can mitigate the risk of exposure to external fraud threats by having strong controls in place, ensuring its physical and data security are up-to-date, and training its employees on procedures for safekeeping confidential information.

ESSENTIAL TERMS

Occupational fraud The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the organization's resources or assets.

External fraud Unauthorized activity, theft, or fraud carried out by a third party outside the institution that is the subject of the fraudulent behavior.

Paperhanger An expert in check fraud.

Credit card fraud The misuse of a credit card to make purchases without authorization, or conducting a transaction using a counterfeit credit card.

Computer hacking The use of technology to gain unauthorized access to sensitive information on a computer system.

Password cracking An automated process by which an attacker attempts to guess the most likely passwords of a system user.

Social engineering The attacker deceives victims into disclosing personal information or convinces them to commit acts that facilitate the attacker's intended scheme.

Phishing A scam that occurs when a fraudster dupes victims into providing sensitive information by falsely claiming to be from an actual business, bank, vendor, or other entity with which the target does business. Phishers typically use emails to direct Internet users to websites that look like legitimate e-commerce sites, such as online banks, retailers, or government agencies. Phishers actually control these sites and use them to steal sensitive information, such as bank account details and passwords.

Data manipulation The use or manipulation of a computer to perpetrate a crime.

Data destruction The unauthorized modification, suppression, or erasure of computer data or computer functions, with the intent to alter or hinder the normal functions of the targeted system.

Malware Any kind of malicious software, including viruses, worms, Trojans, spyware, and botnets.

Firewall A software program that blocks unauthorized or unverified access to a computer system.

Intrusion detection system A security method designed to detect malicious activity coming across the network or on a host.

Espionage Intelligence activity directed toward the acquisition of information through clandestine means and proscribed by the laws of the country against which it is committed.

REVIEW QUESTIONS

13-1 (Learning objective 13-1) What are the three types of external parties that present a serious fraud threat to organizations?

13-2 (Learning objective 13-3) Customers can pose many different fraud threats to the organizations they patronize. What are some of the fraud threats posed by customers?

13-3 (Learning objective 13-5) Describe the type of organization that a paperhanger would likely target.

13-4 (Learning objective 13-7) What is credit card fraud? Briefly describe the three types of credit card fraud presented in the chapter.

13-5 (Learning objective 13-8) List some of the red flags of a customer using an unauthorized credit card.

13-6 (Learning objective 13-9) What are some ways vendors might collude to commit fraud against clients?

13-7 (Learning objective 13-10) What types of schemes do vendors often perpetrate during the performance phase of a contract?

13-8 (Learning objective 13-11) List some common product substitution schemes.

13-9 (Learning objective 13-12) Why should an organization conduct a vendor audit?

13-10 (Learning objective 13-13) Identify two major fraud threats posed by unrelated third parties.

13-11 (Learning objective 13-13) Why are computer fraud cases often more difficult to examine than traditional fraud cases?

13-12 (Learning objective 13-13) How do computer hackers gain unauthorized access to a target company's network? Describe some of the methods they might use.

13-13 (Learning objective 13-15) Which departments of a company are popular targets of corporate spies?

DISCUSSION ISSUES

13-1 (Learning objectives 13-6 and 13-8) Companies accept a variety of forms of payment from customers, and sometimes these payment methods are illegitimate. When a customer uses an illegitimate form of payment, the company might never receive the cash it is due. What types of policies, procedures, and controls could a company put in place to mitigate the risk of payment fraud by its customers?

13-2 (Learning objective 13-12) What are some analytical tests that can be performed to detect fraudulent activity by vendors, and what are some ways to prevent vendor fraud from occurring in the first place?

13-3 (Learning objective 13-16) Computer security controls are an integral part of any modern organization's defense system. What are some processes, systems, and controls companies should have in place with regard to their IT structure to mitigate the risk of penetration by unrelated third parties?

13-4 (Learning objective 13-14) Why do companies resort to corporate espionage to get information about their competitors when there is a wealth of information available in the public domain?

13-5 (Learning objective 13-17) What are some countermeasures a company can implement to protect its premises and assets from espionage?

ENDNOTES

1. Computer Security Institute, 2010/2011 Computer Crime and Security Survey, http://gocsi.com/survey.
