CHAPTER 4 - Fraud and Computer Attacks


ACCOUNTING INFORMATION SYSTEMS II
Chapter 4: Fraud and Computer Attacks
PART 1
Fraud
Learning Objectives
• Explain the threats faced by modern information systems.
• Define fraud and the auditor's responsibility to detect fraud.
• Discuss why fraud occurs.
• Define computer fraud.
• Explain how to prevent computer fraud.
Threats
1. Natural and political disasters
- fire, floods, earthquakes, tornadoes, war, terrorist attacks
2. Software errors and equipment malfunctions
- OS crashes, undetected data transmission errors
3. Unintentional acts
- careless human mistakes, incompatible systems
4. Intentional acts
- sabotage, corruption
Fraud
• Any means a person uses to gain an unfair advantage over another person.
• Fraud is a white-collar crime.
• Examples:
- Corruption: bribery
- Investment fraud: promoting investments that promise fantastic profits
Auditor’s Responsibility to Detect Fraud
1. Understand fraud
2. Discuss the risks of material fraudulent
misstatements
3. Obtain information
4. Identify, assess, and respond to risks
5. Evaluate the results of their audit tests
6. Document and Communicate findings
7. Incorporate a technology focus
Conditions for Fraud (Fraud Triangle)
These three conditions must be present for fraud to occur:
1. Pressure
  • Employee pressures
    • Financial
    • Lifestyle
    • Emotional
  • Financial statement pressures
    • Financial
    • Management
    • Industry conditions
2. Opportunity to:
  • Commit
  • Conceal
  • Convert to personal gain
3. Rationalize
  • Justify behavior
  • Attitude that rules don't apply
  • Lack of personal integrity
Fraud Triangle (figure)

Copyright © 2018 Pearson Education, Ltd. Chapter 5: Computer Fraud Slide 1 - 8

Computer Fraud
• If a computer is used to commit fraud, it is called computer fraud.
• Examples:
- modifying, copying or destroying software
- theft of assets concealed by altering computer records
- obtaining information illegally by using a computer
Preventing and Detecting Fraud
1. Make Fraud Less Likely to Occur
Organizational
• Create a culture of integrity
• Adopt a structure that minimizes fraud; create governance (e.g., Board of Directors)
• Assign authority for business objectives and hold people accountable for achieving those objectives; supervise and monitor employees effectively
• Communicate policies
Systems
• Develop security policies to guide and design specific control procedures
• Implement change management controls and project development and acquisition controls
Preventing and Detecting Fraud
2. Make It Difficult to Commit
Organizational
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliations of data
Systems
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix software bugs and update systems regularly
• Destroy hard drives when disposing of computers
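Segregation of duties and independent approval are only as strong as the system's willingness to refuse a transaction that breaks them. The following is an added example (not from the original slides or from Pearson's materials) showing how those two controls can be checked automatically over a payment ledger: it flags any payment that one person both created and approved, any payment with no recorded approval, and any payment handled by someone who also created or changed the payee's vendor master record (the classic route to a fictitious or redirected vendor). The vendor changes, payments and user names are constructed sample data.

```python
"""Segregation-of-duties check over a constructed payment ledger.

Added example (not from the original slides): flags payments where one
user both created and approved the same transaction, payments with no
approval at all, and payments to a vendor whose master record the same
user created or changed.
"""
from collections import defaultdict

# Constructed sample data: vendor master changes and payment transactions.
VENDOR_CHANGES = [
    # (vendor_id, changed_by, field)
    ("V100", "alice", "create"),
    ("V200", "bob", "create"),
    ("V200", "carol", "bank_account"),
]

PAYMENTS = [
    # (payment_id, vendor_id, amount, created_by, approved_by)
    ("P1", "V100", 1200.00, "dave", "erin"),
    ("P2", "V200", 4800.00, "carol", "erin"),   # carol changed V200's bank account
    ("P3", "V100", 900.00, "erin", "erin"),     # same person created and approved
    ("P4", "V100", 300.00, "dave", None),       # no approval recorded
]

def vendor_touchers(changes):
    """Map vendor_id -> set of users who created or changed that vendor."""
    touched = defaultdict(set)
    for vendor_id, user, _field in changes:
        touched[vendor_id].add(user)
    return touched

def sod_violations(payments, changes):
    """Return a list of (payment_id, rule) for every control breach found."""
    touched = vendor_touchers(changes)
    findings = []
    for pid, vendor, _amount, creator, approver in payments:
        if approver is None:
            findings.append((pid, "missing independent approval"))
            continue
        if creator == approver:
            findings.append((pid, "creator approved own payment"))
        if creator in touched[vendor] or approver in touched[vendor]:
            findings.append((pid, "payer also maintains vendor master record"))
    return findings

if __name__ == "__main__":
    for pid, rule in sod_violations(PAYMENTS, VENDOR_CHANGES):
        print(f"{pid}: {rule}")
```

In practice the same check would run against the accounts-payable export before a payment run, and its findings would go to internal audit rather than back to the users who triggered them.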
Preventing and Detecting Fraud
3. Improve Detection
Organizational
• Assess fraud risk
• External and internal audits
• Fraud hotline
Systems
• Audit trail of transactions through the system
• Install fraud detection software
• Monitor system activities (user and error logs, intrusion detection)
Preventing and Detecting Fraud
4. Reduce Fraud Losses
Organizational
• Insurance
• Business continuity and disaster recovery plan
Systems
• Store backup copies of program and data files in a secure, off-site location
• Monitor system activity
PART 2
Computer Attacks
Learning Objectives
• Explain how criminals attack information systems.
• Explain how social engineering techniques are used to gain physical or logical access to computer resources.
• Describe the different types of malware used to harm computers.
How Criminals Attack Information Systems
1. Conduct reconnaissance
2. Attempt social engineering
3. Scan and map the target
4. Research
5. Execute the attack
6. Cover tracks
Types of Attacks
1. Hacking
• Unauthorized access, modification, or use of an electronic device or some element of a computer system
2. Brute Force Attack
• Trial-and-error method of guessing a user ID and password, typically automated so that thousands of attempts can be made in minutes
3. Spamming
• Sending unsolicited messages to many people at the same time; spam is also a common carrier for viruses and spyware
4. Spoofing
• The perpetrator of the fraud wants you to think that they are someone else whom you would trust
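The "monitor system activities (user and error logs, intrusion detection)" item in the detection slide and the brute-force attack above meet in the authentication log: a password-guessing attack leaves a dense run of failed logins from one source, and the success that follows such a run is the event that matters most. The following is an added example (not from the original slides) of that detection logic in Python. It keeps a sliding window of failures per source address, raises an alert when the count crosses a threshold, and raises a second alert if the same source then logs in successfully. The log lines, field names, threshold and window are constructed for the example.

```python
"""Brute-force login detection over a constructed authentication log.

Added example (not from the original slides): counts failed logins per
source address inside a sliding time window and flags a source that
crosses the threshold, plus any success that follows such a burst.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # failures allowed inside the window
WINDOW = timedelta(minutes=2)

# Constructed log lines in a syslog-like layout: date, time, source, user, result.
SAMPLE_LOG = """\
2024-03-01 09:00:01 src=10.0.0.5 user=alice result=FAIL
2024-03-01 09:00:03 src=10.0.0.5 user=alice result=FAIL
2024-03-01 09:00:04 src=10.0.0.5 user=alice result=FAIL
2024-03-01 09:00:06 src=10.0.0.5 user=alice result=FAIL
2024-03-01 09:00:08 src=10.0.0.5 user=alice result=FAIL
2024-03-01 09:00:09 src=10.0.0.5 user=alice result=OK
2024-03-01 09:10:00 src=10.0.0.9 user=bob result=FAIL
2024-03-01 09:20:00 src=10.0.0.9 user=bob result=OK
"""

def parse_line(line):
    """Split one log line into (timestamp, src, user, result)."""
    date, clock, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, kv["src"], kv["user"], kv["result"]

def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (timestamp, src, message) tuples, in log order."""
    recent_failures = defaultdict(deque)   # src -> timestamps of recent FAILs
    flagged = set()                        # sources already over the threshold
    alerts = []
    for raw in log_text.splitlines():
        ts, src, user, result = parse_line(raw)
        q = recent_failures[src]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ts, src, f"{len(q)} failed logins within {window}"))
        elif src in flagged:
            # A success right after a burst is the likely account compromise.
            alerts.append((ts, src, f"successful login for {user} after failure burst"))
    return alerts

if __name__ == "__main__":
    for ts, src, msg in detect_brute_force(SAMPLE_LOG):
        print(f"{ts} {src}: {msg}")
```

Bob's single failure followed by a success ten minutes later produces nothing, which is the point of the window: ordinary typos must not page anyone. The same logic is what a lockout policy or an intrusion detection rule implements, with the threshold and window tuned to the system's normal failure rate.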
Social Engineering Techniques
• Identity theft
  • Assuming someone else's identity
• Pretexting
  • Using a scenario to trick victims into divulging information or to gain access
• Posing
  • Creating a fake business to get sensitive information
• Phishing
  • Sending an e-mail asking the victim to respond to a link that appears legitimate and requests sensitive data
• Pharming
  • Redirecting a Web site to a spoofed Web site
• URL hijacking
  • Takes advantage of typographical errors entered for Web sites; the user lands on an invalid or wrong Web site
• Scavenging
  • Searching trash for confidential information
• Shoulder surfing
  • Snooping (either close behind the person) or using technology to snoop and get confidential information
• Skimming
  • Double swiping a credit card
• Eavesdropping
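Phishing and URL hijacking both rely on a domain that looks like the real one: a dropped or transposed letter for a typo-squat, or a swapped character such as a digit 1 for a letter l. The following is an added example (not from the original slides) of the check a mail gateway or a user-awareness tool can apply to links before anyone clicks them. It compares the registrable domain of each URL with a small allowlist of trusted domains, first after normalising common look-alike characters and then by edit distance. The allowlist, the URLs and the edit-distance threshold are constructed for the example.

```python
"""Lookalike-domain check for phishing and URL-hijacking (typosquatting).

Added example (not from the original slides): compares the host of each
URL with a small allowlist of trusted domains, first after replacing
common look-alike characters, then by edit distance, so that both
typosquats (exampel.com) and homoglyph swaps (examp1e.com) are caught.
The allowlist and URLs are constructed sample data.
"""
from urllib.parse import urlparse

TRUSTED = {"example.com", "examplebank.com"}   # constructed allowlist
MAX_DISTANCE = 2                               # how many typos still count as "close"

# Characters and pairs commonly substituted for look-alikes in fake domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(label):
    """Map look-alike characters back to the letter they imitate (lower-cased)."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance using the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels of the host; sufficient for the .com-style names used here."""
    return ".".join(host.lower().split(".")[-2:])

def classify_url(url, trusted=TRUSTED, max_distance=MAX_DISTANCE):
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's domain."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if normalize(domain) == good or edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ["https://login.example.com/reset", "https://examp1e.com/login",
              "http://exampel.com/", "https://github.com/x"]:
        print(f"{u}: {classify_url(u)}")
```

"Lookalike" is the interesting verdict: an unknown domain may be harmless, but a domain that is one or two edits away from a brand the organisation actually uses is almost never a coincidence. The homoglyph table is deliberately short; a production check would also handle Unicode confusables and the registrable-domain rules for multi-label suffixes such as .co.uk.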
Why People Fall Victim
• Compassion
• Desire to help others
• Greed
• Want a good deal or something for free
• Sex appeal
• More cooperative with those that are flirtatious or good looking
• Sloth
• Lazy habits
• Trust
• Will cooperate if trust is gained
• Urgency
• Cooperation occurs when there is a sense of immediate need
• Vanity
• More cooperation when the appeal is to being popular and successful
Minimize the Threat of Social Engineering
• Never let people follow you into restricted areas
• Never log in for someone else on a computer
• Never give sensitive information over the phone or
through e-mail
• Never share passwords or user IDs
• Be cautious of someone you don’t know who is
trying to gain access through you
Malware
• Spyware
  • Secretly monitors and collects information
  • Can hijack browser and search requests
• Adware
• Ransomware
  • Locks you out of all your programs and data using encryption
• Keylogger
  • Software that records user keystrokes
• Trojan Horse
  • Malicious computer instructions in an authorized and properly functioning program
• Trap door
  • Set of instructions that allow the user to bypass normal system controls
• Packet sniffer
  • Captures data as it travels over the Internet
• Virus
  • A section of self-replicating code that attaches to a program or file and requires a human to do something so it can replicate itself
• Worm
  • Stand-alone self-replicating program
Defence Strategy
Defense strategy: Description

Encryption
• Passwords, messages, files, and other data can be transmitted in scrambled form and unscrambled by computer systems for authorized users only.
• Encryption uses mathematical algorithms together with secret keys to transform digital data into scrambled ciphertext before it is transmitted, and to decode the data when it is received. The algorithm can be public; the security rests on keeping the key secret.

Authentication
• Authentication is a critical part of a security system. It is part of the process referred to as identification and authentication (I&A).
• The identification process starts when a user ID or logon name is typed into a sign-on screen; authentication then verifies that the person is who the ID claims.
• Authentication methods are based on one or more of three factors: something the user knows (password or PIN), something the user has (smart card or other identification device), and something the user is (fingerprint or retinal pattern).
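The following is an added example (not from the original slides or from Pearson's materials) of how two of the three factors are actually verified by a system: something the user knows, a password stored only as a salted PBKDF2 hash and compared in constant time, and something the user has, a time-based one-time password (TOTP, RFC 6238) generated by an authenticator device. The user record, salt and shared secret are constructed sample data; the TOTP secret is the public test vector from RFC 6238, so the expected codes can be checked against the RFC.

```python
"""Two-factor authentication check: salted password hash plus TOTP.

Added example (not from the original slides). It covers two of the
three authentication factors from the table: something the user knows
(password, stored as a salted PBKDF2 hash, never in clear) and something
the user has (a TOTP code from an authenticator device, RFC 6238).
The user record, salt and shared secret are constructed sample data.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000   # slow by design: each guess costs the attacker this much

def hash_password(password, salt=None):
    """Return (salt, digest); a random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the counter is floor(time / step)."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, code, at_time=None, step=30, skew=1):
    """Accept the current code and +/- `skew` steps to absorb clock drift."""
    at_time = time.time() if at_time is None else at_time
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at_time + k * step, step), code):
            return True
    return False

# Constructed user record; enrolment would normally store these in a database.
SALT, DIGEST = hash_password("correct horse battery staple", salt=b"\x01" * 16)
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret (ASCII)

def authenticate(password, code, at_time=None):
    """Both factors must pass. Both checks always run, so a wrong password
    cannot be told apart from a wrong code by how long the login takes."""
    ok_pw = verify_password(password, SALT, DIGEST)
    ok_otp = verify_totp(TOTP_SECRET, code, at_time)
    return ok_pw and ok_otp

if __name__ == "__main__":
    now = time.time()
    print("code right now:", totp(TOTP_SECRET, now))
    print("login ok:", authenticate("correct horse battery staple", totp(TOTP_SECRET, now)))
```

The stored record never contains the password, only the salt and the PBKDF2 digest, so a stolen table forces the attacker to pay the 600,000 iterations per guess. The TOTP secret, by contrast, must be stored in a form the server can use, which is why the second factor protects against a stolen password but not against a stolen server database; a hardware token or a biometric is the stronger third-factor choice in that threat model.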
Defence Strategy cont.
Defense strategy: Description

Firewalls
• Firewall computers and software are another important method of control and security on the Internet and other networks.
• A network firewall can be a communications processor, typically a router, or a dedicated server, along with firewall software.

E-Mail Monitoring
• Internet and other online e-mail systems are one of the favourite avenues of attack by hackers for spreading computer viruses or breaking into networked computers.
• Example: set storage quotas for e-mail accounts and apply firewall rules when a user signs in to and signs out of an e-mail account.

Virus Defences (Antivirus Software)
• Antivirus software scans the computer's memory, disks and all e-mail.
• It uses a virus definition file that is updated regularly.
THE END
