Computer Fraud: Analyzing Perpetrators and Methods
By Harold E. Davis and Robert L. Braun
Robust economic growth carries with it the potential for corruption. Evidence that this potential has become reality for many businesses can be found in a 2003 survey by the Computer Security Institute, which showed that 56% of businesses reported some form of unauthorized use of their computer systems. The same technology that is driving greater productivity is also facilitating large-scale fraud. The increasing number of technologically skilled individuals accessing a company’s computer system increases the system’s vulnerability to attack from within and without.

General federal laws have been used to prosecute many computer-related crimes; however, these laws are difficult to apply to some computer-related offenses. The most notable antifraud law specifically addressing computer crime is the Computer Fraud and Abuse Act (CFAA). The original focus of the CFAA, enacted in 1984, was to provide legal recourse against hackers who accessed government and financial-industry electronic data without authorization. Subsequent amendments, up to and including the 1996 amendment, have broadened the CFAA’s scope to include computers “used in interstate or foreign commerce or communication.” Penalties provided in the CFAA include fines and imprisonment up to a maximum of 20 years.
Case Analysis
Analyzing cases tried under the federal laws presents an opportunity to learn about the perpetrators of computer fraud and their methods of operation. Press releases regarding completed and ongoing cases of computer fraud can be found at the Department of Justice website (www.cybercrime.gov/cccases.html). A total of 50 cases between 1999 and 2002 were analyzed.
Perpetrators. Exhibit 1 presents information regarding the perpetrators involved in the cases. The perpetrators are subdivided into two main types: unauthorized users and authorized users. Authorized users are those who, at the time of the fraud, had been granted authorization to use the system for some legitimate purpose. Unauthorized users are those who had not received such authorization, or whose authorization had been revoked, but who were still able to gain access.
As Exhibit 1 shows, unauthorized users represented the largest group. Approximately two-thirds were hackers who preyed on weaknesses in security to gain unauthorized access and commit fraud. The “former employees” category refers to cases where the actual crime took place after the employee was released from the company. Often, being laid off or terminated serves as the motivation for computer crime. In general, former employees perpetrated their fraudulent acts by entering the computer system with authentication information (e.g., username and password) that they had used as an employee, that a current employee gave them, or that belonged to a current employee and was known to the perpetrator without that employee’s knowledge. In each of these variants the entry point is the same: a credential that remained valid after the employment relationship ended. A “logic bomb” is another tool used by employees who realize that they are about to be fired. Destructive code is inserted into the employer’s software and lies dormant until a triggering event occurs or a period of time passes. Once triggered, the code executes its payload, which may delete software or data.
Authorized users made up more than one-quarter of all fraud perpetrators. Employees formed the major portion of this group. In these cases, employees either exceeded or abused their authorized level of system access and committed some form of fraud. Half of these employee-related cases involved the copying of sensitive internal information about a customer or client (e.g., credit card or other financial information).
Fraud classification. The article “Computer Fraud—What Can Be Done About It?” (The CPA Journal, May 1995) presented a taxonomy that identified the following five types of computer fraud:
- The alteration or copying of system input.
- The theft of processing capabilities due to unauthorized use.
- The unauthorized duplication, deletion, modification, or installation of software.
- The unauthorized duplication, deletion, or modification of data.
- The theft or misuse of system output.
Based on the taxonomy presented above, all of the cases were analyzed to see which type or types of computer fraud were perpetrated, and which areas of the computer system may be more at risk for fraudulent activity. Exhibit 2 shows the cases organized by fraud category.
Data fraud was the most common type of fraud, and the copying or modification of data was the most common subcomponent of this category. Within this subcomponent, credit card numbers, other financial information, and system access information (usernames and passwords) were the most common types of data copied. The second most common type of fraud was software fraud; the installation or modification of software was the most prevalent subcomponent. This subcomponent requires a relatively high level of technical expertise. As a result, the perpetrators in this group were those with technical expertise (e.g., hackers and systems administrators), hackers being the most prevalent. The effects of the unauthorized modification or installation of software included the copying of usernames and passwords, the deletion of data or software, the storage and use of files by hackers on the compromised system, and the activation of a virus that rendered a system inoperative for several days.
The remaining types of computer fraud were theft of computer time, input fraud, and output fraud. Theft of computer time involved denial-of-service attacks and the unauthorized use of processor resources to run hacker programs. Input fraud included creating false documents and using keylogging software to record the input keyed into a system. Output fraud was the least common type found in the cases reviewed; sending unauthorized e-mails containing intentionally false information was the method most used in the prosecuted output cases.
Other results. Exhibit 3 presents other information related to the cases. First, the average age of a perpetrator was 29, and the average time between the initial perpetration of the fraud and the date the perpetrator was charged with a crime was 14 months. Second, the vast majority of the cases (81%) ended in a guilty plea rather than a guilty verdict after trial. This may reflect the increased efforts and expertise of the FBI and the Computer Crime and Intellectual Property Section of the Department of Justice in combating these activities. Third, the average prison term was 23 months. Some sentences also included a 36-month supervised release following the prison term or, less often, home confinement lasting between three and 24 months. Only a few cases involved probation in lieu of prison time. The range of fines was wide, from $4,000 to $7.9 million; the average fine was $401,000 and the median fine was $46,000. Many sentences also restricted the perpetrator’s computer use, effectively increasing the financial penalty by limiting employment alternatives.
Recent Changes in Federal Legislation
The USA Patriot Act in 2001 amended the CFAA to give prosecutors a broader scope in computer fraud cases. While this amendment became law in October 2001, its effects in actual court cases will take time to become evident.
Changes attributable to the act include the following:
- A broader definition of the term loss to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.”
- The inclusion of failed attempts to damage a computer by means of the transmission of a computer program, code, command, or other information as computer fraud.
- The inclusion of activity from “a computer located outside of the United States that is used in a manner that affects interstate or foreign commerce or communications of the United States.”
Recommendations
Most potential solutions start with improving the control environment. The control environment is the tone of the organization; it influences the attitude of its people toward controls and risk. The control environment affects computer security in a myriad of ways. For example, proper assignment of authority and responsibility can reduce the opportunity and the ability to rationalize fraud. Corporate attitude toward personnel management issues can have a direct effect on the control activities over hiring and firing of employees, activities closely associated with computer system vulnerability. Perhaps the most important control environment factor is the attitude toward integrity and ethics throughout the organization. An organization that communicates and supports its commitment to integrity will create an environment hostile to fraud.
Another way organizations can create an environment hostile to computer fraud is to prosecute fraud perpetrators. Prosecution, however, may not be the first choice for many businesses. Common reasons why organizations do not take legal action include a fear of bad publicity, high legal costs, and the desire for a timelier resolution than the courts can provide. Even so, businesses must weigh the costs and benefits of prosecution, specifically the deterrent effect of prosecuting perpetrators and the impact on the control environment.
Unauthorized users. Under the umbrella of the control environment, more specific control procedures can and should be put in place to combat the particular types of fraud identified above. For threats arising from unauthorized users, quality access controls over software and hardware are paramount. A key consideration in developing such controls is to grant access to system resources only to those who need it to fulfill their job responsibilities (least privilege). Another key is to block access by unauthorized individuals through effective authentication policies, firewalls, and antivirus software. Additionally, general awareness of system vulnerability and the reporting of concerns should be the responsibility of all employees. One or more specific employees, however, should be responsible for continuously tracking newly disclosed security flaws in the organization’s software and hardware and for applying patches or other corrective action.
Controls over hiring and firing practices can also help prevent unauthorized access by former employees. Improvements in hiring practices can be a cost-effective means of preventing losses attributable to former employees and of reducing the need for involuntary termination. While background checks are valuable for all new hires, they are crucial for employees with access to sensitive information and information technology resources. Furthermore, as employees are promoted to new levels of responsibility, additional background checks should be considered. When termination is necessary, companies should immediately disable or delete all of the affected employee’s accounts and credentials, consider requiring that coworkers of the terminated employee change any access information the employee may have known, and make efforts to inform all current employees of the termination. Shared passwords and credentials embedded in scripts or service accounts belong in this review as well, since an individual’s account can be disabled while a shared credential the employee knew lives on. Additionally, companies should consider reviewing, prior to their departure, the activities of employees whose positions require technical computer expertise and a high level of system access (e.g., systems administrators, software developers). In a few of the analyzed cases, these types of employees inserted or modified code so that files would be deleted after their departure. Companies or government agencies that hire consultants should ensure that the consulting firm has similar controls over the hiring and firing of its employees with system access privileges. The consultant’s control procedures should include the immediate deletion of access information to the client’s system and notification to the client and other employees that the person is no longer associated with the firm.
Authorized users. Better control over authorized access can be achieved through enhanced system access monitoring. Most operating systems and software packages can log access to sensitive files, recording when a file was accessed, who accessed it, and what type of activity was performed. Abnormal access patterns may indicate fraudulent behavior (e.g., an employee on vacation who accesses a file, or a file copied outside of business hours). Additionally, these logs can be a valuable source of evidence if fraud occurs and the company decides to prosecute the perpetrator, provided they are stored where the monitored users cannot alter them and are actually reviewed rather than merely collected.
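The two recommendations above (revoking a departing employee’s access, and reviewing access logs for abnormal patterns) can be checked mechanically. The following is an added example written for this page, not code from the article or from any product it mentions: a small rule-based review that reads a file-access log against an HR roster and flags the patterns the case analysis describes. The log format, the roster structure, the business-hours window, the path prefixes, and every user name and event are constructed assumptions for the example.

```python
# Added example: rule-based review of a file-access log against an HR roster.
# Log format, roster layout, paths and user names are constructed for this
# example (assumptions), not taken from the article or any real system.
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # e.g. READ, COPY, MODIFY, INSTALL
    path: str


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    event: Event


# Constructed sample log, one event per line: "<ISO timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2002-03-04T09:12:00 jsmith READ /finance/cards/batch_0304.csv
2002-03-04T22:47:10 jsmith COPY /finance/cards/batch_0304.csv
2002-03-05T10:03:44 mlee READ /hr/payroll.xls
2002-03-06T11:30:02 rgarcia MODIFY /bin/login
2002-03-07T03:15:00 tnguyen READ /finance/cards/batch_0306.csv
"""

# Constructed HR roster: who is active, who is on leave, who was terminated.
SAMPLE_ROSTER = {
    "jsmith":  {"status": "active"},
    "mlee":    {"status": "active", "leave": ("2002-03-01", "2002-03-10")},
    "rgarcia": {"status": "terminated", "terminated_on": "2002-03-01"},
    "tnguyen": {"status": "active"},
}


def parse_line(line: str) -> Event:
    ts, user, action, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), user, action, path)


def flag_events(log_text: str, roster: dict,
                business_hours: tuple = (time(7), time(19)),
                sensitive_prefixes: tuple = ("/finance/", "/hr/"),
                software_prefixes: tuple = ("/bin/", "/usr/")) -> list:
    """Return one Finding per rule an event trips (one event may trip several)."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        rec = roster.get(ev.user)
        if rec is None:
            # Account with no HR record: orphaned, shared, or fabricated.
            findings.append(Finding(ev.user, "account not in HR roster", ev))
            continue
        if (rec["status"] == "terminated"
                and ev.ts.date() >= date.fromisoformat(rec["terminated_on"])):
            # A credential that should have been revoked at termination.
            findings.append(Finding(ev.user, "terminated employee still has access", ev))
        leave = rec.get("leave")
        if leave:
            start, end = (date.fromisoformat(d) for d in leave)
            if start <= ev.ts.date() <= end:
                findings.append(Finding(ev.user, "access while on leave", ev))
        sensitive = ev.path.startswith(sensitive_prefixes)
        in_hours = business_hours[0] <= ev.ts.time() < business_hours[1]
        if sensitive and not in_hours:
            findings.append(Finding(ev.user, "sensitive file accessed outside business hours", ev))
        if sensitive and ev.action == "COPY":
            # Copying customer or financial data was the most common insider act.
            findings.append(Finding(ev.user, "sensitive data copied", ev))
        if ev.path.startswith(software_prefixes) and ev.action in ("MODIFY", "INSTALL"):
            # Software modification/installation: the high-expertise category.
            findings.append(Finding(ev.user, "software modified or installed", ev))
    return findings


if __name__ == "__main__":
    for f in flag_events(SAMPLE_LOG, SAMPLE_ROSTER):
        print(f"{f.event.ts:%Y-%m-%d %H:%M} {f.user:8} {f.reason}: "
              f"{f.event.action} {f.event.path}")
```

Run against the constructed sample, the review produces six findings: the terminated account still in use (and modifying a system binary), the on-leave employee reading a payroll file, the late-night copy of card data, and an off-hours read of the same kind of file. The normal business-hours read by an active employee produces nothing. The rules are deliberately simple; what matters is that the roster comes from HR and the log from a system the monitored users cannot edit, so that the two sources can be compared independently.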
Harold E. Davis, DBA, CPA, is an assistant professor and Robert L. Braun, PhD, CIA, is an associate professor of accounting, both at Southeastern Louisiana University.