Fraud Works in Mysterious Ways — What To Look for, & What To Do if You Find It
Fraud Prevention
Universal Advisor, 2004 Issue No. 1
While rapid advances in information technology have increased efficiency in the business world, they have simultaneously provided new avenues for fraud. Never before have individuals been able to perpetrate a fraud so effortlessly and reach so many people, systems, and locations. Increasingly, electronic data and the network on which it travels are the cornerstones of our businesses, but few managers have a complete understanding of these technologies and the potential for fraud they create. When fraudulent activity comes to light, many executives find their organizations ill-prepared. However, by understanding the conditions under which fraud occurs and implementing a few safeguards against internal and external fraud, organizations can significantly reduce their exposure.
The Fraud Triangle
Generally speaking, research has identified three conditions, known as the fraud triangle, that typically exist when fraud occurs:
- Pressure — In general, individuals have an incentive, or pressure, that leads them to commit fraud. The pressure may be financial, personal, or work-related in nature.
- Opportunity — Opportunity for fraud exists when employees reach a position of trust, internal controls are weak, or supervision is lacking. Good controls are a limiting factor, but persons in positions of high stature and trust can often sidestep controls.
- Rationalization — Integrity is possibly the most important factor that determines whether a person will commit fraud. Personal ethics preclude most, but not all, people from committing fraud.
Opportunities for fraud have increased significantly with the advent of new technologies and will continue to do so until management takes appropriate measures to (1) prevent computer fraud from occurring and (2) detect and discipline the perpetrators when it does.
Internal Fraud
Most computer crime is committed from within, as opportunistic, would-be criminals prey on the lack of monitoring that exists in corporate computer systems. And our wired world only makes it easier for internal fraud to occur. From the “salami slice,” where fraudsters manipulate accounting data to siphon off small amounts of money that add up to significant losses over time, to organizations zipping proprietary company information down the telephone lines to competitors, companies must be alert to the danger signs that indicate they may be victims of cyber crime.
Red flags of computer fraud and abuse include:
- Low employee morale, which may trigger abuse
- Reliance on computer enthusiasts or hobbyists to oversee computer systems
- Home-based access to company systems
- Use of simple, easy-to-guess passwords
- Infrequent changing of passwords
- Heightened after-hours or weekend activity on company systems
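The last red flag, heightened after-hours or weekend activity, is one a company can check for mechanically if it keeps access logs. The following Python script is an added example, not part of the original article: it reads a constructed set of log lines (timestamp, user, event), flags every event that falls on a weekend or outside an assumed 08:00 to 18:00 business day, and lists users whose after-hours events reach a review threshold. The log format, the business hours, and the threshold are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines for this example (ISO timestamp, user, event).
# 2004-03-01 is a Monday; 2004-03-06 and 2004-03-07 are a Saturday and Sunday.
SAMPLE_LOG = """\
2004-03-01T09:12:44 alice login
2004-03-01T17:48:10 alice logout
2004-03-02T23:15:03 bob login
2004-03-02T23:40:51 bob file_export
2004-03-06T02:05:17 bob login
2004-03-07T14:22:09 carol login
2004-03-03T08:59:30 carol login
"""

# Assumed business day; anything outside it, or on a weekend, is "after hours".
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_log(text):
    """Turn 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def is_after_hours(dt):
    """True for weekend activity or weekday activity outside business hours."""
    if dt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    t = dt.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def flag_after_hours(text, threshold=2):
    """Return (flagged_events, users_to_review).

    flagged_events keeps log order; users_to_review lists, sorted, every user
    with at least `threshold` after-hours events, so a single late login
    does not by itself trigger a review.
    """
    events = parse_log(text)
    flagged = [(dt, user, event) for dt, user, event in events if is_after_hours(dt)]
    counts = Counter(user for _, user, _ in flagged)
    users_to_review = sorted(u for u, n in counts.items() if n >= threshold)
    return flagged, users_to_review


if __name__ == "__main__":
    flagged, users = flag_after_hours(SAMPLE_LOG)
    for dt, user, event in flagged:
        print(f"after-hours: {dt.isoformat()} {user} {event}")
    print("review:", users)
```

On the sample data the script flags four events (three for bob, one for carol) and puts only bob on the review list. Run against real logs, the flagged list is the starting point for the kind of "small warning sign" examination the article recommends, not proof of wrongdoing in itself.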
If fraudulent activity is suspected, computer forensics may be necessary. It’s imperative to preserve the electronic evidence before confronting the employee because, for the contents of a computer disk to stand up as evidence in court, it must be impossible for the defense to claim that files have been tampered with. The simple act of turning on a computer can alter vital information about the data stored on it; as a result, proper steps must be taken to secure the evidence prior to confronting the employee, and appropriate security measures must be implemented after the fact to prevent the suspect from re-entering the system to alter records.
One answer is a non-invasive technique known as imaging, whereby forensic computer experts duplicate hard disks, CDs, diskettes and tapes. Imaging is the accepted method for capturing computer evidence and has proven admissible in courts of law.
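What makes an image defensible is that it is a byte-for-byte copy whose integrity can be checked later. The article does not go into the mechanics; the Python below is an added illustration, not the article's own material, of the approach forensic imaging tools take: read the source in sector-sized chunks, write an identical copy, record a cryptographic digest of what was read at acquisition time, and re-hash the copy whenever its integrity is questioned. The "disk" here is a constructed byte string standing in for a real device, and the 512-byte chunk size is an assumption.

```python
import hashlib
import io

CHUNK_SIZE = 512  # read in sector-sized chunks, as an imaging tool would

# Constructed stand-in for a small disk: a boot sector, some file data, and slack.
SOURCE_DISK = (b"BOOT" + b"\x00" * 508) + b"invoice.xls\n" * 40 + b"\xff" * 200


def hash_stream(stream):
    """SHA-256 hex digest of everything readable from `stream`, chunk by chunk."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def image_device(source):
    """Byte-for-byte copy of `source` plus the digest of exactly what was read.

    Hashing and copying happen in the same pass, so the recorded digest
    describes the bytes that went into the image, not a later re-read.
    """
    src = io.BytesIO(source)
    dst = io.BytesIO()
    h = hashlib.sha256()
    for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
        h.update(chunk)
        dst.write(chunk)
    return dst.getvalue(), h.hexdigest()


def verify_image(image, recorded_digest):
    """True when the image still hashes to the digest recorded at acquisition."""
    return hash_stream(io.BytesIO(image)) == recorded_digest


def source_matches_image(source, image):
    """True when source and image hash identically, i.e. the copy is complete."""
    return hash_stream(io.BytesIO(source)) == hash_stream(io.BytesIO(image))


if __name__ == "__main__":
    image, digest = image_device(SOURCE_DISK)
    print("acquisition digest:", digest)
    print("image verifies:", verify_image(image, digest))
    # A single flipped byte, such as a modified timestamp, is enough to fail verification.
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    print("tampered image verifies:", verify_image(bytes(tampered), digest))
```

The digest recorded at acquisition is what an expert later produces to show the image has not changed; any single-byte difference, whether from tampering or from a faulty copy, yields a different digest and the comparison fails.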
External Fraud
In today’s fast-paced technology environment, would-be hackers abound. Corporate e-mail, company Web sites, and even critical business applications are targets. While some externally generated attacks are merely nuisances, recent incidents have proven crippling to businesses.
As difficult as it is to prevent hacking, it’s harder still to find the perpetrator after the fact. For this reason, good security practices such as changing passwords frequently, firewalls, regular software updates, and security reviews are essential. In addition, expert advice and security measures are crucial to guard against criminals or industrial spies who might try to break into a company network from the outside.
Best Practices
The following steps will help minimize the risk of falling victim to computer fraud:
- Implement a systematic approach to common-sense IT protection, starting with a professional security review that can either be overt (taking a critical, analytical look to identify where weaknesses exist) or covert (if there are existing suspicions of misuse).
- Remain alert to any red flags that surface — even seemingly small policy violations or staff with too much control. Examining small warning signs now is easier and less costly than investigating a larger problem later.
- Monitor, review, and update internal controls and security procedures on a regular basis.
- Employ trained IT professionals. Computer enthusiasts or hobbyists are not adequate substitutes.
- Never attempt to investigate suspected computer crime without the involvement of expert assistance.
The Best Defense
Advances in technology are changing the way small and medium-size companies operate. A well-thought-out system of internal controls and security measures designed to prevent abuses, coupled with proactive detection and punishment of actual incidents, is a company’s best line of defense against computer fraud in our wired world.