Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Fraud Examination, 4E Chapter 17: Fraud in E-Commerce
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives Understand e-commerce fraud risk. Take measures to prevent fraud in e-commerce. Detect e-business fraud.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Pressures to Commit E-commerce Fraud Dramatic growth, which has created tremendous cash flow needs. Merger or acquisition activity, which creates pressures to “improve the reported financial results.” Borrowing or issuing stock, additional pressures to “cook the books.”
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk New products, which require intensive and expensive marketing and for which an existing market does not yet exist. Unproven or flawed business models, with tremendous cash flow pressures.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Opportunities to Commit E-commerce Fraud New and innovative technologies for which security developments often lag transaction developments. Complex information systems that make installing controls difficult. The transfer of large amounts of information, a factor that poses theft and identity risks such as illegal monitoring and unauthorized access.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Removal of personal contact, which allows for easier impersonation or falsified identity. Lack of “brick-and-mortar” and other physical facilities that facilitate falsifying Web sites and business transactions. Inability to distinguish large and/or established companies from new and/or smaller companies, making it easy to deceive customers by falsifying identity and/or business descriptions.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Electronic transfer of funds, allowing large frauds to be committed more easily. Compromised privacy, which results in easier theft by using stolen or falsified information.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Rationalization to Commit E-commerce Fraud The perceived distance that decreases the personal contact between customer and supplier. Transactions between anonymous or unknown buyers and sellers—you can’t see who you are hurting. New economy thinking contends that traditional methods of accounting no longer apply.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Risks Inside an Organization Data theft Social engineering Sniffing Wartrapping Vandalism Employee laptops
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. E-commerce Fraud Risk Risks Outside an Organization Computer viruses Spyware Phishing Spoofing Falsified identity Database query (SQL) injections Bust-out and Web visits
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce In e-business settings, reducing pressures and eliminating rationalizations has thus far proved difficult. Security Through Obscurity Keeping security holes, encryption algorithms, and processes secret in an effort to confuse attackers. Experience shows that obscurity only heightens the challenge to a hacker!
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce One of the best ways to prevent fraud in an e-business settings is to focus on reducing opportunities, usually through the implementation of appropriate internal controls. Internal controls involve five different elements: (1) The control environment (2) Risk assessment (3) Control activities or procedures (4) Information and communication (5) Monitoring
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce The following are the most important components of the control environment: Integrity and Ethical Values Board of Directors and Audit Committee Participation Management’s Philosophy and Operating Style Human Resources Policies and Practices
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Risk Assessment Identifies the risks of doing business with e-business partners Focuses on the control environment of business partners Identifies the risks involved in electronic exchange or information and money Intrusion detection
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Control Activities Adequate separation of duties Proper authorization of transactions and activities Adequate documents and records Physical control over assets and records Independent checks on performance
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Adequate Separation of Duties Make sure individuals who authorize transactions are different from those who actually execute them. Doing so prevents the most common fraud in purchasing: kickbacks and bribery.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Proper Authorization of Transactions and Activities Passwords Firewalls Digital signatures and certificates Biometrics
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Adequate Documents and Records Electronic Documents: sales invoices, purchase orders, subsidiary records, sales journals, employee time cards, checks, etc. In e-commerce, additional controls must be put in place. Encryption
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Physical Control over Assets and Records Three categories of controls protect: IT equipment Programs Data Files Physical controls are used to protect computer facilities.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Independent Checks on Performance Organizations should always conduct checks on their e-business partners (Dun & Bradstreet reviews, full-fledged investigations)
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Preventing Fraud in E-commerce Understand the management or business partners and what motivates them. Three items : Backgrounds Motivations Decision-making influence-must be examined.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Detecting E-commerce Fraud Data-driven Fraud Detection Endeavor to understand the business or operations of the organization Identify what frauds can occur in the operation Determine the symptoms that the most likely frauds would generate Use databases and information systems to search for those symptoms
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Detecting E-commerce Fraud Analyze the results Investigate the symptoms to determine if they are being caused by actual fraud or by other factors
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Detecting E-commerce Fraud Technical Knowledge and Experience It is extremely important for fraud investigators who specialize in e-commerce to understand the tools and methods that perpetrators use.
Albrecht, Albrecht, Albrecht, Zimbelman © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Detecting E-commerce Fraud Web-servers clients and servers Intrusion programs (nmap, Airsnort, Wireshark, etc.) Unix Perl, Python, Ruby and Bash scripting languages