13
Cybercrime: Fraud in a Digital World

Cryptocurrencies are an electronic money movement and payment system. While available since at least 2009, cryptocurrencies, led by huge increases in value, really broke into the eye of the public in 2017. The 2017 cryptocurrency movement was grounded in ICOs (Initial Coin Offerings). ICOs are a means of funding a business venture by issuing a cryptocurrency rather than traditional angel, venture, or some other form of investment capital.

In general, the investment process is as follows: the cryptocurrency is issued to the investor and the issuer collects cash for operations and investment. Such an approach to raising money allows the issuer to avoid regulations and the processes required to register investments. In 2017, ICOs went from being a relatively unknown fundraising method used in the blockchain community to raising over $4 billion. Because investors hold currency rather than ownership shares, the issuer has few (legal) obligations to those receiving the cryptocurrency.1

Jordan Underhill, ACFE Research Specialist, J.D., CFE, likens some of the smaller cryptocurrency offerings to “penny stocks.” As such, they are subject to abuse via schemes similar to pump and dump. While the funded organization gets its cash flow, the holders of the cryptocurrency are left with little to no legal protection. According to Underhill, forensic accountants and fraud examiners need to have some sense of how cryptocurrencies and ICOs work. Underhill suggests that rather than the professional perceiving cryptocurrency as a new scheme, it is better understood as a new tool to perpetrate old schemes.

Over time, blockchain, the technology underlying Bitcoin and other cryptocurrencies, could potentially have many uses and may even help to prevent fraud by better tracking the flow of money. As such, antifraud and forensic accounting professionals should expect to encounter these technologies during their careers.2

The role of technology as it relates to fraud, financial crime, and other bad acts can seem a bit overwhelming. At the same time, technology offers additional tools such as big data, financial analytics, robotic process automation, and artificial intelligence that can facilitate efficient and effective prevention, detection, and deterrence. Further, it is important for FAFE professionals to understand current technology, cyber threats, and antifraud efforts in this complex and dynamic space.

In this chapter, we examine these topics across several modules. Those modules, along with the learning objectives, include the following:

  • Module 1 provides an overview of the digital environment, including the availability and trends to switch to a currency-less society. The objective for module 1 is for readers to understand and articulate the many threats in the digital environment; the goal is for readers to better prevent, deter, and detect bad acts in the digital world.
  • Module 2 dives deeper into the types of threats, including fraud, that participants who embrace digital activities (such as social media, e- and m-commerce, and other new technologies) may face. The goal of module 2 is for readers to be aware of, and alert for, potential threats encountered as digital citizens.
  • Module 3 examines cyberfraud. The learning outcomes for module 3 include the ability to identify major categories of cyberfraud and evaluate organizational and individual risks.
  • Module 4 considers complex fraud and financial crimes in cyberspace. Readers may recall from prior chapters that complex fraud often involves collusion and offenses in multiple jurisdictions. The objective of module 4 is for the reader to examine cyberfraud and other financial crimes, such as money laundering, in a complex and international context.
  • Module 5 reviews one of the primary means of reporting cyberfraud and other digitally based crimes. In some cases, local law enforcement may not have the requisite knowledge, skills and abilities, or the jurisdiction, to effectively and efficiently examine bad acts in a digital environment. In the United States, the Internet Crime Complaint Center (IC3), among other federal agencies, may be the best point of contact for information and reporting. The goal of module 5 is for readers to identify resources when facing cyber threats and incidents.

Module 1: The Digital Environment

Nick Tranto, Headquarters Excise Tax Policy Manager for the Internal Revenue Service (retired), describes three eras of fraudulent activity. He refers to the first era as the “Paleolithic Era.” In this era, fraudulent criminal activity centered on cash, laundering cash, and evading taxes. Organized criminal activities and creative fraud schemes also usually involved other illegal activities, such as alcohol, gambling, prostitution, guns, and drugs. These activities became large scale in the 1920s and 1930s due to prohibition of the distribution and sale of alcoholic beverages. Many were orchestrated by individuals ranging from small-time thugs to “the mob” and evoke images of Al Capone and Hollywood characters, such as those in The Godfather, Goodfellas, and The Untouchables. The primary problem was the need to handle large amounts of cash generated from the illicit and illegal activities, as well as bribes and kickbacks to keep elected officials and law enforcement from scrutinizing the activities too carefully. Some of the early and more creative money laundering schemes were developed during this time and a fundamental goal was to evade taxes.

The second major era started in the 1960s, and Tranto describes this period as the “Neolithic Era” of organized criminal operations and the sophisticated predator fraudster. At this point in time, bad actors discovered that “an accountant with a sharp pencil could steal more than twenty criminals armed with guns.” Many of the perpetrators were first-generation college graduates and sons of mobsters (SMOB). Tax evasion and money laundering continued to be the major focus of the organized criminal activities. The structure, however, included more traditional organizational forms, such as legitimate casino businesses, other cash-heavy businesses, and the interaction between legitimate and illegitimate business activities. The proceeds from these activities could be concealed and then made available for the perpetrators to use openly because of seemingly legitimate business fronts. This arrangement was, to some degree, a reaction by the bad actors to more sophisticated law enforcement investigation methods, improvements in the judicial system, and a greater intolerance by society for blatant deviant behavior. These changes put pressure on individuals with bad intentions to better conceal their illegal activities so they could fit into society as “upstanding citizens.”

Mr. Tranto describes the third period as the “Geek-olithic Era.” In the third era, cash generated from illegal activities is still a primary problem. But in the Geek-olithic era, smart individuals with questionable ethics became significant fraud perpetrators. The bad actors now include computer specialists, attorneys, MBAs, Wall Street professionals, and others who use tools and techniques, such as offshore bank accounts, Internet servers, jurisdictional barriers to enforcement, and technology to move and hide billions of dollars. Once money appears to be legitimate (laundered), it is then able to be moved and used, as if it came from legitimate sources. In addition, more creative fraud schemes were created, and the use of technology often became integral to the act, the concealment, and the conversion. In the Geek-olithic era, investigators need to use digital tools and techniques for data extraction and analysis to catch the crooks. The complexity of the schemes often demands the ability to connect seemingly disparate activities and financial transactions to businesses and organizations located around the world. Without technological resources, the investigator’s effectiveness can be greatly diminished. In short, because the bad actors have made computers integral to their crimes, investigators need to arm themselves with the same tools to level the playing field.

Assume, for example, that a drug dealer on a neighborhood street corner hands over drugs to a customer and the customer pays for the contraband by “zapping” money from his Internet-connected cell phone to the dealer’s cell phone. The police observe the transaction and approach the dealer. The dealer, perceiving the approach of the police, ejects a memory card from his phone and drops the useless cell phone in the closest sewer, tucking the tiny memory card into his pocket. By the time the police grab the suspect, all evidence is gone except for a tiny memory card that the police confiscate; they have no idea what it contains and cannot access it because of encryption. The Geek-olithic perpetrator—from the small-time but electronically savvy neighborhood dealer to the well-organized, international Internet scammer—presents new and challenging problems for law enforcement and other investigators. In our tech-savvy world, data exists in many forms and places, but it requires a targeted approach and an embrace of technologically based investigative solutions.

Cybercrime, in the “Geek-olithic Era,” usually describes criminal activities in which a computer or network of computers is an integral part of the crime. Examples include spamming, theft of electronic intellectual property, unauthorized access (e.g., defeating access controls), malicious code (e.g., computer viruses), denial-of-service attacks, theft of service (e.g., telecom fraud), and computer-based investment and other financial frauds. Some cybercrimes, such as the Nigerian cash transfer e-mails and other e-mail scams, are grounded in the gullibility (social engineering) of the victim. Other cybercrimes include hacking, “phishing,” identity theft, child pornography, online gambling, securities fraud, cyberstalking, theft of trade secrets, and industrial or economic espionage. Some cybercrimes, such as “information warfare,” have national security implications. Thus, cybercrime includes a blend of traditional crimes and newer derivations in which computers or networks are used to facilitate, conceal, and generate benefits to the perpetrator of the illicit activity.

As an example of the use of cyberspace to advance nefarious activities, according to Gangbangers Invade Cyberspace, by Steve Macko, ENN Editor, cyberspace is now

a place for gang members to exchange ideas on how to improve drug sales, what’s the best gun to use to shoot your business rivals and what are the best drugs to use in your spare time? … all of that and more can be found on the Glock3 website. This site is said to link members of street gangs from around the world, from ’Lil Shorty’s Click in London to the Gangster Disciples in Chicago to the West Side Crips in Phoenix. Experts say that the site provides a virtual “how-to” for wannabe street gang members.

Another way to describe cybercrime is criminal activity involving information technology infrastructure, including unauthorized asset destruction, file and software deletion, service attacks that result in deterioration, alteration, or suppression of computer data, and unauthorized use of devices. Personal computers, computer systems and digital devices that capture and process electronic data are powerful, small, inexpensive, and user-friendly. As computers and digital technology have advanced, electronic devices have proliferated in society, businesses, and in our everyday lives. Modern business, government, and other organizations, including criminal enterprises, depend on computer systems to support their operations.

Initially, transactions captured and processed by computer systems had hard copy supporting documentation. If computer storage was lost or destroyed, or data was damaged, transactions could be reconstructed from physical forms and documents. In today’s environment, the computer is integrally embedded in most business and government processes and less hard copy backup exists. Computers have invaded almost every aspect of our lives, including tax return processing, electronic calendars and contact lists, cooking recipes, robotics, budgeting, automobile operations, weapons systems, law enforcement systems, and automated teller machines (ATM). More and more people around the globe rely on computers and digital devices in their everyday lives. As businesses, government agencies, and individuals become increasingly dependent on digital devices, so do those with criminal intentions. Individual criminals and criminal enterprises use computers to support their illegal operations for everything from facilitating the movement of cash around the world to real-time communications through e-mail, text messaging, and disposable cell phones. Cybercrime and computer and Internet frauds are increasing in frequency and size, and this trend is likely to continue. More computers, and thus criminals, are networked internationally, giving global access to cybercriminals.

The Role of Digital Devices in Cybercrime

Computer crime is an illegal offense that is committed where the computer or electronic data device is integral to the criminal act. In this context, “computer” has a broad definition and can mean personal computer, notebook, tablet, iPad, smartphone, or any other digital device that has software installed. Consider the Internet of Things (IoT): Even home appliances, HVAC controls, and other smart home devices have software and computer-like characteristics and can be operationalized for bad acts. The computer, no matter how it is defined, has several roles in high-tech crime, both as a tool and a target. According to Donn B. Parker, a cybercrime authority and author, the function of the computer in crime is fourfold, as an object, a subject, a tool, and a symbol.

  • The Computer as an Object—Computers and network systems are themselves often objects or targets of crime, subject to physical sabotage, theft, or destruction of information.
  • The Computer as a Subject—Computers can be the direct subjects of crime when technologists use the computer to commit a crime. This category includes virus attacks, illegal access, etc.
  • The Computer as a Tool—Computers can be integral to the act, the concealment, and the conversion associated with a fraud or financial crime when the electronic device is used to commit a crime, whether embezzlement, theft of proprietary information, or hacking.
  • The Computer as a Symbol—Computers lend fraudsters an air of credibility and are often used to deceive victims into investment, pyramid, and other “traditional” fraud schemes that have been adapted to the digital environment.

Some common examples of computer crimes include:

  • Data alteration
  • Unauthorized access and entry to systems and information
  • Reading another’s e-mail without permission
  • Data destruction and sabotage
  • Internet consumer fraud
  • Sale of proprietary data
  • Desktop counterfeiting
  • Data extortion
  • Disclosure of confidential data
  • Identity theft
  • Electronic letter bombing
  • Software piracy
  • Voice mail fraud
  • Cellular telephone fraud

Computer Fraud versus Computer Crime

Two terms that are commonly used interchangeably are computer fraud (and financial crimes) and computer crime, yet substantial differences exist between them. First, computer-based fraud and financial crimes are any defalcation, fraud, or financial crime accomplished by tampering with computer programs, data files, operations, equipment, or media, and resulting in losses sustained by the organization whose computer system was compromised. One of the distinguishing characteristics of computer-based fraud is that access occurs with the intent to execute a fraudulent scheme or financial criminal act.

Historically, in the early 1980s, law enforcement agencies faced the dawn of the computer age with growing concern about the lack of criminal laws available to fight emerging computer crimes. Although wire and mail fraud provisions of the federal criminal code were capable of addressing some aspects of computer-related criminal activity, neither entirely addressed the new computer-based crimes. In response, Congress included provisions in the Comprehensive Crime Control Act of 1984 to address unauthorized access and use of computers and computer networks.3 The Act made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories stored in a financial institution or to trespass into a government computer. The 1984 Act was updated and improved in 1986 when Congress enacted the Computer Fraud and Abuse Act (CFAA). In the CFAA, Congress limited federal jurisdiction to cases with a compelling federal interest—that is, where computers of the federal government or certain financial institutions were involved, or where the crime itself is interstate in nature. Some of the other provisions included those:

  • To penalize the theft of property via computer that occurs as a part of a scheme to defraud;
  • To penalize those who intentionally alter, damage, or destroy data belonging to others; and
  • To criminalize the trafficking of passwords and similar electronic access items.

These Acts have been regularly updated into the 2000s to ensure that the statutes continue to respond to current trends and techniques of computer-based criminal acts and give law enforcement the tools necessary to fight computer-based crimes, fraud, and financial crimes.4 Computer-based fraud statutes and laws have established two very important principles:

  1. Most statutes explicitly define computer-based terminology that is to be used in a legal context when enforcing the statute. These statutes allow the prosecutor to avoid having to explain to the jury technical “computer jargon” and its inexact fit with common law enforcement terminology.
  2. Most statutes create the illegal offense grounded in the proof of access associated with a particular intent to commit an illegal act. Thus, success in carrying out the act (e.g., stealing property (money) through a fraud act) does not have to be proven. For example, tracing cash flows (proceeds) can be difficult without paper records and unauthorized (illegal) computer access may be the only provable event.

In short, most jurisdictions have defined computer fraud as an “attempt crime.” By viewing the computer as a protected asset, the protection is independent of the actual loss to the owner as a result of the intrusion.

In contrast to computer fraud, computer crime is defined as an act where the computer hardware, software, or data is altered, destroyed, manipulated, or compromised due to acts that are not intended. Generally, computer crime differs from computer fraud in at least three major ways:

  1. Employees who, as a part of their assigned duties and responsibilities, have access to the computer systems are deemed to have authorized access. As a result, those with authorized access cannot fall under statutes that address computer fraud (outlawing unauthorized access), even if their actions subsequent to access are judged illegal. Individuals with some authorized access but who exceeded that authorization can be prosecuted under computer-based fraud statutes. Thus, “without authorization” generally refers to intrusions by outsiders or those with no access, but some courts have also applied the term to intrusions by insiders who access computers other than the computer they are authorized to use, intrusions by insiders acting as agents for outsiders, and intrusions by insiders who violate clearly defined access policies.
  2. The manipulation, alteration, or destruction of data (including computer software) is considered independent of computer-based fraudulent schemes.
  3. Because data are intangible, the destruction or compromising of the integrity of computer data does not fall under vandalism statutes.

As a result of the preceding discussion, computer-based fraud and financial crimes are technically not “computer crimes” but often involve the use of computers as a means to break the law. In some cases, traditionally illegal acts can yield more ill-gotten gains by utilizing the speed, power, and global access of computers, other digital devices, and their users. A more apt term may be computer-assisted crimes. In such cases where traditional frauds and financial crimes are facilitated through the incorporation of electronic devices, existing criminal laws can be applied to the acts. The main benefit of the computer fraud and computer crime statutes, however, is derived when proving traditional crimes is difficult because the evidence of such acts has been destroyed electronically. In such cases, computer fraud and computer crime laws are invaluable as an alternative method of prosecution.

Losses or Other Damages Related to Computer Crimes

The most common types of losses associated with computer crimes are economic. Economic losses may include:

  • Cost to respond to the damage caused by the perpetrator
  • Damaged equipment
  • Restoration of data or programs
  • Wages of employees for remediation
  • Lost sales and incremental profit
  • Lost productivity
  • Harm to reputation or goodwill
  • Other reasonable costs associated with the act

Nevertheless, the economic losses generally do not include costs associated with assisting law enforcement. Of the various losses, the most common definition of economic loss is any reasonable cost to any victim, including the cost of responding to the illegal act, conducting a damage assessment, and restoring data, programs, systems, or information to its original condition and any revenue and incremental profits lost, incremental costs incurred, or other consequential damages incurred.

Costs to make a system better or more secure than it was prior to the intrusion may not qualify as “reasonable” in many cases. In general, the cost of installing completely new security measures “unrelated to preventing further damage resulting from [the offender’s] conduct” should not be included in the loss total. Thus, the types of losses considered by the courts “have generally been limited to those costs necessary to assess the damage caused to the plaintiff’s computer system or to restore the system.” Losses also include, for example, lost advertising revenue or lost sales and profits due to an electronic interference and the payroll of company employees who are unable to work due to a computer shutdown. Fraud and forensic accounting professionals need to think critically and creatively about what types of harm in a particular situation meet this standard, and work with victims to measure and document the losses. At least one court has held that damage to a company’s reputation and goodwill as a consequence of an intrusion might properly be considered a loss for purposes of alleging harm.

In addition, federal statutes also address four cases of “special losses”:

  1. An actual or potential effect on medical care
  2. Physical injury to a person
  3. Threat to public health or safety
  4. Damage to a computer related to the administration of justice, national defense, or national security.

The first special loss is related to the “modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment or care of one or more individuals.”5 This provision provides strong protection to the computer networks of hospitals, clinics, and other medical facilities because of the importance of those systems and the sensitive data that they contain. This type of special harm does not require the victim to show any financial loss. The evidence only has to show that at least one patient’s medical care was at least potentially affected as a consequence of the intrusion.

The second special loss occurs when the damage to a computer causes “physical injury to any person.”6 Computer networks control many vital systems in our society. Examples include traffic signals, air traffic control, and 911 emergency telephone services. The disruption of these computers could directly result in physical injury. Generally, so long as there is a reasonable connection between the damaged computer and the physical injury, the perpetrator can be held accountable for those physical injuries that result from their illegal actions associated with computer access or other computer crime.

The third special loss includes threats to public health or safety, a concept that closely aligns to physical harm discussed above. The key word is “threat” to public health or safety. In these cases, the prosecution is not required to demonstrate actual physical harm, only the threat to a person or persons. This aspect of loss addresses a wider array of government-type services such as electricity transmission, gas distribution, water purification, nuclear power, and transportation systems. Damage to the computers that operate and control these systems and associated safety mechanisms can create a threat to the safety of many persons. Such statutes have broad implications for perpetrators who disrupt services to the general public.

The final special loss category addresses computer compromises that affect “a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.”7 The “administration of justice” aspect includes courthouse computers and systems operated by federal, state, and local law enforcement, prosecutors, and probation officers. Similarly, computers used “in furtherance of national defense or national security” are generally operated by the armed services and the Department of Defense. Normally, the statute is broad enough so that computers owned and operated by a defense contractor, for example, could arguably involve national security implications.

International Aspects of Computer Crime

With the explosive growth of computer, digital, and mobile use around the globe and more people gaining access to and using the World Wide Web, technologically based frauds and financial crimes are increasingly likely to have international dimensions. In most cases, the legal environment for digitally based crimes is different in every country. Consequently, identifying, locating, and extraditing suspects from another country poses additional challenges. Finally, due to differing privacy rights of individuals in the various jurisdictions of the world, securing electronic evidence of digitally based frauds, financial crimes, and other criminal acts is very difficult. Essentially, jurisdictional complexities arise at every step in the process: prevention, deterrence, detection, and investigation. In the United States, the Department of Justice and the Federal Bureau of Investigation work with foreign governments through many channels to address global threats related to computer-based crimes. The FBI’s approach reflects the increase in cybercrime worldwide, as well as the networking of local criminals with those located around the globe. In 2016, complaints to the FBI’s Internet Crime Complaint Center increased by less than 5% to 298,728; however, losses associated with those crimes totaled more than $1.33 billion compared to $198.4 million in 2006.

Perhaps more importantly, criminals are following principles outlined in Friedman’s book, The World Is Flat. Increasingly, cybercriminals are extremely well-organized and have access to every corner of the globe. Members of cyber fraud networks share profits and carry out crimes utilizing the various specialties of the participants. For example, one member of a criminal consortium may send out millions of spam e-mails. The e-mail responses may be handled by another member, or even another criminal organization that specializes in electronically harvesting and exploiting credit card numbers. The proceeds from the crime may then be laundered by a third individual or organization that then distributes the “profits” according to previously outlined agreements. The perpetrators may never meet, physically see one another, or even speak on the phone. Despite the physical distance between them, the groups are highly organized and effective. In response to threats to U.S. citizens within its borders and territories, the FBI has agents in sixty countries investigating cybercrimes.

On November 23, 2001, in Budapest, Hungary, the United States and twenty-nine other countries signed the Council of Europe Cybercrime Convention. The Cybercrime Convention is the first multilateral instrument designed to begin to address the problems posed by the spread of criminal activity on dispersed computer networks around the globe. The Convention requires the parties to establish laws against cybercrime, to ensure that law enforcement officials have procedural authority to examine and prosecute cybercrime offenses, and to provide international cooperation to other signatories in their fight against computer-based criminals. On August 3, 2006, the United States Senate voted to ratify the Cybercrime Convention and on September 22, 2006, the President signed the United States instrument of ratification for the Council of Europe Convention on Cybercrime.

Digital Currency and Money Movement

Now that wholesale payments have been caught in the full tide of the electronic revolution, traditional commercial banks will face stronger competition from non-banks and from ‘dis-intermediation’ as lenders and borrowers can deal more easily directly with each other without needing a financial intermediary. Central Banker’s tasks, in attempting to define, measure, monitor, control and supervise their own countries’ changing forms of money and monetary instruments, will become much more complex as the old boundaries between national and regional monetary domains will be broken down by new forms of competitive currencies.8

As an example of this trend, according to Zlati Meyer of USA Today, more restaurants are no longer accepting cash as a form of payment.9 The author cites Tender Greens, with twenty-eight restaurants on the East and West coasts, as one of a growing number of eateries that are only accepting credit and debit cards and contactless payment systems, like Apple Pay. Meyer noted a 2016 Federal Reserve study that stated that the number of noncash payments—including credit and debit cards—totaled 144 billion in 2015, having grown 5.3% annually between 2012 and 2015. Other examples according to the article:

  • Sweetgreen, another salad chain on the coasts, adopted a no-cash policy.
  • Some independent restaurants have adopted the same policy.
  • Two national chains are exploring a no-cash policy.
  • In January 2018, Starbucks made one of its shops in its hometown of Seattle cashless.
  • Shake Shack, the gourmet hamburger chain, began testing cashless kiosks at its Astor Place restaurant in New York City in October 2017.

Where does value lie? In the electronic world of the 2000s, value is often stored on computer servers of service providers and financial institutions. The server does not have to exist in the jurisdiction of activity or where the account holder resides. Transfers of money from one party to another take place anywhere in digital space. As a result, examining digital financial activity and account balances can become more complicated with respect to evidence, search and seizure, forfeiture, and asset sharing. Related to these trends, anti-money laundering efforts also become more challenging. For example, peer-to-peer transfers that avoid central banks and the international banking system make transfers among bad actors more anonymous or, at least, harder to identify. Even for those individuals operating in the regulated monetary systems, how do you enforce “know your customer” (KYC) requirements when a customer completes all his or her account application documents digitally, and the customer is never seen in person?

Another interesting trend is nonbanks offering banking services. Consider Walmart Canada Bank. In the United States, customers are used to seeing banking services offered in most Walmart stores, and Walmart also has its own MasterCard with reward points. In Canada, Walmart is a bank!

According to Bloomberg, Walmart Canada Bank provides low-cost financial services while providing its vendors access to low-cost loans.10 Further, Walmart Financial offers insurance, product protection for purchases, and Western Union Money Transfers.11 Even for those not residing in Canada, Walmart has teamed up with Green Dot to create a reloadable prepaid card. Walmart’s check cashing service can be used to load payroll, government, or other checks directly to a customer’s Green Dot card, providing immediate access to those funds without carrying any currency.

Walmart is not alone in its effort to expand from traditional retail to banking. In the United Kingdom, Tesco PLC, a retailer with almost 7,000 locations around the world, owns Tesco Bank, a 1997 50/50 joint venture that, in 2008, became fully owned by Tesco PLC. This is consistent with Glyn Davies’ notion of disintermediation—reducing the use of intermediaries between producers and consumers—by investing directly in the securities market rather than through a bank, as noted in the introduction to this chapter. The disintermediation of financial services is grounded, at least to some degree, in basic cost–benefit considerations. According to a 2013 McKinsey & Company report titled “McKinsey on Payments,” almost 30% of the productivity gap between the Russian and the North American banking systems can be attributed to the low percentage of electronic payments in Russia.

Of interest to forensic accountants and fraud examiners, cash is associated with the prevalence of an “informal” or “shadow” economy; one that is neither taxed nor monitored by governments. According to the McKinsey report, the shadow economy represents about 12% of GDP in developed countries like those in North America; in less developed countries, the shadow economy accounts for 32% of GDP. Certain countries are estimated to have a much larger shadow economy, namely Nigeria 63%, Russia 42%, Tunisia 41%, and Brazil 38%. Further, the drag on the economy from cash-based payments may exceed 1% of GDP, while electronic transfers cost less than 1%.

Consider some of the many ways that cash moves:

  • Prepaid value cards, like the Walmart Green Dot Money Card
  • Internet-based digital currencies, like Bitcoin
  • Mobile phones

Digital (“crypto”) currencies include Bitcoin, Litecoin, Ethereum, Zcash, Dash, Ripple, and Monero. According to Investopedia, “Bitcoin continues to lead the pack of cryptocurrencies, in terms of market capitalization, user base, and popularity. Nevertheless, virtual currencies, such as Ethereum and Ripple, which are used more for enterprise solutions, are becoming popular; while some altcoins are endorsed for superior or advanced features, vis-à-vis Bitcoins. Going by current trends, cryptocurrencies are here to stay, but how many of them will emerge leaders amid the growing competition within the space will only be revealed with time.”12 In an interesting turn of events, a federal judge ruled in March 2018 that virtual currencies like Bitcoin can be regulated as commodities by the U.S. Commodity Futures Trading Commission.13 Further, some proponents of digital currencies believe they should have the anonymity feature, as seen in the case of physical cash. This is ironic, because one reason for encouraging the use of digital money is that it will help to keep track of one’s income and expenses and trace illegitimate activity.

So how do digital currencies work? Most are grounded in “blockchain” technology. Blockchain is the world’s leading software platform for digital assets, offering what the technology sector believes is a better financial system. Jonathan Hassell states that “Blockchain is a shared distributed ledger technology in which each transaction is digitally signed to ensure its authenticity and integrity … Blockchain technology backs up Bitcoin and other cryptocurrencies to this day, but there’s been a recent groundswell of interest from a variety of industries in making distributed ledger technology work, especially in business.”

Hassell provides a primer on how blockchain works: “Each transaction is digitally signed to ensure its authenticity and that no one tampers with it, so the ledger itself and the existing transactions within it are assumed to be of high integrity. The real magic comes, however, from these digital ledger entries being distributed among a deployment or infrastructure. These additional nodes and layers in the infrastructure serve the purpose of providing a consensus about the state of a transaction at any given second; they all have copies of the existing authenticated ledger distributed amongst them. When a new transaction or an edit to an existing transaction comes in to a blockchain, generally a majority of the nodes within a blockchain implementation must execute algorithms to evaluate and verify the history of the individual blockchain block that is proposed. If a majority of the nodes come to a consensus that the history and signature is valid, the new block of transactions is accepted into the ledger and a new block is added to the chain of transactions. If a majority does not concede to the addition or modification of the ledger entry, it is denied and not added to the chain. This distributed consensus model is what allows blockchain to run as a distributed ledger without the need for some central, unifying authority saying what transactions are valid and (perhaps more importantly) which ones are not.”14
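The mechanics Hassell describes (signed transactions, blocks chained by hash, and acceptance by a majority of nodes) can be seen in a small model. The following Python sketch is an added example, not code from the book or from any blockchain project; the keys, names, and amounts are constructed, and an HMAC stands in for the public-key signatures a real blockchain uses.

```python
import copy
import hashlib
import hmac
import json

# Constructed signing keys. HMAC stands in for the public-key signatures a real
# blockchain uses, so in this sketch every node holds the keys (assumption).
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def tx_message(tx):
    """Bytes covered by the signature: who pays whom, and how much."""
    return f"{tx['sender']}|{tx['receiver']}|{tx['amount']}".encode()


def sign_tx(sender, receiver, amount):
    tx = {"sender": sender, "receiver": receiver, "amount": amount}
    tx["sig"] = hmac.new(KEYS[sender], tx_message(tx), hashlib.sha256).hexdigest()
    return tx


def tx_is_authentic(tx):
    key = KEYS.get(tx["sender"])
    if key is None:
        return False
    expected = hmac.new(key, tx_message(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tx["sig"])


def block_hash(block):
    """Hash of the block contents; the stored 'hash' field itself is excluded."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(prev_block, transactions):
    block = {"index": prev_block["index"] + 1,
             "prev_hash": block_hash(prev_block),
             "transactions": transactions}
    block["hash"] = block_hash(block)
    return block


def chain_is_intact(chain):
    """Re-verify every hash, every link, and every signature in a ledger copy."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
        if not all(tx_is_authentic(tx) for tx in block["transactions"]):
            return False
    return True


class Node:
    """One participant holding its own copy of the ledger."""

    def __init__(self):
        genesis = {"index": 0, "prev_hash": "0" * 64, "transactions": []}
        genesis["hash"] = block_hash(genesis)
        self.chain = [genesis]

    def vote(self, proposed):
        """Accept only a block that extends this node's verified history."""
        tip = self.chain[-1]
        return (chain_is_intact(self.chain)
                and proposed["index"] == tip["index"] + 1
                and proposed["prev_hash"] == tip["hash"]
                and proposed["hash"] == block_hash(proposed)
                and all(tx_is_authentic(tx) for tx in proposed["transactions"]))


def propose(nodes, block):
    """Add the block to every ledger copy only if a majority of nodes accept it."""
    votes = sum(node.vote(block) for node in nodes)
    accepted = votes > len(nodes) / 2
    if accepted:
        for node in nodes:
            node.chain.append(copy.deepcopy(block))
    return accepted, votes


if __name__ == "__main__":
    nodes = [Node(), Node(), Node()]
    block = make_block(nodes[0].chain[-1], [sign_tx("alice", "bob", 50)])
    print("honest block:", propose(nodes, block))
    nodes[0].chain[1]["transactions"][0]["amount"] = 5   # edit one ledger copy
    print("edited copy intact:", chain_is_intact(nodes[0].chain))
    print("untouched copy intact:", chain_is_intact(nodes[1].chain))
```

For the examiner, the point is that an entry altered in one copy of the ledger fails re-verification on that copy while the other copies still agree with each other.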

There are more than seven billion cell phones in the world—more cell phones than people.15 At the same time, only 62% of persons have a bank account and an estimated two billion persons are unbanked.16 As such, it makes sense that mobile financial and payment systems are gaining traction. According to Popular Science, “Most of us leave the house carrying three essentials: keys, wallet, and smartphone. But over the past few years, more and more people are combining the latter two objects. No, we’re not talking about phone cases that also hold cash. Your smartphone can store your financial details and use them to make secure, instant payments in the store. It may feel vaguely futuristic, but you can check out with a wave of your mobile—as long as the place you’re shopping has the necessary hardware.” Leading mobile payment systems include Apple Pay, Android Pay, Samsung Pay, Square Cash, PayPal, and Venmo.17 However, the list of mobile payment providers is extensive, including:

  • Mpesa
  • MTN Mobile money
  • Airtel money
  • MobiCash
  • Mobipay
  • Ooredoo Mobile Money
  • Rtel Mobile Money
  • GCash
  • TrueMoney
  • Softcard
  • Zoompass
  • Tigo Pesa
  • Buyster
  • Turkcell
  • Western Union
  • MoneyGram Mobile
  • Visa Checkout
  • Masterpass digital Wallet
  • Mastercard Mobile Payment
  • Discovery Money Messenger
  • MoneyGram
  • Padiant
  • Beamit
  • Dwolla
  • Wikipay
  • Google Pay
  • Square
  • Moneybox
  • Utiba
  • Sybase
  • Comviva

Over time, forensic accountants and fraud examiners are going to see transactions that have fewer intermediaries and are hard to identify and track. Further, getting legal access to transactions via warrant or subpoena may become more complicated. At the same time, technologies like blockchain may serve to follow the money more easily, lowering levels of anonymity, once the transactions are identified.

Module 2: Frauds and Other Threats in the Digital World

Using Technology to Fight Back. According to a recent article in ITAUDITSECURITY, auditing may incorporate Robotic Process Automation (RPA).18 An RPA is analogous to a virtual robot and can be programmed to log into multiple systems, navigate programs, enter commands, add, update, and download data, and perform most other functions a person can do. According to the article, some of the benefits include the following:

  • Implementation doesn’t require any changes to current processes and programs. Rather, the software is “trained” (programmed) to emulate human computer activities.
  • The RPA will work twenty-four hours per day and at speeds that are much faster than humans.
  • To scale up doesn’t require training additional staff.
  • Accuracy is much better than humans.
  • Properly designed, RPA provides an almost perfect audit trail.

RPA does come, however, with certain risks. When a programming error occurs, the resulting mistakes are made at much faster rates than a human would make them. Because of such speeds, a critical error can lead to catastrophic outcomes. While RPAs can be designed with no changes to current processes and programs, many adopters reengineer those processes and programs as part of automation and implementation; this activity creates new control risks and may inadvertently eliminate critical controls. RPA access is extensive and such access should be approved, managed, and monitored closely.

As with all technology implementations, successful RPA requires compliance with standards and policies, and decentralized RPA installations need to be carefully implemented. Access held by displaced workers needs to be eliminated in a timely manner, and as RPA changes access and authority, those changes need to be carefully managed. RPA holds tremendous opportunity for internal and external auditors and will likely be part of technological innovation in the future of the profession. As such, it’s something that forensic accountants and fraud examiners need to understand and embrace. Further, RPA might assist antifraud professionals in their efforts to minimize risk, identify issues, and assist in examination and remediation efforts.

Insider Threats

One of the greatest threats to information systems, in terms of digital crime, comes from employees inside an organization. It is not uncommon for operators, media librarians, hardware technicians, and other staff members to find themselves in positions of high levels of access privilege in relation to the key functions and assets of their organizations. A consequence of this situation is the probability that such individuals have the opportunity to commit fraud—one of the three elements of the fraud triangle. When combined with pressure, such as a nonsharable financial need, and the ability to rationalize their actions, such opportunity can be costly for an organization. As such, computer operations should have, at a minimum and where appropriate, an effective separation of duties. Even separation of duties, however, will not prevent all electronically based frauds and crimes perpetrated from within. To address the possibility of collusive frauds, detection controls need to support and supplement prevention controls. In addition, an environment where deterrence is also emphasized (e.g., high ethical standards, an organizational commitment to prosecute fraudsters) also helps to minimize the risk of collusive fraud.

A further complication is the tendency on the part of management to tolerate less stringent supervisory controls over information system personnel. The premise is that the work is not only highly technical and specialized, but difficult to understand and control. As an example, systems software support is often entrusted to a single programmer who generates the version of the operating system in use, establishes password or other control lists, and determines the logging and accounting features to be used. In addition, such personnel are often permitted, and sometimes encouraged, to perform these duties during nonprime shift periods, when demands on computer time are light. As a result, many of the most critical software development and maintenance functions are performed in an unsupervised environment. It is also clear that operators, software librarians, and information system technicians often enjoy a degree of freedom quite different from that which would be considered normal in a more traditional employment area.

Insiders are typically aware of the “holes” in the system of internal controls in the digital environment and often exploit weaknesses “just to see if they can get away with it.” The most prevalent method of committing computer fraud is alteration or falsification of input transactions (and/or documents), including:

  • Alteration of input
  • Alteration of output
  • Data file manipulation
  • Communications systems disruptions
  • Operating systems modifications
  • Computer operations policy violations

The characteristics of the insider computer fraudster are very similar to those of the traditional fraudster: intelligent, hard-working, minimal absences (the appearance of dedication), bored with “the routine,” confident, and egotistical. Computer fraudsters often demonstrate greater loyalty to technology than to their employer. This technology loyalty can create an attitude that any behavior is acceptable if it is in the name of technology.

The following are indicators of insider computer fraud that suggest increased risk and require additional scrutiny:

  • Access privileges beyond those required to perform assigned job functions
  • Exception reports not reviewed and resolved
  • Access logs not reviewed
  • Production programs run at unusual hours
  • Lack of separation of duties in the data center
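Three of these indicators (excess access privileges, production programs run at unusual hours, and lack of separation of duties) lend themselves to automated tests. The following Python sketch is an added example, not material from the book; the role baseline, conflicting permission pairs, approved run window, user list, and log layout are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed baseline: the permissions each job role needs (assumption).
ROLE_BASELINE = {
    "operator": {"run_batch", "view_logs"},
    "programmer": {"edit_source", "view_logs"},
    "librarian": {"promote_to_prod"},
}
# Permission pairs one person should not hold together (assumed policy).
CONFLICTS = [("edit_source", "promote_to_prod"), ("run_batch", "edit_access_lists")]

# Constructed users: job role and the permissions actually granted.
USERS = {
    "jdoe": ("programmer", {"edit_source", "view_logs", "promote_to_prod", "run_batch"}),
    "asmith": ("operator", {"run_batch", "view_logs"}),
    "mlee": ("operator", {"run_batch", "view_logs", "edit_access_lists"}),
}

# Constructed job log in an assumed "timestamp key=value" layout.
JOB_LOG = """\
2018-03-14T09:30:00 user=asmith job=GL_CLOSE env=prod
2018-03-14T02:17:05 user=jdoe job=PAYROLL_POST env=prod
2018-03-14T23:45:10 user=jdoe job=UNIT_TESTS env=test
2018-03-17T11:00:00 user=mlee job=VENDOR_UPDATE env=prod
corrupted entry without fields
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) job=(\S+) env=(\S+)$")


def excess_privileges(users, baseline):
    """Permissions granted beyond what the user's role requires."""
    findings = {}
    for user, (role, granted) in users.items():
        extra = granted - baseline.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def duty_conflicts(users, conflicts):
    """Users who hold both halves of a pair that should be separated."""
    findings = {}
    for user, (_role, granted) in users.items():
        held = [pair for pair in conflicts if set(pair) <= granted]
        if held:
            findings[user] = held
    return findings


def off_hours_prod_runs(log_text, start=time(6, 0), end=time(20, 0)):
    """Production runs on weekends or outside the approved weekday window.

    Returns (flagged runs, count of lines that could not be parsed); the
    unparsed count is reported so damaged log entries are not silently ignored.
    """
    flagged, unparsed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            unparsed += 1
            continue
        try:
            stamp = datetime.fromisoformat(match.group(1))
        except ValueError:
            unparsed += 1
            continue
        user, job, env = match.group(2, 3, 4)
        if env != "prod":
            continue
        weekend = stamp.weekday() >= 5
        if weekend or not (start <= stamp.time() < end):
            flagged.append((user, job, stamp.isoformat()))
    return flagged, unparsed


if __name__ == "__main__":
    print("excess privileges:", excess_privileges(USERS, ROLE_BASELINE))
    print("duty conflicts:", duty_conflicts(USERS, CONFLICTS))
    print("off-hours production runs:", off_hours_prod_runs(JOB_LOG))
```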

Digital Device Hacking

Although the term “hacker” was originally used to describe a computer enthusiast, the term has now grown to mean someone seeking unauthorized access to computer systems and the information contained therein. Hackers can include employees, individuals operating alone, hacker gangs, and entrepreneurial hackers who seek financial reward for their illegal acts. Motives vary according to the targeted system, information desired, and the perpetrator. While hacking was once commonly thought of as a precocious teenager’s hobby, it has changed dramatically in the last twenty years to encompass a large and diverse group.

Hacking entails breaking into computer systems by determining the vulnerabilities of the hardware and software components. Then the hacker uses technology to systematically “guess” the authorized user’s access codes.

Hackers generally use various “rogue” software applications to penetrate a system. Sometimes they surreptitiously incorporate unsuspecting digital device owners into their schemes by installing programs that are downloaded via an e-mail or by visiting a website. These programs operate in the background of the infected digital device and can disable security settings and capture information that is then sent back to the hacker.

The most direct way of gaining access to a digital device is to use someone else’s user identification and password, or generate (without authorization) a system-acceptable user name and password. The user name and password combination is designed to keep digital devices safe from unauthorized use. Without inputting this security information, the device won’t operate. Most users choose passwords that follow predictable patterns. Digital device users often choose user names and passwords that are familiar and easy to remember. For example, a deep-sea fisherman might choose the word “marlin” as a password, or the man’s secretary, who received a mug about “soaring with the eagles and working with turkeys” from her boss last Christmas, might use “turkey” as her password.

If the hacker knows or can develop a profile about a target, his or her ability to crack a user name/password combination may be enhanced. Information about the target’s family, children’s names and birthdays, parents’ names, maiden names, anniversaries, and similar data are often used as passwords. User names are often some derivation or abbreviation of a person’s name or e-mail address. A simple lesson here: real-word passwords, even in variation, are not secure. The safest passwords are more than eight characters and combine letters, numbers, and nonalphanumeric characters, such as punctuation.
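The lesson that real-word passwords are not secure "even in variation" can be enforced when a password is set. The following Python sketch is an added example, not material from the book; the character-folding table, the minimum word length of four, and the sample profile data are assumptions, and the length and character-mix rules are the ones stated above.

```python
import re
from datetime import date

# Fold look-alike characters so "M4rl1n" and "marlin" compare equal. The letter
# "l" is folded to "i" as well, because "1" and "!" are used for either one.
FOLD = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
                      "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def fold(text):
    """Lower-case, undo common character substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def date_tokens(day):
    """Digit strings people commonly derive from a birthday or anniversary."""
    return {day.strftime(fmt) for fmt in ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y")}


def assess_password(password, profile_words=(), profile_dates=()):
    """Return the reasons a proposed password should be rejected (empty if none).

    profile_words: names, hobbies, and similar terms tied to the user.
    profile_dates: birthdays and anniversaries tied to the user.
    """
    reasons = []

    # Rule from the text: more than eight characters.
    if len(password) <= 8:
        reasons.append("length")

    # Rule from the text: letters, numbers, and nonalphanumeric characters.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        reasons.append("character-mix")

    # Real words tied to the user, including substituted or reversed forms.
    folded = fold(password)
    for word in profile_words:
        target = fold(word)
        if len(target) >= 4 and (target in folded or target in folded[::-1]):
            reasons.append(f"word:{word}")

    # Dates tied to the user, matched against the digits as typed.
    digits = re.sub(r"\D", "", password)
    for day in profile_dates:
        if any(token in digits for token in date_tokens(day)):
            reasons.append(f"date:{day.isoformat()}")

    return reasons


if __name__ == "__main__":
    # Constructed profile using the two examples from the text.
    words = ["marlin", "turkey"]
    dates = [date(1987, 6, 21)]
    for candidate in ("marlin", "M4rl1n!2018x", "Turkey#1987!", "v9#Qz!r2Lw@8"):
        print(candidate, "->", assess_password(candidate, words, dates) or "accepted")
```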

Social Engineering

Another means of gaining access to information or a digital system involves simple deception. The hacker uses some known information, his or her alleged authority, and verbal skills to deceive victims into disclosing information they ought not to divulge, or to commit acts that facilitate the hacker’s scheme. The victim believes that sharing the information or following the bad guy’s instructions is the “right thing” to do. Social engineers have been known to pose as an employee or someone hired by the organization. Based on their alleged purpose and authority, the hacker easily deceives real employees into revealing private, trusted, and confidential information.

The hacker may assume a number of different disguises to accomplish this deception. He or she may pose as a new or temporary worker and ask information systems employees for a password so that he or she can begin work. They may pose as someone in a position of authority and intimidate employees into revealing confidential information. Sometimes overt deception is not required. In large corporations, hackers can take advantage of the anonymity among employees. By donning office attire, they can blend into the crowd and peruse the premises, perhaps gaining a password written down at an employee’s desk in the process.

To improve his or her chances of compelling the victim to assist the perpetrator, he or she may retrieve documents from the company dumpster, such as internal telephone directories and correspondence. Such knowledge provides an illusion of being on the inside, being on the team, being one of the good guys, who plans to make life better for the victim, other employees, and the organization.

Hacker Manipulations

Hackers may use a variety of methods to invade digital systems including those described below.

  • Trojan Horse Virus. A Trojan horse is the covert placement of instructions in a program that causes the digital device to perform unauthorized functions but usually still allows the program to perform its normal functions. This method is one of the most commonly used techniques in electronic-based frauds and sabotage.
  • Trap Doors. When developing large programs, programmers insert instructions for additional code and intermediate output capabilities. The design of operating systems attempts to prevent this from happening. Therefore, programmers insert instructions that allow them to circumvent these controls. When located, hackers take advantage of these trap doors.
  • Salami Techniques. Salami techniques involve the execution of unauthorized programs used to steal small amounts of assets from a large number of transactions without noticeably reducing the whole. For example, in a banking system, the amount of interest to be credited to an account is typically rounded off. A fraudster might set up the system so that the rounded-off portion of the number is credited to a special account owned by the perpetrator.
  • Logic Bombs. A logic bomb is a software program executed at a specific time period or when a specific event occurs. For example, a programmer can write a program to instruct the computer to delete all personnel and payroll files if his access (user name) were ever to be removed from the file.
  • Data Diddling. Data diddling is the changing of data before or during entry into the storage system. Examples include forging or counterfeiting documents used for data entry and replacing valid disks and tapes with modified replacements.

  • Scavenging and Dumpster Diving. Scavenging is obtaining information left around a computer system, in the computer room trashcans, etc. Dumpster diving refers to gleaning sensitive information from an organization’s trash receptacles and dumpsters. Such techniques can be used to obtain user names and passwords to gain access to digital systems.
  • Data Leakage. Data leakage is the removing of information by smuggling it out of an organization as part of a printed document, disguising, or hiding the information and removing it from the facility.
  • Piggybacking/Impersonation. Piggybacking and impersonation are frequently used to gain access to restricted areas. Examples include following someone with a badge reader in through a door, using an authorized user’s identification and password to gain digital device access, and tapping into the terminal link of a user to cause the device to believe that both terminals are the same person.
  • Simulation and Modeling. Simulation and modeling is a manipulation technique using the digital device as a tool or instrument to plan or control a criminal act.
  • Wire Tapping. Wire tapping into a digital device’s communications links is another technique used by hackers. This method enables perpetrators to read the information being transmitted between devices. Properly designed and implemented encryption techniques can be used to minimize the risk that any intercepted data can be used for nefarious purposes.

  • Network Weaving. This technique, also known as “looping,” involves using numerous networks in an attempt to avoid detection. For example, a hacker might dial into Company A’s PBX system to obtain an outside line that can be used to dial into Company B’s network. If Company B can track the origin of the hacker’s call, it will lead them to Company A, not to the hacker. Hackers have been known to “loop” through fifteen or twenty different networks before arriving at their final destination.
  • Altering Password Generation. Some user names and passwords are generated by a digital system’s “randomizer” function. For example, some Internet-based retailers (ISPs) give first-time users a randomly generated password (and sometimes a random user name as well), which allows the person online access. Subsequent to the first visit, the user may change the log on information to his or her preference. By learning how a system’s randomizer works, the hacker can imitate the generation of user names, passwords, or even alter how the system operates.
  • Buffer Overflow Exploits. Buffer overflow exploits are a significant problem in digital security. In application programs, buffer storage areas temporarily hold data. These buffers have a fixed size. A hacker can execute a data “overflow” program and then initiate a data overload; he or she overflows a program and then siphons off data generated by the system that cannot be stored in the buffer storage. The buffer overflow program may execute any number of tasks, from sending captured passwords to Russia, to altering system files, installing backdoors, etc., depending on what instructions the attacker sent to the buffer.

  • Privilege Escalation Exploits. Privilege escalation exploits grant administrator or root-level access to users who are not authorized such access.
  • Backdoors. Backdoors allow attackers to remotely access systems at any point in the future, where computer operators do not know such access exists.
  • HTTP Exploits. HTTP exploits involve using Web server applications to perform malicious activities. These attacks are very common and are growing in popularity because firewalls typically block most traffic from the Internet to keep it away from corporate servers. HTTP traffic used for Web browsing, however, is almost always allowed to pass through firewalls unhindered.

  • Anti-Hacker Measures. Because hackers require remote access (e.g., dial-in capability), the best prevention strategy is to eliminate as many remote access options as possible. Given the popularity of the Internet and the productivity gains from allowing customers, vendors, and suppliers direct access to company servers, however, the trend is to install more, not fewer, remote access capabilities.
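The salami technique listed above leaves a trace that an examiner can test for: interest posted to customers falls short of an independent recomputation, and the difference appears as a credit to an account outside the interest run. The following Python sketch of that reconciliation is an added example, not material from the book; the balances, rate, postings, account numbers, and the round-half-up policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed data: period-end balances, the period interest rate, and the
# postings produced by the interest run under review.
BALANCES = {
    "A-1001": Decimal("1000.40"),
    "A-1002": Decimal("2500.72"),
    "A-1003": Decimal("812.56"),
    "A-1004": Decimal("4000.64"),
    "A-1005": Decimal("1600.08"),
}
RATE = Decimal("0.0125")
POSTINGS = [
    ("A-1001", Decimal("12.50")),
    ("A-1002", Decimal("31.25")),
    ("A-1003", Decimal("10.15")),
    ("A-1004", Decimal("50.00")),
    ("A-1005", Decimal("20.00")),
    ("X-9999", Decimal("0.03")),   # not one of the interest-bearing accounts
]


def reconcile_interest_run(balances, rate, postings):
    """Compare posted interest with an independent recomputation.

    Assumed policy: interest is rounded half-up to the cent, per account.
    """
    exact = {acct: bal * rate for acct, bal in balances.items()}
    expected = {acct: amt.quantize(CENT, rounding=ROUND_HALF_UP)
                for acct, amt in exact.items()}

    posted = {acct: Decimal("0") for acct in balances}
    unexpected = {}
    for acct, amount in postings:
        if acct in posted:
            posted[acct] += amount
        else:
            unexpected[acct] = unexpected.get(acct, Decimal("0")) + amount

    # Accounts whose posted interest differs from policy (positive = shorted).
    shortfalls = {acct: expected[acct] - posted[acct]
                  for acct in balances if posted[acct] != expected[acct]}

    # Interest earned before rounding but never posted to any customer.
    residue = sum(exact.values(), Decimal("0")) - sum(posted.values(), Decimal("0"))

    # A credit to an account outside the run that matches the residue is the
    # pattern the text describes: the rounded-off portions collected in one place.
    suspects = sorted(acct for acct, amt in unexpected.items()
                      if amt > 0 and abs(amt - residue) < CENT)

    return {
        "shortfalls": shortfalls,
        "unexpected_credits": unexpected,
        "residue": residue,
        "suspect_accounts": suspects,
        # Honest rounding errs in both directions; a skim always errs one way.
        "customers_always_shorted": bool(shortfalls)
                                    and all(v > 0 for v in shortfalls.values()),
    }


if __name__ == "__main__":
    for key, value in reconcile_interest_run(BALANCES, RATE, POSTINGS).items():
        print(f"{key}: {value}")
```

On real data the same test runs over every account in the batch, where the one-directional pattern and the matching credit become far more pronounced than in five constructed accounts.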

Adequate hacker detection programs contain three primary components:

  • Almost all communication systems maintain log files that record all successful and unsuccessful system access attempts. Log files should be printed and regularly reviewed by the data security officer. Special reports related to unsuccessful access attempts should also be created. Controls should be instituted that prevent hackers from altering log files. Otherwise, a hacker can complete his or her work and then alter the log file so that evidence of the unauthorized access and activities is erased.
  • The data security function should have sufficient resources and staff to administer passwords, maintain security software, review system activity reports, and follow up on potential security violations.
  • Periodic reviews of telecommunications security should be performed by internal or external auditors or other professionals.

Viruses

Viruses are hidden software programs that use computer resources or other computer activities in such a way as to shut down the system or slow it down significantly. Viruses typically use the infected device’s resources to replicate themselves and spread the infection to other software systems on a network or through the Internet via e-mail, text messages, or other electronic medium. Viruses range from those that are relatively harmless (displaying a message or greeting) to those that shut down entire networks for extended periods, ruin data, or destroy the ability of the digital device to function properly.

A virus attacks software. Many digital viruses can replicate themselves on other computers. This replication ability can affect large networks. In recent years, removing viruses and restoring normal operations has cost millions of dollars in staff and machine hours.

Viruses have also garnered significant media attention in recent years. The fear of being infected with a virus has even resulted in virus “scares” that are nothing more than hoaxes. Although it is fortunate when the threat is not real, these phony warnings cause harm of their own. They slow down transmission of information and have been known to cause overloads of organizational e-mail networks. Some of these fraudulent warnings urge recipients to “forward this to everyone you know.” Before forwarding a questionable warning, it is wise to consult a few of the authorities that track viruses.

Types of Viruses

  • Macro Virus. A macro is a software instruction that automatically carries out program commands. Many common applications (e.g., word processing, spreadsheet, and slide presentation applications) make use of macros. Macro viruses are macros that self-execute and replicate. If a user accesses a document containing a viral macro and unwittingly executes this macro virus by a command as simple as “open,” it can then copy itself into that application’s startup files. The digital device is now infected—a copy of the macro virus resides on the machine.

    Any document on that device that uses the same application can then become infected. If the infected device is on a network, the infection may spread to other machines on the network. Moreover, if a copy of an infected file is passed to anyone else (e.g., by e-mail or disk), the virus can spread to that recipient’s device as well; from there, the recipient’s device will be used as a staging point for the virus to replicate itself on that device’s network, and so on, and so on. This process of infection will end only when the virus is noticed and all viral macros are eradicated.

    Macro viruses are the most common type of viruses. Macro viruses can be written with very little specialist knowledge, and these viruses can spread to any platform on which the application is running. However, the main reason for their success is that documents are exchanged far more frequently than executable files or physical storage devices such as disks, a direct result of e-mail’s popularity and Web use. The ease of use and convenience of “stick” or “thumb” drives may cause such media to be used more regularly in the future.

    The “I Love You” (also known as LoveLetter) virus is an example of a macro virus. LoveLetter is a Win32-based email worm. It overwrites certain files on hard drives and then sends itself out to everyone in the email address book. LoveLetter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including Very Funny.vbs, virus_warning.jpg.vbs, and protect.vbs. The subject of the message containing the infected attachment varies as well. Opening the attachment infects your machine. This attachment will most likely come from someone you know. As a rule of thumb, do not open any attachment unless you are certain that it is virus free. If you’re unsure, ask for the sender to confirm that the attachment was intended for you.

  • Boot Sector Viruses. The boot sector is the first logical sector of a hard disk or floppy disk. A large majority of viruses have been boot sector viruses. These viruses use system BIOS, replace the boot sector, or move the boot sector to another location. The virus then writes a copy of its own program code, which will run every time the system is booted or when programs are run. A boot sector virus cannot infect a computer if it is introduced after the machine is running the operating system. An example of a boot sector virus is Parity Boot. This virus’s payload displays the message “Parity Check” and freezes the operating system, rendering the computer useless. This virus message is taken from an actual error message that is displayed to users when a device’s memory is faulty. As a result, a user whose device is infected with the Parity Boot virus is led to believe that the machine has a memory fault rather than a disruptive virus infection.
  • Parasitic Viruses. Parasitic viruses attach themselves to programs, also known as executable files. When a user launches a program that has a parasitic virus, the virus is surreptitiously launched first. To cloak its presence from the user, the virus then triggers the original program to open. The parasitic virus, because the operating system understands it to be part of the program, is given the same rights as the program to which the virus is attached. These rights allow the virus to replicate, install itself into memory, or release its payload. In the absence of antivirus software, only the payload might raise the normal user’s suspicions. A famous parasitic virus called Jerusalem has a payload of slowing down the system and eventually deleting every program the user launches.
  • TSRAM Viruses. Terminate and Stay Resident (TSR) viruses usually hide in memory and cause system crashes, depending on their memory location. The TSR takes control of the operating system by passing its request to DOS each time DOS is executed. The virus Cascade B is a TSR virus that sometimes causes the system to crash. It also causes characters to fall down the screen.
  • Application Software Viruses. These types of viruses copy their virus code to a program file and modify the program so the virus code gets executed first. They do this by writing over the existing code or attaching themselves to the program file. The more sophisticated types replicate themselves with a “.COM” extension each time the user accesses an executable program file. The virus Vienna is a type of application virus. Vienna increases infected files by 648 bytes and destroys the system by making it reboot when running certain programs.
  • Multi-Partite Viruses. Multi-partite viruses share some of the characteristics of boot sector viruses and file viruses, which increases their ability to spread. They can infect .COM and .EXE files and the boot sector of the device’s hard drive. On a device booted up with infected storage, a typical multi-partite virus will first reside in memory and then infect the boot sector of the hard drive. From there the virus can infect a device’s entire environment. This type of virus accounts for a large number of infections.

    The Tequila virus is a type of multi-partite virus. Tequila is a memory resident master boot sector (partition table) and .EXE file infector. It uses a complex encryption method and garbling to avoid detection. When a program infected with Tequila is executed, the virus will modify the hard disk master boot sector, if it is not already infected. The virus also copies itself to the last six sectors of the system hard disk. When the workstation is later rebooted from the system hard disk, Tequila will become memory resident. Once Tequila is memory resident, it infects .EXE files when they are executed.

  • Polymorphic Viruses. Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by antivirus software. Some polymorphic viruses use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart antivirus software. One of the most advanced polymorphic viruses uses a mutation engine and random number generators to change the virus code and its decryption routine. The Spanska.4250 is a type of polymorphic virus. This virus infects program files (files with .EXE and .COM extensions).
  • Stealth Viruses. The stealth viruses are the more sophisticated viruses. They constantly change their patterns in an effort to blend into the system like a chameleon. They attempt to avoid detection by bypassing DOS interrupt calls when they are installed, and remove their code from the infected files before the file is accessed by the requesting program.

    The 4096 virus is an example of a stealth virus. It increases the file size by 4096 bytes and decreases the memory by approximately 6 kb. The message “FRODO LIVES” might appear in the middle of the screen. If the infected file is run on September 21, it causes the system to crash.

  • Mutation Engine Viruses. This “modern day” virus uses a special language-driven algorithm generator that enables it to create an infinite variety of original encryption algorithms. It avoids the checksum detection method, like the stealth viruses, by not changing the infected file size. Each time it replicates, it produces new and different code. The Pogue virus is a type of mutation virus. It only infects .COM files less than 61,439 bytes. If activated on May 1 or before 9 a.m. on any other day, it will make a variety of musical sounds. It contains the strings “TNX2DAV” (Thanks to Dark Avenger) and “Pogue Mahone” in its code.
  • Network Viruses. It was just a matter of time before network-specific viruses were developed to attack the increased number of Local Area Networks (LANs) and other types of networks coming online. These viruses generally are developed to attack the file servers. The boot sector and partition table viruses infect the boot operation of the file server. This virus does not spread from the workstation to the file server. If you are using NetWare, however, it can cause the software to lose the location of its partition table on the file server if the file server is booted with infected boot code. Viruses that infect programs seem to be limited to infecting files on the server. Because the files are continuously being accessed by workstations, this type of virus is difficult to contain.

    At least two NetWare-specific viruses have been discovered in Europe. One is the GP1 (Get Password 1) virus. It was allegedly created to penetrate Novell security features and then spread throughout the network. The second was the CZ2986 virus, developed in Czechoslovakia. This virus places itself in memory and intercepts NetWare function calls when the workstations log into the server. After it collects fifteen user name/password combinations, it saves them in an infected file and uses them to gain access to the network.

  • Worms. A worm is a self-replicating program that resides as a file on a system, executes an autonomous process, and deliberately moves from system to system. It looks for other nodes on the networks, copies itself to them, and causes the self-copy to execute on other nodes. These programs find network utilities showing node names, monitor network traffic, and randomly select network identification codes, among other mischief.

    An example of a worm is the SQL Slammer, which raced across the globe and wreaked havoc on the Internet in January 2003. This worm doubled the number of devices it infected every 8.5 seconds in the first minute of its appearance. The worm, which exploited a flaw in Microsoft Corporation’s SQL Server database software, caused damage by rapidly replicating itself and clogging the pipelines of the global data network. The worm did not erase or cause damage to desktop computers, but was designed to replicate itself so quickly and so effectively that no other traffic could get through networks.

Virus Carriers and Indicators

Viruses can infect a device’s systems from many sources. Some of the more common virus carriers are:

  • Unknown or unchecked application software
  • Software or media brought in by employees
  • Programs downloaded from modem bulletin boards
  • Unsolicited emails
  • Vendors and suppliers with infected software
  • Uncontrolled and shared program applications
  • Demonstration software
  • Freeware and Shareware
  • Social media links

The following are some of the indicators that a device might be infected:

  • A sudden and sometimes dramatic decrease of free space on your media
  • The system suddenly and for no apparent reason slows down its response time to commands
  • An increase in the size of some files
  • A change in the length of executable files, a change in their content, or a change in their file date/time stamp
  • An unexpected number of disk accesses, especially to particular file(s)
  • An operating system and/or other program that suddenly begins behaving in unpredictable ways. Sometimes disk files that should be there cannot be accessed or are erased with no warning
  • Unusual messages and graphics
  • An inability to boot the system
  • An inability to access files
  • Unexplained and repeated maintenance repairs
  • System or data files disappear or become fragmented
  • Unexplained changes in memory
  • Unexplained changes in program sizes
  • Display messages that indicate that a virus has been encountered. Note that until the source of the virus has been identified and removed from the system, antiviral systems might continually inform the operator that a virus is being encountered and removed

Hardware, Software, and Data Security

Effective computer security ensures the availability of accurate and timely data provided at a cost, including security that meets traditional cost–benefit considerations. Such a position suggests that not all threats are eliminated, but that threats are managed in such a way that the hardware, software, and data have reasonable protection given the threats and the costs associated with addressing them. In general, technology security includes protecting data and programs from unauthorized or accidental alteration or destruction. Furthermore, the data must be protected so as to maintain confidentiality, integrity, and availability. Hardware, software, and data must be secure from physical threats such as water, storm, and fire damage. Information technology departments must also have the ability to restore data center operations in the event that a disaster causes complete destruction.

The most effective components of internal security are education, reporting facilities, and vigorous disciplinary action against offenders, including prosecution of illegal acts. An enterprise-wide employee awareness program should be combined with formal training in the area of information security. For employees to fulfill their security responsibilities, they should know what information needs to be kept confidential, how to recognize threats to security, and how to use backups and other aids for their computers and other digital devices.

Passwords are the predominant form of authenticating valid users, though dual and secondary authentication through e-mail and mobile devices is becoming more common. Effective password administration is essential for maintaining security. Passwords should be of sufficient length (usually a minimum of eight characters) and a combination of letters, numbers, and other characters such as punctuation marks to avoid vulnerability to guessing. Group passwords and sharing of passwords should be prohibited to maintain individual accountability. Passwords of all terminated employees should be revoked immediately. Security administration often coordinates the notification of terminated employees with the personnel function. Employees who have changed job functions or transferred should have their old password canceled and a new one issued, if appropriate.

Securing a computer network by means of logical controls is a difficult but necessary requirement for ensuring the safety of an operating system from attacks by outsiders. Logical controls include management security policies, user authentication systems, data access controls, network firewalls, security awareness training, encryption algorithms, penetration testing, intrusion detection software, and incident response plans.

Network security also can be provided by a combination of design, hardware devices, and software. Data encryption is carried out by a combination of hardware and software. Encrypted data is scrambled by a formula using a unique key and can only be unscrambled with the same formula and key at the receiving end. The decision to use encryption should be made in light of the risks and after a cost–benefit analysis. Drawbacks to encryption are the cost of the hardware and software, the cost of the administration, and the inherent delays incurred by the extra steps required for processing.

Digital signatures are becoming more common, in part because Congress and many states have passed legislation to legitimize the electronic “signing” of documents. On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) became effective. This federal statute basically provides a mechanism whereby any document that is required to be signed can be signed “electronically.” The E-SIGN Act does not require a party to use or accept electronic signatures, electronic contracts, or electronic records, but rather seeks to facilitate the use of electronic signatures and documents by upholding their legality regardless of the type or method of execution selected by the parties. The E-SIGN Act is also technology-neutral and does not require a specific type or method that businesses and consumers must use or accept to conduct electronic transactions. The Act regulates any transactions involving interstate or foreign commerce. Many states, however, have enacted their own digital signature laws, which regulate purely intrastate transactions. Additionally, many state and federal agencies, including the Internal Revenue Service and the Securities and Exchange Commission, are encouraging the use of electronic filing and digital signatures as a means to speed up the collection and processing of information.

Biological access verification, also known as biometrics, is now available. This verification technique includes fingerprints, palm prints, voice prints, signatures, retina scans, and facial recognition.

Profiling software authenticates users by monitoring their statistical characteristics, such as typing speed and keystroke touch. Smartcard access devices are similar to an ATM card; like ATM cards, they are susceptible to loss and forgery.

Protecting the network from external threats requires some additional considerations. The less an external perpetrator knows about the technology environment (e.g., type of hardware and software packages used), the harder it is to obtain fraudulent access. Part of the security policy should address how much and what kind of information regarding the technology of an organization should be made public.

Organizations should set appropriate safeguards when providing access to third parties. Marketing, purchasing, research, and other branches exert pressure to establish connectivity. Connectivity should be granted only after it has been established that the benefits outweigh the risks and costs.

Computer and digital device users should take measures to protect against viruses. Some precautions include the following:

  • Do not use a thumb drive to boot your system
  • If you must boot your system from a thumb drive, make sure it is properly labeled and continuously protected
  • Do not install Shareware or other untested programs on your systems, but if you do, do not put them in the root directory
  • In a network environment, do not place untested programs on the server
  • If you are sharing information on external storage devices, ensure they only contain information and no executable files
  • Use current antivirus software to detect potential viruses
  • Back up all programs and files
  • Write virus-free warranties and indemnities into your purchase orders and contracts
  • Always write-protect your systems and program disks
  • Teach device users about viruses so that they can recognize them
  • Always use caution when opening email attachments and social media links

Antivirus Software

There are several techniques that may be used by antivirus software to help detect computer viruses and other malware. In some cases, more than one method may be used.

  • Traditional Scanners. This is the most commonly used method. These programs look for known viruses by checking for recognizable patterns and specific “strings” or virus “signatures.” Their usefulness is limited in that they can only identify known viruses.
  • Heuristic Scanners. These scanners inspect executable files for code using algorithms to identify operations that would indicate an unknown virus. They might also examine macros to detect virus-like behavior.
  • Behavior Blocking Scanners. These applications run continuously, looking for behavior that might indicate virus activity (e.g., instructions to format a hard drive). Unlike the traditional signature-based approach, this method can detect new and previously unknown viruses. Nevertheless, it is not foolproof and has a tendency to give false positives.
  • Change Detection Scanners. Change detection scanners generate a database of characteristics for executable files and check for changes to these files that might signify a virus attack.
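
A change detection scanner of the kind described in the last item can be sketched as follows. This is an added example, not code from the original text: it records size, timestamp, and a SHA-256 content hash for each .EXE and .COM file, then reports differences, including a change that leaves size and timestamp untouched. All file names and contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as executables; .EXE and .COM are the ones the text names.
EXECUTABLE_SUFFIXES = {".exe", ".com"}


def fingerprint(path):
    """Record the characteristics the scanner stores for one file."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def snapshot(root):
    """Build the database: relative path -> fingerprint, executables only."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare(baseline, current):
    """Return {path: [reasons]} for every executable that differs from the baseline."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings[name] = ["new executable"]
        elif new is None:
            findings[name] = ["executable missing"]
        else:
            reasons = []
            if new["size"] != old["size"]:
                reasons.append(f"size changed by {new['size'] - old['size']:+d} bytes")
            if new["mtime_ns"] != old["mtime_ns"]:
                reasons.append("timestamp changed")
            if new["sha256"] != old["sha256"]:
                reasons.append("content changed")
            if reasons:
                findings[name] = reasons
    return findings


def demo():
    """Run the scanner against a throwaway directory of constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.exe").write_bytes(b"A" * 4000)
        (root / "ledger.com").write_bytes(b"B" * 2000)
        (root / "editor.exe").write_bytes(b"C" * 1000)
        (root / "notes.txt").write_bytes(b"not an executable")
        baseline = snapshot(root)

        # Change 1: the file grows by 648 bytes (the growth the text gives for Vienna).
        with open(root / "payroll.exe", "ab") as fh:
            fh.write(b"\x00" * 648)

        # Change 2: same length and the original timestamp; only the hash differs.
        target = root / "ledger.com"
        before = target.stat()
        target.write_bytes(b"B" * 1999 + b"X")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Changes 3 and 4: one executable disappears, an unknown one appears.
        (root / "editor.exe").unlink()
        (root / "update.com").write_bytes(b"D" * 10)

        # A changed data file is outside the scanner's scope and is not reported.
        (root / "notes.txt").write_bytes(b"edited")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The ledger.com case is the reason the database stores a content hash: a comparison of file length and date/time stamp alone would report nothing for that file.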

The effectiveness of antivirus software has decreased over the years, primarily because of the intent of the virus authors. Years ago, it was much more immediately apparent when a device had been infected. Today’s viruses are often well hidden and used to steal information without the user’s knowledge.

Investigating Virus Infections

Virus infections can be examined by taking the following action:

  • Isolate the system and all media
  • Run antivirus software
  • Document findings
  • Interview the system custodian and all users, and determine
    • Symptoms
    • Damage
    • Prior clean-up conducted
    • Access controls in place and working
    • System malfunction
    • Personal media used
    • Unauthorized media used
    • Virus identification
  • Follow the audit trail of the infection
  • Determine the source of the virus—person, system, and media
  • Make users aware of protection policies and procedures
  • Ensure countermeasures are in place and working
  • Track the costs/damages related to virus problems

Module 3: Cyber Fraud

A booming segment of computer fraud and cyber fraud has become a growing concern to the law enforcement community. This type of fraud has proliferated and will continue to grow because of the ripe conditions that exist on the World Wide Web for fraudulent activities. The Internet is still a developing technology for much of international business and has not been subjected to much litigation or policing. Laws that currently apply to the Internet are difficult to enforce, because the Internet crosses international borders. The lack of a common set of international laws and the difficulty related to jurisdiction in enforcing existing laws give cyber fraudsters a better-than-average chance of avoiding capture and punishment.

The Internet has also risen to become a major means of conducting business globally. As of May 2015, there were over 3.2 billion users, or approximately 45% of the world’s population, on the Internet. In the United States alone, more than 81% of the population was online, which equated to approximately 284 million users.

For consumers to retain confidence in Internet transactions, the perception that the Internet is a safe way to shop and do business must be fostered. Consumer awareness of cyber fraud must be raised without causing a loss of consumer confidence. This difficult endeavor may require an unprecedented effort by the private sector in conjunction with law enforcement.

According to the National Consumers League’s Internet Fraud Watch, the top ten Internet schemes in 2017 were as follows:

Internet Scheme

  1. Internet: General merchandise
  2. Fake check scams
  3. Prize/Sweepstakes/Free gifts
  4. Recovery/Refund Companies
  5. Advance Fee Loans/Credit Arrangers
  6. Phishing/Spoofing
  7. Computers: Equipment/Software
  8. Scholarships and Grants
  9. Friendship and Sweetheart Swindles
  10. Charitable Solicitations

“More people are online and more people are getting scammed,” according to Susan Grant, Director of the Internet Fraud Watch (IFW). “Consumers need to remember that con artists are everywhere, even in cyberspace.” Grant says the safest way of paying for goods and services online is with a credit card: if there are problems with billing, the charges can be disputed. Businesses that ask for cash or money orders should be avoided, according to Internet Fraud Watch. “Requesting cash is a clear sign of fraud,” says Grant. For those businesses that are not equipped to take credit card payments, IFW recommends escrow services.

According to the 2017 Identity Fraud Survey conducted by Javelin Strategy and Research, identity fraud in the United States increased by 16% in 2016 from 5.3% to 6.15% of consumers. Some of the key findings of the survey were as follows:

  • Card-not-present fraud increased by 40% while the frequency of point-of-sale frauds was unchanged.
  • Account takeover fraud losses, which hit a low in 2014, rose 61%, while the number of incidents rose 31%.
  • New account fraud continues to be a major problem where most victims discover the fraud through a credit report or when contacted by a debt collector.
  • Offline consumers, those defined as having little online presence, are exposed less but victimized longer, almost forty days.
  • Social networkers, who tend to share lots of personal data online but complete relatively few online commerce transactions, have a 46% higher risk of account takeover fraud.
  • E-commerce shoppers have the highest prevalence of existing card fraud but typically catch it within one week of the first incident.
  • Digitally connected consumers who (a) have social media presence, (b) tend to shop online, and (c) adopt new technologies have a 30% higher risk of fraud.

Electronic Commerce (E-Commerce)

E-commerce is generally thought to describe retailing, marketing, advertising, and interpersonal communications taking place on the Internet. Such electronic activity generally includes authentication for participant identification and some form of “electronic signature” to ensure that participants initiating transactions cannot deny that the transaction occurred. Efforts to secure e-commerce transactions are described below.

  • Encryption. From an e-commerce security perspective, the solutions offered by conventional and public key encryption technologies are usually adequate to ensure that e-commerce transactions are as secure as the value of transactions requires. The vast majority of transmissions over the Internet and the World Wide Web, however, are not encrypted. If there is no need to hide the contents of a message or communication, there is little need to expend resources on the encryption of such traffic and the decryption at the other end. Encryption can be an expensive solution, whether in terms of actual monetary cost or the cost in increased computational load on the user’s machines. The needs of the organization to keep confidential transmissions secret should be weighed against the effort and cost of encryption.
  • Smart Cards. A smart card is a credit card-sized plastic card embedded with an integrated circuit chip that makes it “smart.” This marriage between a convenient plastic card and a microprocessor allows an immense amount of information to be stored, accessed, and processed either online or offline. Smart cards can store several hundred times more data than a conventional card with a magnetic stripe. The information stored in the chip is transferred through an electronic module that interconnects with a terminal or a card reader. A contactless smart card has an antenna coil that communicates with a receiving antenna to transfer information. Depending on the type of embedded chip, smart cards can be either memory cards or processor cards.
  • Memory Cards. Any plastic card is made “smart” by including an IC chip. But the chip may simply be a memory storage device. Memory cards can hold information thousands of times greater in amount than a magnetic stripe card. Nevertheless, their functions are limited to basic applications.
  • Processor Cards. Smart cards with a full-fledged microprocessor on board can function as a processor device that offers multiple functions such as encryption, advanced security mechanisms, local data processing, complex calculation, and other interactive processes. Most stored-value cards integrated with identification, security, and information purposes are processor cards. Only processor cards are truly smart enough to offer the flexibility and multifunctionality desired in e-commerce.

Typical Internet Schemes

Earlier in the decade, the media often cautioned about the dangers of sending credit card numbers through the Internet. For good reason, many businesses and individuals had apprehensions concerning Internet commerce; the Internet is an impersonal form of communication. While much has been done to create and maintain trust, some precautions are appropriate before purchasing items online. As a result, conducting financial transactions on the Internet is usually as safe as placing an order with a legitimate company for legitimate products and services via the telephone. Nevertheless, the careless and unsuspecting can become victims. In addition, scams and schemes similar to conventional frauds have found new and lucrative homes on the Internet, while new scams, such as modem hijacking, are an entirely new breed.

Old Frauds Adapted for Digital Devices and the Internet

Just about every traditional scam can be facilitated or perpetrated with the use of a digital device or over the Internet. Clever, technologically savvy fraudsters can be quick to take old fraud schemes and adapt them to a digital environment. Computers and other digital devices with memory and processing capacity, such as smartphones, iPads, notebooks, personal digital assistants, MP3 players, and iPods, can be used in fraud acts and the related concealment and conversion.

  • Get Rich Quick. Entering the phrase “get-rich-quick” in an Internet search results in sites with names like $50,000 First Ten Months, Secrets of the Millionaires, and Best Business Resource Center. These types of sites hawk everything from home businesses to investment opportunities. The common denominator in these schemes is that “wannabe entrepreneurs” who throw their money away on such schemes find themselves with worthless materials and information. As with all get-rich-quick schemes, victims are pulled in by their desire to make easy money.
  • Pyramid Schemes. The tried and true pyramid has a high-tech home on the Internet. Consistent with most pyramid schemes, the initial participants of the scheme are rewarded handsomely, while later participants are bilked out of their investment money. Pyramid schemes are also referred to as franchise fraud or chain referral schemes. Generally, the alleged opportunity is a marketing or investment fraud in which an individual is offered a distributorship or franchise to market a particular product. The real profit is earned not by the sale of the product, but by the sale of new distributorships. Emphasis on selling franchises rather than the product eventually leads to a point where the supply of potential investors is exhausted and the pyramid collapses.
  • Foreign Trusts. Schemers in this fraud cater to those who desire a “tax-less” life. For a fee, the company purports to be able to create a foreign trust to which taxpayers can transfer their assets. Since the trust is not within the taxpayer’s country, the logic goes, the assets are not subject to taxation. Naturally, the logic is faulty. First, if the taxpayer derives use from the funds in the trust, according to law, those funds are considered taxable income. Thus, consumers who fall for this scam subject themselves to prosecution for tax evasion. That is, of course, only if the trust is set up at all. Some of the operators of this scheme simply take the victim’s money and disappear. Some, who have fallen for this pitch, find that they have transferred assets to a trust of which they are not the beneficiaries; their assets legally belong to another entity and getting them transferred back to their control is virtually impossible.
  • Prime Bank Note. International fraud artists have invented an investment scheme that offers extremely high yields in a relatively short period of time. In this scheme, they purport to have access to “bank guarantees,” which they can buy at a discount and sell at a premium. By reselling the “bank guarantees” several times, they claim to be able to produce exceptional returns on investment. For example, if $10 million worth of “bank guarantees” can be sold at a 2% profit on ten separate occasions, or “traunches,” the seller would receive a 20% profit. Such a scheme is often referred to as a “roll program.” To make their schemes more enticing, con artists often refer to the “guarantees” as being issued by the world’s “Prime Banks.” Other official sounding terms are also used such as “Prime Bank Notes” and “Prime Bank Debentures.” Legal documents associated with such schemes often require the victim to enter into nondisclosure and noncircumvention agreements, offer returns on investment in “a year and a day,” and claim to use forms required by the International Chamber of Commerce (ICC). In fact, the ICC has issued a warning to all potential investors that no such investments exist. The purpose of these frauds is generally to encourage the victim to send money to a foreign bank where it is eventually transferred to an offshore account that is in the control of the fraudster.
  • Chain Letters. This fraud has once again become popular due to the Internet’s email capabilities. The letter sent to unsuspecting targets generally forewarns of the grave dangers that await the target should he or she not reply to the letter. The letter asks for a small cash donation in exchange for the target’s peace of mind that no bad tidings will be spread, providing examples of some of the unfortunates who did not heed the letter. The money should be sent to a P.O. box, the email often instructs.
  • Investment and Securities Fraud. Numerous websites offer investment or securities advice. Many of these sites are reputable but some are not. A fraudulent website will claim to have superior information or information sources about the value of a given stock, suggesting that something unexpected will soon happen to that company. When the unknowing stock investor takes the advice of the supposedly knowledgeable investment advisor, the “advisor” manipulates the stock price to his advantage.
  • “Ponzi” Scheme. A Ponzi scheme is essentially an investment fraud where the operator promises high financial returns or dividends that are not available through traditional investments. Instead of investing victims’ funds, the operator pays “dividends” to initial investors using the amounts “invested” by subsequent victims. The scheme generally falls apart when the operator flees with all of the proceeds, or when a sufficient number of new investors cannot be found to allow the continued payment of “dividends.”

New Threats for Digital Devices and Internet Users

  • Modem Hijacking. While Internet users are online, their computer Internet connections are secretly disconnected from their ISP and reconnected to the Internet, only this time through an expensive international line. Once activated, hijacking software continues the disconnection and reconnection process.
  • Spamming. Spamming involves sending e-mail to subscribers whose names appear on electronic versions of the phone list and posting ads to the plethora of discussion and chat groups using the Internet. These postings are often disguised to look like tips from individual citizens who are supposedly engaged in a lawful enterprise when in fact they are part of an Internet boiler room.
  • Counterfeit Check Scams. This scam has several variations but usually starts with the victim offering something for sale on the Internet. Usually it is a big ticket item. Somehow the fraudster has obtained a legitimate check from a person or company, scanned it, and altered it to support the scheme. The fraudster then contracts with the victim to buy the item but must supply a down payment first. The check is delivered by a highly recognized international carrier such as FedEx, further adding to the false impression that this is a legitimate deal. The victim deposits the check, but before it clears, the fraudster requests a refund and backs out of the deal offering to let the victim keep a portion of the funds for his trouble. The victim forwards part of the money back. The victim later learns that his bank has reversed the deposit amount because the check was bad. In a derivation of this scheme, the fraudster overpays for a purchase and requests a refund; by the time the original check bounces, the fraudster is long gone.
  • Phishing. “Phishing” is a scheme that involves tricking businesses or individuals into providing passwords, account numbers, or other sensitive data by claiming to be from an actual company the victim does business with. A solicitation for information appears to come from a legitimate business and can occur over the phone (e.g., a call from the victim’s “bank” saying their account has been compromised and requesting PIN numbers, account numbers, or passwords), or via e-mail (which is the most common technique). An individual receives an e-mail that appears to come from eBay, PayPal, or a financial institution. The e-mail states that the customer must immediately log into his account in order to update his information. The link directs the individual to a fake site that captures his identifying information such as Social Security and PIN numbers, mother’s maiden name, and financial account numbers. Phishing occurs mostly by email. Internet users should never respond to these e-mails. Legitimate banks, government agencies, and retailers do not email you for your password or other identifying information.
  • Spear Phishing. Spear phishing is a targeted attack generally focused on a corporate entity. The ruse is meant to fool the corporate employee into believing that the phishing email originated not from a bank or financial institution but from their own IT or HR department. The goal is to obtain employees’ user names and passwords to access the corporate network.
  • Pharming. Pharming is an attack in which a user is fooled into entering sensitive data (such as a password or credit card number) into a malicious website that impersonates a legitimate website. It is different from phishing in that the attacker does not have to rely on having the user click on a link in the email to direct him or her to the fake website. Pharming actually exploits vulnerabilities in the DNS server software that allow hackers to acquire the domain name for a site and redirect the website traffic from a legitimate site to a false one. So even though a user may type the correct website address, the pharming program sends the user to an illegitimate site that looks like the real thing. Unknowingly, the user is then providing passwords and information directly to the hacker.
  • Internet Auction Fraud. According to the Internet Crime Complaint Center (IC3), Internet auction fraud was by far the most reported offense, comprising 44.9% of referred complaints. Nondelivered merchandise and/or payment accounted for 19.0% of complaints. Check fraud made up 4.9% of complaints. Credit/debit card fraud, computer fraud, confidence fraud, and financial institutions fraud round out the top seven categories of complaints referred to law enforcement.

Combating Internet Fraud

Conducting business on the Internet is generally a safe proposition for legitimate persons doing business with legitimate product and service providers. Nevertheless, safety precautions are prudent:

  1. Confidential information of any type (e.g., credit card numbers, Social Security numbers, etc.) should be encrypted. In the simplest terms, encryption scrambles an outgoing electronic transmission, and the recipient’s system performs the inverse operation, decryption, which restores the transmission to its original state. Encryption hardware and software utilize complex mathematical formulas. Encryption is used to prevent people who intercept data from harvesting valuable and confidential information.
  2. The Internet is anonymous, with user names and passwords being the only identifiers. Internet websites set up for commerce install customer validation protocols. The validation is usually a user name or customer code combined with a password that becomes the customer’s identity for transaction authorization. A downside to this type of protocol is that most users develop such a large number of user names and passwords that most are written down and kept in easily accessible places such as a desk drawer or under the keyboard. In such cases, the benefits of the validation process have been eliminated.
  3. Financial information, customer data, and other valuable databases should be stored in places other than a Web server. Internet websites can be hacked, and volumes of personal and financial data are often primary targets. Financial and other valuable information should be maintained on an internal system with processing interaction restrictions in place. The process protection should have additional safeguards to minimize the risk that a hacker who penetrates a website can harvest vast amounts of financial and customer information from internal systems.
  4. Firewalls are software programs that attempt to prevent unauthorized access to an Internet site or e-mail transmission. Firewalls are designed to control interactions between network servers and the Internet. This technology monitors Internet traffic, inbound and outbound, with a goal of preventing questionable transmissions from accessing sensitive information databases. Firewalls do not offer “silver bullet” protection but they provide a layer of protection against Internet attacks or other types of security breaches.

Module 4: Complex Frauds and Financial Crimes in Cyberspace

Artificial Intelligence (AI)—Possible Contributions to Forensic Accounting, Antifraud, and Compliance Efforts

This chapter examines the role of technology, especially digital devices in bad acts. Over time, it’s also possible for technology to help organizations minimize risk, deter bad acts, detect invasions more quickly, and facilitate more effective and efficient examinations and other remediation. One of those technologies is AI—artificial intelligence. According to a 2017 ICAEW report,19 “Accountants have embraced waves of automation over many years to improve the efficiency and effectiveness of their work. But to date, technology has not been able to replace the need for expert knowledge and decision making. Indeed, previous generations of ‘intelligent’ systems have generally demonstrated the continuing power of human expertise and the limits of machines.” While AI has been a vision since the 1950s, “in the coming decades, intelligent systems will take over more and more decision-making tasks from humans.”

“While accountants have been using technology for many years to improve what they do and deliver more value to businesses, this is an opportunity to reimagine and radically improve the quality of business and investment decisions.” Artificial intelligence (AI) systems can be very powerful, are improving quickly, and can be extremely accurate, replacing and, in some cases, far superseding human efforts. As noted earlier with RPA, AI has downside risks as well, so it needs to be managed and monitored closely.

Human decision making is challenged by at least three major biases: availability and recency effects, confirmation bias, and anchoring conclusions to prior belief. The idea behind machine learning, a notion dear to AI systems, is that the system grounds its decisions in the data. Perhaps more importantly, AI and machine learning have the ability to sort through complex data and ambiguous situations. By continuously examining outcomes compared to the underlying data that influence that outcome, AI systems continuously “learn” and improve decision making. While these tools are just becoming available for forensic accounting, fraud examination, and compliance work, the future is likely to be interesting. Stay tuned!

In the late twentieth century, the emergence of transnational criminal organizations introduced a significant challenge for law enforcement worldwide. The challenges arose from many sources, including the anonymity of technology, the speed of information and money movement worldwide, jurisdictional issues, the challenges of effective and efficient law enforcement communication, as well as others. Complex criminal organizational structure offers the ability to utilize a large labor force, synchronize the labor force, and carry out large-scale criminal operations with multiple criminal enterprises. Such structures are also amenable to cyberspace. Essentially, organized cybercriminal organizations blend combinations of the tools and techniques discussed above with traditional fraud schemes and financial crimes in a large-scale, organized fashion. The organized cybercriminal is interested in operating in cyberspace the way traditional organized criminals, drug traffickers, and terrorists operate in the physical world. Large-scale, business-like applications of fraud and financial schemes in cyberspace yield large sums of cash to those who control the organized cybercriminal organization.

Organized cybercriminal enterprises profit from exploiting computer vulnerabilities. Hackers, who previously wreaked havoc for the fun of it or as a means of making political statements, are now organized, professional, and cash flow oriented, and some are associated with traditional organized crime groups. Cybercriminals include skilled programmers who design and operationalize sophisticated phishing attacks and other techniques to harvest consumer personal, financial, and log in information. As an example, cybercriminals have used “malware” to steal millions of credit and debit card numbers, Social Security numbers, and financial account user IDs and passwords; once this data is harvested, it can be used to commit identity theft and online fraud. Another example of potential damage by hackers occurs when distribution systems are compromised and freight deliveries are redirected to criminal-controlled warehouses. Organized cybercriminals have management structure, functional responsibility, and a support labor force that enables them to traffic in stolen information using many of the same business practices employed by corporate America.

Organized cybercriminal enterprises have created “botnets,” collections of tens of thousands of computers used to launch Distributed Denial of Service (DDoS) attacks on enterprise websites, DNS servers, email systems, and VoIP services. Botnets can be used to extort companies, especially those dependent on e-commerce. Even if a legitimate business does not become a blackmail victim, it’s possible that if left unprotected, many of its own computers can become part of a botnet. Cybercriminals use the botnets to distribute spam, child pornography, and malware in mass quantity to accomplish their nefarious goals.

In a 2005 article called “Shadowcrew: Web Mobs,” author Deborah Gage described the activities of Andrew Mantovani, David Appleyard, Brandon Monchamp, and more than a dozen other members of the Shadowcrew. The group auctioned off stolen and counterfeit credit and identification cards, and according to Gage, business was booming. Shadowcrew had more than 4,000 members and, according to the U.S. Secret Service, ran a worldwide marketplace in which 1.5 million credit card numbers, 18 million email accounts, and scores of identification documents (e.g., passports, driver’s licenses, student IDs, etc.) were offered to the highest bidder.

According to the article, many of the credit card numbers sold on the site were subsequently used by Shadowcrew’s customers, who had no intention of paying for what they bought. The result was more than $4 million in losses suffered by card issuers and banks, says the Secret Service, which is charged by the U.S. government to investigate counterfeiting, credit card fraud, and some computer crimes.

Gage goes on to state that Shadowcrew is a Web mob: a highly organized group of criminals. Unlike the American Mafia or the Russian syndicates, however, these Web mobs work solely in the online world. Members know each other only by computer aliases, interact with each other through the Internet, and commit their crimes in the darkness of cyberspace. The electronic marketplaces they establish to trade their illicit wares can be set up and later disbanded with little more than keystrokes. “They basically can pop up anytime and anywhere,” says Secret Service Special Agent Larry Johnson. The Secret Service says they operate under names such as Carderplanet, Stealthdivision, and Darkprofits.

These cybermobs are designed to foster more crime and criminals on the Web. Much like La Cosa Nostra, members of Web mobs don’t have to break into a bank to rob it. Instead, they provide a framework and services for criminals to trade in their chosen stock—stolen credit cards and identity documents. And their efforts, including the “commerce” sites where they trade in stolen merchandise, will only accelerate what is already a thriving trade in numbers that are regarded on the Web as currency.

Several attributes of the Internet make it an attractive operational location for criminal enterprises. First, individuals and businesses have come to realize that information is power. Likewise, criminals have determined that they can profit by stealing and selling information. Others can then exploit the value of that private information for their own profit.

Second, cyberspace gives the criminal a worldwide reach. In the old days, organized crime might be restricted to a few city blocks, a city, a geographical region, etc. With the World Wide Web, criminals can be located anywhere and can exploit victims located anywhere in the world, provided that they are using the Internet and demonstrate the vulnerabilities exploited by these criminal groups. Thus, criminals with the proper skill set may be located in the former Soviet Union, Eastern Europe, South America, or other distant countries, and target victims through fraudulent or illegal Internet commerce in relatively wealthy countries in Europe, Canada, and the United States with little fear of retaliation by law enforcement.

Third, the World Wide Web is relatively anonymous. Persons online have no face; their existence is only a user name and password that may have no logical, physical, or legal connection to the digital identity. In addition, a cybercriminal can create any number of identities on the Web, none of which may be tied together or tied to the person’s real identity. Members of organized crime groups communicate using their various digital identities. They are also computer savvy enough to know to encrypt their digital transmissions and transactions, and often float their communications through networks of servers and anonymous “re-mailers” that conceal the IP address of their computers. They can also route traffic through proxy servers, making it almost impossible to trace electronic transmission to their source.

Fourth, beyond the difficulty of catching cybercriminals is the difficulty of successfully prosecuting them. Determining the proper jurisdiction is often a difficult task. Once jurisdictional issues are resolved, applying traditional laws to online activity presents further challenges. More problematic is the location of many cybercriminals. Many of these individuals locate in countries that do not cooperate with law enforcement officials in nations seeking extradition; the choice of locale by the cybercriminal is deliberate. Organized crime groups operating in places such as countries formerly part of the Soviet Union, Eastern Europe, South America, and Russia are virtually immune from prosecution.

Money Laundering in Cyberspace

Gains from criminal activity can be readily laundered through money transfers using a series of Internet bank accounts, wagering on Internet gaming sites, artificial purchases on auction sites, and the traditional organized crime practice of using legitimate businesses to hide illegal transactions. Since the beginning of criminal enterprise, the bad guys have used banks as a means to launder money gained through illegal activities. However, the creation of Internet banking makes following the money more difficult than ever.

The following example illustrates the practice of money laundering in cyberspace.

Alexandra is the head of an international identity theft operation, specializing in the mass sale of stolen Social Security numbers, with matching names and dates of birth. Having the big three pieces of identifying data makes her a triple threat.

Alexandra is known around the underworld as a ruthless and vicious operator and yet, she has a problem: she has tons of currency, the profits from her illegal activities that she cannot spend without attracting the attention of law enforcement. More problematic is that if the identity theft ring is busted and prosecuted, without some sort of money laundering operation, the funds can be tied directly to her. She has the ability to pay her employees, contractors, suppliers, and vendors through the organization’s bank accounts, but not herself.

Alexandra needs to get this currency from her organization’s offshore bank account into the legitimate U.S. economy so that she can safely draw on these ill-gotten gains without attracting attention. Alexandra is a true patriot—she has even gone so far as to faithfully and completely pay her U.S. income taxes. Maybe she’s not such a patriot—if she is ever caught, she can avoid being prosecuted for tax evasion.

To gain anonymity, Alexandra uses her money to buy e-currency, a relatively anonymous and unregulated currency she then moves in varying amounts, small and large, across a series of e-currency accounts and ultimately transfers the money into her own bank.20 From there she loans money to herself in the United States and pays a consulting fee to an international company (controlled by her) for services rendered to her real estate company, where she receives cash distributions both as an employee and as an owner. Now she is free to use that money for loans, salary, and dividends as she chooses with little risk to her freedom.

Money laundering, which involves disguising the origins of illegally generated cash flow to give it the appearance of legitimate income, is enhanced on the Internet due to the near anonymity that can be achieved. Furthermore, Internet banks provide access to accounts anywhere in the world from anywhere. As a result, it is often not clear whether an account is accessed from a country other than the one where the money is held. In addition, monitoring the activity of individual account holders is nearly impossible.
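The movement of funds in the Alexandra example, from an offshore account through a series of e-currency accounts into a personal bank account, leaves a pattern an examiner can look for in transaction records. The following Python sketch is an added example, not part of the original chapter: it traces funds forward in time from a source account and flags intermediary accounts that pass on nearly everything they receive within a short period. The account names, ledger, 95% pass-through ratio, and 48-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger: (timestamp, sender, receiver, amount). Names are hypothetical.
LEDGER = [
    ("2024-03-01T09:00", "OFFSHORE-OPS", "ECUR-A", 90000),
    ("2024-03-01T11:30", "ECUR-A", "ECUR-B", 30000),
    ("2024-03-01T11:45", "ECUR-A", "ECUR-C", 59500),
    ("2024-03-02T08:10", "ECUR-B", "ECUR-D", 29800),
    ("2024-03-02T08:40", "ECUR-C", "ECUR-D", 59000),
    ("2024-03-03T10:00", "ECUR-D", "PERSONAL-BANK", 88000),
    ("2024-03-02T14:00", "RETAIL-CUST", "MERCHANT-1", 120),
    ("2024-03-05T14:00", "MERCHANT-1", "SUPPLIER-9", 40),
]


def pass_through_accounts(ledger, min_ratio=0.95, window=timedelta(hours=48)):
    """Accounts that forward almost all of what they receive, and do so quickly.

    min_ratio and window are assumed thresholds, to be tuned per engagement.
    """
    inflow, outflow = defaultdict(float), defaultdict(float)
    first_in, last_out = {}, {}
    for ts, sender, receiver, amount in ledger:
        when = datetime.fromisoformat(ts)
        inflow[receiver] += amount
        outflow[sender] += amount
        first_in[receiver] = min(first_in.get(receiver, when), when)
        last_out[sender] = max(last_out.get(sender, when), when)
    flagged = []
    for account in inflow:
        if account not in last_out:
            continue  # money came in but never left: not a relay
        ratio = outflow[account] / inflow[account]
        held_for = last_out[account] - first_in[account]
        if min_ratio <= ratio <= 1.0 and timedelta(0) <= held_for <= window:
            flagged.append(account)
    return sorted(flagged)


def trace_paths(ledger, source):
    """Follow funds forward in time from source; return each path of accounts."""
    outgoing = defaultdict(list)
    for ts, sender, receiver, _amount in ledger:
        outgoing[sender].append((datetime.fromisoformat(ts), receiver))
    paths = []

    def walk(account, arrived, path):
        # Only transfers made after the funds arrived can carry them onward.
        onward = [(t, r) for t, r in sorted(outgoing[account])
                  if t >= arrived and r not in path]
        if not onward:
            if len(path) > 1:
                paths.append(path)
            return
        for t, receiver in onward:
            walk(receiver, t, path + [receiver])

    walk(source, datetime.min, [source])
    return paths


def integration_points(ledger, source):
    """End accounts reached from source only through pass-through relays."""
    relays = set(pass_through_accounts(ledger))
    hits = set()
    for path in trace_paths(ledger, source):
        middle = path[1:-1]
        if middle and all(account in relays for account in middle):
            hits.add(path[-1])
    return hits


if __name__ == "__main__":
    print("Relay accounts:", pass_through_accounts(LEDGER))
    for path in trace_paths(LEDGER, "OFFSHORE-OPS"):
        print(" -> ".join(path))
    print("Integration points:", integration_points(LEDGER, "OFFSHORE-OPS"))
```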

In addition to financial institutions, other businesses, such as Internet-based gambling operations, can also be hijacked for money laundering purposes. Online casino operations further complicate the identification of transactions that might be illegal because the entire operation—including all gambling records—is housed in electronic formats and located offshore in jurisdictions where access is extremely limited. Criminals can facilitate money laundering by “gambling” dirty money at the cybercasinos, converting winnings into cybercash, and then requesting the remittance of seemingly clean money through various cyberpayment and other fund transfer systems. Transactions are quick and may be completed from a computer located anywhere—from the privacy of their own home to the local public library or cybercafé. The borderless nature of the Internet makes it possible for users to play at any casino around the world, often in jurisdictions with minimal or unenforced money laundering laws. Work completed by Forrester Research suggests that there are more than 1,400 Internet gambling sites, most of which are based outside of the United States.21

According to a 1996 study, global Internet money laundering accounted for about $500 billion annually.22 Given the exponential growth of the Internet, that number is likely far greater today. The working paper by Kellerman suggests four models for payment in cyberspace23:

  1. The Merchant Issuer Model—In this case, both the smartcard issuer and the seller of goods are the same person or entity. An example of this model would be the Creative Star fare card used by riders of the Hong Kong transit system.
  2. The Bank Issuer Model—The merchant and the smartcard issuer are separate entities. Financial transactions are cleared through traditional financial systems such as the Banksys’ Proton card in Belgium.
  3. Nonbank Issuer Model—Users buy electronic cash from issuers using traditional money and then spend their e-cash at participating merchants. The merchant then redeems cash from the issuer. An example of this is Cybercash’s electronic coin product.
  4. Peer-to-Peer Model—Bank- or nonbank-issued electronic cash is transferable between users. The only point of contact between traditional payment systems and initial e-cash is the initial purchase of e-cash from the issuer and the redemption of electronic cash from individuals or merchants. An example would be the Mondex stored value card.

In response, worldwide efforts, often led by U.S. law enforcement, the International Monetary Fund (IMF), and the World Bank, have tried multiple approaches to combat money laundering in cyberspace, including those described below.24

  • Identify and Reduce the Ability to Make Anonymous Financial Transactions. The Financial Sector Assessment Program (FSAP) is a joint IMF and World Bank effort introduced in May 1999 to increase efforts to promote the soundness of financial systems in member countries. Supported by experts from a range of national agencies and standard-setting bodies, FSAP seeks to identify the strengths and vulnerabilities of a country’s financial system, to determine how key sources of risk are managed, to ascertain developmental and technical assistance needs, and to help prioritize policy responses. Related specifically to cyber-based money laundering, FSAP provides assistance and training on how to identify and reduce new means of money laundering, cybercrime, and terrorist financing using transactions such as the Nonbank Issuer Model and the Peer-to-Peer Model.
  • Map Global Payment Systems. The goal of the “Global Payments Systems Mapping Project” is to develop a better understanding of the flow of money, which can, in turn, be converted into knowledge for helping nations craft monetary policies and financial risk assessment models.
  • Facilitate International Information Sharing. Using the U.S. Financial Services Information Sharing and Analysis Center (ISAC) as a model, the goal is to provide real-time information sharing, alerts, notifications, Web-based education, and training on e-money laundering and other cybercrimes. In addition, the data could be used to operate a cyberthreat analysis center.
  • Require All Financial Transactions to Include “Know Your Customers” Policies and Procedures. To increase transparency, authentication solutions, including the use of biometric and public key infrastructure (PKI), can be implemented for users who initiate large value transfers. Two-factor authentication could also be required for all financial transactions.
  • Harmonize and Coordinate International Money Movement Regulations. The standardization of laws and regulations of money movement for all entities would mitigate the threat of nonregistered and informal money transmitters (e.g., e-gold) that are used to facilitate money laundering activities by organized criminal syndicates in cyberspace. Greater entry barriers, such as licensing and registration for all money movement entities, will hinder the effectiveness of money laundering techniques in cyberspace.

Module 5: Reporting Cybercrime

The primary federal law enforcement agencies that investigate domestic crime on the Internet include the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).

In addition, the Internet Crime Complaint Center (IC3) was established as a partnership between the Federal Bureau of Investigation (FBI) and the NW3C (formerly the National White Collar Crime Center) to serve as a means to receive Internet-related criminal complaints and to further research, develop, and refer criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies. The IC3 emphasizes serving the broader law enforcement community to include federal, state, local, and international agencies that are combating Internet crime and, in many cases, participating in the Cyber Crime Task Forces around the world. Since its inception, the IC3 has received complaints across the spectrum of cybercrime, including online fraud in its many forms, such as computer intrusions (hacking), economic espionage, identity theft, intellectual property rights violations, international money laundering, online extortion, theft of trade secrets, as well as Internet-facilitated crimes.

IC3 serves as a repository organization to receive, develop, and refer criminal complaints regarding cybercrime. The IC3 provides a convenient and easy-to-use reporting mechanism for victims. Based on the data provided by victims, the IC3 alerts authorities to suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, local, and international level, IC3 provides a central referral mechanism for complaints involving Internet-related crimes. In addition to partnering with law enforcement and regulatory agencies, IC3 also works to establish effective alliances with industry. Such alliances enable the IC3 and their law enforcement partners to leverage intelligence and subject matter expertise of their industry partners. The goal is to be proactive and aggressive as well as responsive to cybercrime.

We have eight types of assignments for instructors to choose from:

  1. Critical Thinking
  2. Review Questions
  3. Multiple Choice Questions
  4. Fraud Casebook
  5. Brief Cases
  6. Major Case Investigation (MCI)
  7. IDEA Exercises
  8. Tableau Exercises

CRITICAL THINKING

  1. CT-1 So, Who’s Jerry. Tom is lying dead; he has an iron bar across his back and some food in front of him. How did he die?
  2. CT-2 Dry, Dry, Dry. A man went outside without an umbrella or a raincoat, yet did not get wet. How?

REVIEW QUESTIONS

  1. How are computers and digital devices used in cybercrime?
  2. What is the difference between computer fraud and computer crime?
  3. Which types of economic damages are related to digital crimes?
  4. What methods are used by insiders to commit cyber fraud? What red flags might indicate that insider digital fraud is occurring?
  5. What is meant by “hacking”?
  6. How might a hacker access and manipulate a digital device for illegal purposes? Are the Internet of Things (IoT) devices at risk for hacker access and manipulation?
  7. How do (digital) viruses work?
  8. List and describe various types of (digital) viruses.
  9. What are some common virus carriers?
  10. What are some indicators that a digital device has been infected?

MULTIPLE CHOICE QUESTIONS

  1. Which of the following is true concerning computer fraud and computer crime?
    1. Computer crime is defined as an act where the computer hardware, software, or data is altered, destroyed, manipulated, or compromised.
    2. Computer fraud and computer crime are seldom used interchangeably.
    3. Law enforcement crime fighters have been ahead of technologically savvy criminals in identifying the types of computer-based crimes that perpetrators are likely to attempt.
    4. Computer crime suggests that the computer’s owner is the perpetrator whereas computer fraud suggests that the computer owner is a victim.
  2. Which of the following is most accurate concerning the role of digital devices in cybercrime?
    1. Digital devices can be integral to the act, but seldom the concealment or the conversion associated with a fraud or financial crime.
    2. Digital devices are considered ineffective when attempting to deceive victims into investment, pyramid, and other “traditional” fraud schemes.
    3. Technologists can use digital devices to commit a crime.
    4. Digital devices, including computers and network systems, are infrequently subject to physical sabotage, theft, or destruction of information.
  3. Which of the following type of economic damages related to computer crimes is not considered a special case?
    1. Physical injury to a person
    2. Damage to a computer that could have an impact on national security
    3. Threats to public health or safety
    4. Damage to a computer that causes a company to file for bankruptcy
  4. Which of the following is not associated with increased risk regarding insider cyber fraud?
    1. Supervisors can implement strict controls over information system personnel.
    2. Insiders are often aware of the “holes” in the system of internal controls in the digital environment.
    3. Operators, media librarians, hardware technicians, and other staff members hold positions with high levels of access privilege.
    4. Insider computer fraudsters are often very intelligent.
  5. Which of the following statements is most accurate with regard to “hacking”?
    1. Logic bombs and data leakage are not considered forms of hacking.
    2. Social engineering is a required tool of hackers.
    3. The most direct way of gaining access to a computer is through “back doors” in software programming.
    4. A hacker may assume a number of different disguises to accomplish deception.
  6. Which of the following can investigate but not prosecute domestic Internet crimes?
    1. Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF)
    2. Internet Crime Complaint Center (IC3)
    3. United States Postal Inspection Service
    4. Federal Bureau of Investigation (FBI)
  7. Why is Internet fraud particularly difficult to police?
    1. More people are online feeding leads to police.
    2. Con artists are more convincing online than they are when operating in person.
    3. Nearly 70% of Internet consumers are shredding documents, destroying required transaction information needed for investigation and prosecution.
    4. Law enforcement may lack the training, resources, and jurisdiction to investigate and prosecute reported cases of Internet fraud.
  8. Which of the following is not categorized as a type of digital virus?
    1. TSRAM
    2. Multipartite
    3. Salami
    4. Parasitic
  9. Which of the following is most accurate regarding crime in cyberspace?
    1. Money laundering is seldom carried out in cyberspace.
    2. PayPal is a form of money laundering in cyberspace.
    3. The ability to make oneself anonymous in cyberspace is an important advantage to the criminal.
    4. Crimes carried out in cyberspace would most likely be committed by “Neolithic era” criminals.
  10. Which of the following statements is most accurate with regard to cybersecurity?
    1. Piggybacking and impersonation are viruses susceptible to antivirus software.
    2. The E-SIGN Act resulted in improved cyber security.
    3. Passwords are the most effective form of authenticating valid users.
    4. Biometrics verification techniques include fingerprints, palm prints, voice prints, signatures, retina scans, and facial recognition.
  11. Why is the Internet such an attractive operational location for criminal enterprises?
    1. Criminals can profit by stealing and selling information.
    2. Cyberspace gives criminals a worldwide reach.
    3. The World Wide Web is relatively anonymous.
    4. All of the above.
    5. None of the above.
  12. Which of the following is not an approach used to combat money laundering in cyberspace?
    1. Identify and reduce the ability to make anonymous financial transactions.
    2. Require confidential financial transactions.
    3. Coordinate international money movement regulations.
    4. Facilitate international information sharing.

FRAUD CASEBOOK

NetWare

Read the following article or other related articles regarding the NetWare case and then answer the questions below:

Source:

Byron Acohido, “Meet A-Z: The computer hacker behind a cybercrime wave,” USA TODAY, August 5, 2008.

Short Answer Questions

1. In what country is A-Z believed to live?

2. From what country(ies) is(are) his accomplices?

3. From what country(ies) is(are) A-Z’s victims?

4. What is the name of the software program that tracks a PC user’s keystroke activity and alerts the cyber-gang each time the PC user logs into their bank account?

5. How much money did the A-Z scheme net in total?

6. Where was the computer server holding key instructions discovered?

Discussion Questions

1. Why is a threat such as the one allegedly perpetrated by A-Z so difficult to investigate and prosecute?

2. What are the means by which cybercriminals meet and agree to participate in such an activity?

3. Can society expect more or fewer crimes similar to that allegedly perpetrated by A-Z? Why?

BRIEF CASES

Brief cases 1–4 are based on the following information.

Your client, Virus-Victim, Inc. (VVI), has suffered an attack. The company sells popular retail items only via the Internet to customers all over the world. The perpetrator has been identified and local law enforcement and the county prosecutor are handling the criminal action.

VVI believes that the perpetrator has the deep pockets to compensate VVI for its losses associated with the attack. The perpetrator committed the act at 12:01 am Saturday, July 4th and the retail website was down for 8 hours. At 12:01 am, alarms triggered and the Director of Information Technology (IT) and 10 IT programmers worked all weekend long, 20 hours, to restore and remediate the attack.

1. and 2. VVI’s supervisor from information technology and an accounting clerk have assembled the following lists of costs:

  • The IT Director earns a salary of $175,000 annually.
  • Each IT person earns $40 per hour; IT personnel work scheduled shifts to provide 24-hour coverage; each of the 10 IT programmers had worked 40 hours the prior week and worked their scheduled 40 hours the week after the incident.
  • The company’s cost for benefits is approximately 25%.
  • The police and prosecutor believe that the perpetrator worked alone, but his daughter works for VVI IT and earns $50 per hour and is normally scheduled for 40 hours per week. She averages 10 hours of overtime each week. The company put her on paid administrative leave starting Monday, July 6. She remained on paid administrative leave until police arrested her father on August 3, 28 days later. The daughter and VVI worked out an “exit” compensation package, where the daughter resigned immediately on August 3 and was paid for her expected earnings for 20 weeks.
  • IT Department utilities and nonpersonnel operational costs for the month of the attack were approximately on budget of $500,000, though 5% higher than the prior year. Operational costs equal $672 per hour during the month of July.
  • As part of the remediation process, the company purchased a redundant server. The cost of the server, peripherals, and software totaled $75,000.
  • After the attack, the company purchased a new software protection package for $100,000 to prevent future attacks similar to the July 4th attack.
  1. Assuming that ALL costs above are damages, estimate incremental costs to VVI.
  2. Assuming that true incremental costs to remediate and restore the Internet website are damages, estimate incremental costs to VVI.
  3. The warehouse and distribution center usually operates 24 hours a day, 7 days per week. Normal productivity is 50 packages per hour. Sales are packaged and ready for shipping an average of two hours after the customer completes their purchase on the VVI website. During the Internet outage, productivity in the warehouse operated as follows:
    • 12–2 am—Normal workload = 100 packages
    • 2–4 am—Productivity = 76 packages
    • 4–6 am—Productivity = 50 packages
    • 6–8 am—Productivity = 24 packages
    • At the 8-hour mark, the warehouse and distribution center was at zero packages.
    • 8–10 am—Productivity = 24 packages
    • 10–12 pm—Productivity = 50 packages
    • 12–2 pm—Productivity = 76 packages
    • 2–4 pm—Productivity = 100 packages

    The variable warehouse and distribution costs average $400 per hour; annual warehouse and distribution fixed costs average $250 per hour. The warehouse maintained full operational capability during the outage and restoration period. Estimate lost productivity to VVI.

  4. VVI is an international retailer and the flow of retail sales is approximately equal for each hour in a 24-hour day. VVI has seasonal sales variability. The following are relevant sales data:
    Sales        Annual        July
    Total        96,000,000    10,000,000
    Per Month    8,000,000     10,000,000
    Per Day      263,014       322,580
    Per Hour     10,959        13,441

    VVI sells generic low-cost groceries with lots of competition. When customers cannot buy from VVI, they typically do not return, but rather purchase from a competitor. VVI’s historical gross margin is 45%; incremental profit margin is 20% and net profit margin is 7%. Estimate lost (a) sales and (b) profits to VVI.

MAJOR CASE INVESTIGATION

The following is the “inventory” of items received to continue the examination at Johnson Real Estate. The goal is to focus on the missing deposits: who, what, when, where, and how.

  • Interview Excerpts: James Rogers

These items will be provided by the course instructor.

Assignment: Continuing to focus on evidence associated with the act, concealment, and conversion, use the evidentiary material to continue the examination.

In terms of the missing JRE deposits:

  • Who—link chart
  • What (did the person(s) do)—flow diagram
  • When (during what period?)—time line
  • Where (physical place, location in books and records, etc.)
  • How (perpetrate the scheme (act), conceal the act, and benefit from the scheme)

Your primary assignment is to re-examine all of the information, evidence, and activities received for this case.

IDEA EXERCISES: ASSIGNMENT 13

Case Background: See Chapter 1.

Question: The HR (human resources) department has requested some assistance. They would like to identify all employees who are not withholding the maximum savings amount for the 401K retirement plan of 6% to invite them to some retirement planning training sessions.

Student task: Students should (a) examine the listing of employees and note the “E_RetPCT” percentage for the employees whose 401K withholding percentage is less than 6% and (b) discuss the finding and recommend investigative next steps.

Student materials with step-by-step screenshots for completing the assignment are available from your instructor.

TABLEAU EXERCISES: ASSIGNMENT 13

Case Tableau Background: See Chapter 1.

The forensic audit has identified a ghost employee with disbursements in the payroll system for which clients may have been inappropriately billed: Theresa Angelina. The forensic audit did not reveal which clients may have been affected.

Question: Can you graphically present the total billings by client and a grand total for Theresa Angelina for the time period after termination?

Student task: Students should (a) graphically present the total billings (to clients) by client for Theresa Angelina for the time period 1/5/2019 to 6/30/2019 and (b) discuss the finding and recommend investigative next steps.

Student materials with step-by-step screenshots for completing the assignment are available from your instructor.

Endnotes
