Was the scandal at Enron the result of fraud, or poor—perhaps unethical—management practices? In this section, we discuss management fraud, computer fraud, and computer abuse. Let’s begin by defining fraud as a deliberate act or untruth intended to obtain unfair or unlawful gain. Management’s legal responsibility to prevent fraud and other irregularities is implied by laws such as the Foreign Corrupt Practices Act,¹ which states “a fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.” Instances of fraud undermine management’s ability to convince the various authorities that it is upholding its stewardship responsibility.
Why are Congress, the financial community, and others so impassioned about the subject of fraud? In some highly publicized business failures that caught people completely by surprise, financial statements showed businesses that were prospering. Tinkering with the financial statements, as at Enron, causes hardship or failure for many firms and individuals.
Let’s examine some fraud-related problems that management must address when the organization is engaged in e-business. First, an organization that receives payment via credit card, where the credit card is not present during the transaction (e.g., sales via telephone or Web site), absorbs the loss if a transaction is fraudulent. To prevent this, the organization may install controls, such as antifraud software. Some banks will drop merchants who have unacceptably high fraud rates.
The proliferation of computers in business organizations has created expanded opportunities for criminal infiltration. Computers have been used to commit a wide variety of crimes, including fraud, larceny, and embezzlement. In general, these types of computer-related crimes have been referred to as computer fraud, computer abuse, or computer crime. Technology Insight 8.1 describes some of the better-known techniques used to commit computer fraud or to damage computer resources.
Be aware of two things: insiders commit the majority of computer crimes, and the methods listed in the summary are by no means exhaustive. For instance, two abuses not shown in Technology Insight 8.1 that typically are perpetrated by someone outside the organization are computer hacking and computer viruses. Technology Insight 8.2 has a brief explanation of computer viruses. Both of these computer crimes, spreading viruses and hacking, are a major concern to organizations engaged in e-business because they affect the actual and perceived reliability and integrity of their electronic infrastructure.
Here are three important facts to remember. First, those who have authorized access to the targeted computer perpetrate the majority of malicious acts. Second, it has been estimated that losses due to accidental, nonmalicious acts far exceed those caused by willful, intentional misdeeds. Third, the manipulation of events (i.e., adding, changing, or deleting of events) is one frequently employed method of committing computer fraud. The most cost-effective method for minimizing simple, innocent errors and omissions as well as acts of intentional computer crimes and fraud is to apply normal controls within existing systems conscientiously.
What are the relationships between fraud, in general, and internal control? Between computer fraud, in particular, and internal control?
Technology Insight 8.1
Computer Abuse Technologies
Salami. Unauthorized instructions are inserted into a program to steal very small amounts. For example, a program is written to calculate daily interest on savings accounts. A dishonest programmer includes an instruction that, if the amount of interest to be credited to the account is other than an even penny (for example, $2.7345), the excess over the even amount (.0045) is to be credited to the programmer’s account. While each credit to his account is minute, the total can accumulate very rapidly.
Trap Door (back door). During the development of a program, the programmer may insert a special code or password that enables him to bypass the security features of the program in order to simplify his work. These features are meant to be removed when the programmer’s work is done, but sometimes they aren’t. Someone who knows the code or password can still get into the program.
Logic Bomb. Similar to the trap door, unauthorized code is inserted into a program at a time when a programmer has legitimate access to the program. When activated, the code causes a disaster, such as shutting the system down or destroying data. The technique is usually tied to a specific future date or event, in which case it is a time bomb. For example, if the programmer’s name no longer appears on the payroll records of the company, the bomb is activated and the disaster occurs.
Trojan Horse. Like a Logic Bomb, a Trojan Horse is a module of unauthorized instructions covertly placed in a program; a Trojan Horse, unlike the Logic Bomb, lets the program execute its intended function while also performing an unauthorized act. Some Trojan Horses are distributed by e-mail to steal passwords. This was an element of the ILOVEYOU virus of May 2000.
Worm. A program that replicates itself on disks, in memory, and across networks. It uses computing resources to the point of denying access to these resources to others, thus effectively shutting down the system. Worms also may delete files and be spread via e-mail. Many recent viruses have included these worm features.
Zombie. A program that secretly takes over another Internet-attached computer, then uses that computer to launch attacks that can’t be traced to the zombie’s creator. Zombies are elements of the denial-of-service attacks discussed in this chapter.
Sources: Esther C. Roditti, Computer Contracts (New York, NY: Matthew Bender & Co., Inc., 1998); Steve Alexander, “Viruses, Worms, Trojan Horses and Zombies,” Computerworld (May 1, 2000): 74.
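The salami technique described above is caught by the kind of normal control the text recommends: recompute the interest independently and reconcile it with what the program posted. The following is an added example, not part of the original text; the account names, the 0.01% daily rate, the policy of truncating interest to whole cents, and the postings are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")

def audit_interest_run(balances, daily_rate, postings):
    """Recompute interest independently of the production program and
    reconcile the result against what that program posted to the ledger."""
    exact = {acct: bal * daily_rate for acct, bal in balances.items()}
    # Assumed policy: interest is truncated to whole cents before crediting.
    expected = {a: x.quantize(CENT, rounding=ROUND_DOWN) for a, x in exact.items()}

    posted = defaultdict(Decimal)
    sub_cent_credits = defaultdict(int)
    for acct, amount in postings:
        posted[acct] += amount
        if amount % CENT != 0:  # under that policy no credit carries a fraction of a cent
            sub_cent_credits[acct] += 1

    variances = {}
    for acct in set(posted) | set(expected):
        diff = posted.get(acct, Decimal(0)) - expected.get(acct, Decimal(0))
        if diff != 0:
            variances[acct] = diff
    return {
        "variances": variances,                      # posted minus entitled, per account
        "sub_cent_credits": dict(sub_cent_credits),  # count of fractional postings
        "truncation_residue": sum(exact.values()) - sum(expected.values()),
    }

# Constructed sample run: a 0.01% daily rate makes account A-1 earn $2.7345,
# the figure used in the text. P-7 stands in for the account receiving the excess.
DAILY_RATE = Decimal("0.0001")
BALANCES = {"A-1": Decimal("27345.00"), "A-2": Decimal("18020.00"),
            "A-3": Decimal("9999.00"), "P-7": Decimal("500.00")}
POSTINGS = [("A-1", Decimal("2.73")), ("A-2", Decimal("1.80")),
            ("A-3", Decimal("0.99")), ("P-7", Decimal("0.05")),
            ("P-7", Decimal("0.0045")), ("P-7", Decimal("0.0020")),
            ("P-7", Decimal("0.0099"))]

if __name__ == "__main__":
    report = audit_interest_run(BALANCES, DAILY_RATE, POSTINGS)
    for name, value in report.items():
        print(name, value)
```

A single account whose variance equals the whole truncation residue for the run, built entirely from sub-cent postings, is the signature the reconciliation is looking for.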
What is a computer virus?
Technology Insight 8.2
A computer virus is a program that can attach itself to other programs (including macros within word processing documents), thereby “infecting” those programs and macros. Computer viruses may also be inserted into the boot sectors² of PCs. Viruses are activated when you run an infected program, open an infected document, or boot the computer from an infected disk. Computer viruses alter their “host” programs, destroy data, or render computer resources (e.g., disk drives, central processor, networks) unavailable for use. Unlike other malicious programs such as logic bombs and Trojan Horses, viruses reproduce themselves in other programs.
Some viruses are fairly innocent—they might merely produce a message such as “GOTCHA” or play “The Blue Danube” through the computer’s speakers. Other viruses can be more harmful. Some viruses delete programs and files; some even reformat the hard drive, thus wiping away all that is stored there. Finally, there are some viruses that will overload your network with “messages,” making it impossible to send or receive e-mail or to connect to external sources, such as the Internet.
Many viruses first enter an organization through PCs; many have been introduced via electronic bulletin boards, shared software, and files attached to e-mail messages. This sharing allows viruses to become an epidemic like a biological virus. The real fear that causes information systems managers to lose sleep, of course, is that the virus will spread to the organization’s networks (and networked computing resources) and destroy the organization’s most sensitive data. In May 2000, the “ILOVEYOU” virus quickly spread throughout the world, infecting a million computers. This virus was written in Visual Basic script (file extension .vbs) and came attached to an e-mail message. If the recipient launched the program, the virus deleted artwork files and altered music files. If the victim was using the Microsoft Outlook mail program, the virus mailed itself to everyone in the victim’s e-mail address book. Thus, the “ILOVEYOU” virus would set a trap for many others who would think they were getting mail from a colleague. Finally, the virus contained a Trojan Horse that mailed victim passwords to an e-mail account in the Philippines.
How does one protect against a viral infection? If you are going to share files and disks with others, use virus protection software to scan all files and disks before the disks are used or the files are opened. This is, of course, especially true of files received as e-mail attachments. Don’t open e-mail from people you don’t know. Don’t open e-mail with .xxx or .xbs extensions. Back up files regularly. Use an up-to-date anti-virus program to scan your hard disk regularly. E-mail servers could be set to block attachments written in Visual Basic script.
Sources: Ann Harrison, “ ‘Love Bug’ Spotlights Misuse of VB Script,” Computerworld (May 8, 2000): 1, 111; Ted Bridis, “Poisonous Messages Potential to Destroy Files Prompted Vast E-Mail Shutdown,” The Wall Street Journal (May 5, 2000): B1, B4; Stan Miastowski, “Virus Killers (Tips for Self-Protection),” PC World (March 1997): 180.
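The last protective measure above, setting the e-mail server to block Visual Basic script attachments, comes down to a check on each attachment's file name as the message arrives. The following is an added example, not part of the original text; the function names, addresses, file names and message contents are constructed, and the attachment bodies are inert placeholders.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".vbs"}  # the Visual Basic script extension named in the text

def blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Return the file names of attachments a gateway should refuse."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Judge only the final extension, case-insensitively, so a name such
        # as REPORT.TXT.VBS is treated as script and not as a text file.
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in blocked:
            hits.append(name)
    return hits

def gateway_verdict(raw_message):
    """Hypothetical policy hook: reject the whole message on any hit."""
    hits = blocked_attachments(raw_message)
    return ("reject", hits) if hits else ("deliver", [])

def sample_message():
    """Constructed test message with one script-named and one text attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"placeholder bytes, not a script", maintype="application",
                       subtype="octet-stream", filename="Quarterly-Report.TXT.VBS")
    msg.add_attachment("Agenda for Monday.", filename="minutes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(gateway_verdict(sample_message()))
```

The check looks at the name only, so it complements the virus scanning recommended above and does not replace it.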