COMPUTER FRAUD

Computer fraud describes a diverse class of electronic crimes that involve some form of electronic information theft and often monetary gains for the perpetrators. Common types of computer fraud include:

• altering or falsifying corporate computer records for personal gains;
• breaching a computer network (hacking) for sabotage or for obtaining sensitive information, such as passwords or data;
• eavesdropping on phone lines or network connections via computer programs in order to glean sensitive information; and
• offering bogus products or services over a public computer network such as the Internet.

The spread of computers and networking revolutionized the business world and simplified life for many people. Unfortunately, computers also contributed to an increase in fraud, which results in severe financial losses for businesses and individuals alike. Estimates suggest that U.S. computer fraud in the late 1990s amounted to $10 billion per year in losses. Computer thieves are not content to steal small amounts of money at a time, either. The typical bank robber averages $6,100 a heist; electronic thieves average over $100,000 per incident.

Perhaps most significant is the extent to which computer fraud permeates contemporary business and government systems. Some studies suggest that upwards of 90 percent of all major corporations (e.g., Fortune 500) have been targets of computer fraud, as have numerous U.S. government agencies—including the Department of Defense. The vast majority of these cases have resulted in some financial losses to the target organization. This high percentage apparently stems in part from the fact most computer crimes—up to 85 percent according to some studies—are committed by insiders like employees and contractors. However, some analysts believe that this high rate is artificially inflated because internal breaches are the easiest to catch.

DETECTING COMPUTER FRAUD

Computer crimes that involve system breaches are difficult to detect, and indeed security experts believe that only a fraction of them—perhaps only 5 percent as of 1998—come to light. Often the problem arises when organizations fail to view their computer systems from a holistic perspective: they place tight safeguards only on the systems housing the most sensitive information, but ignore the potential weak link between high-security systems and their other systems, which are minimally protected. Other times, network administrators and other managers fail to grasp the security issues affecting their systems. A noteworthy example is in the large number of network penetration incidents that could have been prevented if the company had installed the security upgrades provided by the software vendor (often free of charge).

Still, if a company monitors its systems for potential fraud on a continuous basis, it greatly improves its chance of at least detecting the break-in and tracing its source, if not preventing it. However, the best security measures can also be costly to implement, leaving management to choose between the high overhead of a secure system and the uncertain costs of potential fraud.

By contrast, consumer fraud perpetrated via computer, especially through the Internet, is often detected in much the same way as other forms of consumer fraud: when the consumers don't receive the goods or services they paid for. Finding and prosecuting the offender, though, can be complicated because of the Internet's decentralized and international nature. Web sites can be up one day and gone the next, and they can be hosted from foreign computers beyond the normal jurisdiction of U.S. courts.

SOCIETY'S REACTIONS TO COMPUTER
FRAUD

Society has not always reacted strongly to computer fraud. Courts have often been reluctant to punish criminals who indulge in computer crimes because they view such infractions as somewhat harmless compared to street crime. According to a study conducted in Washington, D.C., of 82 people convicted of white-collar crimes, 50 percent received suspended sentences or probation. About 8 percent received sentences ranging from one week to six months in prison. Approximately 10 percent received sentences ranging from six months to three years in prison. Only about 20 percent received sentences exceeding three years in prison. One of the first things that must happen if computer crime is to be taken seriously is to change judges' and juries' attitudes about its importance.

One of the problems in dealing with computer criminals is that, until recently, the people charged with detecting their activities, apprehending them, and ultimately trying them in court have not been capable of dealing with the technological aspects of the crimes. That is partly because computer crime is a relatively new phenomenon. Major cases of computer crime date back only to 1971 or so.

One of the first major cases allegedly involving computer tampering was reported by the New York-Penn Central Railroad. Officials disclosed that more than 200 of the company's freight cars had been rerouted from Philadelphia to an obscure yard in Chicago. The original markings on the cars were painted out and changed. The same thing happened to another 200 or so cars, which were also reported missing. Each lost car cost the railroad an average of $60,000.

The chief of the Federal Organized Crime Strike Force at the time suggested that someone might have gained unauthorized access to the railroad's computer and changed program instructions to misroute the cars to other locations. Since that case, and another highly publicized case in California a year later in which an engineering student stole more than $1 million worth of electronic equipment from the state's largest telephone company, computer crime has drawn more attention from business, law enforcement, and judicial officials. It has also become a focus of home computer owners, many of whom have fallen prey to computer fraud.

HOME COMPUTERS AND FRAUD

The great increase in personal computers in people's homes has spawned a new era of crime. Investment scam artists in particular are busy defrauding individuals of millions of dollars a year through sophisticated scams. Often, scam artists operate across state lines in perpetrating their schemes. While this presents them with larger audiences of potential victims, it also opens the door for federal officials to hunt and prosecute them. However, the rampant growth of consumer Internet use has only fueled the potential for nationwide computer scams.

In one Missouri case, an unlicensed stockbroker offered his services to unsuspecting victims. He made dubious claims about stocks which were not licensed for sale in the state. He suggested fallaciously that Donald Trump was a major investor in a small cruise line whose seldom-traded stock the unlicensed stockbroker was promoting. Fortunately, state regulators uncovered his scheme before he could bilk state residents out of large sums of money. Not all criminals are detected so quickly, though.

In another scam, in New Jersey, computer criminals pushed the stock of a Canadian modular housing firm whose shares jumped from 42 cents a share to $1.30 early in 1994. As a result, activity in the stock among computer users rose quickly. The daily trading volume reached 600,000 shares—for a stock which had an activity level of only 175,000 shares in all of December 1993. The stock price dropped quickly from $1.30 to only 60 cents a share, which meant many people lost money on the deal. The criminals, however, walked away with a healthy profit.

Another popular activity of computer criminals is pyramid schemes. In these, people are encouraged to send sums of money ranging from $1 to $2,000 each to the top five names on an electronic mail chain list. After they send the money, their names go on the bottom of the list. Eventually, they are led to believe, they will rise to the top of the list and will receive sums as high as $600,000 from people on the lower rungs. Needless to say, more people lose their few dollars than gain $600,000—or even recoup their original investments.

CORPORATE COMPUTER SECURITY
TACTICS

Businesses have implemented a wide variety of techniques to forestall computer fraud. The primary goal of business executives in fighting computer crime is to reduce its impact as much as possible and uncover fraud quickly. Specific security measures include the following:

1. Companies can maintain a rigorous schedule of system traffic audits and logs to document access to the system and some forms of file manipulation. Audits may include electronic mail surveillance to track movement of large quantities of data in individual messages.
2. Access to key computers—both physical and through network connections—can be restricted to only the most essential users. Physical security may include placing the computers in controlled access facilities. Employees can also be screened through background checks before receiving access to critical data.
3. Extensive data back-up policies, including off-site storage, can be implemented to minimize the loss of archival data to sabotage.
4. Employees may be trained in computer security issues and procedures to reduce inadvertent compromises of security.
5. Formal computer security policies can be publicized to employees and contractors along with the associated disciplinary measures for violations.
6. An individual or group of individuals can be charged with overseeing all computer security issues in order to ensure these issues receive ongoing and undivided attention.

Before deciding on which measures to implement, managers may need to conduct a thorough review of past security problems and potential risks. There is also a growing pool of security consultants who can assist with risk assessment and security strategy development. Various software and consulting firms also sell software tools that can be used to tighten security and combat fraud; demand for such programs and services rose sharply in the late 1990s.

THE LAW ENFORCEMENT RESPONSE TO
COMPUTER FRAUD

Police departments are becoming more sophisticated in their approach to fighting computer crime. They are adding more computers to their arsenals and establishing partnerships with local businesses. For example, representatives of the Lake Worth, Florida, Police Department meet monthly with a coalition of people from the city's private businesses, banking and financial institutions, other law enforcement agencies, and government organizations. Other departments are adopting similar partnership approaches.

Most police departments in the United States today have added people to their staffs who specialize in the investigation of computer-related crimes. In fact, 80 percent of the departments polled by Law and Order Magazine for an article in its July 1994 issue reported that they had such specialists on their staffs. This is an indication that police departments are becoming more active in their investigations into computer crimes—and more proficient besides. The federal government has encouraged heightened police involvement in detecting computer-related crimes through special funding for such programs.

However, many obstacles to prosecuting computer crimes remain. Acceptable police tactics and the kinds of evidence needed to prove a case are not yet well established, leading to many state and local variations in how computer fraud is handled. The relatively thin case history also makes for inconsistencies in the courts.