Fraud Examination, 3ELearning ObjectivesE-commerce Fraud RiskSlide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Preventing Fraud in E-commerceSlide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Detecting E-commerce FraudSlide 23Slide 24Slide 25Fraud Examination, 3EChapter 17: Fraud in E-CommerceCOPYRIGHT © 2009 South-Western, a part of Cengage LearningLearning Objectives•Understand e-commerce fraud risk.•Take measures to prevent fraud in e-commerce.•Detect e-business fraud.2E-commerce Fraud RiskPressures to Commit E-commerce Fraud•Dramatic growth, which has created tremendous cash flow needs.•Merger or acquisition activity, which creates pressures to “improve the reported financial results.”•Borrowing or issuing stock, additional pressures to “cook the books.”3E-commerce Fraud RiskPressures to Commit E-commerce Fraud•New products, which require intensive and expensive marketing and for which an existing market does not yet exist.•Unproven or flawed business models, with tremendous cash flow pressures.4E-commerce Fraud RiskOpportunities to Commit E-commerce Fraud•New and innovative technologies for which security developments often lag transaction developments.•Complex information systems that make installing controls difficult.•The transfer of large amounts of information, a factor that poses theft and identity risks such as illegal monitoring and unauthorized access.5E-commerce Fraud RiskOpportunities to Commit E-commerce Fraud•Removal of personal contact, which allows for easier impersonation or falsified identity.•Lack of “brick-and-mortar” and other physical facilities that facilitate falsifying Web sites and business transactions.6E-commerce Fraud RiskOpportunities to Commit E-commerce Fraud•Inability to distinguish large and/or established companies from new and/or smaller companies, making it easy to deceive customers by falsifying identity and/or business descriptions.•Electronic transfer of funds, allowing large frauds to be committed more easily.•Compromised privacy, which results in easier theft by using stolen or falsified information.7E-commerce Fraud RiskRationalization to Commit E-commerce Fraud•The perceived distance that decreases the personal contact between customer and supplier.•Transactions between anonymous or unknown buyers and sellers—you can’t see who you are hurting.•New economy thinking contends that traditional methods of accounting no longer apply.8E-commerce Fraud RiskRisks Inside an OrganizationData theftSocial engineeringSniffingWartrappingVandalismEmployee laptops9E-commerce Fraud RiskRisks Outside an OrganizationComputer virusesSpywarePhishingSpoofingFalsified identityDatabase query (SQL) injectionsBust-outE-mail and Web visits10Preventing Fraud in E-commerceSecurity Through ObscurityKeeping security holes, encryption algorithms, and processes secret in an effort to confuse attackers.Appealing, yet ineffectiveRather than take chances with security through obscurity, employ robust, time-tested security methods11Preventing Fraud in E-commerceInternal ControlsInternal controls involve five different elements: (1) The control environment(2) Risk assessment(3) Control activities or procedures(4) Information and communication(5) Monitoring12Preventing Fraud in E-commerceThe Control Environment“Tone at the Top”•Integrity and Ethical Values•Board of Directors and Audit Committee Participation•Management’s Philosophy and Operating Style•Human Resources Policies and Practices13Preventing Fraud in E-commerceRisk AssessmentIdentify the risks of doing business with e-business partners•The control environment of business partners•Risks involved in electronic exchange or information and money•Intrusion detection14Preventing Fraud in E-commerceControl Activities•Adequate separation of duties•Proper authorization of transactions and activities•Adequate documents and records•Physical control over assets and records•Independent checks on performance15Preventing Fraud in E-commerceAdequate Separation of DutiesMake sure individuals who authorize transactions are different from those who actually execute them.Doing so prevents the most common fraud in purchasing: kickbacks and bribery.16Preventing Fraud in E-commerceProper Authorization of Transactions and Activities•Passwords•Firewalls•Digital signatures and certificates•Biometrics17Preventing Fraud in E-commerceAdequate Documents and Records•Electronic Documents:–sales invoices, purchase orders, subsidiary records, sales journals, employee time cards, checks, etc.•In e-commerce, additional controls must be put in place.ENCRYPTION18Preventing Fraud in E-commercePhysical Control over Assets and RecordsNeed to protect:1.IT equipment2.Programs3.Data FilesPhysical controls:•Locks, safe storage space, high-level security access, third-party providers.19Preventing Fraud in E-commerceIndependent Checks on PerformanceOrganizations should always conduct checks on their e-business partners (Dun & Bradstreet reviews, full-fledged investigations)20Preventing Fraud in E-commerceIndependent Checks on PerformanceUnderstand the management or business partners and what motivates them. Check the following:•Their backgrounds•Their motivations•Their decision-making influences21Detecting E-commerce FraudData-driven Fraud Detection1. Endeavor to understand the business or operations of the organization2. Identify what frauds can occur in the operation3. Determine the symptoms that the most likely frauds would generate4. Use databases and information systems to search for those symptoms22Detecting E-commerce FraudData-driven Fraud Detection5. Analyze the results6. Investigate the symptoms to determine if they are being caused by actual fraud or by other factors23Detecting E-commerce FraudTechnical Knowledge and ExperienceIt is extremely important for fraud investigators who specialize in e-commerce to understand the tools and methods that perpetrators use.24Detecting E-commerce FraudTechnical Knowledge and Experience•Web-servers•E-mail clients and servers•Intrusion programs (nmap, Airsnort, Wireshark, etc.)•Unix•Perl, Python, Ruby and Bash scripting