The Classification of Cyber-Crime


The Central Virginia Chapter of Certified Fraud Examiners (RVACFES), in cooperation with our venue partner the Virginia State Police, is initiating a series of quarterly luncheon meetings for our Chapter members and guests on various cutting-edge fraud investigation topics. We’re hoping to have the first such meeting in May or June, 2014 on the topic of cyber crime and its investigation. To set the stage for the meeting, I thought I’d do a short post on the classification of the various types of cyber crime that a fraud examiner new to the profession might expect to encounter in actual practice. As computer-assisted crimes have escalated exponentially over the last year, every fraud examiner needs to be aware of the risks associated with cyber crime perpetrated against a client entity of interest, and especially of those perpetrated using the entity’s own systems (as in the recent Target case).

Computer intrusion schemes. These types of schemes include cyber-crimes or preparatory exploits perpetrated against an entity resulting, directly or indirectly, in a quantifiable loss from an illegal or unethical act. The area of concern most in the news of late is industrial espionage featuring the theft of customer, financial or intellectual property related data. Some countries seem to support their citizens engaging in this type of hacking-related activity against entities in other countries, and some governments engage in espionage directly for what appears to be a whole host of different reasons. Entities subject to this risk (and areas of related concern) include, among others, national retail chains, aeronautics firms, space systems, armaments, energetic materials, chemical systems, biologic systems, kinetic energy systems and enterprises engaged in weapons countermeasures. Other areas of computer intrusion include unauthorized access to information or data from an entity’s own computer systems, infecting computers with viruses and other forms of malware, and infrastructure attacks such as denials of service.

Intellectual property rights. Intellectual property is increasingly available by electronic means, e.g., copyrighted books or materials that have been digitized. An example of a cyber-crime involving intellectual property is the illegal use or duplication of software. Differing international laws and customs complicate this issue; many copyright laws protect software products in one country, but not in another. Cyber attacks originating from outside the target country are difficult to prosecute if the countries involved don’t have similar laws.

Credit card fraud. The Association of Certified Fraud Examiners reports that some criminals, who formerly would not have been criminals or would have been traditional street criminals (engaged in localized drug sales, extortion or loan sharking), are taking advantage of readily available hacking software tools for sale on the internet to engage in credit card theft targeting big name retailers as a means of simply earning a living. Organized crime world-wide is increasingly turning to cyber-crime, including credit card and identity theft, online gambling, online extortion, online narcotic sales and cyber terrorism, as opposed to the street-based activities associated with the organized crime of the past.

Identity theft. This is the cyber crime most familiar to the general public because it’s the most reported on in every category of media. It includes the ubiquitous phishing schemes targeting every e-mail user, in endless variations, whose goal is to steal someone’s identity for the purpose of gaining unauthorized access to credit or financial assets. I dare say every one of the readers of this blog has received a phishing e-mail in the last week. In addition, every one of your corporate client entities can have its identity stolen by web-site hijacking. Cyber criminals spoof the company website of a real enterprise and, using e-mail or other means, drive customers and others to the phony website, where the cyber criminals capture personal and private information.

Money laundering. Banks and certain other financial institutions have to file suspicious activity reports (SARs) for identified suspicious activities, originally as a result of terrorist attacks and related, subsequently imposed regulations. Many of the identified activities that turn into Federal investigations deal with money laundering. Money laundering doesn’t necessarily involve computers, but wire transfers are used constantly to facilitate these types of schemes. Areas of concern include offshore money-laundering web sites, illegal or unauthorized wire transfers and similar activities.

Every fraud examiner needs to be aware of the possible cyber-crime scenarios relevant to the fraud scheme(s) involved in whatever examination she’s currently conducting or is being asked to conduct—increasingly, investigative skills related to cyber schemes will constitute a substantial percentage of the foundation for modern fraud examination. The specific risks and applicable cyber-crimes can be expected to vary from examination to examination, but the necessity for a general knowledge of cyber-crime and how to investigate it can be expected to pose an increasing challenge for the conduct of any thorough fraud examination.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early registration)! For details see our prior post entitled “Save the Date”!
