1. CHAPTER 17A – FRAUD
IN E-COMMERCE
Jennifer Lowes

2. E-Business
◦ Uses information technology and electronic communication networks to exchange
business information and conduct paperless transactions.
◦ Includes virtual private networks and other specialised connections through which
businesses routinely connect to one another.
Albrecht, Albrecht, Albrecht & Zimbelman, 2012, p 602

3. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Perceived Pressures:
• Dramatic growth leading to
tremendous cash flow needs.
• Pressure to improve financial results
due to mergers/acquisitions.
• Borrowing or issuing stock.
• New products requiring expensive
marketing.
• Unproven or flawed business
models with tremendous cash flow
pressures.

4. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Perceived Opportunities:
• Lag between transaction developments
and security developments.
• Complex information systems that make
installing controls difficult.
• Removal of personal contact – easier
impersonation or falsified identity.
• Electronic transfer of funds, allowing large
frauds to be committed more easily.
• Compromised privacy resulting in theft by
using stolen or falsified information.

5. Elements of Fraud Risk in E-Commerce
Perceived Opportunity
Rationalisations:
• Perceived distance that decreases
the personal contact between
customer and supplier.
• Transactions between anonymous or
unknown buyers and sellers – you
can’t see who you are hurting.
• New economy thinking contends that
traditional methods of accounting no
longer apply.

6. E-Commerce Risks Inside Organisations
◦ Easier to infiltrate systems, steal money and information and cause damage when
perpetrators are within firewalls and security checks.
◦ Perpetrators with inside access know the control environment, understand security
mechanisms, and find ways to bypass security.
◦ Most common problem: Abuse of power granted to users.
◦ I.e. programmers with superuser access – often removal of programmers’ access is overlooked
when systems go into production.

7. Survey
◦ > 1/3 of network administrators admitted to snooping into HR records and custom
databases.
◦ 88% of administrators would take sensitive data if they were fired.
◦ 33% would take company password lists.

8. Data Theft
◦ First concern of e-commerce fraud as data have many useful attributes:
1. Can be converted to cash fairly easily.
2. Information is replicable, allowing perpetrators to simply copy data rather than remove
them, leaving the source data intact.
3. Can be transferred easily and quickly to any location.
4. Managers lack the technical expertise to prevent and detect data theft.

9. Passwords
◦ Password selection cannot be fully controlled, as it is left to
the end user.
◦ Common passwords can relate to personal information, so
perpetrators may be able to guess the passwords of their
employees.
◦ Social engineering techniques are used by hackers to gain
access to passwords.
◦ Hackers take information from blogs, Facebook walls and
other social network sites and use this information to ask
victims for “just a little more”.

10. Passwords
◦ Companies may require regular password changes to try
to mitigate the risk of passwords being stolen.
◦ However many employees will merely add a sequential
number to the end of their password.
◦ Companies and websites generally have certain
password requirements such as minimum character
length, upper case, symbol, number etc.

11. Passwords – How many do you have?
University Bank Work login
Email Google Microsoft
Facebook Twitter Instagram
Skype TradeMe Pinterest
Online shops Blogs Online communities
Phone login Utility companies YouTube

12. Need one of these?
◦ http://www.youtube.com/watch?v=Srh_TV_J144

13. Risk vs Convenience?

15. Sniffing
◦ Logging, filtering and viewing of information that passes along a network line.
◦ The most common method of gathering information from unencrypted
communications.
◦ Easily done on most networks by hackers that run freely available applications.
◦ Organisations can use firewalls, spam filters and anti-virus programmes to prevent
sniffing, however employee laptops, tablets and mobile phones can be at risk when on
business trips and connecting to other networks.

16. Wartrapping
◦ Hackers go to places such as airports where business travellers are likely to be and set
up internet access points through their laptop.
◦ The access point will appear to be legitimate i.e. Auckland Airport Free Wireless.
◦ Hackers then use sniffing techniques to find passwords and other data as the traveller
browses the internet through the connection.

17. E-Commerce Risks Outside Organisations
◦ Internet provides a rich medium for external hackers to gain access to personal
systems.
◦ Ability to hack from across international borders means that tracking and prosecuting
hackers is difficult.

18. NZ Statistics:
◦ Year to 9th August 2013:
◦ 562 online frauds reported to NetSafe
◦ $4.4 million
◦ Netsafe’s Chief Executive estimates annual losses from internet fraud to be between
$100m and $400m per year.
◦ In 2012, the Ministry of Business, Innovation & Employment reported 670 bank phishing
and tax refund scams in NZ.

19. Spyware
◦ Installs monitoring software in addition to the regular that a user downloads or buys.
◦ Peer-to-peer music and video-sharing applications are the worst spyware offenders.
◦ Most spyware programs monitor user behaviours so that the company can make a
profit selling the personal data they collect.
◦ More advanced spyware can copy financial or other sensitive data from internal
directories and files and send it to external entities.

20. Phishing
◦ Phishing involves sending emails or pop up messages asking for personal information in
inventive ways.
◦ Common method is to request victims to update account details by clicking on a link
to a website which appears to be the company’s website.
◦ Common targets have been bank customers, TradeMe/ebay customers, even
government departments such as IRD.

21. ANZ
◦ In July 2013, ANZ customers were targeted by a phishing scam.
◦ Phishers sent an email to ANZ customers which appeared to be from ANZ.
◦ It stated that customers must update their account information through the link or service
would be suspended.
◦ The link took customers to a fake website which replicated the logos and formatting of ANZ.
◦ The phishers gained access to bank accounts when customers attempted to log in to the
fake website.
www.stuff.co.nz/technology/digital-living/8985900/Phishing-scam-targets-ANZ-log-in-details

22. Large Retail Company (Un-named)
◦ Major retail chain targeted by overseas cyber criminals in September 2013.
◦ Phishing attack attempted to convince store staff to install rogue software on their
computers.
◦ Phishers called stores claiming to be a senior member of the company and directed
employees to a fake website that was designed to look like the company’s official tech
support site.
◦ No data was lost as the company’s IT staff noticed what was happening and managed to
block access to the website and cleaning it up.
◦ “As soon as there’s real humans involved we as Kiwis are more vulnerable because we’re
extremely trusting”.
www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11130882

23. Spoofing
◦ Changes the information in e-mail headers or IP addresses.
◦ Perpetrators hide their identities by simply changing the information in the header, thus
allowing unauthorised access.

25. Falsified Identity
◦ Subtle differences in internet hose names often go unnoticed by internet users.
◦ I.e. “.com” “.org” “.nz” can be easily confused but lead to completely different
websites.
◦ If two similar names are owned by two different entities, one site could mimic the other
and trick users into thinking they are dealing with the original website.

26. “GoogleDirectory”
◦ NZ company with no links to Google, launched July 2013.
◦ Promotes itself as a new online marketing tool, offering special internet advertisement
packages.
◦ Over 100,000 listings – some who were contacted by the NZHerald had no idea they
were listed and had not paid.
◦ One customer was told Google was re-launching in NZ as GoogleDirectory.
www.nzherald.co.nz/business/news/article.cfm?c_id=3&objected=11111728

27. Conclusion
◦ Fraud risks in e-commerce systems are significant.
◦ Many employees do not fully appreciate the risks and methodologies that online fraud
perpetrators take.
◦ As auditors, it is important to be aware of the fraud risk in e-commerce and test internal
controls to minimise the risk.