It takes a digital detective to track down today's computerised criminals

Computer fraud is costing British businesses £10bn each year. Schemes range from sophisticated fund transfers involving millions of pounds to simple theft of commercially sensitive data. Ian Grayson reports on the battle against hi-tech fraudsters being waged by the Serious Fraud Office and corporate investigators
Computer fraudsters have a glamorous image. Armed only with a PC and their wits, they can hack into banks and transfer vast amounts of cash into shady offshore accounts. Corporate secrets are easy prey. A few clicks of the mouse and latest product developments are theirs for the taking. What a great way to make a living.

It's easy to subscribe to this image - to dismiss computer fraud as a great subject for Hollywood movies but one with little relevance to daily life. Unfortunately, it's not true.

Estimates of the cost of computer fraud to UK businesses vary greatly, but usually tend to be large. According to Mike Carlton, senior manager in Ernst & Young's fraud investigation unit, the figure could be as high as £10bn per year. That's big by any standard. To put it into some sort of perspective, the estimated cost of vehicle crime in the UK is between £400m and £500m per year, while burglary runs at a similar level.

"You're never going to know the total cost because you can't measure what you haven't discovered," Carlton says. "But it is certainly far higher than most people think."

For Carlton, defining computer fraud is a problem in itself. "People talk as though it is a specific type of fraud, but I disagree," he says. "The computer is the medium and not necessarily the cause. Technology will only do what the user tells it."

Instances of computer fraud range from sophisticated fund transfer schemes involving millions of pounds to the copying of data files and theft of corporate information.

Mike Hainey, head of IT investigations at the UK's Serious Fraud Office, says very few cases actually involve computers being used to create frauds. More often, they are simply tools used in the fraud process. Recent examples include cases of forgery where computers were used to generate fake documents. "It is now significantly easier to generate documents that look exactly like the original," he says. "You can send one copy to a client and an amended copy can appear elsewhere - that's one we come across quite often."

Other computer frauds regularly uncovered within companies include creating fictitious creditors and then paying funds into private accounts, putting "ghost" staff on payrolls, falsifying cash sales and making unauthorised write-offs.

According to Michael Bacon, director of information security services at KPMG, computer frauds can also involve small amounts of money taken from a company over a long period of time.

"It is the old salami slicing technique where you take off very small bits, but over time they mount up and you end up with the entire sausage," he says. "UK firms should be more alert to the potential of fraud taking place within their organisations."

While the message about the true extent of computer fraud seems to be getting through, many companies have yet to take the steps necessary to curb it. A recent international research report published by Ernst & Young found that 90 per cent of senior executives surveyed felt their companies were vulnerable to computer fraud. Alarmingly though, 80 per cent felt they did not have sufficient understanding of their IT systems to be able to do anything about it.

"Most senior managers in the industry tend to have grown up before the computer era. So a lot of people are not accustomed to using them or do not understand how they work - they get frightened by them," Carlton says.

The report also found that, of the organisations that had suffered fraud, 78 per cent had found it to be the work of employees. It appears the primary threat to companies is within rather than without.

Combating computer fraud is a lucrative business. All the major accounting firms offer consultancy services that help companies to assess risk and take steps to minimise the potential for loss. According to Carlton, it can often just be a matter of ensuring that the fundamentals are being covered. "You need to have basic security measures in a computer environment," he says. "It's making sure that simple things are done correctly - that passwords are in place or that computers accessing data log out after five minutes of non-use. It's not rocket science, just common sense."

Other anti-fraud techniques include regular security checks of computer systems, limiting access to crucial information, and proper auditing of financial transactions.

Alongside advice on computer fraud defence, uncovering evidence of past misdeeds is also a growing area. Here, as well as being the instruments of fraud, computers are often the best tools for its detection.

"For the Serious Fraud Office, the growing reliance of companies on computer technology is actually an advantage," says Hainey. "Increasingly, we are coming across cases where we are finding no paper, but where computers are used to manage electronic documents."

The benefit here is speed. Searches of electronic documents can be conducted many times faster than those involving paper. Sophisticated software tools enable investigators to uncover data that would have been virtually undetectable through manual methods. "The types of searches that once would have taken months to do can now be completed in seconds," says Hainey.

The SFO itself is moving towards a paperless operation. New systems soon to be installed will enable vast quantities of paper-based evidence to be scanned and converted into electronic form. This will significantly streamline search processes and save on operating costs.

Often, the challenge in computer fraud cases is proving that certain actions were undertaken or data changed. Investigators must ensure that their activities do not inadvertently change the materials they are examining. They must also check for evidence that may have been hidden or deleted by the fraudster.

Increasingly, investigators are using imaging techniques combined with an armoury of sophisticated software tools. Imaging involves making a replica of a system that is then examined for evidence. The replica includes all hidden areas and deleted files.

"Even if a fraudster has tried to cover his tracks by hiding or deleting files they will still be captured in the image," says Jacqui Hildreth, business development manager at forensic computing company AuthenTec International. "It also ensures the original machine remains intact and unaltered which is important to ensure it can be used to build a prosecution case against an employee."

The company has developed an analysis software package that enables companies to check their systems for evidence of fraud. Working with an image, AuthenTec Forensic Software (AFS) allows files to be examined and searches carried out regardless of where information has been stored.

For example, an employee may have hidden sensitive corporate information within the code of a picture file, e-mailed it to a competitor and then deleted the file from the system. According to Hildreth, conventional searches may not find such data; however, AFS could locate it and determine its source. Computer imaging is admissible in court and is becoming a powerful tool in the fight against fraud.

Computer fraud will continue to be a part of modern business life. Just as they were before the IT revolution, greed, revenge and vindictiveness will continue to motivate some individuals to defraud the system. But with suitable safeguards and use of investigative tools, the cost of fraud to business can be kept to a minimum.