Wednesday, February 20, 2019
Case Study About Frauds in Information System Essay
1. Compose a summary of the case. Include how the fraud was perpetrated, the characteristics of the perpetrator(s) who committed the fraud, the role the auditor(s) had in the case, and the direct and indirect effect the incident had on the organization's stakeholders (customers, vendors, employees, executive committee, and board of directors).

Comerica is being sued by Experi-Metal for a $560,000 phishing attack on their deposit account. Experi-Metal, a custom auto-parts maker, was hit by phishing criminals in January 2009. The fraud was perpetrated when the company's vice president received a phishing e-mail instructing him to fill out online paperwork so the bank could perform planned maintenance. The e-mail appeared to have been sent from the bank, but it was actually sent by the phishing criminals. Once the vice president sent over his credentials, the attack was started. Experi-Metal accused Comerica of failing to take immediate action that could have eliminated some of the loss. The bank processed over a million dollars in wires from the company's account. The attack was done in a matter of hours. The criminals attempted to move millions of dollars to an Eastern European account. Comerica learned of the attack within four hours of the fraud. J.P. Morgan Chase contacted Comerica to report suspicious activity in the account. The criminals were funneling money into the Chase accounts to move it overseas to Russia and Estonia. Comerica shut down the scam, but only after the business had already lost money. Comerica shut down the account but still processed 15 wires after finding out about the scam. Suit was filed against the bank over the phishing attack to try to recoup some of the cash that was paid out through it. The perpetrators are usually people from abroad, and their emails have spelling errors.
The attacks come from abroad, and the emails will contain misspelled and transposed letters. The attackers send out thousands of emails trying to get an individual to respond. The emails are intended to trick users into clicking on the link and entering their personal information. The email will impersonate a company such as a bank. The email will state there is a problem and instruct the individual to verify their information. It will include a call to action prompting the user to respond or delete it.

The direct and indirect effects on the organization's stakeholders were that the bottom line would be reduced because of the loss of money. "Phishing scams deceive you into revealing your personal, banking, or financial information through links in email that refer your browser to a look-alike fake website that requests your personal, banking and/or financial information" (Roddel, 2008, pg. 93). The board of directors would need to put something in place with the bank to make sure this doesn't happen again. This is a lack of internal controls, because the vice president should have verified the email before providing his credentials. The direct impact is to cripple the company and its availability of funds, breaking confidentiality and safety. Phishing has a negative impact on a company's revenue, which is a direct impact on the stakeholders. The direct costs could include legal fees and additional marketing expense to recapture lost revenues. An organization should communicate with its stakeholders when a phishing attack happens, to keep the stakeholders from losing confidence in the organization. An indirect effect on stakeholders is responding to media inquiries and delivering messages to the affected parties.

2. Suggest the fraud classification(s) the case can be categorized into (based on the data processing model). Include your rationale for the classification.

By far the most common form of corporate identity theft used by fraudsters is phishing.
Phishing involves fraudsters sending e-mails under the guise of a bank or other reputable company, which appear authentic, to customers or users of that particular company. The emails lure them to log on to the company's website and verify their account details, including their personal identification details (Simmons & Simmons, 2003, pg. 8). The controller of Experi-Metal received an email that appeared to be urgent. The email stated the bank needed to carry out scheduled maintenance on its banking software. It instructed the controller to log in to the website via the link in the email. The email appeared to come from Comerica's online banking site. The site asked the controller to enter a security code. The website was fraudulent and was used to get the information needed to process the fraudulent wires.

3. Suggest the type of controls that may have been in place at the time of the violation.

The goal of any organization is to prevent or limit the impact of phishing attacks. The company probably had an in-house phishing plan in place. Corporate organizations have policies and procedures to help deter phishing attacks. This should have included training employees to avoid a phishing attack. The controls in place at Experi-Metal probably included a preventive plan that consisted of employee education and e-mail filters. There need to be more effective controls in place to prevent this from occurring in the future. The controller should never have given his personal information out online without verifying through the bank. Management has to be made aware of the types of phishing attacks through education, and an effective policy needs to be in place to cover these types of attacks. The system did not fail; it was the actions of the controller which led to the phishing attack.

4. Recommend two (2) types of controls that could be implemented to prevent fraud in the future and additional steps management can take to mitigate losses.
"Avoid emailing personal and financial information. If you get an unexpected email from a company or government agency asking for your personal information, contact the company or agency cited in the email, using a phone number you know to be genuine, or start a new Internet session and type in the Web address that you know is correct" (McMillian, 2006, pg. 160). A variety of efforts aim to deter phishing through law enforcement and automated detection. One thing that should be stressed at Experi-Metal is to never follow links in an email claiming to be from a bank. Banking institutions never ask you to verify your online banking username and password. The controller should have contacted the bank and verified the information before he entered the code. The motto is: trust no email or web site. The business should have controls in place to keep this from happening going forward. Second, Experi-Metal should install effective anti-virus and firewall protection software and adjust the settings to tighten up web security. For any customer or business that has an excessive number of wires, the bank should place a stop on the account, and the activity needs to be verified before any more wires are processed. Experi-Metal could have positive pay on the account, which would prevent any wires from being processed without their approval. Additional employee training should be offered to help employees recognize fraudulent emails. An individual should never respond to any emails asking for personal information. The bank should follow policy to protect and inform customers about fraudulent activity.

5. Assess the punishment of the crime (was it appropriate, too lenient, or too harsh) and whether the punishment would serve as a deterrent to similar acts in the future.

The court ruled in favor of Experi-Metal in the case. Comerica was held liable for over half a million dollars stolen from Experi-Metal.
The punishment was not harsh, because Comerica failed to act in good faith when it processed over 100 wire transfers in a few hours. The bank should have stopped the wire transfers and contacted the company. A customer holds a bank obligated to keep their money safe. Most of the money was recovered, but the judge ruled in favor of Experi-Metal based on the fact that the bank did not respond quickly enough in stopping the wire transfers. Banks are doing a better job at spotting fraud because of this case, but there is still room for improvement. This was a major case because it put pressure on banks to strengthen their security posture. The judge is holding the banks responsible for the safekeeping of a company's money.
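The two bank-side controls recommended under question 4, positive pay and a stop on an account that sends an excessive number of wires, as an added worked example. This is illustrative Python written for this page; it is not code from the essay, from Comerica or from Experi-Metal. It goes slightly beyond the essay by also freezing the account once fraud is reported, which addresses the complaint that wires were still processed after the scam was discovered. The thresholds (five wires or $250,000 in a four-hour window), the beneficiary names, the dates and the sample batch of wires are all constructed assumptions.

```python
"""Bank-side wire-transfer controls: positive pay, a velocity hold, and a
fraud-report freeze. Illustrative example; every threshold and sample value
below is constructed, not taken from the case."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Wire:
    when: datetime
    amount: float
    beneficiary: str          # identifier of the receiving account (constructed)
    beneficiary_country: str  # ISO-style country code (constructed)


@dataclass
class AccountControls:
    # Positive-pay list: beneficiaries the customer pre-approved. None means the
    # customer is not enrolled in positive pay, so the check is skipped.
    approved_beneficiaries: Optional[Set[str]]
    max_wires_per_window: int = 5                      # assumed threshold
    max_amount_per_window: float = 250_000.0           # assumed threshold
    window: timedelta = timedelta(hours=4)             # assumed window
    frozen: bool = False                               # set by report_fraud()
    history: List[Wire] = field(default_factory=list)  # wires already released

    def decide(self, wire: Wire) -> Tuple[str, str]:
        """Return ('release' | 'hold', reason) for one outgoing wire.

        Held wires are NOT added to history, so a held wire does not
        consume the velocity budget of later wires."""
        if self.frozen:
            return "hold", "account frozen after fraud report"
        if (self.approved_beneficiaries is not None
                and wire.beneficiary not in self.approved_beneficiaries):
            return "hold", "beneficiary not on positive-pay list"
        recent = [w for w in self.history if wire.when - w.when <= self.window]
        if len(recent) + 1 > self.max_wires_per_window:
            return "hold", "wire count exceeds velocity limit"
        if sum(w.amount for w in recent) + wire.amount > self.max_amount_per_window:
            return "hold", "amount exceeds velocity limit"
        self.history.append(wire)
        return "release", "within limits"

    def report_fraud(self) -> None:
        """Freeze the account: every later wire is held until staff clear it."""
        self.frozen = True


def sample_batch() -> List[Wire]:
    """Constructed batch: one routine vendor payment followed by a burst of
    large wires to beneficiaries the customer never approved."""
    t0 = datetime(2009, 1, 22, 8, 0)  # constructed timestamp
    wires = [Wire(t0, 12_000.0, "VENDOR-001", "US")]
    for i in range(10):
        wires.append(Wire(t0 + timedelta(minutes=10 * i), 90_000.0,
                          f"UNKNOWN-{i:02d}", "EE"))
    return wires


def run_batch(positive_pay: bool) -> Tuple[int, List[Tuple[str, str]]]:
    """Run the sample batch through the controls; return (#released, decisions)."""
    approved = {"VENDOR-001"} if positive_pay else None
    controls = AccountControls(approved_beneficiaries=approved)
    decisions = [controls.decide(w) for w in sample_batch()]
    released = sum(1 for d, _ in decisions if d == "release")
    return released, decisions


def frozen_account_holds_everything() -> bool:
    """After a fraud report, even an approved beneficiary is held."""
    controls = AccountControls(approved_beneficiaries={"VENDOR-001"})
    controls.report_fraud()
    wire = Wire(datetime(2009, 1, 22, 9, 0), 100.0, "VENDOR-001", "US")
    return controls.decide(wire)[0] == "hold"


if __name__ == "__main__":
    for enrolled in (False, True):
        released, decisions = run_batch(positive_pay=enrolled)
        print(f"positive pay {'on' if enrolled else 'off'}: "
              f"{released} released, {len(decisions) - released} held")
        for decision, reason in decisions:
            print(f"  {decision:7} {reason}")
    print("freeze works:", frozen_account_holds_everything())
```

With positive pay off, the velocity rule alone lets the vendor payment and the first two large wires through before the cumulative amount crosses the window limit and everything after is held; with positive pay on, only the approved vendor payment is released. Held wires are deliberately kept out of the history so the rule keeps holding once triggered rather than "resetting" as the window slides.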