Growing Global Internet Menace

Global Internet fraud is increasing so quickly and wildly that no one can devise a reliable rate of growth. But all fraud examiners know that they need to recognize the major types of Internet fraud and adhere to the "best practices" of protection. 

Recently, a 19-year-old Houston, Texas, man pleaded guilty to tricking hundreds of Internet users into providing him with their credit card and bank account numbers through a classic "phishing" expedition.

He sent e-mail messages indicating that an account would be suspended unless the customer updated the personal information requested. A hyperlink then took the customers to a copycat Web site that appeared to be legitimate but actually was controlled by the fraudster. Fortunately, this perpetrator was caught but there are thousands of others perpetrating the crime. Internet fraud is still flourishing.

Scope of Internet fraud could be indeterminable
Internet fraud is defined by the United States Department of Justice as "any fraudulent scheme in which one or more components of the Internet, such as Web sites, chat rooms, and E-mail, play a significant role in offering nonexistent goods or services to consumers, communicating false or fraudulent representations about the schemes to consumers, or transmitting victims' funds, access devices or other items of value to the control of the scheme's perpetrators." (1)

Obviously, global Internet fraud is likely to increasingly occur as more computer users access the Internet. For example, 88 million U.S. adults used the Internet in some manner in mid-2000. However, by the end of that year the number had reached more than 104 million. (2) This increase in Internet use has resulted in a corresponding increase in online crime and deception because anyone with access to the Internet can create a very lucrative fraud scheme. Also, a Web fraudster can construct an enticing site for little cash.

No one knows the full extent or magnitude of Internet fraud. Most probably go unreported to authorities as victims experience confusion about exactly where to report the acts. In fact, recent studies indicate that only one quarter of Internet fraud is ever reported to authorities. (3) In addition, even if complaints do get directed to some type of authority, they are usually lost or misdirected due to the nature of the Internet itself. Furthermore, Internet fraud reaches beyond traditional boundaries thus requiring new technology-based investigative procedures. Tracking the location of a fraudulent Web site or the origin of an e-mail address is often impossible.(4)

Even though the size of Internet fraud could be indeterminable, data from complaint centers, such as the Internet Fraud Complaint Center (IFCC), a partnership between the FBI and the National White Collar Crime Center (NWC3), and the Federal Trade Commission (FTC), indicate that online fraud is growing at alarming rates. Fewer than 1,000 Internet fraud complaints were filed in 1997, but by 2000 the number had increased to 25,000. (5) Internet fraud complaints doubled to almost 50,000 in 2001 and reached 75,000 in 2002. (6) In 2003, 166,617 Internet-related fraud complaints were filed at the FTC's Consumer Sentinel Web site. (7) The problem is expanding so rapidly that the IFCC is being renamed the Internet Crime Complaint Center (IC3) to reflect the expanded scope of its concerns. (8)

According to the IFCC, 48,252 fraudulent referrals were processed during 2002, with a total dollar loss of $54 million, up from $17 million in 2001. (9) (See Figure 1 below.) By one estimate, Internet credit card fraud will create losses of between $30 and $40 billion by 2004.10 The average dollar loss for all types of Internet fraud reported by the IFCC in 2002 was $1,482, and the median loss was $299. Victims of the Nigerian letter scam fraud experienced the highest monetary loss - a median of $3,864 - of the different types of Internet fraud. Credit/debit card fraud (median loss of $120) and non-delivery (median loss of $176) were the least costly types of fraud reported. Almost 23 percent of victims reported a loss of more than $1,000. (11)

[Figure 1 is no longer available. — Ed.]

The FTC reports an even larger total dollar loss than the IFCC. In its 2003 Consumer Fraud and ID Theft Report, the FTC reports that Internet fraud victims lost approximately $200 million, with a median loss of about $195 and an average loss of $1,341. (12) Internet fraud constituted 55 percent of all the fraud complaints, increasing from 45 percent in 2002. Of the more than 500,000 complaints filed with the FTC in 2003, 58.4 percent were complaints about fraud, while the remaining 41.6 percent were complaints about identity theft. (13)

The FTC Internet-related fraud statistics are consistent with those of the IFCC. In 2003, the FTC reported that 48 percent of Internet-related fraud complaint involved Internet auctions. (14) (See Figure 2 below) As the statistics above demonstrate, the most common type of reported Internet fraud relates to victims who paid for goods on Internet auction sites and never received the goods. Internet auction fraud can occur when a perpetrator presents "teaser" offers that result in the actual auction sale of small items to gain the confidence of potential buyers. However, these sales are followed by an auction of a more expensive item that's never delivered.

Another way perpetrators gain the confidence of potential auction fraud victims is to lurk in chat rooms where prospective buyers are identified and "befriended." After gaining the victim's confidence, the perpetrator lures the individual to legitimate auction sites to transact the fraudulent sale.

Another insidious Internet scam involves fraudulent pornography sites. Because these cases by their very nature are less likely to result in a report to law enforcement, perpetrators of these frauds engage in a more aggressive type of theft. A popup ad entices an Internet viewer to click a button to link to a pornographic site. After the viewer accepts the offer, software is installed on his computer, which dials a server located in a foreign country. Substantial toll call charges are added to the subscriber's next phone bill.

Figure 2 - Statistics from the FTC's 2003 National and State Trends in Fraud & Identity Theft Report: Top Products/Services for Internet-Related Fraud Complaints,
Jan. 1, 2003 - Dec. 31, 2003 

Both the ease and relatively small dollar value of these frauds make these cases very difficult to prosecute. Many of these cases involve "interstate" fraud but are committed for such nominal values that extradition of the perpetrators would be impractical for most state, provincial, county, and local authorities. In addition, federal authorities also require minimum dollar loss thresholds to justify "jacketing" a case and pursuing extradition. (See sidebar on page 35 for examples of specific Internet fraud schemes.)

An Internet fraud for every type of perpetrator
To avoid becoming victims, Internet users, and especially fraud examiners, should recognize the major types of Internet fraud. IFCC analysts determine the fraud type for each Internet fraud complaint received and sort complaints into nine fraud categories. (For more information see: www.ifccfbi.gov/strategy/2002_IFCCReport.pdf)

Financial institution fraud - Knowing misrepresentation of the truth or concealment of a material fact by a person to induce a business, organization, or other entity that manages money, credit, or capital to perform a fraudulent activity. Credit/debit card fraud is an example of financial institution fraud that ranks among the most commonly reported offenses to the IFCC. Identity theft also falls into this category; cases here tend to be those in which the perpetrator possesses the complainant's true name identification (in the form of a social security card, driver's license, or birth certificate), but a credit or debit card fraud hasn't been committed yet.

Gaming fraud - To risk something of value, especially money, for a chance to win a prize when there is a misrepresentation of the odds or events. Sports tampering and claiming false bets are two examples of gaming fraud.

Communications fraud - A fraudulent act or process in which information is exchanged using different forms of media. Thefts of wireless, satellite, or landline services are examples of communications fraud.

Utility fraud - When an individual or company misrepresents or knowingly intends to harm by defrauding a government regulated entity that performs an essential public service such as the supply of water or electrical services.
Insurance fraud - A misrepresentation by the provider or the insured in the indemnity against loss. Insurance fraud includes the "padding" or inflating of actual claims, misrepresenting facts on an insurance application, submitting claims for injuries or damage that never occurred, and "staging" accidents.

Government fraud - A knowing misrepresentation of the truth or concealment of a material fact to induce the government to act to its own detriment. Examples of government fraud include tax evasion, welfare fraud, and counterfeit currency.
Investment fraud - Deceptive practices involving the use of capital to create more money either through income-producing vehicles or through more risk-oriented ventures designed to result in capital gains. Ponzi/pyramid schemes and market manipulation are two types of investment fraud.

Business fraud - When a corporation or business knowingly misrepresents the truth or conceals a material fact. Examples of business fraud include bankruptcy fraud and copyright infringement.

Confidence fraud - The reliance on another's discretion and/or a breach in a relationship of trust resulting in financial loss. A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. Auction fraud and non-delivery of payment or merchandise are both types of confidence fraud and are the most reported offenses to the IFCC. The Nigerian Letter Scam is another offense classified under confidence fraud.

Law enforcement and industry responses
According to law enforcement sources, the volume of cases reported has dramatically increased in recent years; thousands of reported cases are being received each month just by each of the American states. Law enforcement agencies are beefing up the resources committed to the investigation and prosecution of Internet fraud cases. Some states have taken steps to deal with the influx of cases by dedicating staff and providing ongoing training to investigators to ensure that they are aware of current technologies and specific techniques.

Private industry has also geared up to battle the threat Internet fraud poses to both the business and its customers. Leading these efforts for Prudential Financial is Michael Geraghty, vice president of the High Tech Investigations Unit. Among the concerns Geraghty is addressing are the security of Prudential's Web site and various records of customer personal information and financial transactions. While this task may at first seem relatively easy to address, the actual challenge of protecting access to records and monitoring transactions for propriety requires the concerted efforts of various Prudential functions including the Privacy Office, Information Security personnel, the Corporate Investigations Division, Compliance and Systems area, and Internal Audit. At Prudential, these efforts have required a "task force" approach to proactively evaluate Internet fraud risks and preventative measures. This includes analysis of potential threats from both external and internal sources, according to Geraghty.

Prudential is an example of an organization in which the consumer's confidence in the integrity of the Prudential name is considered a valuable asset to the company. This is one of the reasons why Prudential allocates significant resources to ensure that others don't fraudulently use the Prudential name to perpetrate Internet fraud, Geraghty says.

One example of such a threat is "spamming," in which individuals seek to fraudulently route messages through Prudential servers or use Prudential's logo in an attempt to "legitimize" their fraudulent offers. According to Geraghty, many Internet mail servers don't require authentication, thus allowing individuals who operate outside U.S. boundaries to defraud individuals by creating the impression they actually represent legitimate organizations.

Among the measures taken by Prudential is reviewing all systems, data, and access capabilities for both external and internal threats. Geraghty noted that financial institutions may need to consider improved "footprints" to allow identification of individuals with "view access" in addition to the traditional audit trails for actual transactions. The critical components to success, he says, are awareness by all levels within the organization to the various threats that exist and a coordinated effort to stay one step ahead of the fraudsters.

Other financial services organizations have also faced up to the challenges posed by Internet business applications. For instance, potential customers often are able to submit loan applications to a company Web site, but the customer must appear in person and produce appropriate identification to finalize the loan. It's also customary for financial services organizations to use comprehensive data encryption techniques as well as Virtual Private Network (VPN) technology to protect the privacy and non-alterability of all customer information traversing the public Internet.

Global Internet fraud threat
Internet fraud is a serious problem that's growing rapidly throughout the globe as more people gain access to the Web and business and personal transactions increase. Fraud examiners of all stripes should recognize the major types of Internet fraud and adhere to the "best practices" of protection.

1 Federal Bureau of Investigation. (2003). "About the Internet Fraud Complaint Center." www.fbi.gov/hq/cid/fc/ifcc/about/about_ifcc.htm.
2 Federal Trade Commission. (2001). "Prepared Statement of the Federal Trade Commission on Internet Fraud, Before the Committee on Finance, United States Senate, April 5, 2001." www.ftc.gov/os/2001/04/internetfraudstate.htm.
3 Federal Bureau of Investigation. (2003). "IFCC 2002 Internet Fraud Report: Jan. 1, 2002 - Dec. 31, 2002." www.ifccfbi.gov/strategy/2002_IFCCReport.pdf.
4 Federal Bureau of Investigation. (2003). "About the Internet Fraud Complaint Center." www.fbi.gov/hq/cid/fc/ifcc/about/about_ifcc.htm.
5 Federal Trade Commission. (2001). "Prepared Statement of the Federal Trade Commission on Internet Fraud, Before the Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce, United States House of Representatives, May 23, 2001." www.ftc.gov/os/2001/05/internetfraudttmy.htm.
6 Federal Bureau of Investigation. (2003). "IFCC 2002 Internet Fraud Report: Jan. 1, 2002 - Dec. 31, 2002." www.ifccfbi.gov/strategy/2002_IFCCReport.pdf.
7 Federal Trade Commission. (2004). "National and State Trends in Fraud & Identity Theft, January-December 2003." www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf
8 United States Department of Justice. (2003). "New Information and Corresponding Source." FBI Press Release, Dec. 23, 2003. www.fbi.gov/pressrel/pressrel03/ic3122303.htm
9 Federal Bureau of Investigation. (2003). "IFCC 2002 Internet Fraud Report: Jan. 1, 2002 - Dec. 31, 2002." www.ifccfbi.gov/strategy/2002_IFCCReport.pdf.
10 Cameron, A. (2002). "Fighting Internet Credit Fraud: Problems Still Remain." Business Credit. Issue 7. Pp. 57-59.
11 Federal Bureau of Investigation. (2003). "IFCC 2002 Internet Fraud Report: January 1, 2002 - December 31, 2002." www.ifccfbi.gov/strategy/2002_IFCCReport.pdf.
12 Federal Trade Commission. (2004). "National and State Trends in Fraud & Identity Theft, January-December 2003." www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf
13 Ibid.
14 Ibid.

[Some links may no longer be available. —Ed.]

Craig R. Ehlen, DBA, CPA, CFE, is professor of accounting at the University of Southern Indiana. Robert E. Holtfreter, Ph.D., distinguished professor of accounting and research at Central Washington University. John Langione, CFE, CIA, CLU, is senior manager at Ernst & Young, LLP. Anna M. Green is a doctoral student in marketing at Louisiana State University.