Computer Fraud
Computer fraud is the use of a computer, network, or digital system to deceive another party for financial gain, unauthorized access, or misappropriation of data or identity, including forms such as phishing, account takeover, payment fraud, and invoice fraud.
What Is Computer Fraud?
Computer fraud is the use of a computer, network, or digital system to deceive another party for financial gain, unauthorized access to resources, or the misappropriation of data or identity. It is a specific category within the broader domain of computer crime, distinguished by the element of deliberate deception rather than pure disruption or vandalism. Common forms include phishing, in which attackers impersonate trusted entities to harvest credentials; account takeover, in which stolen or guessed authentication credentials are used to access accounts the attacker does not own; payment fraud, in which card data or banking credentials are used without authorization; and invoice fraud, in which falsified documents redirect wire transfers to attacker-controlled accounts. The field sits at the intersection of computer security, financial regulation, and law.
Legal frameworks addressing computer fraud have evolved alongside the technologies used to commit it. The U.S. Computer Fraud and Abuse Act (CFAA) of 1986 established federal criminal liability for unauthorized access to protected computers, and subsequent amendments have extended its scope to cover fraud perpetrated through access to computer systems. The NIST National Cybersecurity Center of Excellence publishes practice guides for financial institutions addressing authentication, identity management, and transaction monitoring in the context of fraud prevention.
Types of Computer Fraud
Phishing attacks deliver fraudulent messages, typically email, that mimic legitimate correspondence from banks, government agencies, or online services. Spear-phishing targets specific individuals using personal information gathered from prior reconnaissance, increasing the credibility of the lure. Business email compromise (BEC), a particularly costly variant, involves compromising or impersonating a corporate email account to redirect financial transactions. Identity theft uses personal data obtained through data breaches, credential-stuffing attacks, or social engineering to open fraudulent accounts or file false tax returns. Ransomware, while primarily a disruption tool, has a fraud dimension when attackers falsely claim to have stolen sensitive data and threaten to publish it unless payment is made, a technique sometimes called double extortion. Card-not-present (CNP) fraud exploits the gap between card issuance security and remote transaction verification, becoming the dominant payment fraud vector as chip-and-PIN adoption reduced in-person card cloning.
Fraud Detection and Prevention
Automated fraud detection applies statistical and machine learning techniques to behavioral and transaction data to identify anomalous patterns. Card transaction monitoring systems score each transaction in milliseconds, comparing the current purchase against a model of normal spending behavior for that cardholder; transactions that exceed a risk threshold are declined or routed to step-up authentication. Behavioral biometrics analyze typing cadence, mouse movement, and touchscreen interaction to distinguish account owners from fraudsters operating on stolen credentials. Multi-factor authentication adds a possession factor (such as a time-based one-time password generated by an authenticator app) or a biometric factor to the knowledge-based password, reducing the value of stolen credential data. The IEEE Security and Privacy journal has documented advances in fraud detection architectures, including graph-based methods that identify fraud rings by analyzing transaction networks rather than individual events.
Legal and Regulatory Frameworks
Beyond the CFAA, fraud affecting financial systems is regulated through multiple overlapping authorities. The Electronic Fund Transfer Act and Regulation E establish liability rules for consumers who report unauthorized transactions in a timely manner. Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, mandates technical and procedural controls for any organization that stores, processes, or transmits cardholder data. The EU's General Data Protection Regulation (GDPR) has fraud implications by requiring prompt notification of data breaches that could expose personal data to misuse. Law enforcement cooperation across borders is facilitated through mutual legal assistance treaties (MLATs), a necessity given that computer fraud operations routinely span multiple jurisdictions. The CISA (Cybersecurity and Infrastructure Security Agency) provides advisories and reporting channels for organizations affected by fraud-related intrusions.
Applications
Computer fraud countermeasures are applied across a wide range of sectors, including:
- Online banking and payment processing, where real-time transaction scoring is standard
- E-commerce platforms, where account takeover and CNP fraud are persistent threats
- Tax administration, where identity theft leads to fraudulent refund claims
- Healthcare systems, where medical identity fraud results in false insurance claims
- Telecommunications, where subscription fraud involves creating accounts using stolen identities