Email Scammers Still Tripping Up Finance Personnel

In an investigative report designed to bring attention to the need to beef up internal accounting controls to protect against fraud, the Securities and Exchange Commission found that the finance departments of publicly held companies continue to fall prey to relatively unsophisticated cyber-scams.

The report, released Tuesday, was based on the SEC Enforcement Division’s investigation of nine public companies that were victims of business email compromises (BECs).

Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million, the SEC said. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable.

In a BEC, the perpetrators pose as company executives or vendors and use emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators.

The BECs that the SEC studied broke down into two kinds: faked emails from executives and faked emails from vendors. In the first kind, fraudsters used spoofed email domains and addresses of an executive (typically the CEO) so that it appeared, at least superficially, as if the email were legitimate. The spoofed emails directed finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to execute large wire transfers to foreign bank accounts.

One company made 14 wire payments requested by a fake executive over the course of several weeks — resulting in over $45 million in losses — before the fraud was uncovered by an alert from a foreign bank, the SEC said.

In the second kind of BEC, which was a bit more sophisticated, fraudsters hacked the email accounts of companies’ existing vendors and then inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests.

“The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices,” the SEC said. “The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information.”

In one instance, an issuer paid eight invoices totaling $1.5 million over several months in response to a vendor’s manipulated electronic documentation for a banking change; the fraud was only discovered when the real vendor complained about past-due invoices, the SEC said.

Why did these scams succeed? The SEC pointed out that “systems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them.”

With the reviewed BECs, the fraud succeeded in part because the employees did not completely understand the company’s existing controls or did not recognize indications in the emailed instructions that the communications weren’t reliable, the SEC said.

In one instance, an accounting employee who received a spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires. In another, an accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO, the SEC said. In two instances, the SEC said, chief accounting officers initiated payments in response to fake executive emails.

The issuers fell victim to the attacks even though they had procedures requiring certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data, the SEC said. In the wake of the attacks, the issuers sought to strengthen their payment authorization procedures and verification requirements for vendor information changes.

Also, because many only learned of the email scams as a result of third-party notices, such as from law enforcement or foreign banks, they took steps to bolster their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud.

“While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the SEC said in the report.

Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.

“Having internal accounting control systems that factor in cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets,” the SEC pointed out.

No charges were brought against the nine companies or any of their personnel.