By Mitchell Marcus, CPA
11.06.2018 | Berdon Industry Insights
A recent Securities and Exchange Commission (SEC) investigation [1] of nine publicly traded companies revealed their susceptibility to cyber-related frauds that were not technologically sophisticated, but merely used technology to identify weaknesses in policies and procedures and exploit human weaknesses to penetrate the control environment. The nine companies lost nearly $100 million in total and almost none of that money was ever recovered.
“Spoofing” Exploited Their Vulnerabilities
The companies that were investigated encompassed numerous industries including technology, machinery, real estate, energy, financial services, and consumer goods. In each instance, the companies fell victim to two forms of spoofing where the perpetrators sent communications from an unknown source disguised as a source known to the receiver.
- Emails from Fake Executives. The perpetrators emailed company finance personnel using spoofed email domains and addresses of company executives. The emails directed the finance personnel to work with a purported outside attorney, who told them to send large wire transfers to foreign bank accounts controlled by the perpetrators. To be more convincing, the perpetrators used real law firm and attorney names. They added a sense of urgency by saying that the transfers were time-sensitive and pivotal to a transaction. These were not very sophisticated fraudulent activities, as they only required creating an email address to mimic the executive’s address.
- Emails from Fake Vendors. In these situations, the perpetrators used more technologically sophisticated scams, which involved intrusions into the email accounts of the companies’ foreign vendors. By hacking the vendors’ email, the perpetrators were able to insert bogus requests for payments into electronic communications for otherwise legitimate transactions. The perpetrators corresponded with unknowing company personnel responsible for procuring goods from vendors to access information about real purchase orders and invoices. The perpetrators then requested changes to the vendors’ banking information, and attached fake invoices reflecting the new, fraudulent account information. The result? The companies paid outstanding invoices to foreign accounts controlled by the perpetrators.
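Both spoofing forms leave traces that can be screened for before a message reaches the finance team: a sender domain that merely resembles the company's own, an executive's display name attached to a mailbox that is not the executive's, and wording that changes where a payment should go. The following is an added example, not code from the article or the SEC report; the corporate domain, executive list, phrase patterns and sample messages are constructed, and the lookalike test uses the standard library's SequenceMatcher as a simple similarity measure.

```python
"""Added example (not part of the Berdon article): a screening check for the
two spoofing patterns described above. It flags (a) sender domains that only
resemble the company's real domain, or executive display names attached to
the wrong mailbox, and (b) emails that carry a change to payment instructions.
The domain, executive list, phrases and messages below are constructed."""
import re
from difflib import SequenceMatcher

# Assumed corporate domain and executive mailboxes (constructed).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com",
              "john roe": "john.roe@example-corp.com"}

# Wording that typically accompanies a request to redirect funds (constructed list).
PAYMENT_CHANGE = [
    r"\b(new|updated?|changed?) (our )?(bank|banking|account|remittance|wire) (details|information|instructions)\b",
    r"\b(bank|banking|account) (details|information) (has|have) changed\b",
]
URGENCY = [r"\btime[- ]sensitive\b", r"\burgent(ly)?\b", r"\bimmediately\b",
           r"\bconfidential\b"]


def parse_from(from_header):
    """Split 'Display Name <addr>' into (name, addr); tolerates a bare address."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", from_header.strip().lower()


def is_lookalike(domain, reference=CORPORATE_DOMAIN, threshold=0.8):
    """True when domain is not the reference but closely resembles it,
    e.g. a single substituted character."""
    return domain != reference and \
        SequenceMatcher(None, domain, reference).ratio() >= threshold


def screen_message(from_header, subject, body):
    """Return {'findings': [...], 'action': 'hold' | 'deliver'}."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    text = f"{subject}\n{body}".lower()
    findings = []

    # (a) executive impersonation: lookalike domain, or a known executive's
    #     display name on a mailbox that is not that executive's address
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("executive-name-mismatch")

    # (b) payment redirection and the pressure language that usually goes with it
    if any(re.search(p, text) for p in PAYMENT_CHANGE):
        findings.append("payment-instruction-change")
    if re.search(r"\bwire\b", text):
        findings.append("wire-request")
    if any(re.search(p, text) for p in URGENCY):
        findings.append("urgency-language")

    # Strong signals stop the message for out-of-band verification; weaker ones
    # are delivered with the findings attached for the recipient's awareness.
    strong = {"lookalike-domain", "executive-name-mismatch",
              "payment-instruction-change"}
    action = "hold" if strong & set(findings) else "deliver"
    return {"findings": findings, "action": action}


# Constructed sample messages (from header, subject, body).
SAMPLES = {
    "fake_executive": (
        '"Jane Doe" <jane.doe@examp1e-corp.com>',
        "Acquisition - wire today",
        "Please wire $250,000 to the account our outside counsel will send you. "
        "This is time-sensitive and confidential.",
    ),
    "fake_vendor": (
        '"Acme Supplies AP" <ap@acme-supplies.example>',
        "Invoice 4471 - updated banking details",
        "We have updated our bank details; the attached invoice reflects the "
        "new account information.",
    ),
    "benign": (
        '"Jane Doe" <jane.doe@example-corp.com>',
        "Board deck",
        "Attached is the draft for Thursday's meeting.",
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, screen_message(*msg))
```

The vendor-compromise case shows why the domain check alone is not enough: the vendor's real, hacked mailbox passes the lookalike test, so the hold comes from the payment-instruction wording, and the change itself still has to be confirmed with the vendor by a channel other than the email thread.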
In its investigation, the SEC considered whether the issuers complied with SEC provisions [2] that require publicly traded companies to maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
- Transactions are executed with management’s general or specific authorization
- Access to company assets is permitted only with management’s general or specific authorization
While the cyber-related threats posed to companies’ assets are relatively new, the SEC expects and encourages organizations to review and update their internal accounting controls to address these growing threats. The SEC determined not to pursue an enforcement action based on the conduct and activities of the nine public issuers.
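The two control objectives above translate directly into a release check for outbound wires. The following is an added example, not code from the article or the SEC report; it encodes three controls that would have stopped both frauds described earlier: the payee account must match the vendor master, a recent change to that account must have been confirmed by calling the vendor at a number already on file (never a number supplied in the change request), and distinct authorized approvers must have signed off. The vendor records, approver roles, dates and payments are constructed.

```python
"""Added example (not from the Berdon article or the SEC report): a release
check for outbound wires that encodes the two control objectives quoted above.
A wire is released only when the payee account matches the vendor master, any
recent change to that account was confirmed by calling the vendor at the
number already on file, and enough distinct authorized approvers signed off.
The vendor records, approver roles and payments below are constructed."""
from datetime import date, timedelta

AUTHORIZED_APPROVERS = {"controller", "treasurer", "cfo"}
DUAL_APPROVAL_THRESHOLD = 10_000   # amount at which a second approver is required
CALLBACK_WINDOW_DAYS = 30          # how long a bank-detail change counts as recent
AS_OF = date(2018, 11, 6)          # constructed "today" for the samples below

# Constructed vendor master. The callback record says who confirmed a change
# and which number was dialled.
VENDOR_MASTER = {
    "V-100": {"iban": "DE00-CONSTRUCTED-0001", "phone_on_file": "+49-30-000001",
              "bank_changed_on": date(2018, 10, 20),
              "callback": {"confirmed": True, "number_called": "+49-30-000001",
                           "by": "ap-clerk"}},
    # Change "confirmed" by calling the number printed in the emailed request.
    "V-200": {"iban": "DE00-CONSTRUCTED-0002", "phone_on_file": "+49-30-000002",
              "bank_changed_on": date(2018, 10, 25),
              "callback": {"confirmed": True, "number_called": "+1-555-0100",
                           "by": "ap-clerk"}},
    # No change to bank details on record.
    "V-300": {"iban": "DE00-CONSTRUCTED-0003", "phone_on_file": "+49-30-000003",
              "bank_changed_on": None, "callback": None},
}


def release_wire(payment, today, master=VENDOR_MASTER):
    """Return (allowed, reasons). An empty reasons list means release."""
    reasons = []
    vendor = master.get(payment["vendor_id"])
    if vendor is None:
        return False, ["vendor not in master file"]

    # Access to assets only as authorized: pay only the account on file,
    # never an account taken from an invoice or an email.
    if payment["iban"] != vendor["iban"]:
        reasons.append("payee account does not match vendor master")

    # A recent change must have been verified out of band, at a known number.
    changed = vendor["bank_changed_on"]
    if changed and today - changed <= timedelta(days=CALLBACK_WINDOW_DAYS):
        cb = vendor["callback"] or {}
        if not cb.get("confirmed"):
            reasons.append("recent bank-detail change not confirmed by callback")
        elif cb.get("number_called") != vendor["phone_on_file"]:
            reasons.append("callback made to a number not on file")

    # Transactions only with management's authorization: count distinct
    # approvers who hold an approving role and ignore anyone else.
    approvers = {a for a in payment.get("approvals", ()) if a in AUTHORIZED_APPROVERS}
    needed = 2 if payment["amount"] >= DUAL_APPROVAL_THRESHOLD else 1
    if len(approvers) < needed:
        reasons.append(f"{needed} authorized approval(s) required, {len(approvers)} present")

    return not reasons, reasons


# Constructed payments.
PAYMENTS = {
    "good": {"vendor_id": "V-100", "iban": "DE00-CONSTRUCTED-0001",
             "amount": 48_000, "approvals": ["controller", "treasurer"]},
    "bad_callback": {"vendor_id": "V-200", "iban": "DE00-CONSTRUCTED-0002",
                     "amount": 48_000, "approvals": ["controller", "treasurer"]},
    "wrong_account": {"vendor_id": "V-300", "iban": "DE00-CONSTRUCTED-9999",
                      "amount": 5_000, "approvals": ["controller"]},
    "single_approver": {"vendor_id": "V-300", "iban": "DE00-CONSTRUCTED-0003",
                        "amount": 48_000, "approvals": ["controller", "ap-clerk"]},
}

if __name__ == "__main__":
    for label, p in PAYMENTS.items():
        print(label, release_wire(p, AS_OF))
```

The "bad_callback" case is the one the vendor fraud relied on: the clerk did call to confirm, but at a number that came from the fraudulent request, so the check treats it as unconfirmed.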
Lessons Learned – Tighten Your Controls, Enhance Employee Training
The SEC did, however, deem it in the public interest to publish a report of the investigation to make publicly traded companies and other market participants aware of the growing cyber-related threats of spoofed and manipulated electronic communications. The victimized companies took this experience as a lesson to revisit and tighten their controls and institute employee training to reduce their vulnerability to similar frauds.
Here are a few important cyber security safeguards that are applicable across all industries:
- Increase cyber security training for everyone in the organization and perform frequent validation of its effectiveness
- Procure and deploy cyber security tools/services that can defend against email impersonation, malicious URLs, and malware attachments, as well as spam and other unsolicited, undesired and illegal electronic messages
- Recovering from an attack is also important, so make your data backup and recovery a high priority and test the process frequently
- Test and check the continuity of all your critical IT systems
- Add another layer to the authentication process by using multi-factor authentication (MFA)
If you have questions about revising your internal accounting controls and enhancing your employee education and improving your cyber defense to defend against cyber-fraud, contact Mitchell Marcus, CPA and Principal at 212.331.7460 | email@example.com or Alexander Moshinsky, CPA, Director, Operational Advisory and Risk Management at 212.331.7488 | firstname.lastname@example.org.
Berdon LLP New York Accountants
[1] Securities Exchange Act of 1934 Release No. 84429, October 16, 2018
[2] Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934