The Nigerian prince email scams at home have been supplanted by phishing attacks on company accounting groups. The problem has become big enough that the Securities and Exchange Commission released a report indicating that falling victim to this kind of cyber attack could be considered a failure in the company’s internal accounting controls.
The Federal Bureau of Investigation estimated that these so-called “business email compromises” caused $675 million in adjusted losses in 2017, based on almost 16,000 complaints. That makes them the class of cyber crime with the largest out-of-pocket losses during this period.
The SEC focused on nine of these complaints that came from public companies with a combined loss of almost $100 million. Two of those were the biggest, losing more than $30 million each.
The phishing attacks are lumped into two categories: internal impersonation and vendor impersonation.
The internal impersonation is a phishing attack, usually a fake email from the CEO. The common elements in the email are
- the need to keep the transaction secret from other company employees
- time sensitivity
- foreign transactions
- directed at mid-level employees not typically involved in the transactions
- directed at mid-level employees who rarely communicated with the executive being spoofed in the email
The external (vendor) impersonation is a phishing attack that generally begins with a hack into a vendor’s email system. The hacker then sends a change of payment instructions to the company, re-routing the payments to the hackers’ accounts. As a result, the company pays an outstanding invoice to a foreign account controlled by the hacker instead of the real vendor account. The victim company usually discovers the fraud only when the real vendor complains about a lack of payment.
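The two patterns above are, in the end, failures of accounting controls rather than of technology, so the natural defensive check is a hold-for-review rule on payment requests that arrive by email. The following is an added example, not code from the SEC report or from the post's author, and it turns both lists of red flags (the executive-impersonation traits and the vendor bank-detail change) into flags a second approver must clear before a payment is released. The company domain, the executive directory, the correspondence history, the vendor master file, the phrase lists and the sample emails are all constructed assumptions.

```python
# Added example (not from the SEC report or the post): a hold-for-review check
# on emailed payment requests, built from the BEC red flags the text lists.
# Every name, address, vendor, account and phrase list below is constructed.
from __future__ import annotations
from dataclasses import dataclass

HOME_COUNTRY = "US"   # assumed; any other destination country counts as foreign

# Constructed executive directory: display name -> the only legitimate mailbox.
EXECUTIVES = {"Pat Chen": "pat.chen@example.com"}

# Constructed record of which colleagues each employee normally corresponds with.
USUAL_CONTACTS = {"ap.clerk@example.com": {"controller@example.com"}}

# Constructed vendor master file: bank details on record for each approved vendor.
VENDOR_MASTER = {"Acme Supply": {"account": "US-1111-2222", "country": "US"}}

SECRECY_PHRASES = ("confidential", "keep this between us", "do not discuss", "don't mention")
URGENCY_PHRASES = ("urgent", "immediately", "today", "asap", "right away")


@dataclass
class Email:
    from_name: str   # display name shown to the recipient
    from_addr: str   # actual sender address
    to_addr: str
    subject: str
    body: str


@dataclass
class PaymentRequest:
    vendor: str
    account: str                       # destination account requested in the email
    country: str                       # country of that account
    verified_out_of_band: bool = False # confirmed by phone on a number already on file?


def executive_impersonation_flags(email: Email) -> list[str]:
    """Red flags for the 'fake email from the CEO' pattern."""
    flags: list[str] = []
    legit = EXECUTIVES.get(email.from_name)
    if legit is not None:
        if email.from_addr.lower() != legit:
            flags.append("display name matches an executive but the address does not")
        if legit not in USUAL_CONTACTS.get(email.to_addr.lower(), set()):
            flags.append("recipient rarely corresponds with this executive")
    text = f"{email.subject} {email.body}".lower()
    if any(p in text for p in SECRECY_PHRASES):
        flags.append("asks for secrecy from other employees")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("time pressure")
    return flags


def vendor_payment_flags(req: PaymentRequest) -> list[str]:
    """Red flags for the 'vendor sent new payment instructions' pattern."""
    flags: list[str] = []
    on_file = VENDOR_MASTER.get(req.vendor)
    if on_file is None:
        flags.append("vendor not in master file")
    elif req.account != on_file["account"] and not req.verified_out_of_band:
        # A changed account is acceptable only after a call-back on a number
        # already on file; an emailed change alone never clears the hold.
        flags.append("bank account change not confirmed out of band")
    if req.country != HOME_COUNTRY:
        flags.append("destination account is foreign")
    return flags


def decide(email: Email, req: PaymentRequest) -> tuple[str, list[str]]:
    """Return ('HOLD', flags) if a second approver is needed, else ('RELEASE', [])."""
    flags = executive_impersonation_flags(email) + vendor_payment_flags(req)
    return ("HOLD" if flags else "RELEASE"), flags


# Constructed sample: a lookalike-domain 'CEO' quietly asks a clerk to wire money abroad.
SAMPLE_CEO_FRAUD = Email(
    from_name="Pat Chen", from_addr="pat.chen@examp1e.com", to_addr="ap.clerk@example.com",
    subject="Urgent wire", body="Keep this between us, need the transfer sent today.")
SAMPLE_CEO_REQUEST = PaymentRequest(vendor="Unknown Holdings", account="HK-9999", country="HK")

# Constructed sample: a routine invoice paid to the account already on file.
SAMPLE_ROUTINE = Email(
    from_name="Acme Supply AR", from_addr="ar@acme-supply.test", to_addr="ap.clerk@example.com",
    subject="Invoice 1042", body="Attached is invoice 1042, due in 30 days.")
SAMPLE_ROUTINE_REQUEST = PaymentRequest(vendor="Acme Supply", account="US-1111-2222", country="US")

if __name__ == "__main__":
    for e, r in ((SAMPLE_CEO_FRAUD, SAMPLE_CEO_REQUEST), (SAMPLE_ROUTINE, SAMPLE_ROUTINE_REQUEST)):
        decision, why = decide(e, r)
        print(decision, why)
```

The design choice worth noting is that the vendor check never trusts the email itself: a changed bank account clears the hold only when `verified_out_of_band` was set by a call-back to a number already in the vendor master file, which is exactly the control the vendor-impersonation cases lacked.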
The SEC points out that these two types of attacks do not involve a sophisticated use of technology. They rely on weaknesses in accounting controls. The SEC is not suggesting that every public company that is the victim of one of these attacks is in violation of the internal accounting controls requirements of the federal securities laws. But it is also not ruling out that it could be in some cases.
Sources:
- Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements
- After investigation, SEC issues cyberfraud alert by Jeff Drew in the Journal of Accountancy
- SEC Issues Section 21(a) Report on “CEO Impersonator” Emails
- FBI 2017 Internet Crime Report