“DANGER! DANGER! Warning Young Will Robinson,” Says Sec
October 23, 2018 | Daniel J. Donnellon
The Securities and Exchange Commission (“SEC”) recently issued a “Report of Investigation” under Section 21(a) “Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.” The Report arose out of the investigation of 9 publicly traded companies that had been the victims of fake email scams, which it called “spoofed or manipulated electronic communications” purporting to be internal messages from company executives or known vendors. The SEC began this investigation because of the significant risk these scams pose. According to the Report, “the Federal Bureau of Investigation recently estimated that these so-called ‘business email compromises’ had caused over $5 billion in losses since 2013.” The nine companies (“issuers” in SEC parlance) spanned many industry sectors and involved companies in “technology, machinery, real estate, energy, financial, and consumer goods.” Obviously, these scams are pervasive, and every business with an email server must take heed and ensure its internal accounting controls are up to snuff.
The Report stated that “each of the nine issuers lost at least $1 million; two lost more than $30 million. In total, the nine issuers lost nearly $100 million.” The SEC did not issue citations to any of the companies and “is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of federal securities laws.” Rather, the SEC issued the formal 21(a) Report as a warning that “internal accounting controls may need to be reassessed” at every level.
The investigation revealed two fairly common and somewhat unsophisticated types of email scams: fake emails purporting to be from company executives, and fake emails from known vendors. In the first scheme, the fraudster would spoof or simulate the email domain and address of an executive (typically the CEO) so that the message appeared, at least superficially, to be a legitimate internal email when it was not. The spoofed email would direct the financial personnel to work with an outside attorney to make large wire transfers to foreign banks controlled by the perpetrators. The emails would use real law firm and attorney names, but the financial personnel would actually be communicating with a co-conspirator. The fraudsters would usually avoid C-suite personnel, although a few emails were sent directly to the CFO, and would state that the funds were necessary for a foreign transaction or acquisition. According to the SEC, these “were not sophisticated frauds in general design or the use of technology,” yet they resulted in dozens of million-dollar wire transfers that will likely never be recovered.
The second scheme was much more sophisticated: the fraudsters hacked an actual vendor of the issuer company, created doctored invoices, and simulated legitimate purchase orders along the lines of what the company had typically done with that vendor. The only problem was that the unwitting financial personnel would be instructed to change the vendor’s banking information to a different, foreign bank. Similar to the executive scam, these involved allegedly urgent wire transfers of millions of dollars.
Many times, the issuers only learned of the fraud as a result of third-party notices from law enforcement or their banks. Thereafter, they would implement new procedures to bolster accounting reconciliation and notification processes to aid in detecting a fraudulent scheme. Of course, that is closing the proverbial barn door after the horse is out.
Every company, no matter its size or field of service, needs to learn from the unsuspecting victims who were part of this investigation. Consult with your IT personnel, who can implement procedures to label every email from outside your company as “**External Email**” at the beginning and end. That way, even though a message appears to be from a higher-up within your organization, the recipient will immediately know that it is not. Email recipients should read the text of the correspondence carefully. Often, in the case of the executive scam, the emails had grammar or syntax problems or were worded in a way the executive from whom they purported to come would not usually use. For vendor issues, make sure your company’s authorization matrix is followed closely; many times the midlevel personnel who were targeted did not have the corporate authority to wire amounts of the size requested. Finally, use something as simple as the telephone: call your superior or your vendor to confirm the validity of the request.
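As an added example, not code from the article or the SEC report, the following Python script shows what the two controls above look like when automated: a mail-gateway filter that stamps the “External Email” banner on any message whose sender is not an internal domain (and records why the message is suspicious: a lookalike domain, an executive’s display name on an outside address, or a Reply-To that points elsewhere), and an authorization-matrix check that refuses wire amounts beyond a role’s limit. The internal domain, executive names, wire limits and the sample messages are all constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example; a real deployment would take these
# from the mail gateway's configuration and the company's authorization matrix.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane ceo", "john cfo"}           # names to watch for on outside addresses
WIRE_LIMITS = {"ap clerk": 10_000, "controller": 250_000, "cfo": 5_000_000}
BANNER = "**External Email**"


def _domain(addr_header):
    """Lower-cased domain of an address header ('' when the header is missing)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain):
    """Internal domain this external domain closely resembles (e.g. examp1e-corp.com), else None."""
    for internal in INTERNAL_DOMAINS:
        similar = difflib.SequenceMatcher(None, domain, internal).ratio() >= 0.85
        if domain != internal and similar:
            return internal
    return None


def analyze(raw_message):
    """Classify one RFC 822 message; returns (is_external, list_of_findings)."""
    msg = message_from_string(raw_message)
    from_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From"))
    if from_domain in INTERNAL_DOMAINS:
        return False, []                     # genuinely internal: no banner
    findings = ["external-sender"]
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append("lookalike-domain:" + imitated)
    if from_name.strip().lower() in EXECUTIVE_NAMES:
        findings.append("executive-display-name")   # "Jane CEO" on an outside address
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")        # replies would go to a third party
    return True, findings


def tag_external(raw_message):
    """Return the message with the banner in subject and body, or unchanged if internal."""
    is_external, _ = analyze(raw_message)
    if not is_external:
        return raw_message
    msg = message_from_string(raw_message)
    if "Subject" in msg:
        msg.replace_header("Subject", "[External] " + msg["Subject"])
    else:
        msg["Subject"] = "[External]"
    body = msg.get_payload()                 # sample messages are single-part text
    msg.set_payload(f"{BANNER}\n\n{body}\n\n{BANNER}\n")
    return msg.as_string()


def wire_request_allowed(role, amount):
    """Authorization matrix: True only if this role may approve an amount this large."""
    return amount <= WIRE_LIMITS.get(role.lower(), 0)


# Constructed sample messages.
SPOOFED = """\
From: Jane CEO <jane.ceo@examp1e-corp.com>
Reply-To: counsel@attorney-mail.example
To: clerk@example-corp.com
Subject: Urgent wire for acquisition

Please work with outside counsel on a confidential wire today.
"""

INTERNAL = """\
From: John CFO <john.cfo@example-corp.com>
To: clerk@example-corp.com
Subject: Q3 close

Reconciliation is due Friday.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL):
        print(analyze(raw))
    print(tag_external(SPOOFED))
    print("AP clerk may wire $50,000:", wire_request_allowed("AP Clerk", 50_000))
```

The banner stamps every outside message, so a spoofed “CEO” email arrives visibly marked; the findings list is what a mail administrator would route to a quarantine or alerting rule, and the wire check is the programmatic form of “follow the authorization matrix” that a payments workflow can enforce before a request ever reaches a bank.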
Failure to conform conduct to appropriate, reasonable standards, resulting in damages, is the very definition of negligence. Now that data is rolling in about the seriousness of these scams, regardless of whether the SEC issues citations, businesses that negligently put their assets at risk could face shareholder lawsuits.