The SEC on Tuesday issued an investigation report warning public companies to be wary of a type of cyberfraud called “business email compromise” and to consider such frauds when devising and maintaining internal accounting controls.
The report, produced by the SEC’s Division of Enforcement in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, detailed the results of an investigation into nine public companies that lost many millions of dollars as a result of cyber-related frauds in which company personnel received spoofed or otherwise compromised electronic communication. In response to those messages, company personnel wired large sums of money or paid fake invoices to accounts controlled by the fraudsters, the SEC said.
The SEC did not name the companies it investigated but said each had significant annual revenue and securities listed on a national exchange. Each company lost at least $1 million, with two of them losing more than $30 million. Losses for the nine issuers totaled nearly $100 million, almost all of which was not recovered, according to the SEC report. Some of the schemes lasted for an extended period and were not discovered until a third party alerted the company to a problem.
The companies covered a range of sectors, including technology, machinery, real estate, energy, financial, and consumer goods. This, the SEC said, demonstrates that every type of business is a potential target for cyber-related fraud schemes.
After investigating whether the companies complied with internal accounting control requirements laid out in Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, the SEC decided not to pursue an enforcement action. The commission instead issued a Report of Investigation pursuant to Section 21(a) of the Exchange Act to make issuers of securities and other market participants aware of the threat of spoofed or manipulated electronic communications and to consider those threats when devising and maintaining a system of internal accounting controls as required by federal securities laws, the SEC said.
Emails from fake executives
The SEC report focuses on two types of business email compromises — emails from fake executives and emails from fake vendors. In schemes involving emails from fake executives, also called executive impersonation, fraudsters not affiliated with a company use spoofed email domains and addresses to send communications that appear to come from a company executive, usually the CEO. In all of the frauds covered in the SEC investigation, the spoofed emails directed company personnel to wire large sums to foreign bank accounts controlled by the fraudsters.
The spoofed emails used real law firm and attorney names with email domains such as “consultant.com.” The SEC said the frauds were not sophisticated in their design or use of technology. In addition, the SEC report found the following common elements:
- The spoofed emails referred to time-sensitive transactions or “deals” that needed to be completed within days. The emails emphasized the need for secrecy from other company employees and sometimes suggested some form of government oversight, such as one email that claimed the purported transaction was “in coordination with and under the supervision of the SEC.”
- The spoofed emails, claiming that the requested funds were needed for foreign transactions or acquisitions, all directed the wire transfers to foreign banks and beneficiaries. The emails provided minimal details about the transaction and, while all of the companies had some foreign operations, these types of foreign transactions would have been out of the ordinary for most of them.
- The spoofed emails usually went to midlevel personnel who rarely communicated with the executives being spoofed and generally were not responsible for or involved in the supposed transactions.
- The spoofed emails often included spelling and grammatical errors.
Emails from fake vendors
Emails from fake vendors are, as the name implies, electronic communications that impersonate a company’s vendors. The cases the SEC investigated showed a higher level of technological sophistication than the spoofed executive emails, with the schemes involving the hacking of existing vendors’ email accounts. After accessing the vendor email accounts, the fraudsters inserted illegitimate requests for payments, with payment processing details, into electronic communications for otherwise legitimate transaction requests.
In addition, the fraudsters tricked company personnel responsible for procuring goods from the vendor into providing access to legitimate purchase orders and invoices. The criminals then requested changes to the vendors’ banking information and attached doctored invoices with the new, fraudulent account information. The company personnel responsible for procurement sent that information to accounting personnel responsible for maintaining vendor data. This resulted in payments on outstanding invoices being made to foreign bank accounts controlled by the fraudsters.
Advice to public companies
In its Report of Investigation, the SEC advises public companies to factor cyber-related threats into the design and implementation of internal controls. In the cases the SEC investigated, the schemes “relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”
— Jeff Drew (Jeff.Drew@aicpa-cima.com) is a JofA senior editor.