An SEC report highlights the risk that 'fake executive emails' pose to financial and accounting personnel, and warns that companies that fall victim to such fraud, which has cost $5 billion since 2013, could be breaking a law passed more than 80 years ago. The Securities and Exchange Commission (SEC) yesterday issued a report on 'cyber-related frauds perpetrated against public companies and related internal accounting controls requirements'.
The SEC looked at the business email compromises of nine public companies. The frauds involved phishing or spoof emails, such as emails from fake executives/fake vendors, which the FBI estimates have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 – the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.”
Controls apply in cyber age
But the question the SEC really wanted to explore is whether the large corporations that fell victim to these scams had sufficient internal accounting controls in place. If not, they may have violated federal securities laws. The law the SEC has in mind predates email by decades: the Securities Exchange Act of 1934 requires companies to ensure that payments are made only with authorisation from management. The report acknowledges that although “the cyber-related threats posed to issuers’ assets are relatively new,” the requirement for companies to have sufficient internal accounting controls is not. It states: “Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
The nine companies investigated by the SEC, each of which has substantial annual revenues and had securities listed on a national securities exchange at the time of the fraud, come from a range of sectors including technology, machinery, real estate, energy, financial services and consumer goods, reflecting the reality that every type of business is a potential target of cyber-related fraud. To illustrate how serious the crimes were, the SEC states that each of the nine firms lost at least $1 million; two lost more than $30 million and, in total, nearly $100 million was taken, almost all of which was never recovered.
Some of the companies were unwitting victims of fraud over a protracted period. One company made 14 wire payments requested by a fake executive over the course of several weeks, losing over $45 million; another paid eight invoices totalling $1.5 million over several months into a fraudster's account. Many frauds are uncovered only by third parties (such as law enforcement, a foreign bank or a real vendor enquiring about missing payments), underlining how vulnerable companies are when internal accounting controls are lacking.
Fraudulent emails from fake executives or vendors are often sent to mid-level personnel and state that the transaction has to be made urgently, often to a foreign account as part of a deal with a foreign supplier or an acquisition, and often with some required level of secrecy from other colleagues. They often imply oversight by an authority, and they may even contain obvious errors such as spelling mistakes, including mis-spellings of names, email addresses and domain names.
While these characteristics can alert the recipient to the fraud, relying on an employee to spot them is not sufficient protection and cannot replace internal accounting controls that are correctly implemented, maintained and adhered to by personnel. Failures to follow internal controls can include:
- not understanding the company’s existing controls,
- not following a dual-authorisation requirement for wire payments, instead directing unqualified subordinates to sign off on payments,
- not understanding the company’s authorisation matrix, which gives approval authority only to the CFO.
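As an added illustration of the controls in the list above (this is not code from the SEC report or from any of the companies it describes), the following Python check enforces dual authorisation and an authorisation matrix on a wire request before release; the matrix, staff roles, vendor master accounts and request values are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed authorisation matrix (assumption): which roles may approve a
# wire up to each amount limit. Only the CFO may approve the largest wires,
# mirroring the report's example of a matrix that reserves approval for the CFO.
AUTHORISATION_MATRIX = [
    (10_000, {"controller", "treasury_manager", "cfo"}),
    (250_000, {"treasury_manager", "cfo"}),
    (float("inf"), {"cfo"}),
]

# Constructed staff directory (assumption): who holds which role.
ROLES = {"alice": "cfo", "bob": "treasury_manager",
         "carol": "controller", "dave": "ap_clerk"}

# Constructed vendor master file: the only beneficiary accounts that may be paid.
# Sample IBANs are the well-known published test values, not real accounts.
KNOWN_BENEFICIARIES = {"ACME Metals": "GB29NWBK60161331926819"}


@dataclass
class WireRequest:
    requester: str
    vendor: str
    beneficiary_account: str
    amount: float
    approvers: list = field(default_factory=list)


def roles_allowed(amount):
    """Roles permitted by the matrix to approve a wire of this amount."""
    for limit, allowed in AUTHORISATION_MATRIX:
        if amount <= limit:
            return allowed
    return set()


def check_wire(req):
    """Return the control failures for a request; empty means it may be released."""
    failures = []
    # Pay only the account on file for the vendor, never one supplied by email.
    if KNOWN_BENEFICIARIES.get(req.vendor) != req.beneficiary_account:
        failures.append("beneficiary account does not match vendor master")
    # Dual authorisation: two distinct approvers, neither of whom raised the request.
    approvers = set(req.approvers) - {req.requester}
    if len(approvers) < 2:
        failures.append("dual authorisation not met")
    # Each approver must hold a role the matrix allows for this amount.
    for person in sorted(approvers):
        if ROLES.get(person) not in roles_allowed(req.amount):
            failures.append(f"{person} not authorised for this amount")
    return failures
```

A $45 million request to a new account with a single clerk signing off fails all three checks, which is the pattern the fake-executive cases above describe.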