Companies continue to lose millions as a result of cybercrime. Often, these types of crimes occur via schemes in which imposters send “phishing” emails to a company’s accounting or finance personnel. These emails are “spoofed” to look like they are from a current vendor with the intent of inducing the company to alter the bill payment route to another bank account, one set up by the perpetrator to collect these payments.
Basic accounting controls could prevent such crimes from happening. Given the relatively simple way cybercrime can be committed, it would be wise for companies to design, implement, and/or enhance their internal accounting controls and training to address these schemes. Recent government actions and statistics indicate a growing number of cybercrime matters, but by looking at these cases, companies can learn a number of lessons on how to fortify their books against a phishing attack.
On March 20, 2019, the United States Department of Justice (DOJ) announced that Evaldas Rimasauskas, a Lithuanian citizen, pled guilty to wire fraud for orchestrating a fraudulent email compromise scheme that induced two U.S.-based internet companies to wire a total of more than $100 million to bank accounts the perpetrator controlled.[1] According to sources, the two U.S.-based Internet companies are believed to be Facebook and Google.[2] According to the DOJ’s release, the scheme was conducted from 2013 through 2015 as follows:
Rimasauskas registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2. Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by Rimasauskas. These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1. This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.
After the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. Rimasauskas also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a 21(a) Report of Investigation describing how nine public companies lost nearly $100 million because company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme, and that almost none it was recovered.[3] According to the SEC’s report, the issuers spanned a variety of industries, each had substantial annual revenues, and all had securities listed on a national securities exchange. The SEC described the two types of schemes as follows:
1. Emails from Fake Executives. The first type of business email compromise the SEC reviewed involved emails from persons not affiliated with the company purporting to be company executives. In these situations, the perpetrators of the scheme emailed company finance personnel, using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared, at least superficially, as if the email were legitimate. In all of the frauds, the spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to cause large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real law firm and attorney names, and legal services-sounding email domains like “consultant.com,” but the contact details connected company personnel with an impersonator and co-conspirator. These were not sophisticated frauds in general design or the use of technology. In fact, from a technological perspective, they only required creating an email address to mimic the executive’s address. Each of the schemes had some common elements:
2. Emails from Fake Vendors. The second type of cyber-related fraud involved electronic communications impersonating the issuers’ vendors. This form of scam was more technologically sophisticated than the spoofed executive emails because, in the instances the Division reviewed, the schemes involved intrusions into the email accounts of issuers’ foreign vendors. After hacking the existing vendors’ email accounts, the perpetrators inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests. The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices. The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information. The issuer personnel responsible for procurement relayed that information to accounting personnel responsible for maintaining vendor data. As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the accounts of the real vendors
Unlike the fake executive scams, the spoofed vendor emails had fewer indicia of illegitimacy or red flags. In fact, several victims only learned of the scam when the real vendor raised concerns about nonpayment on outstanding invoices. Because vendors often afford issuers months before considering a payment delinquent, the scams, in certain circumstances, were able to continue for an extended period of time.
On July 12, 2018, the Federal Bureau of Investigation (FBI) stated that losses from “business email compromise (BEC)/email account compromise (EAC)” schemes cost businesses and individuals more than $12 billion since the agency started tracking them in October 2013 (through May 2018).[4] The FBI also reported that Asian banks located in China and Hong Kong were the primary destinations of fraudulent funds, but that financial institutions in the United Kingdom, Mexico, and Turkey were also prominent destinations.[5]
These aforementioned examples from regulatory agencies exemplify the risks companies are increasingly facing when it comes to phishing attacks. Whether your company is private or public, effective internal accounting controls are the hallmarks of any well-run company. These controls will, among other things, provide reasonable assurance that payments made to vendors are to the correct supplier for goods or services that were properly received.
If your business is a U.S. publicly traded company, then it is likely that it is also subject to certain government requirements. For example, Section 13(b) of the Securities Exchange Act of 1934 requires public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are executed in accordance with management’s general or specific authorization,” and that “access to assets is permitted only in accordance with management’s general or specific authorization.”[6] In addition, the Sarbanes-Oxley Act of 2002 requires company management to annually assess and report on the effectiveness of the company’s internal controls over financial reporting (ICFR); it also requires their independent auditors to attest to that assessment.[7]
Although some of the specifics of these matters have not been made public,[8] they do offer valuable lessons. The key to success in these schemes was the perpetrators’ presumption that company personnel would not verify the identity of the sender of emails or the information contained within it. In the Rimasauskas case, he sent emails to employees of the victim companies that purported to be from actual vendors. The DOJ also found that Rimasauskas submitted false and forged documents to banks to support the large volume of funds that were transmitted via wire transfer in furtherance of the scheme. While some banks do have controls that flag suspect transactions, these should be relied on by companies in lieu of its own controls.
Similar to Rimasauskas, the companies subject to the SEC’s investigation were also victimized because of failure’s to identify phishing emails and failing to fully vet the information contained in them. In its 21(a) Report of Investigation, the SEC shared a few common internal-control lapses it observed that provided the opportunity for the perpetrators to succeed in their endeavors. According to the SEC’s release, the nine companies it investigated failed to prevent payments to the phony recipients, at least in part, because:[9]
It would be prudent for companies to revisit policies, procedures, and internal controls in this area. Here are 10 things companies may consider as they revisit anti-phishing-related policies, procedures, and controls:
It is clear that the receipt of emails from fictitious executives and vendors poses a pervasive and costly threat to companies of all shapes and sizes. Spending a little time up-front to make sure your company’s controls are updated and that your people are trained appropriately could go a long way toward saving a lot of company time and money in the long run. It is also notable that the SEC did not charge any of the nine issuers with violating the federal securities laws; however, the 21(a) Report of Investigation serves as a warning to companies that fail to heed lessons learned, because the next time a company finds itself a victim of a similar phishing scam, it may also be a recipient of an SEC enforcement action.
10 Red Flags an Email Is Phishing
References