Spoof, It’s Gone! All Gone! The Costly Ramifications of Making Payments to Imposters
With the rise of phishing/spoofing attacks, organizations should consider accounting controls and lessons learned from past cases to protect against cybercrime.
Companies continue to lose millions as a result of cybercrime. Often, these types of crimes occur via schemes in which imposters send “phishing” emails to a company’s accounting or finance personnel. These emails are “spoofed” to look like they are from a current vendor with the intent of inducing the company to alter the bill payment route to another bank account, one set up by the perpetrator to collect these payments.
Basic accounting controls could prevent such crimes from happening. Given the relatively simple way cybercrime can be committed, it would be wise for companies to design, implement, and/or enhance their internal accounting controls and training to address these schemes. Recent government actions and statistics indicate a growing number of cybercrime matters, but by looking at these cases, companies can learn a number of lessons on how to fortify their books against a phishing attack.
DOJ Discovers Fraudulent Business Email Scheme Exceeding $100 Million
On March 20, 2019, the United States Department of Justice (DOJ) announced that Evaldas Rimasauskas, a Lithuanian citizen, pled guilty to wire fraud for orchestrating a fraudulent email compromise scheme that induced two U.S.-based internet companies to wire a total of more than $100 million to bank accounts the perpetrator controlled.[1] According to sources, the two U.S.-based Internet companies are believed to be Facebook and Google.[2] According to the DOJ’s release, the scheme was conducted from 2013 through 2015 as follows:
Rimasauskas registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2. Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by Rimasauskas. These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1. This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.
After the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. Rimasauskas also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
SEC Investigation on Certain Cyber-Related Frauds Against Public Companies
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a 21(a) Report of Investigation describing how nine public companies lost nearly $100 million because company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme, and that almost none of it was recovered.[3] According to the SEC’s report, the issuers spanned a variety of industries, each had substantial annual revenues, and all had securities listed on a national securities exchange. The SEC described the two types of schemes as follows:
1. Emails from Fake Executives. The first type of business email compromise the SEC reviewed involved emails from persons not affiliated with the company purporting to be company executives. In these situations, the perpetrators of the scheme emailed company finance personnel, using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared, at least superficially, as if the email were legitimate. In all of the frauds, the spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to cause large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real law firm and attorney names, and legal services-sounding email domains like “consultant.com,” but the contact details connected company personnel with an impersonator and co-conspirator. These were not sophisticated frauds in general design or the use of technology. In fact, from a technological perspective, they only required creating an email address to mimic the executive’s address. Each of the schemes had some common elements:
- The spoofed emails described time-sensitive transactions or “deals” that needed to be completed within days, and emphasized the need for secrecy from other company employees. They sometimes implied some level of government oversight, such as one fraudulent email claiming the purported transaction was “in coordination with and under the supervision of the SEC.”
- The spoofed emails stated that the funds requested were necessary for foreign transactions or acquisitions, and directed the wire transfers to foreign banks and beneficiaries. Although all of the issuers had some foreign operations, these purported foreign transactions would have been unusual for most of them. The emails also provided minimal details about the transactions.
- The spoofed emails typically were sent to midlevel personnel, who were not generally responsible or involved in the purported transactions (and who rarely communicated with the executives being spoofed). The emails also often included spelling and grammatical errors.
2. Emails from Fake Vendors. The second type of cyber-related fraud involved electronic communications impersonating the issuers’ vendors. This form of scam was more technologically sophisticated than the spoofed executive emails because, in the instances the Division reviewed, the schemes involved intrusions into the email accounts of issuers’ foreign vendors. After hacking the existing vendors’ email accounts, the perpetrators inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests. The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices. The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information. The issuer personnel responsible for procurement relayed that information to accounting personnel responsible for maintaining vendor data. As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the accounts of the real vendors.
Unlike the fake executive scams, the spoofed vendor emails had fewer indicia of illegitimacy or red flags. In fact, several victims only learned of the scam when the real vendor raised concerns about nonpayment on outstanding invoices. Because vendors often afford issuers months before considering a payment delinquent, the scams, in certain circumstances, were able to continue for an extended period of time.
FBI Statistics on Email-Related Schemes
On July 12, 2018, the Federal Bureau of Investigation (FBI) stated that losses from “business email compromise (BEC)/email account compromise (EAC)” schemes cost businesses and individuals more than $12 billion since the agency started tracking them in October 2013 (through May 2018).[4] The FBI also reported that Asian banks located in China and Hong Kong were the primary destinations of fraudulent funds, but that financial institutions in the United Kingdom, Mexico, and Turkey were also prominent destinations.[5]
Internal Accounting Controls
These aforementioned examples from regulatory agencies exemplify the risks companies are increasingly facing when it comes to phishing attacks. Whether your company is private or public, effective internal accounting controls are the hallmarks of any well-run company. These controls will, among other things, provide reasonable assurance that payments made to vendors are to the correct supplier for goods or services that were properly received.
If your business is a U.S. publicly traded company, then it is likely that it is also subject to certain government requirements. For example, Section 13(b) of the Securities Exchange Act of 1934 requires public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are executed in accordance with management’s general or specific authorization,” and that “access to assets is permitted only in accordance with management’s general or specific authorization.”[6] In addition, the Sarbanes-Oxley Act of 2002 requires company management to annually assess and report on the effectiveness of the company’s internal controls over financial reporting (ICFR); it also requires their independent auditors to attest to that assessment.[7]
Lessons Learned
Although some of the specifics of these matters have not been made public,[8] they do offer valuable lessons. The key to success in these schemes was the perpetrators’ presumption that company personnel would not verify the identity of the sender of an email or the information contained within it. In the Rimasauskas case, he sent emails to employees of the victim companies that purported to be from actual vendors. The DOJ also found that Rimasauskas submitted false and forged documents to banks to support the large volume of funds that were transmitted via wire transfer in furtherance of the scheme. While some banks do have controls that flag suspect transactions, companies should not rely on those controls in lieu of their own.
As in the Rimasauskas case, the companies subject to the SEC’s investigation were victimized because of failures to identify phishing emails and to fully vet the information contained in them. In its 21(a) Report of Investigation, the SEC shared a few common internal-control lapses it observed that provided the opportunity for the perpetrators to succeed in their endeavors. According to the SEC’s release, the nine companies it investigated failed to prevent payments to the phony recipients, at least in part, because:[9]
- Personnel did not understand the company’s existing internal controls (e.g., dual authorization for payments was not followed, approval authorities were not properly understood, or executive-level personnel received the emails directly and authorized the payments).
- Personnel did not recognize that the email instructions received lacked reliability (e.g., personnel did not question the request).
It would be prudent for companies to revisit policies, procedures, and internal controls in this area. Here are 10 things companies may consider as they revisit anti-phishing-related policies, procedures, and controls:
- Revise policies to specifically address the threat of phishing, what it is, and why it is a threat
- Establish a workflow process to follow when a questionable email is detected; ensure there are clear lines of responsibility and avenues to resolve the issues
- Create a standardized form or documentation; perhaps create a database to track and manage the email disposition process
- Review and update vendor-vetting protocols
- Update payment-approval authority requirements and communicate them effectively; ensure a protocol is in place to update authority roles when employee changes occur
- Include a list of red-flag examples that may indicate an email is not credible in policy or procedure documents for the convenience of employees; revisit and update periodically
- Incentivize individuals for bringing phishing emails or other questionable communications to the attention of management
- Include anti-phishing controls as a key control for ICFR assessment and testing
- Train or retrain accounting and finance staff on the threats of phishing and the identification of phishing/spoofing emails (e.g., refreshing on red flags, vendor/email due diligence and communication), as well as the related policies and procedures
- Report phishing emails to authorities, such as the FBI’s Internet Crime Complaint Center[10]
It is clear that the receipt of emails from fictitious executives and vendors poses a pervasive and costly threat to companies of all shapes and sizes. Spending a little time up-front to make sure your company’s controls are updated and that your people are trained appropriately could go a long way toward saving a lot of company time and money in the long run. It is also notable that the SEC did not charge any of the nine issuers with violating the federal securities laws; however, the 21(a) Report of Investigation serves as a warning to companies that fail to heed lessons learned, because the next time a company finds itself a victim of a similar phishing scam, it may also be a recipient of an SEC enforcement action.
10 Red Flags an Email Is Phishing
- It is unusual that you specifically received it
- There are misspellings and/or poor grammar
- It requests private or sensitive information
- Payment is urgent
- Secrecy from fellow employees is requested
- It includes threatening language
- It requests or changes payment method to a wire transfer or to a series of wire transfers under a certain amount
- The payments are to foreign banks
- The vendor name does not match exactly those known to be real
- The email display name and real email address don’t match
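The red flags above can be turned into a first-pass triage check that accounts-payable staff or a mail gateway can run before any vendor banking change is acted on. The following is an added example, not code from the article or from any agency cited in it; the vendor master file, domains and messages are constructed placeholders, and the keyword lists are assumptions that a real deployment would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master file (hypothetical): vendor name -> e-mail domain on record.
KNOWN_VENDORS = {"Acme Hardware": "acme-hardware.example"}

# Phrases that operationalise the page's red flags (urgency, secrecy, wire/bank changes).
PATTERNS = {
    "urgent payment": re.compile(r"\b(urgent(ly)?|immediately|by end of (the )?day|today)\b", re.I),
    "secrecy requested": re.compile(r"\b(confidential|do not (tell|discuss|share)|keep this between)\b", re.I),
    "bank details changed": re.compile(r"\b(new|updated?|changed?) (bank|account|wire|remittance)\b", re.I),
    "wire transfer requested": re.compile(r"\bwire transfer", re.I),
}

def red_flags(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    # Display name carries an address that differs from the real sender address.
    if "@" in display and display.strip().lower() != addr.lower():
        flags.append("display name and sender address differ")
    # Sender claims a known vendor but mails from a domain that is not on record for it.
    for vendor, vendor_domain in KNOWN_VENDORS.items():
        if vendor.lower() in (display + " " + text).lower() and domain != vendor_domain:
            flags.append(f"claims vendor {vendor!r} but sender domain {domain!r} is not on record")
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            flags.append(name)
    return flags

# Constructed sample messages: a lookalike-domain bank-change request, a display-name
# spoof, and a legitimate message from the domain on record.
SAMPLE = """\
From: Acme Hardware Billing <billing@acme-hardware-invoices.example>
To: ap@victim-co.example
Subject: URGENT: updated bank details for invoice 4471

Please note our updated bank account for all outstanding invoices.
Remit by wire transfer today and keep this between us until the audit is over.
"""
SPOOFED_DISPLAY = 'From: "ap@acme-hardware.example" <acme.billing@mail-relay.example>\nSubject: Invoice 4471\n\nAttached is invoice 4471 for your records.\n'
CLEAN = "From: Acme Hardware AP <ap@acme-hardware.example>\nSubject: Invoice 4471\n\nAttached is invoice 4471 for your records.\n"

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("SPOOFED_DISPLAY", SPOOFED_DISPLAY), ("CLEAN", CLEAN)):
        print(label, red_flags(raw))
```

A hit on any flag is a reason to verify the request out of band with the vendor contact already on file, never via the contact details in the email itself.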
References
1. “Lithuanian Man Pleads Guilty to Wire Fraud for Theft of Over $100 Million in Fraudulent Business Email Compromise Scheme,” Press Release No. 19-087, U.S. Department of Justice, March 20, 2019.
2. “Lithuanian Pleads Guilty in U.S. to Massive Fraud Against Google, Facebook,” Reuters, March 20, 2019.
3. “Report of Investigation Pursuant to Section 21(a) of the Securities and Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements” (the “21(a) Report of Investigation”), Release No. 64429, Securities and Exchange Commission, October 16, 2018.
4. Public Service Announcement of the FBI, Alert Number I-071218-PSA, July 12, 2018.
5. Id.
6. Section 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934.
7. The Sarbanes-Oxley Act of 2002, §404. See also SEC Rules and Regulations for applicability requirements.
8. Neither the DOJ’s release nor its indictment provided specifics as to what controls failed to detect or prevent the misdirected payments. See https://www.justice.gov/usao-sdny/press-release/file/950556/download for a copy of the indictment. The FBI’s announcement was also limited on specifics in regard to controls.
9. 21(a) Report of Investigation at 6.
10. Claims to the FBI’s Internet Crime Complaint Center can be filed at https://www.ic3.gov/complaint/default.aspx.