After investigation, SEC issues cyberfraud alert
The SEC on Tuesday issued an investigation report warning public companies to be wary of a type of cyberfraud called “business email compromise” and to consider such frauds when devising and maintaining internal accounting controls.
The report, produced by the SEC’s Division of Enforcement in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, detailed the results of an investigation into nine public companies that lost many millions of dollars as a result of cyber-related frauds in which company personnel received spoofed or otherwise compromised electronic communication. In response to those messages, company personnel wired large sums of money or paid fake invoices to accounts controlled by the fraudsters, the SEC said.
The SEC did not name the companies it investigated but said each had significant annual revenue and securities listed on a national exchange. Each company lost at least $1 million, with two of them losing more than $30 million. Losses for the nine issuers totaled nearly $100 million, almost all of which was not recovered, according to the SEC report. Some of the schemes lasted for an extended period and were not discovered until a third party alerted the company to a problem.
The companies covered a range of sectors, including technology, machinery, real estate, energy, financial, and consumer goods. This, the SEC said, demonstrates that every type of business is a potential target for cyber-related fraud schemes.
After investigating whether the companies complied with the internal accounting control requirements laid out in Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, the SEC decided not to pursue an enforcement action. The commission instead issued a Report of Investigation pursuant to Section 21(a) of the Exchange Act to make issuers of securities and other market participants aware of the threat of spoofed or manipulated electronic communications, and to prompt them to consider those threats when devising and maintaining the system of internal accounting controls required by federal securities laws, the SEC said.
The SEC report focuses on two types of business email compromises — emails from fake executives and emails from fake vendors. In schemes involving emails from fake executives, also called executive impersonation, fraudsters not affiliated with a company use spoofed email domains and addresses to send communications that appear to come from a company executive, usually the CEO. In all of the frauds covered in the SEC investigation, the spoofed emails directed company personnel to wire large sums to foreign bank accounts controlled by the fraudsters.
The spoofed emails used real law firm and attorney names with email domains such as “consultant.com.” The SEC said the frauds were not sophisticated in their design or use of technology. In addition, the SEC report found the following common elements:
Emails from fake vendors are, as the name implies, electronic communications that impersonate a company’s vendors. The cases the SEC investigated showed a higher level of technological sophistication than the spoofed executive emails, with the schemes involving the hacking of existing vendors’ email accounts. After accessing the vendor email accounts, the fraudsters inserted illegitimate requests for payments, with payment processing details, into electronic communications for otherwise legitimate transaction requests.
In addition, the fraudsters tricked company personnel responsible for procuring goods from the vendor into providing access to legitimate purchase orders and invoices. The criminals then requested changes to the vendors’ banking information and attached doctored invoices with the new, fraudulent account information. The company personnel responsible for procurement sent that information to accounting personnel responsible for maintaining vendor data. This resulted in payments on outstanding invoices being made to foreign bank accounts controlled by the fraudsters.
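The two patterns described above (an executive's name on an outside address such as "consultant.com", and a vendor message that changes payment details) are the kind of thing a mail-triage rule can surface before a wire goes out. The script below is an added example written for this page; it is not code from the SEC report or the JofA article. The company domain, the executive roster, the trusted vendor domain and the three sample messages are all constructed for illustration.

```python
"""Triage inbound mail for the two business email compromise patterns
described in the SEC report: executive impersonation and vendor
impersonation. Added example; all names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAINS = {"example-corp.com"}               # assumed internal domain
VENDOR_DOMAINS = {"acme-supplies.example"}           # assumed trusted vendor
TRUSTED_DOMAINS = COMPANY_DOMAINS | VENDOR_DOMAINS
EXECUTIVES = {"jane doe"}                            # assumed executive roster
PAYMENT_KEYWORDS = ("new bank", "updated bank", "wire", "account number", "beneficiary")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # Executive impersonation: a real executive's display name on an
    # address outside the company's own domains.
    if name.strip().lower() in EXECUTIVES and from_dom not in COMPANY_DOMAINS:
        findings.append(f"executive name '{name}' on external domain {from_dom}")

    # Look-alike domain: one or two characters away from a trusted domain.
    for dom in TRUSTED_DOMAINS:
        if from_dom != dom and 0 < _edit_distance(from_dom, dom) <= 2:
            findings.append(f"look-alike domain {from_dom} (near {dom})")

    # Reply-To pointing away from the From domain: replies to an apparently
    # legitimate sender are routed to a mailbox the attacker controls.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from {from_dom}")

    # Payment-detail language in the body: the vendor-impersonation pattern.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if any(k in body for k in PAYMENT_KEYWORDS):
        findings.append("body requests a wire or a change of bank details")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_EXEC_SPOOF = """\
From: Jane Doe <jane.doe@consultant.com>
Reply-To: Jane Doe <j.doe.ceo@mail-relay.example>
To: treasury@example-corp.com
Subject: Urgent wire for acquisition

Please wire 1,250,000 USD to the beneficiary account below today.
"""

SAMPLE_VENDOR_LOOKALIKE = """\
From: Accounts Payable <billing@acme-suppl1es.example>
To: procurement@example-corp.com
Subject: Updated bank details

Please note our updated bank details for all outstanding invoices.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: treasury@example-corp.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("exec spoof", SAMPLE_EXEC_SPOOF),
                          ("vendor look-alike", SAMPLE_VENDOR_LOOKALIKE),
                          ("legitimate", SAMPLE_LEGIT)):
        print(label, "->", triage(sample))
```

Rules like these only catch the less sophisticated variant. In the vendor cases the SEC describes, the fraudsters sent from the vendor's own compromised mailbox, so the domain, the display name and the Reply-To all look right; the control that still holds there is an out-of-band confirmation of any change to a vendor's banking information, using a phone number already on file rather than one supplied in the email.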
In its Report of Investigation, the SEC advises public companies to factor cyber-related threats into the design and implementation of internal controls. In the cases the SEC investigated, the schemes “relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”
— Jeff Drew (Jeff.Drew@aicpa-cima.com) is a JofA senior editor.