Carl in accounting receives an urgent email from Erica, the company CEO.
The unusual email captures Carl’s attention, so he verifies that it is from Erica’s email address and notes that the tone and writing style are consistent with her other email messages. The CEO is requesting that a wire be sent immediately to the bank displayed in the email. Since Erica is out of town, Carl complies and sends the wire as requested.
Two days later… When Erica returns to the office, Carl confirms the wire was sent per her email instructions. “What email?” Erica asks. The funds are never recovered.
This is a true story and more common than you realize.
Recently released court documents show that European-based cinema chain Pathé lost a small fortune to a business email compromise (BEC) scam in March 2018. How much? The attack, which ran for about a month, cost the company an astonishing US $21.5 million (roughly 19 million euros).
Cybercrime and cyber fraud are two of the biggest risks facing companies today. While almost everyone is generally aware of the risk, the full extent of the problem may not be fully appreciated. Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
The FBI’s Internet Crime Complaint Center (IC3) recently reported a 136% increase in actual and attempted monetary losses on a global scale between December 2016 and May 2018 due to BEC scams.
According to The Rise and Rise of Business Email Compromise Scams, published by Duo Security, BEC scams are growing at a “terrific rate with losses in the United States alone of nearly $3 billion in the last 18 months.”
While cybercrime takes many forms, it most commonly appears as one of these two:
- Emails from fake executives, also known as a Business Email Compromise (BEC) scam.
- Fake vendor/supplier requests.
Business Email Compromise Scam (BEC)
In the first instance, spoofed emails that appear to come from company executives direct employees to send wires to an outside entity. These directions typically involve foreign banks and may be accompanied by tight deadlines, references to actual law firms, and/or some type of regulatory matter.
According to the FBI, “The Business Email Compromise (BEC) scam is defined as a type of sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
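The story above turns on a single check: Carl looked at the sender address and the writing style and stopped there. The following triage routine is an added example (not from the article or any product it mentions) showing the kind of indicators a mail filter or a finance team’s inbox rule can score instead: an executive’s display name paired with an address that is not the one in the directory, a lookalike sender domain, a Reply-To pointing elsewhere, the company’s own domain without a DMARC pass, and urgent payment language. The company domain, executive directory, and the three sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed values for the example; a real deployment would read these from the directory.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"erica": "erica@example-corp.test"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential(ly)?)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|bank|account|invoice)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str      # empty string when the header is absent
    subject: str
    body: str
    dmarc: str         # "pass", "fail" or "none", as the gateway's Authentication-Results would record it


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small distances between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg: Message) -> List[str]:
    """Return the list of impersonation indicators present in one message."""
    flags = []
    from_dom = _domain(msg.from_addr)

    # 1. Executive's name in the display name, but the address is not the directory entry.
    name_key = (msg.display_name.split() or [""])[0].lower()
    known = EXECUTIVES.get(name_key)
    if known and msg.from_addr.lower() != known:
        flags.append("executive display name with non-directory address")

    # 2. Sender domain is not ours but is only a character or two away from it.
    if from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike sender domain")

    # 3. Replies would go to a different domain than the one shown in From.
    if msg.reply_to and _domain(msg.reply_to) != from_dom:
        flags.append("reply-to domain differs from sender domain")

    # 4. Claims to be our domain, yet the gateway could not authenticate it.
    if from_dom == COMPANY_DOMAIN and msg.dmarc != "pass":
        flags.append("internal domain without DMARC pass")

    # 5. Urgency combined with payment language, the classic CEO-wire pattern.
    text = f"{msg.subject} {msg.body}"
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment language")
    return flags


def sample_messages() -> Tuple[Message, Message, Message]:
    """Three constructed messages: a lookalike-domain spoof, a reply-to hijack, and a normal email."""
    spoof = Message("Erica Smith", "erica@examp1e-corp.test", "", "Urgent wire request",
                    "Carl, I need a wire sent today to the bank details below. "
                    "I am out of town, please handle it confidentially.", "none")
    hijack = Message("Erica Smith", "erica@example-corp.test", "erica.ceo@webmail.test",
                     "Invoice payment", "Please process this payment immediately.", "fail")
    legit = Message("Erica Smith", "erica@example-corp.test", "", "Q3 board deck",
                    "Please review the attached deck before Thursday.", "pass")
    return spoof, hijack, legit


if __name__ == "__main__":
    for m in sample_messages():
        print(m.subject, "->", bec_indicators(m) or "no indicators")
```

The scoring is deliberately additive: no single indicator proves fraud, but any message that trips the payment-language rule together with a sender anomaly is exactly the one that should be routed to a callback before anyone touches a wire.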
Fake vendor/supplier requests
Fake vendor requests are made to look like legitimate emails to the customer, requesting changes to the vendor’s ‘remit to’ information. The customer changes the address and sends payment to the new vendor bank account. Because a vendor may not follow up in a timely manner on outstanding receivables, this could go on for several weeks (perhaps longer) before the problem is discovered.
According to the AICPA, these are steps to establish an environment conducive to improving cybersecurity in a business.
- Build general employee awareness of cybersecurity threats and how they manifest in companies like theirs.
- Provide cybersecurity training during onboarding and continue emphasis on awareness and training.
- Always encrypt sensitive data, especially when saving it to external devices or the cloud.
- Keep system software and anti-virus protection up to date. The AICPA estimated that as much as 90% of cyber breaches could have been prevented if proper system controls had been in place.
How CFOs and Controllers can help
CFOs and Controllers can assist in this effort by ensuring the company’s internal controls over disbursements are well defined and are strictly adhered to.
- Require two approvals on outgoing wires/ACH payments, and verify all email requests for such payments by calling back through company-registered phone numbers.
- Work with the bank to see if the latest security features are in use.
- Verify all changes to vendor remittance information directly with the vendor, using telephone numbers found on the vendor’s own website.
- Stay on top of accounts receivable balances. Look for different patterns in customer payments. Is a customer that usually pays in a timely manner suddenly behind? Confirm they have made payment to the proper address/lockbox/ACH account.
- If the company allows personal devices to access the company’s information, ensure that they are equipped with the same security software as company-owned hardware and are updated regularly. Access to company payment portals should be restricted to company-issued computers/laptops only.
- Review crime/cyberfraud insurance with the broker to confirm whether the company’s setup (e.g., remote workforce, use of contractors) affects coverage for a cyberfraud event.
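The two-approval rule, the callback rule, and the vendor remittance rule above are easiest to reason about when written as a release gate that a payment system enforces rather than a checklist people remember. The code below is an added example (not from the article, and not any real AP system’s code) modelling those controls: the vendor master is the only trusted source of bank details and callback numbers, an email-originated request cannot be released without a callback to the number already on file, two approvals are required and the requester’s own approval never counts, and a “remit to” change is only applied after a callback to the number on file rather than one supplied in the change request. The vendor, account numbers, phone numbers, and amounts are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed vendor master: the one trusted record for bank details and callback numbers.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V100": {"name": "Acme Supply (constructed)",
             "bank_account": "ACME-ACCT-001",
             "phone": "+1-555-0100"},
}


class ControlViolation(Exception):
    """Raised when a disbursement fails one of the internal controls."""


@dataclass
class PaymentRequest:
    request_id: str
    vendor_id: str
    amount: float
    bank_account: str                   # account named in the request; may have come from an email
    origin: str                         # "email" or "portal"
    requester: str
    approvals: Set[str] = field(default_factory=set)
    callback_to: Optional[str] = None   # number actually dialed to confirm the request, if any


def approve(req: PaymentRequest, approver: str) -> None:
    """Record an approval; the person who raised the request cannot approve it."""
    if approver != req.requester:
        req.approvals.add(approver)


def record_callback(req: PaymentRequest, phone_dialed: str) -> None:
    """Record which number was actually called to confirm the request."""
    req.callback_to = phone_dialed


def change_remittance(vendor_id: str, new_account: str, callback_to: str) -> bool:
    """Apply a 'remit to' change only after confirming by calling the number already on file.
    A callback to a number taken from the change request itself does not count."""
    vendor = VENDOR_MASTER[vendor_id]
    if callback_to != vendor["phone"]:
        return False
    vendor["bank_account"] = new_account
    return True


def release_payment(req: PaymentRequest) -> str:
    """Release the payment only if every control passes; otherwise raise ControlViolation."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        raise ControlViolation("unknown vendor")
    # Control 1: pay the account on file, never the account named in the request.
    if req.bank_account != vendor["bank_account"]:
        raise ControlViolation("bank account differs from vendor master; handle as a remittance change")
    # Control 2: two distinct approvers, excluding the requester (enforced in approve()).
    if len(req.approvals) < 2:
        raise ControlViolation("two approvals required, excluding the requester")
    # Control 3: anything that arrived by email is confirmed by calling the number on file.
    if req.origin == "email" and req.callback_to != vendor["phone"]:
        raise ControlViolation("email-originated request not confirmed by callback to number on file")
    return f"RELEASED {req.request_id}: {req.amount:.2f} to {vendor['bank_account']}"


def try_release(req: PaymentRequest) -> str:
    """Convenience wrapper that turns a violation into a BLOCKED status string."""
    try:
        return release_payment(req)
    except ControlViolation as exc:
        return f"BLOCKED {req.request_id}: {exc}"


def ceo_email_scenario() -> str:
    """The story from the top of the article, replayed against the gate."""
    req = PaymentRequest("W-1", "V100", 21500.00, "OFFSHORE-999", "email", requester="carl")
    approve(req, "carl")          # ignored: requester cannot approve
    approve(req, "controller")
    record_callback(req, "+1-555-0199")   # number taken from the email itself
    return try_release(req)


if __name__ == "__main__":
    print(ceo_email_scenario())
```

Walking a legitimate request through the same gate takes four steps (account on file, two approvals, callback to the number on file, release), which is the point: the controls cost a phone call and a second signature, and the fake-CEO request fails at the very first check regardless of how convincing the email was.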
Cyberfraud is not just a large company problem. Small companies are just as much at risk, perhaps even more so. They are likely not as able to adequately segregate duties to the extent larger companies can. Therefore, they must rely on the training and the diligence of their team members to help protect the company.
What’s your story about cyberfraud and fake CEO emails? Please share in a comment below.
About the Author
Larry Numata brings 30 years of accounting and financial management experience to the CFO Selections team. He has held numerous positions as Chief Financial Officer, Controller, Director of Accounting, Corporate Secretary, and Consultant. Most recently, he was the CFO for SECO Development Inc, a mixed-use real estate development company, and he has also been CFO of Computech Systems Corporation.
Larry graduated from the University of Washington with a Degree in Accounting and holds a CPA license in Washington. He is a member of the Washington Society of Certified Public Accountants and the American Institute of Certified Public Accountants, and has held Board positions for Atlantic Steel Center and Municipal Golf of Seattle.