In late 2018, the SEC issued an investigative report on cyber threats to be considered in implementing internal accounting controls. The issue came to its attention as the result of 9 public companies losing over $1 million each in two different types of schemes; one wired $45 million to an incorrect account (in case you thought the $1 million was immaterial).
Total losses were estimated at over $100 million, most of which was not recovered. In that same report, the FBI is quoted as indicating fraud losses related to business email compromises totaled over $5 billion since 2013. The two primary email schemes involved in the losses examined by the SEC were those where fraudsters emailed companies pretending to be either vendors or company executives and had funds diverted from appropriate accounts to ones controlled by the fraudsters. These types of cyber threats are not uncommon.
Large and small entities
Perhaps you’re thinking this could only happen at a large company with lots of employees where people don’t see each other often, call to verify transfers of funds, or talk to one another. That is not the case! Fraud can happen anywhere and in any size organization – and usually begins with some kind of cyber threat. With email and online interactions, it’s easy for fraudsters to pose as others. In the last month, two different school districts in two different states have been defrauded of over $5 million earmarked for construction and renovation of schools. This happened when employees of the school districts were convinced by emails from the fraudsters that the vendor’s bank account numbers had changed.
Simple things to prevent fraud
Employees are both the biggest risk and a vital part of protecting an organization from fraud. Let’s look at a few simple things that any employee in any size organization can do to help prevent fraud losses.
- Be aware of organizational information security policies.
- Read. Look at the address the email is coming from, the spelling and grammar within it, and keep current on trends in cybersecurity breaches through education, so you know what to look for.
- Trust, but verify. Ask questions, particularly if it’s an unusual request, outside normal procedures, or coming from a source you don’t usually interact with. Make that phone call, and consult with others if the request is out of the norm.
How we can help
All of the above are simple things to do, and yet somehow 30 different people at one organization were convinced to wire funds multiple times to a bank account that was not the vendor’s. While there are sophisticated techniques and electronic controls to help catch fraudsters, many of the techniques are simple controls as well. You can thwart cyber threats and prevent fraud with ongoing training, diligence and vigilance.