SEC issues report on cyber-related frauds perpetrated against public companies
Oct 16, 2018
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report about companies with deficient internal controls – in particular, nine unnamed companies that became victims of a cyberfraud called “business email compromises.”
As noted in an article from the Journal of Accountancy, there were two kinds of business email compromises — emails from fake executives and ones from fake vendors.
In schemes involving emails from fake executives – also called “executive impersonation” – fraudsters not affiliated with a company use spoofed email addresses to send communications that appeared to come from a company executive, typically the CEO. Sometimes, the spoofed emails used real law firm and attorney names. The executive impersonation emails often had these common elements:
- Referred to time-sensitive “deals” that needed to be completed within days, emphasizing the need for secrecy from other company employees and sometimes suggested some form of government oversight.
- Claimed that the requested funds were needed for foreign transactions – and all directed the wire transfers to foreign banks. The emails provided minimal details about the transaction – and while all of the companies had some foreign operations, these types of foreign transactions would have been out of the ordinary.
- Typically went to mid-level personnel who rarely communicated with the executives being spoofed – and who typically were not involved in the supposed transactions.
Review the press release and report on the SEC's website.