The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in "business email compromises" that are victimizing organizations across industry sectors.
On October 16, 2018, the SEC released a "Report of Investigation" calling for public companies to reassess their internal accounting controls "in light of emerging risks, including risks arising from cyber-related frauds." In particular, the report focuses on certain types of "business email compromises" (BECs), in which a bad actor uses spoofed or compromised email accounts to trick an organization's personnel into effectuating wire transfers to financial accounts controlled by fraudsters.
The report was prompted by the SEC's investigation into whether nine public companies violated U.S. securities laws "by failing to have sufficient accounting controls" to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The nine companies were victimized by one of two variants of the BEC scheme—involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.
Emails from Fake Executives – A person purporting to be a company executive (usually a CEO or CFO) used a spoofed email domain and address to direct mid-level finance personnel to work with a purported outside attorney (copied on the email) to effectuate large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real attorney and law firm names, and emphasized the need for secrecy and time sensitivity in completing the wire transfers that were purportedly related to foreign transactions or acquisitions. The SEC characterized the emails as "not sophisticated frauds," requiring only the creation of a spoofed email address.
Emails from Fake Vendors – Perpetrators hacked into and took over the email accounts of actual employees of foreign vendors of the company. They then communicated with company personnel via the compromised vendor email accounts, redirecting wire transfers for actual transactions to accounts under the perpetrators' control.
The nine companies were members of various sectors, including technology, machinery, real estate, energy, financial services, and consumer goods. Each of the nine companies lost at least $1 million; two lost more than $30 million. One company made more than 14 wire payments requested by a fraudster impersonating a company executive—resulting in more than $45 million in losses. Virtually none of the funds were recovered in any of the cases.
The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that "[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws." (See our prior alert and blog post regarding the Interpretive Guidance).
The SEC advised companies to "pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds."
Under Section 13(b)(2)(B)(i) and (iii), these internal controls must reasonably assure that:
- transactions are executed in accordance with management's general or specific authorization; and
- access to assets is permitted only in accordance with management's general or specific authorization.
The SEC emphasized that these fraud schemes were not particularly sophisticated. They were widely successful, though, because they used "technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective." The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was in employee interpretation of these controls as capable of being satisfied solely through electronic communications—along with their failure to recognize obvious indications of fraud in the emails.
The message from this report is remarkably explicit—namely, that internal controls are not static and public companies should continuously refresh their internal control environment to take into consideration known threats. Going forward, public companies must have in place internal controls that are geared toward detecting BECs and by extension other types of cybersecurity frauds. The failure to have such controls likely will be deemed a violation of the Exchange Act subjecting companies to the full panoply of possible SEC sanctions including fines, supervision and debarment of responsible officers from holding public company officer or director positions.
Although the SEC gave no indication what the severity of any possible future punitive actions might be, it stressed that the nine companies it looked into had lost $100 million and that the FBI estimated that such fraud cost companies more than $5 billion since 2013. It further emphasized that investors rely on public issuers to implement internal controls to appropriately address these issues. Additionally, public companies should expect that their auditors will take seriously the SEC's investigative report (similar to what occurred with respect to the SEC's Netflix 21(a) report on social media and Regulation FD) and closely scrutinize whether proper internal controls are in place to stop BEC cyber fraud and other types of cyber fraud as well. Failure to have such controls may require a report of material weakness in internal controls and/or a refusal by accounting firms to sign off on financial statements. Finally, it can also be expected that the absence of such controls will lead to both private securities fraud lawsuits under Section 11 of the Securities Act and Section 10(b) of the Exchange Act, as well as a spate of derivative lawsuits. The SEC's report makes clear that this is not only a consumer fraud issue but one of the integrity of the public markets, as well.
This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016.
The FBI has published a checklist of steps that organizations can take to prevent and respond to BECs. Below are the FBI's tips, and some of our own:
Steps to Prevent BECs
- Consider a method other than email of transmitting wire transfer instructions.
- Do not allow any wire transfer to occur based solely on email communications.
- Ensure company policies provide for appropriate verification of any wire transfer and any changes to existing invoices, bank deposit information, and contact information.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are unusual.
- Verify wire transfers and any changes in vendor payment location by adding additional two-factor authentication, such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the email request.
- Consider using passcodes known only to both parties in a proposed wire transaction, and that are not contained in email communications.
- Create intrusion detection system rules that flag emails whose sender domain is similar to, but not the same as, the company's email domain. For example, legitimate email from abc_company.com would flag fraudulent email from abc-company.com.
- Create an email rule to flag email communications where the "reply-to" email address is different from the "from" email address shown.
- Color-code or add banners to emails based on whether they are transmitted from employee/internal accounts or non-employee/external accounts.
- Frequently monitor your email Exchange server for changes in configuration and custom rules for specific accounts.
- Conduct end-user education and training on the BEC threat and how to identify a spear phishing email.
- Create and publicize detection and response protocols for any employee who suspects an attempted or successful BEC.
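Three of the technical items in the checklist above (look-alike sender domains, a Reply-To address that differs from the From address, and banners for external senders) can be expressed as one header-triage routine. The following is an added example written for this alert; it is not code from the FBI, the SEC or the original authors. The internal domain `abc_company.com` is taken from the checklist's own example, while the similarity threshold and the sample messages are constructed for illustration.

```python
"""Inbound mail header triage for the BEC checklist items: look-alike sender
domains, Reply-To/From mismatches and an external-sender banner.
Added example; the domain, threshold and sample messages are constructed."""
import difflib
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "abc_company.com"   # constructed, matching the checklist's example
SIMILARITY_THRESHOLD = 0.9            # assumed tuning value for near-miss spellings


def address_of(header_value):
    """Bare lower-cased address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()


def is_internal(domain, internal=INTERNAL_DOMAIN):
    """The company domain itself or any subdomain of it."""
    return domain == internal or domain.endswith("." + internal)


def normalize(domain):
    """Collapse separators and common look-alike substitutions so that
    abc-company.com, abccompany.com and abc_c0mpany.com all compare equal."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("-", ""), ("_", ""), (".", "")):
        d = d.replace(src, dst)
    return d


def lookalike(domain, internal=INTERNAL_DOMAIN):
    """True when a sender domain is not ours but could be mistaken for it."""
    if not domain or is_internal(domain, internal):
        return False
    if normalize(domain) == normalize(internal):
        return True
    # Fall back to a similarity ratio for single-character edits (a transposed
    # or dropped letter) that normalization cannot collapse.
    return difflib.SequenceMatcher(None, domain, internal).ratio() >= SIMILARITY_THRESHOLD


def triage(raw_message, internal=INTERNAL_DOMAIN):
    """Return the flags a mail gateway or SIEM rule would attach to one message."""
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    sender_domain = sender.rpartition("@")[2]
    flags = []
    if lookalike(sender_domain, internal):
        flags.append("lookalike-domain")
    # Mailing lists and ticketing systems set Reply-To legitimately, so this is
    # a review flag for finance staff, not an automatic block.
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    external = not is_internal(sender_domain, internal)
    if external:
        flags.append("external-sender")
    subject = msg.get("Subject", "")
    return {
        "sender": sender,
        "reply_to": reply_to,
        "flags": flags,
        # Banner the subject so recipients see at a glance that it came from outside.
        "subject": ("[EXTERNAL] " + subject) if external else subject,
    }


# Constructed sample messages covering each rule.
SAMPLES = {
    "spoofed_exec": (
        "From: Jane Chief <jane.chief@abc-company.com>\n"
        "To: pat.finance@abc_company.com\n"
        "Subject: Urgent confidential wire\n\n"
        "Please work with outside counsel on the attached wire.\n"
    ),
    "reply_to_swap": (
        "From: Jane Chief <jane.chief@abc_company.com>\n"
        "Reply-To: jane.chief@mail-relay.example\n"
        "To: pat.finance@abc_company.com\n"
        "Subject: Quick request\n\n"
        "Are you at your desk?\n"
    ),
    "legit_internal": (
        "From: Pat Finance <pat.finance@abc_company.com>\n"
        "To: jane.chief@abc_company.com\n"
        "Subject: Q3 close\n\n"
        "Draft attached.\n"
    ),
    "vendor_external": (
        "From: Accounts Payable <ap@vendor.example>\n"
        "To: pat.finance@abc_company.com\n"
        "Subject: Invoice 4711\n\n"
        "Invoice attached.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The normalization step catches the separator and homoglyph swaps the checklist describes, and the similarity fallback catches a single transposed or dropped letter; the threshold is a starting point that should be tuned against real mail flow, since short domains score high even for unrelated names. None of the flags should release or block a wire by itself; they exist to route the message to the out-of-band verification steps listed above.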
Steps to Take When Responding to BECs
- Immediately contact the originating bank and request a wire recall.
- Immediately file a complaint with the FBI's Internet Crime Complaint Center and alert your local FBI office (local police are unlikely to be able to help). Provide the following information:
  - Any messages pertaining to the attack
  - Victim information
  - Overall losses associated with the BEC
  - If a payment associated with the attack was sent, provide transaction details
  - Victim impact statement (e.g., impacted services/operations)
  - IP addresses used to send fraudulent emails
- Save all messages and evidence associated with the incident.