Email spam may be looked at as the poor cousin to bigger hacking episodes, but in a new study by the Securities and Exchange Commission, “spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem,” the report stated. In fact, the FBI 2017 Internet Crime Report stated that “business email compromises” caused more than $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017, “the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period,” the SEC report stated.

Experts long have said spam is the first wave of cyberattacks, and in its investigation, the SEC wanted to see how firms were devising and maintaining internal accounting controls that were adequately protecting company assets.

Although the SEC is not pursuing enforcement actions against those who have been victims of this fraud, it wanted to warn firms what spam attacks have done and how they’ve been perpetrated.

This type of cyberattack covered all sectors, from financial, to technology to real estate to energy and others, the report stated. Each of the nine companies studied lost at least $1 million, and two lost more than $30 million. Together, the nine firms alone lost $100 million due to spoofing fraud.

Many times the company didn’t know it was a victim until a third party, such as a foreign bank or law enforcement agency, uncovered it. And sometimes the fraud took several weeks to detect. For example, one company made 14 wire payments totaling $45 million requested by a fake executive over several weeks, until a foreign bank alerted the firm. Another paid eight invoices totaling $1.5 million over several months to a vendor’s manipulated electronic documentation for a banking change, and didn’t realized it until the real vendor complained about unpaid invoices.

Two Main Spam Techniques

The SEC found the two key ways spoofing can compromise a company are emails from fake executives and emails from fake vendors.

Fake executives typically used email that, at least superficially, appeared legitimate. “In all of the frauds, the spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email,” the SEC found. From there, that person directed large wire transfers to be made to fake foreign bank accounts.

Although the SEC noted these weren’t sophisticated frauds, they had common elements:

  1. Time sensitivity: Spoofed emails were described as time-sensitive, as well as emphasizing the need for secrecy. Also, they sometimes “implied some level of government oversight,” at times stating it was done under the supervision of the SEC.
  2. Foreign transactions: Spoofed emails also stated that funds were necessary for foreign transactions or acquisitions, therefore directed the wire transfers to foreign banks and beneficiaries. Typically, minimal details were provided.
  3. Targeted midlevel personnel: Spoofed emails typically were sent to midlevel personnel who weren’t generally weren’t responsible for those type of transactions nor usually dealt directly with the executive being spoofed.

The other common scam was emails from fake vendors. The SEC noted this form was more sophisticated than executive emails, largely because they typically  involved “intrusions into the email accounts of issuers’ foreign vendors.”

After hacking a vendor’s account, the scammers typically would access information to gain real purchase orders or invoices, and send them to the company, which would pay the “outstanding invoices” to the perpetrator’s foreign account. Because of the long cycle in payments, it typically took longer to notice the problem, the SEC stated.

In its acknowledgement of the threat cyber fraud presents to the capital markets, the agency advised firms that “cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.” Further, “systems of internal accounting controls, by their nature, depend also on personnel that implement, maintain and follow them.” In other words, train all staff to be attuned to these scams, be vigilant and not take shortcuts. Even chief financial officers have fallen for these types of scams, so education should happen on all levels, the SEC stated.

In conclusion, the SEC noted that “given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from the risks.”

— Related on ThinkAdvisor: