Stinnett is seeing an increase in fraudulent activity around organizations’ accounts receivable and accounts payable processes (cash in / cash out). Malicious threat actors gain access to corporate email systems through phishing campaigns that target employees with finance and accounting responsibilities. Once inside, the attackers use the compromised mailbox to correspond with customers and vendors, aiming to change where financial transactions originate or are sent (e.g., bank account numbers, financial institutions). The result is fraudulent transactions that the targeted organization usually cannot recover.
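The defensive point in the pattern above is that the fraudulent instruction arrives from the vendor's real, compromised mailbox, so sender checks pass and the only reliable control is out-of-band verification against contact details already on file. The following accounts-payable control is an added example written for this page (it is not Stinnett's code or any product's); the vendor record, phone number and change request are constructed sample data, and `assess` / `apply_change` are illustrative names.

```python
"""Accounts-payable control for vendor bank-detail change requests.

Added example, not code from the original page. It models the control
that defeats the BEC pattern described above: a bank-detail change that
arrives by email is never applied on the strength of the email alone.
It is held pending until confirmed by callback to the phone number on
file from vendor onboarding, never to a number supplied in the request.
All vendor data and requests below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Vendor:
    name: str
    email_domain: str      # domain the vendor normally sends from
    phone_on_file: str     # verified at onboarding, never taken from an email
    bank_account: str      # current payment destination


@dataclass
class ChangeRequest:
    vendor: str
    from_address: str
    new_bank_account: str
    callback_phone: Optional[str] = None   # number the email asks AP to call, if any
    status: str = "received"
    notes: List[str] = field(default_factory=list)


def sample_vendors() -> Dict[str, Vendor]:
    """Constructed vendor master data (hypothetical vendor and phone number)."""
    return {
        "Acme Supply": Vendor("Acme Supply", "acme-supply.example",
                              "+1-555-0100", "111222333"),
    }


def assess(req: ChangeRequest, vendors: Dict[str, Vendor]) -> ChangeRequest:
    """Triage an emailed change request; it always ends pending, never applied."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        req.status = "rejected"
        req.notes.append("unknown vendor")
        return req

    domain = req.from_address.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain:
        req.notes.append(f"sender domain {domain} does not match {vendor.email_domain}")
    else:
        # A matching domain is expected in a BEC: the real mailbox is compromised.
        req.notes.append("sender domain matches; not evidence of legitimacy")

    if req.callback_phone and req.callback_phone != vendor.phone_on_file:
        # The attacker controls any number the email offers; ignore it.
        req.notes.append("email supplies a callback number that differs from the number on file; ignore it")

    req.status = "pending_callback"
    return req


def apply_change(req: ChangeRequest, vendors: Dict[str, Vendor],
                 verified_via_phone: str) -> bool:
    """Apply the change only after a callback to the number on file."""
    vendor = vendors.get(req.vendor)
    if vendor is None or req.status != "pending_callback":
        return False
    if verified_via_phone != vendor.phone_on_file:
        # Verification against any other number (e.g. one from the email) does not count.
        req.notes.append("verification was not made to the number on file; change stays pending")
        return False
    vendor.bank_account = req.new_bank_account
    req.status = "applied"
    return True


if __name__ == "__main__":
    vendors = sample_vendors()
    # Constructed request: arrives from the vendor's real domain and offers a new callback number.
    req = ChangeRequest("Acme Supply", "ap@acme-supply.example", "999888777", "+1-555-0199")
    assess(req, vendors)
    print(req.status, req.notes)
    print("applied via email's number:", apply_change(req, vendors, "+1-555-0199"))
    print("applied via number on file:", apply_change(req, vendors, "+1-555-0100"))
```

The point of the design is that nothing an attacker can put in the email (sender address, urgency, a helpful callback number) can move a request past `pending_callback`; only a verification step that uses data the attacker cannot influence does.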
An investigative report recently issued by the Securities and Exchange Commission (SEC) highlighted nine public companies that were victims of cyber-related frauds. Each company lost at least $1 million, two lost more than $30 million and in all, the nine lost nearly $100 million – with almost nothing recovered.
How could this happen? That is exactly what the report examined, along with whether the companies violated federal securities laws by failing to implement a sufficient internal accounting controls infrastructure.
While the organizations under scrutiny were not subject to SEC enforcement actions, the report highlighted that public companies could still be liable for federal securities violations if steps are not taken to protect internal accounting controls from cyber threats.
The schemes in question were all business email compromises (BECs), which the FBI estimates to be a $5 billion industry since 2013.
So what does a BEC look like? According to the FBI, there are five major types of BEC scams:
- Business Working with a Foreign Supplier
- Business Executive Receiving or Initiating a Request for a Wire Transfer
- Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
- Business Executive and Attorney Impersonation
- Data Theft
To go a step further, let’s break down what a typical business email compromise looks like:
Is your organization at risk for a BEC attack? Companies of any size, private or public, need to actively maintain internal accounting controls that safeguard assets from cyber thieves.
A strong cybersecurity program protects against enterprise-wide risks that can harm a business through legal exposure, direct expense, and brand and reputation damage.
As a controls-based organization, Stinnett assists companies of all cybersecurity maturity levels. Our cyber experts are always ready to discuss a customized solution to make account takeovers more difficult for cyber thieves targeting your business.