Free Republic
Browse · Search
News/Activism
Topics · Post Article


Business E-Mail Compromise--An Emerging Global Threat
FBI ^ | August 28, 2015

Posted on 08/31/2015 6:51:15 PM PDT by Brad from Tennessee

The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.

“It was not unusual for me to receive e-mails requesting a transfer of funds,” the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization—including her CEO’s signature over the company’s seal—and followed the instructions to wire more than $737,000 to a bank in China.

The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.

The company was the victim of a business e-mail compromise (BEC), a growing financial fraud that is more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide. . .

(Excerpt) Read more at fbi.gov ...


TOPICS: Extended News

1 posted on 08/31/2015 6:51:15 PM PDT by Brad from Tennessee

To: Brad from Tennessee

2 posted on 08/31/2015 6:54:28 PM PDT by SamAdams76 (We gave GOP the majority to take care of business and they let us down. Time for Trump/Cruz)

To: Brad from Tennessee

Smart executives take some basic precautions to guard against this kind of fraud. The essential first step is to keep all email on a private server in some guy’s bathroom.


3 posted on 08/31/2015 6:55:31 PM PDT by ClearCase_guy (Cruz is still my #1, but Trump is impressing the hell out of me.)

To: Brad from Tennessee

Solution 20 years ago is digital certificates to sign email (side benefit: recipient’s public key can be used to encrypt email). 20 years later there are other secure messaging solutions but good old signed email is still there waiting for those bankers to start using it.


4 posted on 08/31/2015 6:56:28 PM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)

To: Brad from Tennessee

“Further assisting the perpetrators, the website also listed the company’s executive officers and their e-mail addresses and identified specific global media events the CEO would attend during the calendar year.”

A little common sense can also be helpful in preventing this sort of thing.


5 posted on 08/31/2015 7:02:10 PM PDT by Junk Silver

To: Brad from Tennessee

6 posted on 08/31/2015 7:11:02 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway-Enjoy Yourself ala Louis Prima)

To: Junk Silver

No prior notice. Oh, I sat on it. I sit on everything out of the ordinary. My boss doesn’t yet know but he’s learning. When I sit on it, it is a sit on. He will learn to not get upset; no matter who it is and how high up they are barking, it’s still a sit on. He only 95% trusts my judgment. And I have no finesse. He assumes I’m just not being nice, just sitting.


7 posted on 08/31/2015 7:13:23 PM PDT by kvanbrunt2 (civil law: commanding what is right and prohibiting what is wrong Blackstone Commentaries I p44)

To: Brad from Tennessee

And that really is not a lot of money.


8 posted on 08/31/2015 7:15:08 PM PDT by kvanbrunt2 (civil law: commanding what is right and prohibiting what is wrong Blackstone Commentaries I p44)

To: Brad from Tennessee

And again, an email from my boss while he is wherever would be deleted like a fart at a wedding. My first pass is that he is going on a permanent vacation.


9 posted on 08/31/2015 7:20:16 PM PDT by kvanbrunt2 (civil law: commanding what is right and prohibiting what is wrong Blackstone Commentaries I p44)

To: Brad from Tennessee

Even our CEO/President had a “spending limit” without approval. I am sure it was higher than my $2,000... But it sure as hell was a or less than $500,000 without a co-sign of the CFO. And if the deal was THAT big and important, the person signing off on the wire would know about it.

I know it’s the 21st century, but has everyone forgotten what financial “controls” are?


10 posted on 08/31/2015 7:21:49 PM PDT by Vermont Lt

To: SamAdams76

Funny Ted meme...lol


11 posted on 08/31/2015 7:42:15 PM PDT by jsanders2001

To: Brad from Tennessee

Cryptography could have aided greatly in detecting this kind of fraud. It shocks me that in 2015, public key cryptography is not routinely used to authenticate a sender’s validity.


12 posted on 08/31/2015 7:57:34 PM PDT by zeugma (Zaphod Beeblebrox for president! Or Cruz if Zaphod is unavailable.)

To: palmer

Most email within a company’s domain is considered secure without certificates etc. Normally issues arise from out of network email.


13 posted on 08/31/2015 7:58:55 PM PDT by gunnut

To: Brad from Tennessee

Corporate best practices 101 - Don’t send three quarters of a million dollars without at least a phone call.


14 posted on 08/31/2015 8:16:06 PM PDT by HoosierDammit ("When that big rock n' roll clock strikes 12, I will be buried with my Tele on!" Bruce Springsteen)

To: Vermont Lt

Not at my company.


15 posted on 08/31/2015 8:33:21 PM PDT by ProtectOurFreedom (For those who understand, no explanation is needed. For those who do not, no explanation is possible)

To: SamAdams76

16 posted on 08/31/2015 9:39:46 PM PDT by Rodamala

To: HoosierDammit

Exactly.

Making a confirmation call isn’t too much to ask.


17 posted on 08/31/2015 10:18:34 PM PDT by DB

To: gunnut

That’s generally true and that can have link security, but it’s not really secure.


18 posted on 09/01/2015 1:42:53 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)

To: Vermont Lt

I suspect that as companies trimmed staff the controls requiring input from multiple people have fallen by the wayside. Many of the controls in terms of segregation of duties collapse as companies contract.


19 posted on 09/01/2015 3:18:37 AM PDT by kearnyirish2 (Affirmative action is economic warfare against white males (and therefore white families).)

To: kearnyirish2

I used to think the controls were stupid. Then I started working with our comptrollers and auditors. I had an auditor come into the office and he showed me all of the ways the front line people were “ripping us off.”

For example, the cash drawers were sometimes off in multiples of the cost of a soda from the company soda machine. Sometimes the work orders were for houses right next to each other...and the tech took “travel time” from one place to the other.

I embraced controls, not because I wanted to be a jerk, but because it meant I could trust my numbers and my people. And after that, we never had a “recurring” theft.

Then I went to work at a bank. Talk about a place with controls. And the security guys wouldn’t even talk to me about what they would catch. It took years for them to start telling me stories.

In short, if you give anyone around money the opportunity—sooner or later someone is going to try to steal from you. But they don’t realize that there is nothing new under the sun. And most of the time you will get caught.

These “internet” hacks are almost ALL inside jobs.


20 posted on 09/01/2015 6:27:13 AM PDT by Vermont Lt