How CPAs, CFOs, Finance Staff Can Fight Off Executive Impersonation Cyber Attacks

The American Institute of CPAs (AICPA) is looking to better equip CPAs, finance chiefs and their staffs across all industry sectors with measures to fight off cyber attacks that involve impersonating executives in order to get employees to transfer large sums of money between subsidiaries or to suppliers on behalf of the company. This type of cyber crime is part of a growing risk known as business email compromise (BEC), a topic we discussed previously. Now the AICPA has published a fraud report to help stem these types of losses.

Specifically, an executive impersonation scam involves an email being sent from an executive to a subordinate asking for a wire transfer or payment to a new bank. The attackers tend to target companies with foreign suppliers or units that regularly perform wire transfers to foreign banks, and strike when executives are travelling and cannot be reached. Finance chiefs and their staff are particularly popular targets for this type of attack, because of their access to company accounts.

“The top concern for company stakeholders is that this type of cyber attack persuades employees to ignore internal controls around making payments,” said Annette Stalker, chair of the AICPA’s Forensic and Litigation Services Committee, in a written statement. “Executive impersonation bypasses the security systems that company IT departments have put in place to neutralize cyber attacks by going where companies and their employees are most vulnerable, their email systems,” she added.

Key characteristics of an email impersonating an executive include the following:

  • Email requests come from a senior (C-suite) executive or a key vendor or supplier.
  • The email address is substantially similar to the purported sender’s address, with small, subtle differences. For example, if the actual address is CEO@abcdeco.com, the impersonator address might be CEO@abcedco.com. Alternatively, the email display name may appear correct, but when the cursor hovers over the email address, a different underlying address is displayed.
  • Requests occur when the executive is traveling and cannot be contacted.
  • There is an element of urgency or secrecy regarding the disbursement.
  • The amount is within the typical range of transactions so as not to raise a red flag.
  • Other employees are referred to or copied in the email; however, their email addresses are also modified.
  • Requested payments are payable to a foreign bank.

The AICPA has outlined several practical measures to help combat BEC schemes:

  • Awareness and discussion of the risks involved with BEC scams with all departments is key. This includes anyone involved in the payment of funds, including IT, treasury and purchasing. Be sure they are kept continually abreast of the various types of impersonation schemes.
  • Training should begin with the on-boarding process of new hires for the accounting and finance functions. Some or all of these people may be in a position to authorize, initiate, or record wire transfers. Encourage a healthy level of skepticism in finance and treasury employees, and establish procedures to verify the origin of all wire requests. Remind all employees to use the company fraud hotline to anonymously report suspicious activity without fear of retaliation.
  • Keep the issue front and center. This may involve sending a periodic newsletter to accounting and finance that highlights recent frauds perpetrated against companies as a reminder that the need for vigilance is constant.

Employ Robust Best Practices

Be sure to review policies and procedures for requesting, initiating and approving wire transfers. Email requests should be verified by phone calls to company-registered phones, and two employees should be assigned to approve wire requests and authenticate the recipient’s identity before the wire is released. Also, conduct a risk assessment of the wire transfer process to identify weaknesses that could be exploited. In addition, consider engaging a cybersecurity firm to perform a penetration test of the company’s firewalls, email, security software, operating systems and browsers. Flag incoming emails with domains that are similar, but not identical, to those of the company. Identify “look-alike” domains and register them in the name of the company to prevent hackers from attempting BEC attacks.
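The look-alike address and display-name tricks listed above, together with the advice here to flag domains that are similar but not identical to the company's, can be turned into a simple inbound-mail check. The Python below is an added example, not the AICPA's or Axis's code; it assumes a company domain of abcdeco.com (the article's illustration), a hypothetical executive directory, and a two-edit similarity threshold.

```python
import email.utils

# Constructed values for this example; abcdeco.com is the article's illustration
COMPANY_DOMAIN = "abcdeco.com"
EXECUTIVES = {"jane doe": "jane.doe@abcdeco.com"}  # hypothetical directory
MAX_EDITS = 2  # domains within this many edits of ours count as look-alikes


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so abcdeco -> abcedco counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header: str) -> str:
    """Label a From: header as internal, lookalike-domain,
    display-name-spoof, or external."""
    name, address = email.utils.parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if domain == COMPANY_DOMAIN:
        return "internal"
    # Visually similar domain such as abcedco.com or abcdeco.co
    if domain and edit_distance(domain, COMPANY_DOMAIN) <= MAX_EDITS:
        return "lookalike-domain"
    # Display name of a known executive over an unrelated underlying address
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    if expected and address != expected:
        return "display-name-spoof"
    return "external"


def flag_inbox(headers):
    """Return (header, label) for every sender a reviewer should look at."""
    labelled = ((h, classify_sender(h)) for h in headers)
    return [(h, lab) for h, lab in labelled if lab not in ("internal", "external")]
```

Feed `flag_inbox` the From: headers of incoming payment-related mail and route anything it returns to the out-of-band phone verification the article recommends.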

Equally important is examining your insurance program and whether it includes Cyber Liability insurance, including coverage for fraud, data breach, ransomware and losses arising from denial-of-service attacks. Axis Insurance Services specializes in providing companies with Crime and Cyber Liability insurance coverages and can assist you in reviewing your current program and what gaps, if any, may exist. Just give us a call at (877) 787-5258.

Blogged on: October 4, 2016 by Mike Smith