United States

Risk assessment: Email scams


As discussed in an SEC investigative report, it is important for companies to consider cyber threats when implementing internal accounting control. Specifically noted in the report was an increasingly pervasive problem of companies falling victim to cyber fraud through email scams. In those frauds, perpetrators posing as company executives or vendors used emails to dupe company personnel into wiring large sums of money to bank accounts controlled by the perpetrators. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. In total, the nine public companies that were victims of the email scams wired nearly $100 million to fake recipients as a result of the frauds, most of which was not recoverable.

Because email scams are an increasingly familiar problem, especially for companies engaged in transactions with foreign customers or suppliers, it is important to thoughtfully consider the risks associated with these types of issues. When establishing controls related to fraud and cybersecurity, matters to consider include the following, among others:

  • Does the company engage in transactions with foreign customers or suppliers, such that its exposure to significant risks and financial losses through email scams is greater?
  • Has the company calibrated its internal accounting controls to the current risk environment and assessed and adjusted its policies and procedures accordingly? For example:
    • What controls are in place when personnel are asked to initiate changes to vendors’ banking information?
    • Are there dual-authorization requirements for wire payments?
    • Are account reconciliation procedures such that a misdirected payment would be detected?
    • Does the company have appropriate technology in place to help block phishing emails?
  • Have employees been trained about how to recognize scam emails that superficially appear to be legitimate (e.g., through poor grammar or spelling, generic greetings, urgent language, etc.)?
  • Does the company send “test” emails to its employees to determine whether they would recognize a scam email?
  • What measures do the company’s major vendors have in place to prevent hacking of their email accounts that could result in illegitimate requests for payments or payment-processing details?