SEC Investigation Into Email Fraud Finds 9 Businesses Lost Nearly $100 Million Total
Targeted businesses were in industries ranging from technology, machinery, real estate, energy, financial, to consumer goods.
Following an investigative report into cases of enterprise grade cyber threats, the Security Exchange Commission (SEC) warned public companies to “consider cyber threats when implementing internal accounting controls.”
Specifically, the SEC identified cases of “business email compromises” (BECs) where nine companies wired a combined total of close to $100 million to fraudulent actors. In many cases the lost funds were unable to be recovered. In accordance with Section 13(b)(2)(B) of the Securities Exchange Act of 1934, public issuers are required to continuously calibrate internal accounting controls to meet the current threat level of the environment.
Based on the SEC report, in cases where the thefts were successful the perpetrators of the phishing attacks used language to indicate that transfers were related to time sensitive deals, under the auspices of SEC compliance or related to some other government oversight, and stressed the importance of keeping other employees out of the loop for security reasons.
Although the companies in the spotlight failed to fend off the email threats, the SEC has not filed any charges against those companies or employees.
“In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” said Stephanie Avakian, Co-Director of the SEC Enforcement Division.
Rather than be a scare tactic, the report is a wakeup call to companies to keep their guard and audit their security practices, which makes sense; the FBI provided an estimate that indicates BECs alone accounted for over $5 billion in losses since 2013.
“By this report, the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.”
As National Cybersecurity Awareness Month continues, MetaCert Protocol is serving the public with free tools designed to put an end to phishing on the internet. Our latest tool, is designed to warn you against threats in your email. A verified link will have a green shield next to it, while a red shield will show up beside a phishing link. If a link has a grey shield beside it, you know to think twice before clicking, because it hasn’t been validated, and might be a scam.
The tool currently works on Apple Mail and Mozilla’s desktop client, Thunderbird, with support coming for Gmail, Samsung, and Outlook mail services soon. Right now we are inviting members of our community to join open registration to beta test this security tool for email as we roll it out across mail services.
MetaCert Protocol is the new shield of trust for the internet. If you want to find out more about how MetaCert Protocol powers tools that help to protect over 1 million members of the cryptocurrency ecosystem, join us on Telegram: https://t.me/metacert, read our white paper and technical paper, and don’t forget to follow us @MetaCert on Twitter.
MetaCert Protocol is decentralizing cybersecurity for the Internet, by defining ownership and URL classification information about domain names, applications, bots, crypto wallet addresses, social media accounts and APIs. The Protocol’s registry can be used by ISPs, routers, Wi-Fi hotspots, crypto wallets and exchanges, mobile devices, browsers and apps, to help address cyber threats such as phishing, malware, brand protection, child safety and news credibility. Think of MetaCert Protocol as the modern version of the outdated browser padlock and whois database combined.