September 29, 2022

Volume XII, Number 272


SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls

The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in "business email compromises" that are victimizing organizations across industry sectors.

On October 16, 2018, the SEC released a "Report of Investigation" calling for public companies to reassess their internal accounting controls "in light of emerging risks, including risks arising from cyber-related frauds."  In particular, the report focuses on certain types of "business email compromises" (BECs), in which a bad actor uses spoofed or compromised email accounts to trick an organization's personnel into effectuating wire transfers to financial accounts controlled by fraudsters.

The report was prompted by the SEC's investigation into whether nine public companies violated U.S. securities laws "by failing to have sufficient accounting controls" to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel.  The nine companies were victimized by one of two variants of the BEC scheme, involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.

Emails from Fake Executives – A person purporting to be a company executive (usually a CEO or CFO) used a spoofed email domain and address to direct mid-level finance personnel to work with a purported outside attorney (copied on the email) to effectuate large wire transfers to foreign bank accounts controlled by the perpetrators.  The perpetrators used real attorney and law firm names, and emphasized the need for secrecy and time sensitivity in completing the wire transfers that were purportedly related to foreign transactions or acquisitions. The SEC characterized the emails as "not sophisticated frauds," requiring only the creation of a spoofed email address. 

Emails from Fake Vendors – Perpetrators hacked into and took over the email accounts of actual employees of foreign vendors of the company. They then communicated with company personnel via the compromised vendor email accounts, redirecting wire transfers for actual transactions to accounts under the perpetrators' control. 

The nine companies were members of various sectors, including technology, machinery, real estate, energy, financial services, and consumer goods. Each of the nine companies lost at least $1 million; two lost more than $30 million. One company made more than 14 wire payments requested by a fraudster impersonating a company executive—resulting in more than $45 million in losses. Virtually none of the funds were recovered in any of the cases.

The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that "[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws." (See our prior alert and blog post regarding the Interpretive Guidance).

The SEC advised companies to "pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds."

Under Section 13(b)(2)(B)(i) and (iii), these internal controls must reasonably assure that:

  • transactions are executed in accordance with management's general or specific authorization; and

  • access to assets is permitted only in accordance with management's general or specific authorization.

The SEC emphasized that these fraud schemes were not particularly sophisticated. They were widely successful, though, because they used "technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective." The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was in employee interpretation of these controls as capable of being satisfied solely through electronic communications—along with their failure to recognize obvious indications of fraud in the emails.   

The message from this report is remarkably explicit—namely, that internal controls are not static and public companies should continuously refresh their internal control environment to take into consideration known threats. Going forward, public companies must have in place internal controls that are geared toward detecting BECs and by extension other types of cybersecurity frauds. The failure to have such controls likely will be deemed a violation of the Exchange Act subjecting companies to the full panoply of possible SEC sanctions including fines, supervision and debarment of responsible officers from holding public company officer or director positions.

Although the SEC gave no indication what the severity of any possible future punitive actions might be, it stressed that the nine companies it looked into had lost $100 million and that the FBI estimated that such fraud cost companies more than $5 billion since 2013. It further emphasized that investors rely on public issuers to implement internal controls to appropriately address these issues. Additionally, public companies should expect that their auditors will take seriously the SEC's investigative report (similar to what occurred with respect to the SEC's Netflix 21(a) report on social media and Regulation FD) and closely scrutinize whether proper internal controls are in place to stop BEC cyber fraud and other types of cyber fraud as well. Failure to have such controls may require a report of material weakness in internal controls and/or a refusal by accounting firms to sign off on financial statements. Finally, it can also be expected that the absence of such controls will lead to both private securities fraud lawsuits under Section 11 of the Securities Act and Section 10(b) of the Exchange Act, as well as a spate of derivative lawsuits. The SEC's report makes clear that this is not only a consumer fraud issue but one of the integrity of the public markets, as well.

This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016. 

The FBI has published a checklist of steps that organizations can take to prevent and respond to BECs.  Below are the FBI's tips, and some of our own:

Steps to Prevent BECs

  • Consider a method other than email of transmitting wire transfer instructions.

  • Do not allow any wire transfer to occur based solely on email communications.

  • Ensure company policies provide for appropriate verification of any wire transfer and any changes to existing invoices, bank deposit information, and contact information.

  • Carefully scrutinize all email requests for transfer of funds to determine if the requests are unusual.

  • Verify wire transfers and any changes in vendor payment location by requiring a second, independent check, such as secondary sign-off by company personnel, before the payment is released.

  • Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the email request.

  • Consider using passcodes known only to both parties in a proposed wire transaction—and that are not contained in email communications.

  • Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, legitimate email of would flag fraudulent email of

  • Create an email rule to flag email communications where the "reply" email address is different from the "from" email address shown.

  • Color-code or add banners to emails based on whether they are transmitted from employee/internal accounts or non-employee/external accounts.

  • Frequently monitor your email Exchange server for changes in configuration and custom rules for specific accounts.

  • Conduct end-user education and training on the BEC threat and how to identify a spear phishing email.

  • Create and publicize detection and response protocols for any employee who suspects an attempted or successful BEC.
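The email-rule items above (flag lookalike sender domains, flag a Reply-To that differs from the From address, tag external senders, and watch for the urgency and secrecy language the SEC described) can be expressed as a small triage check run over inbound messages. The following is an added example written for this page, not code from the FBI, the SEC, or the authors; the company domain `example.com`, the homoglyph table, the keyword list, and the three sample messages are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # hypothetical; substitute the organization's own domain

# Character swaps commonly seen in lookalike domains (assumed, not exhaustive)
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Wording the SEC report associates with the fake-executive variant (assumed list)
_PRESSURE_WORDS = ("urgent", "confidential", "secrecy", "time sensitive", "wire")


def _normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so examp1e.com compares equal to example.com."""
    domain = domain.lower()
    for bad, good in _HOMOGLYPHS.items():
        domain = domain.replace(bad, good)
    return domain


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    """Extract the domain part of an address header such as '"Jane Doe, CEO" <x@y.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True if the sender domain imitates the company domain without being it."""
    if not domain or domain == company:
        return False
    if _normalize(domain) == _normalize(company):
        return True
    if _edit_distance(domain, company) <= 2:
        return True
    # Company name reused as a label elsewhere, e.g. example-com.net or mail.example.com.evil.net
    company_name = company.split(".")[0]
    return company_name in re.split(r"[.-]", domain)


def analyze(raw_message: str, company: str = COMPANY_DOMAIN) -> list:
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()

    flags = []
    if from_domain != company:
        flags.append("EXTERNAL_SENDER")            # basis for an external-sender banner
    if is_lookalike(from_domain, company):
        flags.append("LOOKALIKE_DOMAIN")           # spoofed executive domain
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("REPLY_TO_MISMATCH")          # replies silently go elsewhere
    if any(word in text for word in _PRESSURE_WORDS):
        flags.append("URGENCY_OR_SECRECY_LANGUAGE")
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_SPOOFED_EXEC = """From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@webmail-example.net>
To: accounts.payable@example.com
Subject: URGENT and confidential wire

Please work with outside counsel copied here and keep this strictly confidential.
"""

SAMPLE_VENDOR = """From: billing@vendor-corp.net
To: accounts.payable@example.com
Subject: Invoice for PO 4471

Attached is the invoice for PO 4471.
"""

SAMPLE_INTERNAL = """From: cfo@example.com
To: accounts.payable@example.com
Subject: Q3 budget

Please see the attached Q3 budget.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed exec", SAMPLE_SPOOFED_EXEC),
                         ("vendor", SAMPLE_VENDOR), ("internal", SAMPLE_INTERNAL)]:
        print(f"{name}: {analyze(sample)}")
```

The flags are inputs to a mail-flow rule or SIEM alert, not a verdict: a vendor message that is merely external is expected, while a lookalike domain or a Reply-To pointing somewhere else should route the message for out-of-band verification. The edit-distance threshold of 2 will over-match short domains (for instance `sample.com` against `example.com`), so tune it, or restrict it to domains of similar length, before using it to block rather than flag.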

Steps to Take When Responding to BECs

  • Immediately contact the originating bank and request a wire recall.

  • Immediately file a complaint with the FBI's Internet Crime Complaint Center and alert your local FBI office (local police are unlikely to be able to help).  Provide the following information:

    • Any messages pertaining to the attack

    • Victim information

    • Overall losses associated with the BEC

    • If a payment associated with the attack was sent, provide transaction details

    • Victim impact statement (e.g., impacted services/operations)

    • IP addresses used to send fraudulent emails

  • Save all messages and evidence associated with the incident.

Copyright © by Ballard Spahr LLP. National Law Review, Volume VIII, Number 295

About this Author

Norman Goldberger, Ballard Spahr Law Firm, Philadelphia, Corporate, Cybersecurity and Litigation Law Attorney

M. Norman Goldberger is the Practice Leader of Ballard Spahr's Securities Enforcement and Corporate Governance Litigation Group. Norman concentrates on complex commercial matters, including securities litigation, consumer fraud class actions, restrictive covenants, derivative actions, internal investigations, False Claims Act litigation, RICO litigation, and issues relating to the availability of insurance coverage for commercial litigation matters.

Norman has represented clients ranging from start-ups to Fortune 500 public clients in industries...

Edward McAndrew, Ballard Spahr, Philadelphia, Washington DC, Data Security, Privacy

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...

Terence Grugan, Attorney, Ballard

Terence M. Grugan is an associate in the firm's White Collar Defense/Internal Investigations and Commercial Litigation Practice Groups. In his white collar practice, Terence represents individuals and entities who are targets, subjects, or witnesses in criminal, regulatory, or administrative government investigations, including investigations conducted by the Department of Justice, Internal Revenue Service, Securities and Exchange Commission, state attorneys general, local, state, or federal inspectors general, and local law enforcement. Terence has defended clients from...

Peter Hennessey, Ballard Spahr Law Firm, Philadelphia, Finance Law Attorney

Peter W. Hennessey is an experienced corporate and securities attorney who represents public and private companies, investment banks, and venture capital firms in a broad range of capital markets transactions. Peter handles initial public, follow-on, and secondary equity offerings, and investment-grade, high-yield, and convertible debt offerings.

Peter represents public and private companies in general corporate and securities law matters, Sarbanes-Oxley compliance, and exchange-listing standards. He advises public companies on stock exchange...