Nine companies lost $1 million or more apiece to cyber fraud

The U.S. Securities and Exchange Commission report issued last month investigated whether public issuers who were cyber fraud victims violated federal securities laws because of inadequate internal accounting controls.

The nine unidentified firms discussed in the report, who have not been charged by the SEC, lost at least $1 million each. They included one that made 14 wire payments requested by a fake executive that resulted in more than $45 million in losses before the fraud was uncovered by a foreign bank.

Another company paid eight invoices totaling $1.5 million over several months because of manipulated email, and only discovered the theft when the real vendor complained about past-due invoices.

The frauds, which cut across all industry sectors, are of two types. The first are emails from fake executives that directed companies’ finance personnel to work with a purported outside attorney who then had them wire large amounts

to foreign bank accounts controlled by the perpetrators. “These were not sophisticated frauds in general design or the use of technology,” said the report.

The second, more sophisticated, technique required intrusion into foreign vendors’ email accounts. After hacking into these accounts, the criminals inserted illegitimate requests for payments into what were otherwise legitimate transaction requests.

All the firms had procedures requiring authorizations for payment requests, but these were interpreted by personnel to mean electronic communications were sufficient for them to proceed with the criminals’ directions.

The firms later bolstered their payment authorization procedures and verification requirements, according to the report.