"How could anyone be so [insert adjectives] as to fall for that?" It's easy to judge in retrospect, yet highly educated financial executives in sophisticated companies are wiring money to unknown bank accounts in China, Turkey, the Caymans … only to learn later the "executive" who made the request to wire the money was an imposter.
A company president received an email from the founder's wife requesting a transfer of $150,000 to her bank account so that she could purchase a particular painting as a birthday present for her husband. The president looked up the painting online, saw that the painting did exist, though he found it curious that this particular piece of art would sell for such a price. He asked his chief financial officer (CFO) to look into it. When the CFO called the owner's wife, she indicated that she had made no such request and that was not her bank account number.
Some crooks have become quite clever. We've all received poorly worded emails full of grammar errors luring us to click on a link to an odd Web address. But in this example, the sender implemented a ruse (a real painting) and misdirection (the owner's wife) to add layers of complexity that made the request seem authentic.
Most importantly, the sender demonstrated a fundamental understanding of human nature. People inherently balk at questioning authority, and we tend to override our internal alarms and bypass details when we are called to hurry. How about questioning the owner's wife? Over an upcoming birthday?
Still, the executives did what they needed to do: they called to confirm the request and avoided an embarrassing and costly error.
Mattel's finance executive saw an email from their CEO as unremarkable: a request for a new vendor payment to China. The CEO had officially taken over only that month, and Barbie doll sales in China were bombing. So, the finance executive saw this as a chance to please her new boss. She followed the procedure: fund transfers required approval from two executives. She qualified, and so did the CEO.
Satisfied, the finance executive wired over $3 million to the Bank of Wenzhou in China. Later, she mentioned the payment to the CEO, who told her he hadn't made any such request. Frantic, Mattel executives called their US bank, the police, and the Federal Bureau of Investigation (FBI). The response: you're out of luck; the money is already in China.
Mattel notified the Chinese police, who quickly launched a criminal investigation. When the Bank of Wenzhou opened the following Monday, a China-based antifraud executive from Mattel presented a letter from the FBI to the bank's international business department. Chinese police froze the account that very morning. A few days later, Mattel got its money back.[1]
Ubiquiti Networks, Inc., was not so fortunate. They disclosed the following in their 8-K.
On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties … the Company has recovered $8.1 million of the amounts transferred. Furthermore, an additional $6.8 million of the amounts transferred are currently subject to legal injunction and reasonably expected to be recovered by the Company in due course. The Company is continuing to pursue the recovery of the remaining $31.8 million.[2]
It is important to note: Ubiquiti's systems were not hacked; the transfers were voluntary.
The statistics gathered by the FBI's Internet Crime Complaint Center (IC3) for 2018 show that Internet-enabled theft, fraud, and exploitation were responsible for $2.7 billion in financial losses that year, up 91 percent from 2017. The most frequently reported complaints were for nonpayment/nondelivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.[3]
What to Do?
If companies are falling for these scams despite internal audit departments, tight controls over wire transfers, and intensive Sarbanes-Oxley documentation of procedures, then what's the problem?
The problem may exist within the human element of your internal control system. Controls are merely window dressing if folks aren't communicating or paying attention to detail. Additionally, controls are far less effective if the process owners do not understand what problems the controls are intended to prevent.
One solution in particular to the fake executive scam seems overly simple, though not necessarily easy: confirm the payment request directly with the person who supposedly made it. Yet, how accessible is a CEO or a board member? And how much time do top executives allot for reviewing details of transactions they are supposed to approve? Have they delegated their approval authority to their assistants?
Therein lie the issues. If an executive is required to sign off on particular transactions, then the onus is on that executive to understand the details of the transaction and to set aside time to talk with subordinates about internal control matters. The responsibility should not be laid on the subordinate to figure out how to pry into the executive's schedule.
To coincide with the 50th anniversary of the moon landing, Apollo 11: First Steps Edition was released in IMAX theaters. For anyone interested in control systems, two subtle aspects were striking about the procedures followed by the astronauts and Flight Control in Houston.
First, they strictly followed their checklists. No detail was overlooked or taken for granted.
Second, when a procedure was communicated between the astronauts and Flight Control, whoever received the communication repeated the sentence exactly as stated. This confirmed the message was received exactly as delivered.
To organizations interested only in "optimization," there is no time to waste on such redundancy; for many, these procedures just seem silly. None of our companies is sending people to the moon.
To executives who are committed to protecting assets from cyber criminals and other crooks, it is wise to build some redundancy and regular checkpoints into the control system. This means an extra set of eyes reviewing transactions with attention to detail, especially those that bear their approval signature. It can also mean employing effective communication techniques to synchronize each party's understanding of a particular transaction.
Internal controls over risky transactions fail for the simplest reasons, such as lazy communications and lack of attention to detail, particularly in the mundane. It helps to regularly discuss problems affecting other companies, such as spoofing and fake executive wire transfer requests. This lets folks know why you have controls over certain transactions, and it also allows leaders to assess whether their controls are sufficient to not only prevent but also detect symptoms of these problems.
Don't just email and text, and don't make your reviews of transactions perfunctory. Invest some time in talking and understanding.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
[1] "Mattel vs. Chinese Cyberthieves," Associated Press, March 29, 2016.
[2] Form 8-K, Ubiquiti Networks, Inc., US Securities and Exchange Commission, August 4, 2015.