The Accounting Policy & Practice Report ® provides financial accounting policy makers, advisors, and practitioners with the latest news, expert insights, and guidance on emerging, evolving,...
By Denise Lugo
Cybercrime, the number one threat U.S. companies face today, has become a nightmare for finance departments because companies neglect to train accountants to practice vigilance against it, Verizon Enterprise Solutions’ Chris Novak told Bloomberg BNA.
Scammers therefore find it easy to exploit human nature and trick busy accountants into handing over millions of dollars, said Novak, global director of the firm’s RISK Team, a group that specializes in cyber investigations.
Companies’ finance divisions are easy scam targets because of the nature of their work, said Novak. Finance departments can’t do their jobs without handling invoices from vendors every day, many of which arrive by email with a PDF or some other attachment that has to be opened.
Companies often aren’t able to recoup the money stolen through such scams, because most organizations don’t notice what has happened until long afterwards, he said. Some losses reach $200 million to $300 million.
Scammers like to use phishing and social engineering, the psychological manipulation of people into performing activities or divulging confidential company information. “They send an email that looks exactly like whoever it is you might normally receive emails from,” said Novak.
“But there’s usually one tiny thing that’s a little bit off, and if you’re not tech savvy you’re not even going to notice it, so you reply or you click on the link to open the attachment,” he said. Once the scammers have the password, they can log in remotely.
Retailers and banks are the most commonly targeted and most often hit, because of the trillions of transactions that flow through those types of companies. “People know those are the holders of all the funds,” said Novak. “If you can get into a bank or a processor or someone like that who handles a lot of transactions, you can move $10 million or $100 million dollars,” he said.
It’s not too hard to trick employees into giving up their password. One company, said Novak, allowed an accountant to check company emails remotely, which enabled scammers to trick him into letting them access the email account and create a fake email thread.
The scammers changed some of the names and dates, took some of the previously attached invoices, tax forms and the like, and made up fake ones. They then sent an email from the accountant’s mailbox to the chief financial officer saying, “Oops, we’ve got one more of these that needs to be paid in a hurry, please just reply back approved,” said Novak. The fake invoice was for $3 million.
Novak said companies should be extra vigilant to ensure proper training and safeguards are in place to guard against cybercrime. Among steps they can take is to ensure IT departments are consistently on top of educating all divisions to bring continual awareness of how scammers operate.
“Two-factor authentication is something a lot of organizations still do not have but it helps to prevent the social engineering and trickery,” he said.
The other thing Novak recommends is a prefix on emails that come from outside the organization, so an employee can see at a glance that a message originated from an external source. “It helps prevent these situations where people can pretend that they’re the CFO or someone from accounting, because the CFO wouldn’t email from Yahoo, especially if it’s something important,” he said.
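As an added illustration of the external-sender prefix Novak describes (example code written for this page, not from the article or from Verizon), the function below tags the Subject of any message whose sender is outside the organization. It assumes the organization owns example.com, and goes slightly beyond the article by also tagging mail whose Reply-To points outside, treating a missing From header as external, and never tagging twice.

```python
import email
from email import policy
from email.utils import parseaddr

EXTERNAL_TAG = "[EXTERNAL]"

def sender_domain(header_value):
    """Lower-cased domain part of an address header, or '' when absent/unparsable."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_internal(domain, internal_domains):
    """True when the domain is one of ours or a subdomain of one (case-insensitive)."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def tag_external(raw_message, internal_domains):
    """Prefix the Subject with EXTERNAL_TAG when the mail originates outside the organization.

    Returns (message, was_tagged). Defensive choices: a missing or unparsable From
    header counts as external, a Reply-To pointing outside also triggers the tag
    (a reply would leave the organization), and an already-tagged subject is left alone.
    """
    internal = {d.lower() for d in internal_domains}
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    external = (not is_internal(from_dom, internal)
                or (reply_dom != "" and not is_internal(reply_dom, internal)))
    subject = str(msg.get("Subject") or "")
    if not external or subject.startswith(EXTERNAL_TAG):
        return msg, False
    del msg["Subject"]  # Subject is a unique header; remove before re-adding
    msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    return msg, True

# Constructed sample messages (not from the article): a spoofed "CFO" writing from
# a webmail domain, and a genuine internal message from a company subdomain.
SPOOFED_CFO = ('From: "CFO Jane Doe" <jane.doe.cfo@yahoo.com>\n'
               "To: accounts.payable@example.com\n"
               "Subject: Urgent: approve invoice today\n\n"
               "Please reply 'approved' so we can pay the vendor.\n")
INTERNAL_MSG = ("From: Bob <bob@mail.example.com>\n"
                "Subject: Q1 close checklist\n\nSee attached.\n")

if __name__ == "__main__":
    for raw in (SPOOFED_CFO, INTERNAL_MSG):
        msg, tagged = tag_external(raw, {"example.com"})
        print(tagged, msg["Subject"])
```

Note that the tag does nothing for the compromised-mailbox case described earlier in the article, where the fraudulent request genuinely comes from an internal account; that is what the two-factor authentication Novak also recommends is meant to block.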
Many corporations today still lack basic defenses for foiling cyberscams, according to Verizon’s 2016 Data Breach Investigations Report. Sixty-five percent of confirmed data breaches involved the use of weak, default or stolen passwords, the report states.
The topic, which has generated huge interest nationwide, is also being looked at on a much broader scale. The government is tracking it as potentially the cause of the largest ongoing loss the U.S. economy will sustain going forward.
On March 7 the Cybersecurity Disclosure Act of 2017 was introduced by Senator Jack Reed (D-RI) to require public companies to disclose whether they have a board member who is considered a cybersecurity expert advising the company on such issues.
If a company doesn’t have a board member who is a cybersecurity expert, it would have to explain in its disclosure why one is not necessary.
Copyright © 2017 Tax Management Inc. All Rights Reserved.