The Accounting Policy & Practice Report ® provides financial accounting policy makers, advisors, and practitioners with the latest news, expert insights, and guidance on emerging, evolving,...
By Denise Lugo
Cybercrime, the number one threat U.S. companies face today, has become a nightmare for finance departments because companies neglect to train accountants to practice vigilance against it, Verizon Enterprise Solutions’ Chris Novak told Bloomberg BNA.
Scammers therefore find it easy to exploit human nature and trick busy accountants into handing over millions of dollars, said Novak, global director of the firm’s RISK Team, a group that specializes in cyber investigations.
Companies’ finance divisions are easy targets for scams because of the nature of their work, said Novak. Finance departments can’t do their jobs without handling invoices daily from vendors, many of which arrive in an email with a PDF or some other form of attachment they have to open.
Often companies aren’t able to recoup the money stolen through such scams, because most organizations don’t notice what has happened until long afterwards, he said. Some losses reach $200 million to $300 million.
Scammers like to use phishing and social engineering, the psychological manipulation of people into performing activities or divulging confidential company information. “They send an email that looks exactly like whoever it is you might normally receive emails from,” said Novak.
“But there’s usually one tiny thing that’s a little bit off, and if you’re not tech savvy you’re not even going to notice it, so you reply or you click on the link to open the attachment,” he said. Once the scammers have the password they can then log in remotely.
Retailers and banks are the most commonly targeted and hit because of the trillions of transactions that go through those types of companies. “People know those are the holders of all the funds,” said Novak. “If you can get into a bank or a processor or someone like that who handles a lot of transactions, you can move $10 million or $100 million dollars,” he said.
It’s not too hard to trick employees into giving up their password. One company, said Novak, allowed an accountant to check company emails remotely, which enabled scammers to trick him into letting them access the email account and create a fake email thread.
The scammers changed some of the names and dates, took some of the previously attached invoices, tax forms and the like, and made up fake ones. They then sent the email from the accountant’s email box to the chief financial officer saying, “Oops we’ve got one more of these that need to be paid in a hurry, please just reply back approved”, said Novak. The fake invoice was for $3 million.
Novak said companies should be extra vigilant to ensure proper training and safeguards are in place to guard against cybercrime. Among steps they can take is to ensure IT departments are consistently on top of educating all divisions to bring continual awareness of how scammers operate.
“Two-factor authentication is something a lot of organizations still do not have but it helps to prevent the social engineering and trickery,” he said.
The other thing Novak recommends is a prefix on emails so when an employee gets an email from outside of the organization it indicates the message is coming from an external source. “It helps prevent these situations where people can pretend that they’re the CFO or someone from accounting, because the CFO wouldn’t email from Yahoo, especially if it’s something important,” he said.
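The two controls Novak describes above, tagging mail from outside the organization and catching a sender who pretends to be the CFO, can be expressed as a small header check at the mail gateway. The code below is an added example written for this page; it is not Verizon's or Bloomberg BNA's code. The organization domains, the executive directory and the three sample messages are all constructed for the illustration, and the `[EXTERNAL]` tag and the rule for flagging an executive's display name on an outside address are assumptions about how a deployment would configure them.

```python
"""Tag external mail and flag executive display-name impersonation.

Added example (not from the article). Parses a raw RFC 5322 message,
prepends an [EXTERNAL] marker to the Subject when the From address is
not in one of the organization's own domains, and additionally flags a
message whose display name matches a known executive but whose address
is external (the "CFO emailing from a webmail account" case).
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organization domains and executive directory (hypothetical).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # hypothetical CFO
EXTERNAL_TAG = "[EXTERNAL]"


def sender_parts(msg):
    """Return (display_name, address, domain) from the From header.

    A missing or malformed From header yields an empty domain, which is
    treated as external: an unparseable sender is never trusted.
    """
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return " ".join(name.lower().split()), addr, domain


def is_external(domain):
    """True unless the domain is one the organization controls."""
    return domain not in INTERNAL_DOMAINS


def impersonates_executive(name, addr):
    """True when the display name is an executive's but the address is not."""
    expected = EXECUTIVES.get(name)
    return expected is not None and addr != expected


def classify(raw):
    """Return (subject_to_deliver, findings) for one raw message.

    The tag is added only once, so a message that was already tagged
    upstream (for example by a partner's gateway) is not double-tagged.
    """
    msg = message_from_string(raw)
    name, addr, domain = sender_parts(msg)
    subject = msg.get("Subject", "")
    findings = []
    if is_external(domain):
        findings.append("external-sender")
        if not subject.startswith(EXTERNAL_TAG):
            subject = f"{EXTERNAL_TAG} {subject}"
        if impersonates_executive(name, addr):
            findings.append("executive-display-name")
    return subject, findings


# Constructed sample messages (not real traffic).
INTERNAL_MSG = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: ap@example.com\r\n"
    "Subject: Q3 vendor invoices\r\n"
    "\r\nPlease process.\r\n"
)
VENDOR_MSG = (
    "From: Billing <billing@vendor.example>\r\n"
    "To: ap@example.com\r\n"
    "Subject: Invoice 4471\r\n"
    "\r\nAttached.\r\n"
)
SPOOF_MSG = (
    "From: Jane Doe <jane.doe.cfo@freemail.example>\r\n"
    "To: ap@example.com\r\n"
    "Subject: Urgent: one more invoice to approve\r\n"
    "\r\nPlease just reply back approved.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MSG),
                       ("vendor", VENDOR_MSG),
                       ("spoof", SPOOF_MSG)):
        subject, findings = classify(raw)
        print(f"{label:8s} -> {subject!r} {findings}")
```

The display-name check deliberately compares the whole normalized name rather than a substring, so an external sender named "Jane Doe Consulting" is tagged external but not flagged as impersonation; a production rule would tune that to the organization's directory. The subject tag is what the accountant sees in the mail client, which is the cue Novak describes.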
Many corporations today still lack basic defenses against cyberscams, according to Verizon’s 2016 Data Breach Investigations Report. Sixty-five (65) percent of confirmed data breaches involve the use of weak, default or stolen passwords, the report states.
The topic, which has generated huge interest nationwide, is also being looked at on a much broader scale. The government is tracking it as potentially the cause of the largest ongoing loss the U.S. economy will sustain going forward.
On March 7 the Cybersecurity Disclosure Act of 2017 was introduced by Senator Jack Reed (D-RI) to require public companies to disclose whether they have a board member who is considered to be a cybersecurity expert advising the company on such issues.
If a company doesn’t have a board member who is a cybersecurity expert, it would have to explain in its disclosure why one is not necessary.
Copyright © 2017 Tax Management Inc. All Rights Reserved.