You have probably heard about Business Email Compromise (BEC) attacks where scammers pose as company executives and ask the accounting department to wire money to them.
The FBI says this is highly effective and big business, to the tune of $5 billion in losses since 2013.
In fact, the SEC discovered that 9 publicly traded companies collectively wired almost $100 million to scammers.
Is the SEC worried that these companies lost money to bad guys?
No, not exactly.
They ARE worried that these companies violated section 13(b)(2)(B)(i) of the Securities Exchange Act of 1934 which requires some businesses to have appropriate accounting controls in place.
Wouldn’t that be a bit of a bummer to find out that you got fleeced out of $45 million (like one company did) and now you are being investigated over your accounting controls?
The SEC COULD sanction companies for having inadequate financial controls.
In some of the cases investigated, the Chief Accounting Officer was the one who was duped.
The good news is that the SEC has decided that none of THESE companies will be fined.
Whether the number is $100 million for 9 companies or $5 billion over the last 5 years, the number is huge. For any company other than a large publicly traded one, this could be both a resume-generating event for you and an existential threat for your company.
So what can you do?
First of all, if you are responsible for your company’s money, you need to become educated about the problem. Quickly!
You need to train your employees. Not just once, but on a recurring basis. For small companies we have a program we can provide that will allow you to send test emails to all of your employees every day if you want (probably overkill!) for less than $20 per employee per year. It is significantly less for bigger companies, so it is affordable (especially compared to wiring a million dollars to a scammer).
There is insurance that can be purchased to cover this loss. Note that GCL (General Commercial Liability) insurance will not cover this, nor will fidelity insurance. It is specialized insurance, but it is not particularly expensive. If you don’t have it, get it. NOTE: some of these policies have quirks, so make sure you understand what the policy requires you to do in order to get reimbursed.
You also need to create policies and procedures that make it harder for an employee to accidentally wire money to the scammers. Most of the time the scam starts with an email. If you get an email changing payment instructions, you need to verify the change, even though this means extra work. And NO, that does not mean replying to the email and asking ARE YOU SURE? Communicate using a verified communications method.
If this wasn’t so damn profitable, scammers would stop. Your employees are the only ones who can make it unprofitable.
Be part of the solution and save yourself a bucket of money on top of it.