Two recent criminal convictions by New Jersey courts highlight the importance of businesses maintaining corporate accounting controls and cybersecurity training against email compromises. These convictions also re-emphasize the importance of the U.S. Securities and Exchange Commission’s (the “SEC”) cybersecurity guidance issued in 2018, which should be followed when designing and maintaining proper cyber compliance controls.
* * *
I. Recent Cybercrime Convictions
In U.S. v. Espaillat, a New Jersey resident, Lawrence Espaillat, pleaded guilty to conspiracy to commit wire fraud for creating a scheme that enabled him to steal more than $1 million from individual and corporate victims. The scheme entailed creating email addresses that mimicked the legitimate email addresses of supervisory employees at various companies and of vendors that did business with those companies, enticing the corporate victims to transfer funds by wire into bogus bank accounts controlled by Mr. Espaillat and his co-conspirators.
According to the conviction, one corporate victim was found to have transferred approximately $3.8 million into a bogus bank account after receiving a seemingly legitimate email from the company’s vendor, bearing the name and domain of an actual employee. The email stated that the vendor’s typical beneficiary bank had “been placed on hold indefinitely due to an impromptu auditing.” The corporate victim was therefore directed to transfer the balance of any accounts receivable from the typical bank to a bank account controlled by Mr. Espaillat and his co-conspirators.
In U.S. v. Ogunremi, a Nigerian national, Olumide Ogunremi, pleaded guilty to conspiracy to commit wire fraud for his role in a scheme to hack the email systems of U.S. government agencies and General Services Administration vendors. According to the conviction, the scheme used ‘phishing’ attacks that mimicked legitimate e-mails and web pages of U.S. government agencies such as the U.S. Environmental Protection Agency, leading U.S. government employees to visit fake web pages and enter their e-mail account usernames and passwords.
Mr. Ogunremi and his co-conspirators used the stolen credentials to access the employees’ email accounts and place fraudulent orders for office products with various vendors. The scheme was found to have defrauded vendors of nearly $1 million through these fraudulent orders.
II. Different Types of Schemes
In 2018, the SEC issued an investigative report (the “SEC Report”) to ensure that market participants were aware not only of business email compromises but also of their responsibility to maintain internal accounting controls capable of handling various types of cyber threats. The SEC Report outlines two common email schemes that have been employed against corporations, including those used by Mr. Espaillat and Mr. Ogunremi, which landed them in jail.
A. Emails from Fake Executives
As the SEC Report outlines, one type of ‘spoofed’ business email can come from people who purport to be company executives. Scheme perpetrators email company finance personnel, using email domains and addresses of an executive, typically the CEO. The emails appear to be legitimate and direct the finance personnel to work with an outside attorney to cause large wire transfers to foreign bank accounts. Perpetrators have used real law firm and attorney names, and legal services-sounding email domains like “consultant.com,” but in reality, the contact details connect company personnel with an impersonator and co-conspirator. The SEC identified a number of characteristics to help businesses identify this fake executive scheme, including:
- Time Sensitivity – Fake emails describe time-sensitive matters and instruct the recipient to complete the payment within days.
- Secrecy – Fake emails emphasize the need for secrecy from other employees at the company.
- Government Oversight – Perpetrators sometimes imply that the transaction relates to government oversight. For example, one email says that the purported deal is “in coordination with and under the supervision of the SEC.”
- Foreign Transaction – Fraudulent emails state that the funds are needed for foreign transactions or acquisitions and instruct wire transfers be made to foreign banks.
- Midlevel Personnel Recipient – Fraudulent emails are typically sent to people not generally responsible for or involved in the purported transactions, and the recipient is generally not a person who communicates with the executive mentioned in the spoofed email on a regular basis.
B. Emails from Fake Vendors
Another type of cyber fraud identified by the SEC Report involves perpetrators impersonating the victims’ vendors. In this type of scheme, scammers intrude into email accounts of the victims’ foreign vendors. This scheme tends to be more technologically advanced because it uses existing vendors’ email accounts with illegitimate payment requests for otherwise legitimate transactions.
The scammers correspond with personnel responsible for purchasing goods from vendors to get information about real purchase orders and invoices. The perpetrators then ask issuer personnel to change the banking information associated with the vendors and attach new account information associated with the scammer. The scheme relies on the issuer personnel to tell the accounting personnel responsible for maintaining vendor data to change the vendor payment information. The issuers then make payments for legitimate outstanding invoices to accounts controlled by the impersonator, instead of accounts controlled by the actual vendors. This scheme is often more difficult to detect because the targeted company may only learn about the scheme when the real vendor raises concerns about nonpayment of invoices.
This is the technique Mr. Espaillat and his co-conspirators used. Mr. Espaillat used a fake email account purporting to be a vendor to create an excuse for the corporation to wire money to a different bank account than the bank account that the vendor normally used.
III. Recommendations for Compliance Programs
The SEC Report emphasizes that business email frauds often are not sophisticated in design or technology but instead rely on weaknesses in policies and human vulnerabilities. Accordingly, companies must have accounting control systems in place that take into account risks posed by cyber threats and human vulnerabilities to effectively safeguard their assets.
Many companies have procedures in place that require several levels of authorization to facilitate payment requests, management approval for wire transfers, and verification before changes can be made to vendor data, yet they still fall victim to crimes that target these areas. The SEC recommends the following four strategies to thwart fraudulent business emails:
A. Employees Need Better Understanding of Compliance Procedures
Many email frauds succeed because the personnel who fall victim to them do not understand the company’s existing controls. In one case, an accounting employee who received a spoofed email did not follow company procedure for deal authorization when making wire payments and improperly directed subordinates to sign off on the wire transfer request. In another case, an accounting employee did not understand that his company had not given him approval authority at a level reserved for the CFO. It sounds simplistic, but these frauds make clear that companies must ensure that their personnel understand what they are authorized to do and the company procedures governing wire transfers.
B. Higher Level Executives’ Susceptibility
Higher level executives can also fall prey to these schemes and must be aware of their company’s policies and procedures. The SEC Report outlines at least two instances where executive-level employees initiated payments on account of having received a fake executive email.
C. Employee Failure to Recognize Red Flags
Companies must regularly and thoroughly train employees on how to recognize illegitimate emails, since email-based cyber schemes rely heavily on human vulnerability. The SEC Report highlights that although fraudulent emails raised clear red flags, employees often failed to notice the questionable instructions in them. There are numerous instances in which transactions are clearly outside the targeted employee’s domain, including where employees are asked to make multiple payments over several days or weeks, and yet the employees fail to recognize the unconventional payment patterns. For example, in U.S. v. Espaillat, Mr. Espaillat misspelled the traditional vendor’s name when directing the victim to make a payment and requested that over $3 million be paid over just three days, which was not the ordinary business practice of either entity involved.
D. Outgoing Payment Confirmation
Companies should employ a system to double check outgoing payments to ensure that they are not paying fraud perpetrators instead of their intended vendor. In the fake vendor scams, companies often end up paying scam perpetrators instead of their regular vendors for months before realizing the error. Vendors will often give customers a grace period before considering a payment to be delinquent; therefore, the scam can continue for many months before a vendor will notify the issuer about the nonpayment of invoices.
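The red flags listed in section II and the outgoing-payment check described in III.C and III.D, turned into a control that an accounts-payable system could run before releasing a wire or accepting a change to vendor bank details. This is an added example, not code from the alert or the SEC Report; the vendor record, the request fields, the three-payments-in-a-week rule and the dollar figures are constructed assumptions.

```python
# Added example, not code from the alert or the SEC Report; all sample data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class VendorOfRecord:
    name: str
    email_domain: str
    bank_account: str
    typical_payment: float  # usual invoice size, taken from payment history

@dataclass
class PaymentRequest:
    vendor_name: str         # vendor name exactly as written in the email
    sender_domain: str       # domain of the From: address
    bank_account: str        # account the email asks to be paid
    amount: float
    request_date: date
    demands_days: Optional[int] = None  # "pay within N days", if the email says so
    mentions_secrecy: bool = False

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. one dropped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(req: PaymentRequest, vendor: VendorOfRecord,
              recent: List[PaymentRequest]) -> List[str]:
    """Red flags one payment or bank-change request raises against the vendor of record."""
    flags = []
    sender, known = req.sender_domain.lower(), vendor.email_domain.lower()
    if sender != known:
        kind = "lookalike" if edit_distance(sender, known) <= 2 else "unknown"
        flags.append(f"{kind} sender domain")
    # Payments to this vendor within the past week, to catch "$3M over three days" patterns.
    week = sum(r.amount for r in recent if 0 <= (req.request_date - r.request_date).days <= 7)
    checks = [
        (req.vendor_name.lower() != vendor.name.lower(), "vendor name misspelled or changed"),
        (req.bank_account != vendor.bank_account, "bank account differs from vendor of record"),
        (req.demands_days is not None and req.demands_days <= 3, "time pressure"),
        (req.mentions_secrecy, "secrecy requested"),
        (req.amount + week > 3 * vendor.typical_payment, "payment volume far above normal"),
    ]
    return flags + [msg for hit, msg in checks if hit]
```

Any non-empty result should route the request to the out-of-band vendor confirmation step (a call to a number already on file) rather than being left to the recipient's judgement.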
Companies that have faced cyber attacks may have bolstered their compliance procedures by improving account reconciliation procedures, adding outgoing payment notification processes to detect payments resulting from fraud, and enhancing the training of personnel who may face relevant threats. Cyber criminals nevertheless continue to adopt new and creative schemes to perpetrate fraud, and companies must continue to bolster their controls. Companies, regardless of industry or size, must aim to continuously strengthen internal accounting procedures to deal with cyber threats, so they can avoid becoming the target of schemes like those carried out by Mr. Espaillat and Mr. Ogunremi.
Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that “transactions are executed,” and that “access to [company] assets is permitted only in accordance with management’s general or specific authorization.” The SEC stressed that while cyber-related threats are relatively new, “the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.” Therefore, although the SEC has not yet charged or fined companies for internal accounting control failures following phishing attacks, the SEC does expect corporations to continually update and maintain internal accounting controls, and investigations by regulators into corporate accounting practices after a successful phishing attack may be on the horizon.
Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018), available at https://www.sec.gov/litigation/investreport/34-84429.pdf.
Press Release, Dep’t of Justice, Passaic County Man Sentenced to Five Years in Prison for Role in Business Email Compromise Scheme (Oct. 14, 2020), https://www.justice.gov/usao-nj/pr/passaic-county-man-sentenced-five-years-prison-role-business-email-compromise-scheme.
Complaint at 10, U.S. v. Espaillat, Mag. No. 18-1522 (D.N.J. 2018).
Press Release, Dep’t of Justice, Nigerian Man Sentenced to Three Years in Prison for Computer Hacking Scheme that Targeted Government Employees (Sept. 23, 2020), https://www.justice.gov/usao-nj/pr/nigerian-man-sentenced-three-years-prison-computer-hacking-scheme-targeted-government.
See note 2, supra.
Complaint at 10–13, U.S. v. Espaillat, Mag. No. 18-1522 (D.N.J. 2018).
15 U.S.C. § 78m(b)(2)(B)(i) & (iii) (the level of reasonable assurances required under these provisions is defined as such “degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” 15 U.S.C. § 78m(b)(7)).
SEC Report, supra note 2, at 2.