The American Institute of CPAs has issued a new report on the growing threat of “executive impersonation,” in which criminals claiming to be corporate executives convince employees to send them sensitive documents and company information.
In the report, the AICPA noted that last year, the FBI’s Internet Crime Complaint Center issued a series of public service announcements warning about how criminals were using company email systems to steal funds. The FBI estimates U.S. businesses lost $179 million in 2014 in such scams. With awareness of the scheme growing, the scammers are now running a more sophisticated version of what has come to be known as “spearphishing,” in which fraudulent emails are sent to company employees in an effort to convince them to send information such as account numbers and access codes. In this more advanced form of the scheme, the criminal does more research in order to impersonate a corporate executive successfully.
The AICPA recommends accountants become more aware of the risks and discuss them with clients and companies. Employees should be trained to beware of the risks, including during the onboarding process for new hires in the accounting and finance departments. Repetition is important, as a single training session can quickly fade from employees’ memories.
CPAs can also help their clients improve their financial controls to safeguard against such risks. During a Sarbanes-Oxley audit of internal controls over financial reporting, they can help clients tighten their controls for specific procedures such as wire transfers initiated by emails.
The AICPA has been making more of an effort to raise CPAs’ awareness of cybersecurity issues. Earlier this week, the Institute’s Assurance Services Executive Committee released for comment two proposed sets of criteria on cybersecurity risk management and trust services (see AICPA Proposes Criteria for Cybersecurity Risk Management).
The AICPA’s partner organization, the Center for Audit Quality, has also been working on making accountants and auditors more aware of cybersecurity issues. The CAQ recently contributed a chapter to a new book on cybersecurity from the Internet Security Alliance, “Social Contract 3.0: Implementing a Market-Based Model for Cybersecurity.” The CAQ’s chapter was about “A New Model for Cybersecurity and Auditing.”
“Given its prominence for investors and markets, cybersecurity has been a top priority for the Center for Audit Quality,” said CAQ Executive Director Cindy Fornelli in a statement. “Auditors can expand their role in accordance with time-tested assurance frameworks, thus bringing the profession’s many strengths to bear on today’s cybersecurity challenges.”