Email spam may be looked at as the poor cousin to bigger hacking episodes, but a new study by the Securities and Exchange Commission states that "spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem." In fact, the FBI's 2017 Internet Crime Report stated that "business email compromises" caused more than $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017, "the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period," the SEC report stated.
Experts long have said spam is the first wave of cyberattacks, and in its investigation, the SEC wanted to see how firms were devising and maintaining internal accounting controls that were adequately protecting company assets.
Although the SEC is not pursuing enforcement actions against those who have been victims of this fraud, it wanted to warn firms about what spam attacks have done and how they've been perpetrated.
This type of cyberattack covered all sectors, from financial to technology to real estate to energy and others, the report stated. Each of the nine companies studied lost at least $1 million, and two lost more than $30 million. Together, the nine firms alone lost $100 million due to spoofing fraud.
Many times the company didn't know it was a victim until a third party, such as a foreign bank or law enforcement agency, uncovered it. And sometimes the fraud took several weeks to detect. For example, one company made 14 wire payments totaling $45 million requested by a fake executive over several weeks, until a foreign bank alerted the firm. Another paid eight invoices totaling $1.5 million over several months in response to a vendor's manipulated electronic documentation for a banking change, and didn't realize it until the real vendor complained about unpaid invoices.
Two Main Spam Techniques
The SEC found the two key ways spoofing can compromise a company are emails from fake executives and emails from fake vendors.