The Corporate Impostor

Organizations should be on the lookout for fraudsters who appear to be their usual vendors.​


A Lithuanian man has been arrested on charges of impersonating a Taiwan-based electronics manufacturer to carry out a $100 million fraud scheme, Fortune reports. According to U.S. federal prosecutors, Evaldas Rimasauskas impersonated Quanta Computer to trick two U.S. tech companies into wiring money to accounts he controlled, under the company's name, in Cyprus and Latvia. He allegedly sent the U.S. companies forged invoices, contracts, and letters signed by executives from their companies. Quanta Computer acknowledged that its name had been used in the crimes, but says it did not suffer financial harm. U.S. federal prosecutors say much of the money has been recovered, and Rimasauskas is in jail in Lithuania awaiting extradition to the U.S. for trial.

Lessons Learned

Spoofing — impersonating an email sender's identity — is forgery. It is now a common way to perpetrate fraud, and such attacks are becoming increasingly sophisticated and credible-looking. Spoofing involves four main strategies: impersonation (as in this story), infection of computers by hackers, phishing, and spamming. In impersonation cases, the headers of these emails typically show the message as having been sent from the account owner's email server or another trusted source, rather than from the spoofer's email server. Simple Mail Transfer Protocol (SMTP), the protocol most often used to send outgoing email, does not require authentication of the sender. While there is no foolproof method, here are some suggestions for better preventing and combating this kind of fraud:

  • One of the most effective ways to prevent spoofers from forging email addresses is to use combinations of various encryption and authentication measures to strengthen email security. It's surprising that more organizations don't use strategies such as encryption software, digital signatures, two-step verification and message origin authentication, proof of submission and delivery, and secure access management. Encryption verifies that the email hasn't been altered or tampered with in transit. It also verifies that the sender of the email can be identified in the message. The most commonly used approaches include use of Secure Sockets Layer (SSL), which uses a private key to encrypt data being transmitted over an SSL connection; Secure HTTP, a complementary approach to SSL that is designed to transmit individual messages securely; and Secure Multipurpose Internet Mail Extensions (S/MIME), which supports public key encryption-based secure email. Once established, these approaches provide a secure connection that can send and receive any amount of data. Organizations should demand that those they deal with use the same kinds of measures as a way to ensure mutual protection. Small and mid-sized organizations can also purchase affordable email encryption software.

  • Equally important, educate, equip, and empower employees. Conduct training sessions with mock spoofing scenarios. Establish policies and procedures that require employees to act to prevent spoofing. In today's technology-driven world, organizations should make sure employees are technically equipped. Make sure employees understand the types of attacks they may face, the risks, and how to address them. The organization should share intelligence and knowledge about the spoofers, who are increasingly informed about the organizations, roles, employees, and key data they seek to defraud. Informed employees and appropriately secured systems are key to protecting the organization from attacks. Recipients must consider context, content, and sender, particularly if monetary transactions are involved. Concerted coaching to teach employees to be vigilant by not clicking suspicious links or downloading attachments is critical. To verify authenticity, employees should cross-check by sending a separate follow-up email, texting the alleged sender, or calling to validate that the email is from the correct source. That might mean that corporate culture needs to change to reflect a degree of empowerment of employees to resist authoritative-sounding orders, if they are bogus.
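The two points above (forged headers that show a trusted sender while SMTP never authenticated it, and message origin authentication as the countermeasure) can be turned into a simple triage check that an accounts-payable mailbox or a mail gateway can run before anyone acts on an invoice. The following is an added example, not code from the article or from any of the companies it mentions. It assumes the receiving mail server already records SPF and DKIM outcomes in an Authentication-Results header (the article does not name these mechanisms; they are the usual concrete form of origin authentication), and the two sample messages and the vendor.example domain are constructed for illustration.

```python
"""Flag sender-identity mismatches in inbound e-mail before a payment is acted on.

Added example (not from the original article). The sample messages below are
constructed; Authentication-Results is assumed to be written by the receiving
mail server, which is how SPF/DKIM outcomes normally reach a recipient.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(address_header):
    """Lower-cased domain of an address header such as From or Return-Path ('' if absent)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def _auth_result(msg, mechanism):
    """Result token recorded for spf= or dkim= in Authentication-Results, or 'missing'."""
    header = msg.get("Authentication-Results", "")
    match = re.search(r"\b%s=(\w+)" % mechanism, header)
    return match.group(1).lower() if match else "missing"


def spoofing_indicators(raw_message):
    """Return a list of human-readable reasons the visible sender should not be trusted.

    An empty list means the envelope, reply path and origin checks all agree with
    the From header; it does not by itself prove the request is legitimate.
    """
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    return_path_dom = _domain(msg.get("Return-Path"))
    reply_to_dom = _domain(msg.get("Reply-To"))

    # The envelope sender (Return-Path) is what SMTP actually delivered for; a
    # forged From header usually does not match it.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} differs from From domain {from_dom}")
    # A Reply-To pointing at a look-alike domain redirects the victim's answer.
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} differs from From domain {from_dom}")
    # Origin authentication results recorded by the receiving server.
    for mechanism in ("spf", "dkim"):
        result = _auth_result(msg, mechanism)
        if result != "pass":
            findings.append(f"{mechanism} result is {result}")
    return findings


def needs_out_of_band_check(raw_message):
    """True when any indicator fires: confirm by phone or a fresh e-mail, never by replying."""
    return bool(spoofing_indicators(raw_message))


# Constructed sample: a genuine invoice from the vendor's own mail system.
LEGITIMATE = """Return-Path: <billing@vendor.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
From: "Vendor Billing" <billing@vendor.example>
To: ap@corp.example
Subject: Invoice 2041

Please find invoice 2041 attached.
"""

# Constructed sample: the From header shows the vendor, but every other signal disagrees.
FORGED = """Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer-xyz.example; dkim=none
From: "Vendor Billing" <billing@vendor.example>
Reply-To: billing@vendor-example.com
To: ap@corp.example
Subject: Updated bank details for invoice 2041

We have changed banks; please wire payment for invoice 2041 to the new account.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("forged", FORGED)):
        print(label, "->", spoofing_indicators(raw) or ["no indicators"])
```

The check is deliberately conservative: it only compares what the receiving server already knows (envelope sender, reply path, recorded SPF/DKIM results) against the address the employee sees, and escalates to the out-of-band call the article recommends rather than trying to decide on its own whether a bank-detail change is real.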

There are additional steps an organization can take to protect itself against these kinds of fraud:

  • Encrypt all sensitive company information and ensure all employees and contractors are required to use encryption routines for that kind of sensitive information.
  • Develop an in-house capacity or acquire advice to keep a pulse on the most current phishing strategies. Confirm that the organization's security policies and solutions can eliminate threats as they evolve.
  • Consider using newer technological approaches. One example is to use a heuristics product to determine whether an email is fraudulent. However, the success rate of these solutions can be mixed, particularly where more cleverly designed emails are involved.
  • Consider investing in cybersecurity liability insurance. However, the return on investment for this type of insurance should be weighed against the business model, the data stored, and the potential damages that could be incurred in the event of a data breach.


Art Stewart

About the Author

Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.

https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx
