Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​The Social Engineering Fraud

National culture plays a part in a whaling fraud that snares the controller at an overseas subsidiary.

Comments Views

​Kai Tang was working late on Dec. 25. It was year-end, so activity in the company was picking up, keeping the controller of the thriving Singapore distributor of a large U.S. manufacturer busy. Because it was a holiday in the U.S., Tang knew he would not be interrupted by inquiries and requests from corporate headquarters. Although the corporate controller and the chief financial officer (CFO) rarely visited him in person, they frequently emailed him with questions, but only called on urgent matters due to the time difference. Additionally, his subsidiary was visited by internal auditors the month before — which didn't raise issues — and they were due for a visit from external auditors in January.

Tang suddenly received an email from the company CEO notifying him of a building purchase for a new office location in Asia. The email expressed urgency in wiring money to close the deal. Tang rarely communicated with the CEO directly, but he knew he had a bad temper and did not tolerate being questioned or challenged.

As Tang contemplated how to contact his general manager — who was on a plane — and how and whether to reach the company's CFO at home on Christmas, his phone rang. The man introduced himself as a senior manager at the company's external audit firm. He stated that he was working with the CEO on this urgent purchase and that Tang's delay of the wire would jeopardize the whole deal. Though his head was spinning, and he had lingering questions, Tang hurriedly prepared the $100,000 wire, confirmed the account information, and clicked "send." This turned out to be a scam and the funds were never recovered by the company.

The next month in the boardroom, as the multinational company tried to understand how it became the victim of such a trite, albeit somewhat sophisticated, scam, board members asked, "What questions did we not ask that could have prevented this?" Several reasons were named in creating this perfect storm of a failure, including national culture, which was brought up more than once.

Dutch social psychologist Geert Hofstede found that six cultural dimensions are at play in the global marketplace. One of them is the Power Distance Index (PDI) that measures the distribution of power — and wealth — between individuals in a business, culture, or nation. In a country like Singapore, where a stronger hierarchy of authority exists, it is common for subordinates to follow the whims of an authoritative figure. As a general rule, in higher PDI cultures, subordinates are less likely to question their superiors than in low PDI cultures and organizations where authority figures work more closely with subordinates and it is more acceptable to challenge authority.

​Lessons Learned

  • Following the letter of the control description is not enough. Ask questions regardless of whether the goal of the control is accomplished and revise the description, if necessary.
  • Company management should work with outside vendors, such as banks, to automate controls.
  • Employee training should be conducted by management or expert consultants to recognize and identify phishing schemes. The training should be comprehensive and frequent.
  • When working in a multinational environment, learn about national culture, identify traits that might facilitate fraud, design more robust controls, if needed, and provide additional coaching to employees.
  • Management should create a support structure and invest time to establish personal relationships with foreign employees to cultivate trust.

Dessalegn Getie Mihret of Deakin University in Australia conducted a study of 66 countries testing the association between national culture dimensions and exposure to fraud. His research suggests high fraud risk exposure in countries with high PDI. This was a case of external fraud but a fraud, nonetheless. In Tang's case, this cultural dimension had a double effect. Tang, being from Singapore, a high PDI culture, was uncomfortable challenging the request of the person he perceived to be the high authority. The CEO of the company was from Albania, another high PDI culture, and was infamous for not tolerating any challenge to his authority. This created a culture of fear within the company. Nobody wanted to be reprimanded by the CEO, who was known to yell and belittle his employees in public.

Another factor in this perfect storm of breakdowns was the absence of trusted advisors within the company with whom Tang could consult in the time of doubt. Because it was a holiday, Tang did not feel comfortable contacting any of his supervisors in the U.S. He did not have a close enough relationship with any of them and felt he'd be bothering them. Trust is paramount in relationships, especially in Asia, and it takes an investment of time to build it. None of the U.S. managers invested time in creating close connections with their Singaporean colleagues.

Whaling is a type of attack that uses email or website spoofing to trick the target into performing a specific action, which in this case was having the controller transfer money to an account. Cybercriminals pose as senior players within an organization targeting other important individuals at the organization with the goal of stealing money or sensitive information, or gaining access to the computer systems. Specifically, whaling targets key people with what appears to be communication from someone senior or influential — such as the CEO — with a request that staff are reluctant to refuse.

Internal controls help prevent such things from happening, but the existing system proved ineffective in overcoming such a strong cultural influence. In fact, the controls proved to be poorly designed for any kind of culture. The only control over bank wires was written as:

Wire transfers are submitted on the bank website. For wire payments, all the backup is given to an authorized signer, the controller/general manager/finance manager for electronic approval on the bank website.

Every time this control was tested during an internal audit, the controller was able to produce the documents of the secondary approval by the general manager. The letter of the control was followed. The internal auditors never asked, "Would it be theoretically possible for one person to approve and send the wire on the banking website?" Evidently, the bank website did not require a secondary approval, which allowed one person to send the wire out.

Additionally, there was a breakdown in IT security controls. The email was clear evidence of a successful phishing scheme where an attacker posed as a reputable person with the intent to defraud the organization. Adequate training to educate employees is critical to prevent these attacks and was obviously lacking in Tang's case.

Anna Howard
Andrew Lough
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Authors



Anna HowardAnna Howard<p>Anna Howard, CPA, CMA, is director, Master of Science in Accounting Program, at Nichols College in Dudley, Mass.​</p>



Andrew LoughAndrew Lough<p>Andrew Lough, CIA, CPA, CRMA, CGMA, is an adjunct professor of internal control audit at Nichols College.​</p>


Comment on this article

comments powered by Disqus
  • AuditBoard-February-2021-Premium-1
  • GAM-February-2021-Premium-2
  • ACGI-February-2021-Premium-3