The email Keith McMurtry received in early June read, “This is a strictly confidential operation,” and it was signed by his boss, Chuck Elsea, CEO of the Scoular Co., a commodities-trading firm based in Omaha, Nebraska. So, McMurtry took the mysterious missive seriously, even though the address was unfamiliar.
Subsequent messages outlined that McMurtry, an accountant with the firm, would be helping the company orchestrate a hush-hush deal to acquire a Chinese firm. By the end of June, the “confidential operation” concluded with the accountant wiring $17 million of Scoular’s money to a Chinese bank account. But as he soon discovered, there was no acquisition. According to documents released by the FBI, the 123-year-old company had been scammed.
As hackers apply new tactics and seek out increasingly lucrative targets, cyberattacks and Web scams constitute a significant and growing threat to financial firms. From run-of-the-mill email fraud to sophisticated malware infiltration, companies face an ever-widening array of security concerns, the extent of which is often hidden from consumers and shareholders. Although a major trader in grains and feed, Scoular is hardly an industry titan. But if a regional commodity merchant can be so easily bilked out of $17 million, how much is at stake for corporate giants?
Quite a bit more, it turns out. A Deloitte report last year found cybercrime cost the average financial-services company $24 million in 2013, a 44 percent increase over the previous year.
A U.S. Securities and Exchange Commission report released this week underscores the dangers. An overwhelming majority of broker-dealers and investment advisers surveyed had experienced cyberattacks. Eighty-eight percent of the brokers had faced attacks, compared with 74 percent of advisers.
Some of the industry’s problems result from an inconsistent approach to cybersecurity. “At some of the larger players, the level of awareness is pretty high,” said Vikram Bhat, a principal in Cyber Risk Services at consulting firm Deloitte & Touche. “Having said that, there’s a significant disparity in maturity across the industry.” Many smaller firms lack the technical talent to fend off attacks and guard against even garden-variety scams.
Most incidents in the SEC report involved fraudulent emails -- gambits familiar to anyone who has received appeals from erstwhile members of Nigerian royalty requesting a few thousand dollars to recoup their lost fortunes.
Still, this basic approach succeeds surprisingly often in hoodwinking financial firms. More than one-half of the broker-dealers surveyed by the SEC reported receiving fraudulent emails seeking funds. One-quarter of these companies actually complied, transferring thousands of dollars of investors’ cash to online grifters.
Although the SEC requires that firms maintain written cybersecurity policies, the specifics aren’t well-defined. When queried as to particular mandates that financial firms must follow, an SEC representative pointed to a recent requirement on identity theft and a consumer-privacy regulation passed in 2000.
However, the attacks companies face today extend far beyond the identity theft that enabled the Scoular scam. This week alone, the top executive at Sony Pictures Entertainment stepped down because of the fallout from a massive hack last November, and health insurer Anthem Inc. reported that data associated with millions of its customers had been compromised.
Although far simpler than these attacks, the swindle that hit Scoular wasn’t child’s play. A supposed lawyer in on the deal actually answered the phone number provided in an email. The FBI traced participants’ Internet Protocol addresses to Israel, Paris and Moscow. And despite some grammatical lapses, the scammers made convincing overtures to legal propriety. As the first email instructed: “Please only communicate with me through this email, in order for us not to infringe SEC regulations.”
Subsequent messages insisted the accountant stay tight-lipped. “Leaks could endanger the contract’s execution, in addition to its intrinsic value.”
Deloitte & Touche’s Bhat argued that, looking forward, the industry needs to acknowledge systemic vulnerabilities. “While the focus may still be on financial crime, over time we need to look at disruption from systemic challenges,” he said.
Scoular representative Tara Gurney told International Business Times, “Though the event is regrettable, and it is a large sum of money, it hasn’t affected our ability to conduct business as usual.” In a written statement, CEO Elsea said, “We are very confident that our internal controls and the interbank systems we utilize are advanced and secure.”
In one of the final emails to the accountant, the correspondent included a note of praise, “Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.”