1. Compose a summary of the case. Include how the fraud was perpetrated, the characteristics of the perpetrator(s) who committed the fraud, the role the auditor(s) had in the case, and the direct and indirect effects the incident had on the organization’s stakeholders (customers, vendors, employees, executive committee, and board of directors).
Comerica is being sued by Experi-Metal over a $560,000 phishing attack on its bank account. Experi-Metal, a custom auto-parts maker, was hit by phishing criminals in January 2009. The fraud was perpetrated when the bank’s vice president received a phishing e-mail telling him to fill out online paperwork so that scheduled maintenance could be performed. The e-mail appeared to have been sent from the bank, but it was actually sent by the phishing criminals. Once the vice president sent over his credentials, the attack began. Experi-Metal accused Comerica of failing to take immediate action that could have eliminated some of the loss.
The bank processed over a million dollars in wires from the company’s account, and the attack took only a matter of hours. The criminals tried to move millions of dollars to an Eastern European account. Comerica learned of the attack within four hours of the fraud, when J.P. Morgan Chase contacted Comerica to report suspicious activity in the account. The criminals were funneling money into the Chase accounts in order to move it overseas to Russia and Estonia. Comerica shut down the scam, but only after the business had lost money: Comerica shut down the account yet still processed 15 wires after finding out about the scam. Comerica filed suit against the bank over the phishing attack, to try to recoup some of the money that was paid out through it.
The perpetrators are typically people based abroad, and their e-mails contain spelling errors: misspelled and transposed letters are characteristic. The attackers send out thousands of e-mails in the hope that some individuals will respond. The e-mails are intended to trick users into clicking on a link and entering their personal information. The e-mail impersonates a company such as a bank, states that there is a problem, and asks the individual to verify their information. It includes a call to action prompting the user to respond or delete the message.
The direct and indirect effects on the organization’s stakeholders were that the bottom line would be understated because of the loss of money. “Phishing scams deceive you into revealing your personal, banking, or financial information through links in email that refer your browser to a look-alike fake website that requests your personal, banking and/or financial” (Roddel, 2008, pg. 93). The board of directors would need to put something in place with the bank to make sure this does not happen again. This is a lack of internal controls, because the vice president should have verified the e-mail before providing his credentials.
The direct impact is to cripple the company’s availability of funds and to breach confidentiality and safety. Phishing has a negative impact on a company’s revenue, which is a direct impact on the stakeholders. The direct effects could include legal fees and additional marketing expense to recapture lost revenue. An organization should communicate with its stakeholders when a phishing attack happens so that the stakeholders do not lose confidence in the organization. Indirect effects on stakeholders include responding to media inquiries and delivering messages to the affected parties.
2. Suggest the fraud classification(s) the case can be categorized into (based on the data processing model). Include your rationale for the classification.
“By far the most common form of corporate identity theft used by fraudsters is ‘phishing’. Phishing involves fraudsters sending e-mails under the guise of a bank or other reputable company, which appear authentic, to customers or users of that particular company. The emails invite them to log on to the company’s website and verify their account details, including their personal identification details” (Simmons & Simmons, 2003, pg. 8). The controller of Experi-Metal received an e-mail that appeared to be urgent.
The e-mail stated that the bank needed to carry out scheduled maintenance on its banking software. It instructed the controller to log in to the website via the link in the e-mail. The e-mail appeared to come from Comerica’s online banking site. The site asked the controller to enter a security code. The website was fraudulent and was used to obtain the information needed to process the fraudulent wires.
3. Suggest the type of controls that may have been in place at the time of the violation.
The goal of any organization is to prevent or limit the impact of phishing attacks. The company probably had an in-house phishing plan in place. Corporate organizations have policies and procedures to help deter phishing attacks, and these should have included training employees to avoid a phishing attack. The controls in place at Experi-Metal probably included a preventive plan consisting of employee training and e-mail filters. More effective controls need to be in place to prevent this from happening in the future. The controller should never have given his personal information out online without verifying with the bank. Management has to be made aware of the types of phishing attacks through education, and an effective policy needs to be in place to cover these types of attacks. The system did not fail; it was the actions of the controller that led to the phishing attack.
4. Recommend two (2) types of controls that could be implemented to prevent fraud in the future and additional steps management can take to mitigate losses.
“Avoid emailing personal and financial information. If you get an unexpected email from a company or government agency asking for your personal information, contact the company or agency cited in the email, using a telephone number you know to be genuine, or start a new Internet session and type in the Web address that you know is correct” (McMillian, 2006, pg. 160). A variety of efforts aim to deter phishing through law enforcement and automated detection. One thing that should be stressed at Experi-Metal is to never follow links in an e-mail claiming to be from a bank.
Banking institutions never ask you to verify your online banking username and password. The controller should have contacted the bank and verified the information before he entered the code. The motto is: trust no e-mail or website. The business should have controls in place to keep this from happening going forward. Second, Experi-Metal should install good anti-virus and firewall protection software and adjust the settings to tighten up web security. When a customer or business has an excessive number of wires, the bank should place a stop on the account, and the activity needs to be verified before any more wires are processed.
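As an added illustration of the two bank-side controls recommended in this section (a stop on an account with an excessive number of wires until a person verifies it, and positive-pay style approval of payees before a wire is released), the following Python model is example code written for this discussion and is not code from Comerica, Experi-Metal, or the case record. The account identifiers, payee names, thresholds and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Wire:
    account: str
    beneficiary: str
    amount: float
    at: datetime

@dataclass
class WireGate:
    max_wires: int = 5                            # wires allowed per account per window
    window: timedelta = timedelta(hours=1)
    approved: dict = field(default_factory=dict)  # account -> set of pre-approved payees
    history: dict = field(default_factory=dict)   # account -> recent wire timestamps
    frozen: set = field(default_factory=set)      # accounts stopped pending verification

    def decide(self, w: Wire) -> str:
        """Return 'release' or 'hold' for one wire; a held wire is never sent."""
        if w.account in self.frozen:
            return "hold"  # nothing else leaves once the account is stopped
        if w.beneficiary not in self.approved.get(w.account, set()):
            return "hold"  # positive pay: payee was not pre-approved by the customer
        recent = [t for t in self.history.get(w.account, []) if w.at - t < self.window]
        recent.append(w.at)
        self.history[w.account] = recent
        if len(recent) > self.max_wires:
            self.frozen.add(w.account)  # velocity stop: freeze and escalate to a person
            return "hold"
        return "release"

    def verify(self, account: str) -> None:
        """Clear the stop only after out-of-band confirmation with the customer."""
        self.frozen.discard(account)
        self.history[account] = []

def demo() -> dict:
    """Constructed burst of 20 wires in 20 minutes, then an unlisted payee while
    stopped, then one wire after the account has been verified and cleared."""
    gate = WireGate(approved={"ACCT-1": {"KNOWN-VENDOR"}})
    t0 = datetime(2009, 1, 1, 9, 0)  # constructed timestamp
    result = {"release": 0, "hold": 0}
    for i in range(20):
        w = Wire("ACCT-1", "KNOWN-VENDOR", 10_000.0, t0 + timedelta(minutes=i))
        result[gate.decide(w)] += 1
    result["unlisted_payee"] = gate.decide(Wire("ACCT-1", "NEW-PAYEE", 1.0, t0))
    gate.verify("ACCT-1")
    result["after_verify"] = gate.decide(Wire("ACCT-1", "KNOWN-VENDOR", 1.0, t0 + timedelta(hours=2)))
    return result
```

With a limit of five wires per hour, the sixth wire of the burst freezes the account and every later wire is held until a person clears it, which is the behaviour the case turned on: once the bank knew, nothing more should have gone out.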
Experi-Metal could have positive pay on the account, which would prevent any wires from being processed without its approval. Additional employee training should be offered to help employees notice fraudulent e-mails. An individual should never respond to any e-mail asking for personal information. The bank should follow policy to protect and inform customers about fraudulent activity.
5. Judge the punishment of the crime (was it appropriate, too lenient, or too harsh) and whether the punishment would serve as a deterrent to similar acts in the future.
The court ruled in favor of Experi-Metal in the case. Comerica was held liable for over half a million dollars stolen from Experi-Metal. The punishment was not too harsh, because Comerica failed to act in good faith when it processed over 100 wire transfers in a few hours. The bank should have stopped the wire transfers and contacted the company. A customer holds a bank responsible for keeping their money safe. Most of the money was recovered, but the judge ruled in favor of Experi-Metal on the grounds that the bank did not respond quickly enough in stopping the wire transfers. Banks are doing a better job of spotting fraud because of this case, but there is still room for improvement. This was a major case because it put pressure on banks to strengthen their security posture. The judge is holding the banks responsible for the safekeeping of a company’s money.