Through a sophisticated and increasingly common scam called “Business Email Compromise,” Evaldas Rimasauskas, a Lithuanian national, recently tricked Google and Facebook employees into wiring $122 million to fraudulent bank accounts.
First, Rimasauskas registered a company in Lithuania with the same name as Quantas, a computer hardware company out of China that does legitimate business every year with Google and Facebook. Rimasauskas then opened bank accounts associated with his fictional company and sent emails to Google and Facebook employees that appeared to be from employees of Quantas, followed by invoices and wiring instructions to the fake accounts. The emails and invoices mimicked previous Quantas invoices closely enough to fool the Google and Facebook employees, who complied with the requests. Once the funds were wired, Rimasauskas quickly siphoned them to various accounts around the world.
How could this happen to two such large and presumably well-run companies? Both Google and Facebook were using manual controls in their ERP system – manual controls that could not prevent major fraud. When Rimasauskas created fake bank accounts for his fake company, he made sure that the account numbers were close enough to actual Quantas account numbers that the differences were difficult to detect without close inspection. He counted on the accounting department using manual controls and being overwhelmed by work.
Had the process involved sufficient controls, the fraud would have been detected immediately and prevented. A great strength of automated controls is that they work well for small companies and can scale to companies as large as Facebook or Google. Not only do automated controls reduce time spent on conducting and supervising financial processes, but they also eliminate human error.
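Look-alike account numbers of the kind described above are easy for a rule to catch even when a busy reviewer misses them. The sketch below is an added example, not code from Process Auditor or Security Weaver; the vendor IDs, account numbers, function names and the two-character threshold are all assumptions made for illustration.

```python
# Added illustration: vendor IDs and account numbers are constructed sample data.
import re

# Hypothetical vendor master: remit-to accounts already verified out-of-band.
VENDOR_MASTER = {
    "V-1001": {"6021-4477-8890-13"},
    "V-2002": {"7754-0092-3318-46"},
}

def normalize(account: str) -> str:
    """Drop spaces and punctuation so reformatting cannot hide or fake a change."""
    return re.sub(r"[^0-9A-Za-z]", "", account).upper()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_payment(vendor_id: str, account: str, near: int = 2) -> str:
    """Classify an invoice's remit-to account against the vendor master.

    Only MATCH releases payment. NEAR_MISS (within `near` edits of a verified
    account) is escalated as a likely look-alike; UNKNOWN_ACCOUNT and
    UNKNOWN_VENDOR are held until verified through a separate channel.
    """
    known = VENDOR_MASTER.get(vendor_id)
    if known is None:
        return "UNKNOWN_VENDOR"
    candidate = normalize(account)
    verified = {normalize(k) for k in known}
    if candidate in verified:
        return "MATCH"
    if any(edit_distance(candidate, k) <= near for k in verified):
        return "NEAR_MISS"
    return "UNKNOWN_ACCOUNT"

if __name__ == "__main__":
    for acct in ("6021 4477 8890 13",    # verified account, different formatting
                 "6021-4477-8890-31",    # last two digits swapped
                 "9130-2258-0046-77"):   # unrelated account
        print(acct, "->", check_payment("V-1001", acct))
```

The threshold only decides how urgently a mismatch is escalated; every result other than `MATCH` keeps the payment on hold.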
Automated controls have several additional benefits beyond employee time and error prevention. They ensure that processes are better defined, they enable companies to measure important quality metrics for their processes, and they help process owners improve them. They also reduce the time and costs of audits because auditors can test the controls, which can materially reduce the substantive testing (sampling) requirements.
Process Auditor from Security Weaver provides an embedded continuous control monitoring platform that supports custom control and risk management requirements. It offers an extensive template library of over 130 controls with a workbench to change existing controls or develop new ones. Process Auditor functions across both complex and heterogeneous environments and allows companies to leverage their existing expertise in ABAP and Java technologies. As it supports environments from SAP R/3 to SAP S/4HANA, there is no need to buy, deploy, manage, or secure a separate database.
Visit http://www.securityweaver.com/solutions/continuous-controls/process-auditor/ for more information on how Process Auditor can strengthen your controls environment and prevent business losses.
By the way, how much of the $122 million did Facebook and Google recover? Less than $50 million. Bummer. If only there had been $300K in the budget for automated controls a couple of years ago.