October 20, 2007

E-Mail Fraud: Not Just For Nigeria Any More

Most Internet users have grown sophisticated enough to know that former princes in Nigeria don't realy need their assistance to transfer funds to the United States. They sympathize with those correspondents who have just been diagnosed with terminal illnesses but resist the widely-broadcast plea to become executors of their estates -- with the odd requirement to place large amounts of cash in escrow first. With a few exceptions, including a minister's wife who wound up murdering her husband after blowing $14,000 on an e-mail scam, Americans know better than to fall prey to the scamsters.

Unfortunately, that doesn't apply to corporations. Minnesota-based Supervalu sent millions of dollars into fraudulent accounts because of an e-mail scam that the supermarket chain never bothered to confirm:

Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.

The company discovered the ruse soon after it began and reported it to police, who coordinated with the FBI to recover the money from banks in Arkansas and Miami Beach, Fla., before it could be withdrawn, according to a pair of forfeiture cases filed under seal earlier this year. They were filed in U.S. District Court for the District of Idaho.

The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.

Supervalu sent more than $6.5 million in nine payments between Feb. 28 and March 6 to the phony American Greetings account at HSBC Bank in Miami Beach. The company also sent nearly $3.6 million during the same period to the phony Frito-Lay account in Arkansas. The recovered money has since been claimed by Supervalu, American Greetings and Frito-Lay. A federal judge will decide who gets it.

I wonder what their Sarbanes-Oxley compliance records look like. Someone gets new bank account numbers for millions of dollars of transfers and doesn't bother to check with the vendors to confirm the change? The scamsters must have laughed all the way to the bank, even if they didn't get there in time.

The Sarbanes-Oxley requirements put in place by Congress directly address this very point in corporate accounting. It forces publicly-held corporations to develop reporting systems and operating procedures that minimize risk of internal and external fraud. At least, that's its purpose, but as we can see, it has about as much meaning as an ISO 9000 certification. All the burdensome SOX machinery does is demonstrate that a company can write procedures and test them, but it doesn't eliminate fraud or stupidity.

In the meantime, expect plenty of e-mails from Nigerian princes and terminal aristocrats to make their way to the Supervalu domain. It seems that they have discovered a fresh market in naivete.


TrackBack URL for this entry:

Please note that unverified Disqus users will have comments held in moderation. Please visit Disqus to register and verify your account. Comments from verified users will appear immediately.