Something phish-y is going on here: A teaching case on business email compromise

Abstract

This case utilizes a real-world example of a U.S. public company that fell victim to a Business Email Compromise (BEC) scheme in which an employee inadvertently wired millions of dollars to fraudulent accounts based upon email instructions purportedly sent by a company executive and external legal counsel. This is a timely issue to examine given its rising prevalence and magnitude in the corporate world. The case allows students to examine a topic (phishing techniques and email scams) that they are likely to be familiar with on a conceptual level, through the lens of internal controls and external auditing. Examining the case information, SEC filings, and auditing guidance, students will gain an understanding of internal control issues related to BEC and critically think of ways to remediate or implement controls to reduce cybersecurity risk, as well as consider the external auditor’s growing responsibilities related to technology and its associated risks.