Attempts and Conspiracies to Commit Criminal Fraud
SOX Section 902 makes attempts or conspiracies to commit mail fraud or wire fraud punishable the same as completing the fraud, so your program must prevent, detect, and escalate fraud planning activity, not just executed fraud. Operationalize it by hardening fraud controls, tightening third-party oversight, and running a documented investigation and escalation workflow. [1]
Key takeaways:
- Treat “attempts” and “conspiracies” as compliance-relevant events, even if no loss occurred. [1]
- Build a clear escalation path from suspicious communications and control circumvention to investigation, legal review, and discipline. [1]
- Retain evidence that shows you trained people, monitored channels, investigated alerts, and remediated control gaps. [1]
“Attempts and conspiracies” is where many fraud programs get exposed. Teams often focus on completed misconduct (loss events, restatements, confirmed wire diversion), but SOX Section 902 extends criminal exposure to the planning and coordination stage for mail and wire fraud. Practically, that means your control environment has to do more than “catch fraud after it happens.” It must surface early indicators: unusual vendor onboarding pressure, requests to bypass approvals, side-channel communications, altered bank details, fabricated support tickets, or collusion between an employee and a third party.
For a Compliance Officer, CCO, or GRC lead, the operational question is simple: can you show that your organization (1) set expectations and trained people on fraud and reporting, (2) designed controls that reduce opportunity for wire/mail fraud, (3) monitored for attempt/conspiracy signals, and (4) investigated and remediated quickly with defensible documentation?
This page translates SOX Section 902 into requirement-level actions you can assign to Finance, Security, Legal, HR, Internal Audit, and third-party risk owners, with concrete artifacts to retain and common audit hangups to avoid. [1]
Regulatory text
Text (excerpt): “Any person who attempts or conspires to commit mail fraud or wire fraud shall be subject to the same penalties as the underlying offense.” [1]
Operator interpretation (what this means for your program)
SOX Section 902 is not a “do X control” mandate. It changes the risk calculus: planning or coordinating mail/wire fraud creates criminal exposure even if the fraud fails or is interrupted. [1]
What you, as an operator, must do is run a compliance and internal control program that:
- Reduces opportunity for mail/wire fraud (segregation of duties, approvals, authenticated payment changes).
- Detects precursors (attempt signals, collusion patterns, suspicious communications).
- Escalates and investigates suspected attempts/conspiracies with a repeatable, documented process.
- Remediates gaps fast (control fixes, access changes, training updates, vendor restrictions).
All four become part of your defensibility story if regulators, auditors, or prosecutors ask what the company did to prevent and respond. [1]
Plain-English requirement
You must be able to identify and stop fraud schemes while they are being attempted or organized, not only after money moves or statements are misstated. “Attempt” can look like initiating an unauthorized payment, crafting false invoices, or trying to change bank details. “Conspiracy” can look like coordination between employees, or between an employee and a third party, to move value through mail or electronic communications. [1]
Who it applies to (entity and operational context)
Entity scope
- Public companies (issuers) and their control environments. [1]
- Officers and directors with oversight responsibilities and influence over reporting, controls, and tone. [1]
Operational scope (where you see this risk)
- Finance and payments: AP, treasury, payroll, expense reimbursement, refunds, customer credits.
- Revenue operations: billing, credits, channel partner payments, sales incentives.
- Procurement and third-party management: onboarding, bank account updates, change orders, contract amendments.
- IT and security: email compromise pathways, identity access management, logging, case management.
- Shared services: offshore AP processing, outsourced payroll, call centers handling payment changes.
- Sensitive third parties: agents, consultants, intermediaries, or any third party that can initiate, approve, route, or validate payment instructions.
What you actually need to do (step-by-step)
1) Define “attempt” and “conspiracy” indicators for your environment
Build a short typology that your teams can apply consistently. Example indicator categories:
- Control circumvention: requests to “just this once” bypass approvals; pressure to pay outside normal channels.
- Payment instruction manipulation: bank detail change requests, “new remittance address,” urgent wire requests.
- Collusion signals: repeated pairing of the same requester/approver/vendor; unusual approval timing; matching IP/device indicators across accounts (where available).
- Communication red flags: look-alike domains, unusual forwarding rules, new email threads for established vendors.
Document these indicators in a fraud risk memo and in your investigation playbooks so alerts are triaged the same way across teams. [1]
2) Map mail/wire fraud exposure to key processes and third parties
Create a simple matrix:
| Process | Where “wire/mail fraud” can occur | Key control owners | Relevant third parties |
|---|---|---|---|
| Vendor onboarding | Fake vendors, fake addresses | Procurement, AP | Screening providers, outsourcing firm |
| Bank detail changes | Redirected payments | AP, Treasury | ERP provider, payment processor |
| Wire initiation | Unauthorized wires | Treasury | Bank portals, MSP |
| Invoice approvals | Collusive approvals | Budget owners | Contractors, consultants |
Your goal is coverage: every payment pathway has an owner, a control, and a monitoring signal. [1]
3) Implement “attempt-stage” preventive controls
Focus on controls that stop bad instructions before execution:
- Strong payment change authentication: callback to a known number (not the email), dual validation, and independent verification.
- Segregation of duties: separate requester, approver, and payment releaser.
- Approval integrity: enforced thresholds, documented rationale for rush/exception payments, and exception approvals by a second line.
- Third-party access limits: restrict who at a third party can submit payment changes; require named individuals and MFA where possible.
Tie each control to a specific attempt signal it prevents (for example, bank change verification prevents redirection attempts). [1]
4) Build detection and triage that captures “attempt” evidence
Detection should include:
- Central intake: hotline, case portal, security mailbox, and finance escalation queue.
- Monitoring: flags for duplicate bank accounts across vendors, changes close to payout dates, and manual overrides.
- Triage rubric: severity, credibility, potential mail/wire element, and whether collusion is plausible.
Operational requirement: every credible attempt/conspiracy alert results in a logged case with documented disposition and rationale. [1]
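As an added example that is not part of this page, the following Python sketch applies the monitoring rules from step 4 (duplicate bank accounts across vendors, changes close to payout dates, manual overrides) and the collusion signal from step 1 (repeated requester/approver pairing) to constructed ERP bank-change records, then assigns a triage severity so each hit can be logged as a case. The record fields, thresholds and sample data are assumptions, not a real ERP schema.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from any real system): vendor bank-detail change
# requests as an ERP audit trail might log them, plus each vendor's next payout date.
BANK_CHANGES = [
    {"id": 1, "vendor": "V100", "account": "GB11-0001", "changed": date(2024, 3, 1),
     "requester": "alice", "approver": "bob", "override": False},
    {"id": 2, "vendor": "V200", "account": "GB11-0001", "changed": date(2024, 3, 8),
     "requester": "carol", "approver": "dan", "override": False},
    {"id": 3, "vendor": "V300", "account": "GB22-0002", "changed": date(2024, 3, 10),
     "requester": "alice", "approver": "bob", "override": True},
    {"id": 4, "vendor": "V400", "account": "GB33-0003", "changed": date(2024, 2, 1),
     "requester": "alice", "approver": "bob", "override": False},
    {"id": 5, "vendor": "V500", "account": "GB44-0004", "changed": date(2024, 1, 5),
     "requester": "erin", "approver": "frank", "override": False},
]
PAYOUTS = {"V100": date(2024, 4, 1), "V200": date(2024, 3, 9),
           "V300": date(2024, 4, 15), "V400": date(2024, 3, 1), "V500": date(2024, 3, 1)}

def flag_changes(changes, payouts, window_days=3, pairing_threshold=3):
    """Return {change_id: [signals]} for every change that trips a monitoring rule."""
    vendors_by_account = defaultdict(set)   # account -> vendors sharing it
    pair_counts = defaultdict(int)          # (requester, approver) -> change count
    for c in changes:
        vendors_by_account[c["account"]].add(c["vendor"])
        pair_counts[(c["requester"], c["approver"])] += 1
    flagged = defaultdict(list)
    for c in changes:
        if len(vendors_by_account[c["account"]]) > 1:       # same account, two vendors
            flagged[c["id"]].append("duplicate_account_across_vendors")
        payout = payouts.get(c["vendor"])
        if payout and timedelta(0) <= payout - c["changed"] <= timedelta(days=window_days):
            flagged[c["id"]].append("change_close_to_payout")
        if c["override"]:                                    # approval control bypassed
            flagged[c["id"]].append("manual_override")
        if pair_counts[(c["requester"], c["approver"])] >= pairing_threshold:
            flagged[c["id"]].append("repeated_requester_approver_pair")
    return dict(flagged)

HIGH_SIGNALS = {"duplicate_account_across_vendors", "manual_override"}

def triage(signals):
    """Triage rubric: severity from the signal mix; collusion plausible when approvals cluster."""
    if HIGH_SIGNALS & set(signals) or len(signals) >= 2:
        severity = "high"
    else:
        severity = "medium" if signals else "none"
    return {"severity": severity, "collusion_plausible": "repeated_requester_approver_pair" in signals}
```

Every entry returned by `flag_changes` is a candidate case record; the `triage` result supplies the severity and collusion fields of the rubric, while credibility and the mail/wire element still need an analyst's judgement.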
5) Run a documented investigation and escalation workflow
Minimum workflow stages you should document:
- Preserve evidence: email headers, chat exports, ERP audit logs, approval trails, bank portal activity, call recordings where permitted.
- Containment: freeze vendor, pause payment, disable accounts, reset credentials.
- Assessment: was there intent, planning, coordination, or attempted execution via mail/wire channels?
- Escalation: route to Legal/HR/Finance leadership based on criteria; maintain privilege where appropriate.
- Remediation: control updates, disciplinary action, third-party offboarding, training refresh.
- Closure: lessons learned and control owner sign-off.
Make the escalation criteria explicit so frontline teams do not self-select what “counts.” [1]
6) Prove oversight: governance, reporting, and board visibility
Provide periodic reporting to executive stakeholders on:
- Attempt/conspiracy indicators encountered.
- Time-to-triage and time-to-containment (track internally; you do not need to publish figures).
- Control failures and remediation status.
- Third-party related cases and outcomes.
This is where tools like Daydream can help: centralize third-party due diligence artifacts, link third parties to payment-related control requirements, and keep investigation and remediation evidence in one audit-ready system of record.
Required evidence and artifacts to retain
Retain artifacts that show design, operation, and response:
- Fraud risk assessment updates that explicitly include attempts/conspiracies tied to mail/wire pathways. [1]
- Policies and procedures: payment authorization, vendor onboarding, bank change verification, exceptions, conflicts of interest. [1]
- Training records: completion evidence for finance/payment roles and anyone who can approve or request disbursements. [1]
- Control operation evidence: approval logs, bank change verification records, ERP audit trails, access reviews for payment systems.
- Monitoring outputs: alert queues, review checklists, and documented dispositions.
- Investigation files: case notes, preserved communications, escalation approvals, remediation tickets, and closure memos.
- Third-party records: due diligence, contract controls (audit rights, security requirements), and offboarding/lockdown actions when implicated.
Common exam/audit questions and hangups
- “Show me how you detect attempted payment diversion before funds move.” Expect to demonstrate monitoring rules and triage records.
- “How do you verify vendor bank changes?” Auditors look for independence and evidence of verification.
- “Where is your exception process, and who approves exceptions?” Exceptions without documentation read as control failure.
- “How do you handle suspected employee–third party collusion?” You need an HR/Legal-integrated playbook with evidence preservation steps.
- “Can you produce a complete case file for a closed alert?” Incomplete files are a recurring finding.
Frequent implementation mistakes and how to avoid them
- Only tracking confirmed losses. Fix: track attempts as a separate event type with required case documentation. [1]
- Informal escalations via chat. Fix: require a case record for any credible attempt indicator, even if quickly resolved.
- Bank change controls that rely on email-only validation. Fix: independent callbacks and known-good contact data.
- Third-party blind spots. Fix: include third parties in payment control scoping, access reviews, and incident response expectations.
- No defined evidence preservation steps. Fix: publish a one-page evidence checklist for Security/IT/Finance before accounts are altered or data ages out.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite case outcomes. The operational implication still matters: failed fraud attempts and collusive planning create legal risk, reputational risk, and control deficiency risk if you cannot show reasonable prevention, detection, and response. [1]
Practical execution plan (30/60/90)
First 30 days (stabilize and define)
- Publish an “attempts and conspiracies” fraud typology tailored to your payment and third-party pathways. [1]
- Confirm ownership: Finance owns payment controls, Security owns monitoring/logging, Legal/HR owns investigation governance.
- Stand up a single intake and case logging mechanism for suspected attempts (can start as a controlled queue if needed).
By 60 days (implement controls and monitoring)
- Roll out bank change verification and exception approval documentation where gaps exist.
- Implement or tune monitoring for high-risk events: vendor master changes, urgent wires, manual overrides.
- Train payment-adjacent roles on red flags and mandatory escalation triggers. [1]
By 90 days (prove operation and close gaps)
- Run a tabletop exercise: simulated payment diversion attempt involving a third party; test evidence preservation and escalation. [1]
- Review closed cases for completeness; fix missing artifacts and update playbooks.
- Add board or audit committee reporting content: attempt trends, remediation status, and third-party involvement.
Frequently Asked Questions
Does SOX Section 902 require a specific written policy?
The text sets criminal liability for attempts and conspiracies; it does not prescribe a specific policy format. You still need documented procedures and evidence that your controls and investigations cover attempt-stage activity. [1]
What counts as an “attempt” if no money moved?
Operationally, treat actions taken toward mail/wire fraud as attempts: initiating unauthorized payment steps, trying to change remittance details, forging approval support, or bypassing controls. Log and investigate credible indicators even if stopped early. [1]
How do we handle suspected collusion with a third party?
Freeze the transaction path, preserve communications and system logs, and escalate through Legal/HR using a defined workflow. Then remediate: restrict access, tighten approvals, and reassess the third party’s permissions and oversight. [1]
Are our officers and directors personally in scope?
The applicability data includes officers and directors, and the statutory text applies to “any person.” Your governance and reporting should support informed oversight and timely escalation. [1]
What evidence is most persuasive in an audit?
Auditors respond to end-to-end traceability: the alert, the case record, preserved evidence, escalation notes, and remediation proof. A clean file for even a “false positive” attempt alert shows discipline and control operation. [1]
Where does Daydream fit without turning this into a tooling project?
Use Daydream to centralize third-party due diligence, link third parties to payment-related controls, and retain investigation artifacts and remediation tasks in one place. That reduces scrambling for evidence when auditors ask for case files and third-party oversight records.
Footnotes
1. Public Law 107-204.