Your company could sustain huge losses due to the compromise of an employee e-mail account. Seemingly legitimate communications and requests may actually be signs of a fraudster attempting to commit a scam called Business E-Mail Compromise (BEC).
How does this scam work? The goal of this type of scam is to compromise business e-mail accounts and trick employees or other individuals into wiring funds to the scammers’ accounts. Criminals use several techniques to compromise accounts:
- Phishing: a perpetrator uses e-mails, text messages, or phone calls to dupe an individual into revealing sensitive information. A fraudster may send an e-mail with a link to a recognizable—but fake—website that prompts the recipient to enter her credentials.
- Spoofing: a fraudster creates a fake, albeit similar, e-mail account to impersonate an individual and deceive others.
- Malware: malicious software that a fraudster uses to infiltrate a system and collect information, intercept communications, or steal credentials. An actor will often convince an individual to click on a link or download an attachment containing the malware program. With the advance of technology, hacking via malware is much easier than you may think; many malware kits are point-and-shoot and cost as little as $50.
If an e-mail account is compromised through hacking, a sophisticated con artist could lie dormant for weeks and study a company’s vendors, buyers, accounting information, travel schedules, and communication styles. The actor may target and impersonate a company officer, such as the CEO, and send urgent wire transfer requests to employees. The actor may also wait for a business deal to develop and then jump into the conversation to redirect payments. To keep his scheme and communications concealed from the hacked individual, a scammer may create forwarding rules that redirect the victim’s incoming e-mails to a spoofed e-mail account or move them into a hidden folder within the compromised account. Using a man-in-the-middle technique, a scammer may even go beyond the traditional BEC scam: he may brazenly insert himself between a victim and her bank during an online session to intercept credentials and personally perform wire transfers. Even with strong authentication measures, such as one-time-password tokens, criminals can still intercept data and access accounts. They continue to find weaknesses and, “the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims,” said Martin Licciardo, Special Agent stationed at the FBI’s Washington Field Office.
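As an added example that is not part of the article, the Python audit below checks a mailbox’s inbox rules for the tradecraft just described: forwarding mail to an outside address, burying it in a folder the owner rarely opens, or deleting payment-related messages. The rule records, their field names, and the folder and keyword lists are constructed for illustration and are assumptions, not a particular mail server’s export format.

```python
ORG_DOMAIN = "example.com"  # constructed: the organisation's own mail domain
# Folders an owner rarely opens, so mail moved there goes unnoticed (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
MONEY_WORDS = {"invoice", "wire", "payment", "remittance", "bank", "account"}

def rule_findings(rule: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Return reasons this inbox rule matches BEC tradecraft (empty list if none)."""
    reasons = []
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != org_domain.lower():
            reasons.append(f"forwards or redirects mail to external address {addr}")
    folder = (rule.get("move_to_folder") or "").lower()
    money_hits = {w.lower() for w in rule.get("subject_or_body_contains", [])} & MONEY_WORDS
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule['move_to_folder']}'")
    if rule.get("delete_message") and money_hits:
        reasons.append("deletes payment-related mail matching: " + ", ".join(sorted(money_hits)))
    if rule.get("mark_as_read") and (folder in HIDING_FOLDERS or rule.get("forward_to")):
        reasons.append("marks mail as read so the owner sees no unread notification")
    if len(rule.get("name", "").strip()) <= 1 and reasons:
        reasons.append("rule name is blank or a single character")
    return reasons

def audit_rules(rules: list, org_domain: str = ORG_DOMAIN) -> dict:
    """Map rule name -> findings for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = rule_findings(rule, org_domain)
        if findings:
            report[rule.get("name") or "<unnamed>"] = findings
    return report

# Constructed rule records in a simplified, assumed schema (not a real server export).
SAMPLE_RULES = [
    {"name": ".", "subject_or_body_contains": ["invoice", "wire"],
     "forward_to": ["ceo.office@example-mail.net"], "mark_as_read": True},
    {"name": "Hide payment threads", "subject_or_body_contains": ["payment"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Newsletters", "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "Reading"},
    {"name": "Team alias", "forward_to": ["finance-team@example.com"]},
    {"name": "Delete bank notices", "subject_or_body_contains": ["bank", "remittance"],
     "delete_message": True},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}:", "; ".join(findings))
```

Only the three rules that forward externally, hide mail, or delete payment-related mail are reported; the internal alias and the newsletter rule pass.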
In the aftermath of the crime, parties often become involved in protracted liability disputes. In many cases, the authorities are unable to apprehend the criminal or the stolen funds, and the remaining parties are left to fight amongst themselves. So, which party is liable for losses? Determining blame is not so easy.
Banks are usually the first party to blame; they’re trusted as experts and expected to safeguard sensitive financial accounts. The Federal Financial Institutions Examination Council (FFIEC) and the Uniform Commercial Code (UCC) have set forth requirements and guidelines for banks in order to protect customers from being bilked out of their money, but some aspects are codified using vague language such as “commercially reasonable security procedures.” Banks can offer various security options such as secure token technology, out-of-band authentication (calling to verify), dual customer authorization, and behavior/anomaly monitoring; however, customers often decline multiple—sometimes inconvenient—security options, and not all of the security measures are required in order to pass a UCC commercially reasonable test or abide by FFIEC layered security guidelines. The ambiguous language of the requirements and guidelines can limit banks’ liability for pecuniary losses. Moreover, pursuant to the UCC, banks are responsible for wire transfers conducted by an unauthorized individual who did not obtain the access credentials from the customer; but what about an authorized employee who was tricked into sending a wire transfer, or a hacker who stole the access credentials from the customer? This is a harder question to answer.
A buyer can often be the real loser in the debacle. If the fraudster tricked a buyer into paying the wrong account, courts could deem the buyer to be in breach of contract and require the buyer to pay the seller again in full. Moreover, if the buyer failed to call the seller to verify the wire transfer request—especially when payments are routinely made by check—or did not secure company e-mail systems or flag suspicious requests, many of which are written in broken English, the buyer could be held liable for losses.
A seller may also fall into financial trouble. If goods were transferred before receiving payment, the seller may suffer from cash flow issues. Additionally, if the seller failed to secure company e-mail systems and flag irregular requests or suspicious decreases in buyer e-mail correspondence, the seller could be held liable for losses.
Insurance companies may be viewed as a safety net, but they offer no guarantee. Crime and computer fraud policies may not cover specific attacks like BEC, and even when they do, they may not provide the coverage a business needs. Courts have addressed this matter, but rulings are split across the country; one court even went so far as to rule that BEC was not covered by forgery, computer fraud, or funds transfer fraud provisions.
If you are insured by a specific cyber crime policy, it is imperative to know the limitations and exclusions of your coverage. “First-party” coverage may protect your business from losses directly related to system damage, monetary losses, and other costs associated with recovering from a cyber incident; however, what about “third-party” coverage? You would be prudent to thoroughly review and consider the available coverage for “third-party” claims. If an attacker infiltrates systems containing sensitive customer information, vendor information, or proprietary industry secrets, you may be heading toward your own mini-Equifax predicament.
Unfortunately, this scam is not going away anytime soon. In fact, the FBI reported that between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses, and between 2013 and 2016, known losses from BEC totaled over $5 billion worldwide. In 2016, Virginia ranked among the top ten states for cyber crime victim count and top five for overall monetary losses—BEC accounting for $7,140,527 of the total losses. These staggering numbers herald a growing and grave threat to businesses. Additionally, criminals have been known to use this scam to hijack real estate and court settlement transactions.
Stay vigilant, and if your business does fall victim to BEC fraud, immediately alert the authorities and consider consulting an attorney. Mahdavi, Bacon, Halfhill & Young, PLLC is prepared to help and has experience in insurance coverage review, insurance coverage defense, litigation, and BEC cyber crimes.
The First Steps Toward Protection
No technique or technology is completely secure, but creating a layered wall around your business can help prevent and deter scammers.
Employee awareness training is a crucial part of any cyber security program. Employees need to be aware of crimes like BEC and the infiltration techniques behind them.
If your business does not currently have layered security or an IT consultant, here are a few tips to start creating a security wall:
1) Hire an experienced IT consultant. If your company’s resources allow for professional assistance, work with a consultant to discuss vulnerabilities, expectations, and needs.
2) Begin implementing a DIY strategy. Adding a few simple security measures can help protect against cyber attacks. Consider a few options below:
- Anti-malware/anti-spyware software can help detect and block malicious or spoofed e-mails.
- Virtual Private Network (VPN) software can encrypt outbound and inbound data in a cost-effective way. Recently disclosed vulnerabilities, like KRACK (which allows criminals to intercept and read data on Wi-Fi networks, even without the network password), increase the need for VPN software.
- Require dual-approval for any wire transfer request and limit the number of employees with approval authority.
- Require out-of-band authentication to verify wire transfer requests.
- Reply to e-mails by using “Forward,” instead of “Reply,” and manually select the recipient’s e-mail address.
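The last tip guards against replying to a spoofed or lookalike address, the spoofing technique described earlier. As an added example that is not from the article, the Python check below compares the addresses on an incoming message with the contact on file before any reply goes out; the vendor directory, the sample messages, and the confusable-character map are constructed assumptions.

```python
from email.utils import parseaddr

# Digits that are routinely swapped for letters in lookalike domains (assumed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed vendor directory: the address on file is the only one a reply should go to.
KNOWN_CONTACTS = {"Acme Supplies AP": "ap@acme-supplies.com"}

def normalise_domain(domain: str) -> str:
    """Fold common character tricks so lookalikes compare close to the real domain."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_reply_target(msg: dict, contact_name: str) -> list:
    """Return warnings about where a plain 'Reply' to this message would actually go."""
    expected = KNOWN_CONTACTS[contact_name].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower() or sender  # Reply uses Reply-To first
    warnings = []
    if reply_to != sender:
        warnings.append(f"Reply-To {reply_to} differs from From {sender}")
    if reply_to != expected:
        warnings.append(f"reply would go to {reply_to}; address on file is {expected}")
        got_dom, exp_dom = reply_to.rsplit("@", 1)[-1], expected.rsplit("@", 1)[-1]
        if got_dom != exp_dom and edit_distance(normalise_domain(got_dom), normalise_domain(exp_dom)) <= 2:
            warnings.append(f"domain {got_dom} is a lookalike of {exp_dom}")
    return warnings

# Constructed messages: one genuine, then three variants of the spoofing described above.
SAMPLE_MESSAGES = [
    {"From": "Acme Supplies AP <ap@acme-supplies.com>"},
    {"From": "Acme Supplies AP <ap@acme-supplies.com>", "Reply-To": "ap@acme-suppIies.com"},
    {"From": "Acme Supplies AP <ap@acme-supp1ies.com>"},
    {"From": "Acme Supplies AP <acme.supplies.ap@webmail.example>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", check_reply_target(msg, "Acme Supplies AP") or ["ok"])
```

The genuine message produces no warnings; the hidden Reply-To, the digit-for-letter domain, and the unrelated webmail domain are each flagged for a different reason.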