By Belton Zeigler, partner, Womble Bond Dickinson
Meet Peter — a longtime employee and the backbone of your business’s day-to-day finance and accounting operations. Today he got an email from the CEO, Meredith: “Peter, I hope Joyce is doing better; I know her illness has been a strain on your family. As you know, I am traveling in Germany but need your help. I need you to make an immediate payment on the instructions of our West Coast attorneys to lock in the Cerulean deal. Please call the following lawyer for instructions. It is critical that the earnest money be paid before noon tomorrow. All the best, Meredith.”
Peter calls the number listed for the attorney, who gives him instructions for wiring $375,000 to the specified bank account.
The entire transaction is a fraud.
Months before, hackers had broken into the company’s email domains. They had monitored email traffic to and from the CEO. They had identified when and where the CEO would be traveling. They had noticed that the CEO had been working on a deal to acquire Cerulean and earnest money would be required shortly. They had identified Peter as the person who would execute instructions from the CEO for wiring money. They had learned from Peter’s email account that his wife, Joyce, was ill and that the CEO had expressed her sympathy to him in past emails. Using this information, cybercriminals carefully engineered an email request to appear to come from the CEO.
The Democratization of Cybercrime
Peter was the intended victim of business email compromise, one of the fastest-growing of the new breed of cyber threats. The FBI reported that 40,000 business email compromise attempts were made in 2016 and determined that identified losses increased by 2,370 percent over the previous year. Globally, this scam has netted about $5 billion.
Business email compromise represents part of a significant shift in the cybercriminal business model — part of the new democratization of cybercrime. Small- and medium-size businesses are the heart of this new danger zone.
Until recently, cybercrime victims were predominantly big targets like Target, Home Depot, and Equifax. But cybercrime is now becoming more democratic as the focus shifts to smaller data-dependent entities that can be tricked into fraudulent banking transactions or whose data can be held hostage for payment. Business email compromise is particularly threatening to small and medium-size businesses because — absent very specific insurance coverage for this kind of loss — there is no one to look to for compensation. Increasingly, targets are real estate agents, title companies, and law firms involved in routine but high-dollar transactions.
In the case described above, if Peter had complied with the instructions fraudulently conveyed to him by the pretended lawyer on the West Coast, the bank would not have been at fault. The company would have been left holding the entire loss.
Personal Protections Against Business Email Compromise
- Train yourself or your employees to spot the red flags (http://bit.ly/2ouPK3l) that often indicate an email is fraudulent.
- Confirm any request to wire funds or to change payment addresses through a phone call to a known individual, or to an individual at a known number, obtained independently of the email chain that contains the request.
- Never click on any email attachment that is unanticipated or that accompanies a request with anything unusual or suspicious about it.
- Never use a website link that is provided in an unexpected email to update information or to check an account. Instead, go through the company’s public web address to its customer service page.
Corporate Protections Against BEC
- Ensure that there are multiple lines of defense within the firm’s information systems so that hackers who get into one part of a system cannot freely move to other parts.
- Secure the most valuable data in the area of the system that is the hardest to reach.
- Protect administrative rights with two-factor authentication.
The internet has given us freedom to navigate the world of commerce without borders and practically without restraint. But the price of freedom is risk. Cybercriminals, those who use the interconnected world to rob and steal, are increasingly turning their attention from Wall Street Goliaths to main-street businesses. Firms of all sizes should consider that risk, look for cybersecurity insurance appropriate to their operations and risk profile, train their people to be vigilant and informed, and configure their systems to withstand the democratization of cybercrime.
Belton Zeigler, a partner with Womble Bond Dickinson, has a South Carolina-based practice in cybersecurity, utility, environmental, and energy law. He is a senior member of the firm’s data management and cybersecurity team. Connect with Belton at linkedin.com/in/beltonzeigler.