Not a week goes by without some news report of another hacking incident. The industries targeted include large retail stores, restaurants, banks, attorneys, accountants and recently in Maryland, a title company. In Montgomery County between $100,000 and $200,000 vanished when the buyers sent the money to what they believed was the correct bank for their home purchase. This occurred when the sellers’ email was hacked and their email communication regarding the purchase was monitored. The hackers then, pretending to be the sellers, sent an email from the sellers’ account instructing the buyers at the last minute to send the money to a different bank account. Neither the sellers nor buyers saw the money again.
The implications of getting hacked can be devastating to a company’s bottom line as well as their reputation. Understanding the basic steps of the hacking process can go a long way towards thwarting a hacking scheme.
In the first step, a hacker will gain access to an email system either by brute-force hacking or “phishing” a target member’s email account so the hacker can look like he or she is conversing as the target. The system may be monitored by the hacker for the possibility of a significant inflow of funds to an escrow account. In the case of a law firm, an email may be sent to the target concerning some significant settlement of a case or, in the case of a title company or realtor, a pending real estate transaction.
In the next step the hacker may “spoof” the target into believing the hacker is the client or that the would-be “client” has a lucrative legal settlement.
In the next step, the hacker may impose a sense of urgency to receive the funds from the target’s account. In a desire to please the client, the target may act hastily in disbursing funds not yet collected. In order cases, in order to induce a hesitant target to send funds before the funds have been collected, the hackers may send a fake cashier’s check, asking the target to deduct any fees or commissions and other expenses of the transaction, before forwarding the balance of the escrowed funds.
In the final step, funds are transmitted to the hacker’s account, or one set up by a collaborator, and withdrawn, generally very quickly.
What can be done to protect businesses from these hacking scams?
- Confirm and re-confirm the “reply to” email address. Often, hackers will use a reply email similar to that of the client but with one or two letters off. Or the email address may suddenly appear with a different suffix than the true email account such as “.org” as opposed to “.com”. This sets up a target to communicate with the wrong person. If told to transfer funds by email, before ever complying, you should double check the email address.
- Use “two step” authentication. In other words, if an email instruction is received regarding the transfer of funds, send a text message or, even better, use the old-fashioned telephone to reach the client and confirm the instructions.
- Go slow. Make sure the client understands that there will be no disbursement of funds from an escrow account until any funds needed to meet a disbursement are “collected”. Take reasonable steps to rebuff calls of “urgency”.
- Know the difference between “collected funds” and “available funds”. The difference between the two is important. Available funds are “spendable”, but in the banking system collected funds are “guaranteed”. So, if an email instructs that funds be wire transferred (a guaranteed form of payment in the banking system) from an escrow account, the wire may only come from “guaranteed” or collected funds. Therefore, the “collected balance” in the escrow account is far more important than the “available balance” when paying out escrow funds.
- Review incoming financial instruments closely. Make sure the incoming financial instrument is authentic. No money should ever be transferred from an account before validation of a check received to be used to cover the transfer including a cashier’s or treasurer’s check.
- Make an email account a “hard target”. Follow the usual steps in protecting important information. Don’t share financial information via email, text or phone. Change passwords frequently. Log out of your computer when away for a significant period.
- Review your cyber security and commercial insurance policies. Make sure the terms are clear to you. Email fraud is referred to as “Business Email Compromise” or “BEC”. As with all types of insurance coverage, whether BEC is covered under a policy depends on the wording of the policy. Some instances reported in the news focus upon whether the email in question is a “financial instrument”. In other words, the email must do more than provide instructions as to the sending of the funds for coverage to be effective. The email must be similar to a check or draft – a financial instrument. Knowing whether your business will be protected from financial loss and liability is crucial to an overall business plan.
PK Law’s Insurance Defense Practice can assist with matters relating to coverage for incidents involving BEC or other cybersecurity related schemes. For additional information contact email@example.com.
This information is provided for general information only. None of the information provided herein should be construed as providing legal advice or a separate attorney client relationship. Applicability of the legal principles discussed may differ substantially in individual situations. You should not act upon the information presented herein without consulting an attorney of your choice about your particular situation. While PK Law has taken reasonable efforts to insure the accuracy of this material, the accuracy cannot be guaranteed and PK Law makes no warranties or representations as to its accuracy.