Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Safeguarding Your Firm From Business Email Compromises

September 24, 2019

In a Clark Hill PLC blog post by our friend Dave Ries and Melissa Ventrone, there is some excellent guidance for law firms and other entities. As the authors note, Business Email Compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes.

BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact or other trusted person in order to obtain a transfer of funds or sensitive information.

On July 16, 2019, the U.S. Treasury Financial Crimes Enforcement Network issued an advisory to financial institutions, which reported that BEC schemes had caused over $9 billion in losses to U.S. financial institutions and their customers since 2016. The FBI's Internet Crime Complaint Center (IC3) 2018 Internet Crime Report (April 2019) reported that IC3 received 20,373 BEC complaints in 2018, with adjusted losses of $1.2 billion. The FBI issued a Public Service Announcement in July 2018, which reported 78,617 domestic and international incidents of BEC between October 2013 and May 2018, with $12.5 billion in exposed dollar loss.

BECs often confuse people because they take multiple forms. They can involve spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. They can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called Email Account Compromise (EAC).

A common form of BEC (certainly the one that John and I see most often) is fraudulent wire transfer instructions: a fraudulent email, appearing to be from a CEO or other senior official (COO, CFO, etc.), with instructions to immediately pay "a vendor," or appearing to be from a vendor, with new wire transfer instructions pointing to a criminal's account. A variation is an email that appears to be from the attorney or real estate agent for a seller, with fraudulent payment instructions for the proceeds of a real estate sale, or an email sent to a buyer to "hijack" the wire transfer of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information from the W-2s is then used to get refunds from fraudulent electronic tax returns. In schemes involving EAC, the fraudulent emails are sent from legitimate accounts. These, in our experience, tend to be the most effective and lethal, because nothing about the sender looks wrong.

So how do you protect yourself? The authors suggest the following steps:

  • adopting policies and procedures (like verifying and reconfirming payment instructions or changes and information requests – other than just by email – and prompt reporting of phishing attempts and security incidents),
  • conducting ongoing security awareness training, including reminders,
  • implementing security technology (like spam filters, external email flags, and use of secure email), and
  • implementing incident response and prevention plans for BEC/EAC. Incident response plans should include steps like (1) notifying management, the bank, data breach counsel, the FBI and its Internet Crime Complaint Center (IC3), other law enforcement, and insurance carriers, (2) containing any compromise, by, for example, conducting a global password reset and checking for any suspicious email rules, and (3) preserving evidence.
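As an added illustration of the containment step "checking for any suspicious email rules" (this is not code from the post or from the Clark Hill authors), the script below triages a constructed export of mailbox rules and flags the patterns that typically follow an account takeover: forwarding to addresses outside the firm, deleting or burying messages, and rules keyed on payment wording. The firm domain, the folder list, the keyword list and the rule format are all assumptions standing in for whatever your mail platform actually exports.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-firm.com"  # assumption: the firm's own mail domain (constructed)
# Heuristics (assumptions, not from the post): folders people rarely open, and
# wording that suggests a rule is aimed at payment traffic.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                  "deleted items", "archive"}
PAYMENT_WORDS = {"invoice", "wire", "payment", "ach", "remittance", "w-2", "w2"}

@dataclass
class InboxRule:
    """One mailbox rule, shaped like a server-side rule export (constructed format)."""
    name: str
    forward_to: list = field(default_factory=list)     # forward/redirect targets
    move_to: str = ""                                  # destination folder, if any
    delete: bool = False                               # rule deletes matching messages
    subject_words: list = field(default_factory=list)  # "subject contains" conditions

def assess(rule):
    """Return (severity, reasons): why this rule looks like concealment or persistence."""
    reasons = []
    exfil = [a for a in rule.forward_to if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if exfil:
        reasons.append("forwards mail outside the firm to " + ", ".join(exfil))
    hidden = rule.delete or rule.move_to.lower() in HIDING_FOLDERS
    if rule.delete:
        reasons.append("silently deletes matching messages")
    elif hidden:
        reasons.append(f"hides matching messages in '{rule.move_to}'")
    hits = sorted(w for w in rule.subject_words if w.lower() in PAYMENT_WORDS)
    if hits:
        reasons.append("matches payment-related subjects: " + ", ".join(hits))
    if not rule.name.strip(" .,_-"):
        reasons.append("rule name is blank or punctuation only")
    if exfil or (hidden and hits):   # mail leaves the firm, or payment traffic is buried
        return "high", reasons
    return ("medium" if reasons else "none"), reasons

def triage(rules):
    """(name, severity, reasons) for every rule that raised at least one finding."""
    return [(r.name, sev, why) for r in rules for sev, why in [assess(r)] if sev != "none"]

# Constructed sample export: one benign rule and three shaped like post-compromise activity.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to="Newsletters", subject_words=["newsletter"]),
    InboxRule(".", forward_to=["mailbox.copy@attacker-example.net"]),
    InboxRule("Invoices", delete=True, subject_words=["wire", "invoice"]),
    InboxRule("Sync", move_to="RSS Feeds", subject_words=["password"]),
]
```

Run `triage(SAMPLE_RULES)` after the global password reset to get a ranked list of rules to review with the mailbox owner; a real deployment would feed it the rule export from every mailbox touched by the incident, not just the one that sent the fraudulent message.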

This is a great, concise look at the definition of BEC and EAC attacks, with common examples of how they work and practical steps to defend against them. Kudos to the authors.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson