Posted on 04/21/2016 at 12:00 AM by John Lande
In a news release earlier this month, the FBI warned consumers and businesses about the growing threat posed by business email compromise (BEC) scams.
This blog has previously discussed the risks posed by email ghosting, an alternative term for BEC scams. In this kind of attack, cyberattackers either create a spoof email address that closely mirrors a real address belonging to a member of the organization (a lookalike domain that differs by a character or two, or a borrowed display name over an outside mailbox), or they compromise a genuine mailbox inside the company's email system. In either case the cyberattacker's goal is to send emails that convince employees to disclose confidential information or to initiate a funds transfer to the cyberattacker's bank account.
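The lookalike-address variant described above can be screened for mechanically before a message reaches the accounts team. The following is an added example, not code from the original post or from the FBI: it checks an inbound message's headers for a sender domain that resembles the organization's own, a display name that matches an executive but arrives from an outside domain, a Reply-To that redirects replies elsewhere, and, for mail that claims the organization's exact domain, a failed DMARC result. The organization domain, the executive names, the Authentication-Results header and the sample messages are all constructed for illustration.

```python
"""Lookalike-sender triage for business email compromise (BEC).

Added example; not part of the original post. ORG_DOMAIN, EXECUTIVES and
the SAMPLE_MESSAGES below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"            # assumed internal domain
EXECUTIVES = {"Jane Doe", "Raj Patel"}      # assumed names attackers impersonate

# Character substitutions commonly used in lookalike domains (homoglyphs).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'examp1e-corp.com' compares equal to the real domain."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or swapped characters homoglyph folding misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def check_headers(headers: dict[str, str]) -> Verdict:
    """Flag BEC indicators in a message's From, Reply-To and Authentication-Results headers."""
    reasons: list[str] = []
    display_name, _ = parseaddr(headers.get("From", ""))
    from_dom = domain_of(headers.get("From", ""))

    if from_dom and from_dom != ORG_DOMAIN:
        # Outside domain: is it impersonating ours, or is the name impersonating a person?
        if normalize(from_dom) == normalize(ORG_DOMAIN) or edit_distance(from_dom, ORG_DOMAIN) <= 2:
            reasons.append(f"sender domain {from_dom!r} looks like {ORG_DOMAIN!r}")
        if display_name.strip() in EXECUTIVES:
            reasons.append(f"display name {display_name!r} matches an executive but domain is {from_dom!r}")
    elif from_dom == ORG_DOMAIN:
        # Exact-domain forgery is the gateway's job (SPF/DKIM/DMARC); trust its verdict header.
        auth = headers.get("Authentication-Results", "").lower()
        if "dmarc=fail" in auth:
            reasons.append("From claims our domain but DMARC failed")

    reply_dom = domain_of(headers.get("Reply-To", ""))
    if reply_dom and from_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    return Verdict(bool(reasons), reasons)


# Constructed sample headers, one per BEC pattern plus one legitimate message.
SAMPLE_MESSAGES = {
    "lookalike_domain": {"From": '"Jane Doe" <jane.doe@examp1e-corp.com>'},
    "exec_name_webmail": {"From": '"Jane Doe" <ceo.urgent@gmail.com>', "Reply-To": "<ceo.urgent@gmail.com>"},
    "vendor_reply_to": {"From": '"Accounts Payable" <ap@vendor-supplies.net>',
                        "Reply-To": "<ap@vendor-suppl1es.net>"},
    "exact_domain_forged": {"From": "<jane.doe@example-corp.com>",
                            "Authentication-Results": "mx.example-corp.com; spf=fail dmarc=fail"},
    "legitimate": {"From": '"Raj Patel" <raj.patel@example-corp.com>',
                   "Authentication-Results": "mx.example-corp.com; spf=pass dkim=pass dmarc=pass"},
}


def triage_all() -> dict[str, Verdict]:
    """Run the check over every sample message."""
    return {name: check_headers(h) for name, h in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:22} suspicious={verdict.suspicious} {verdict.reasons}")
```

The check is deliberately conservative: it only compares against the organization's own domain and a short list of impersonated names, so it produces few false positives, and it leaves exact-domain forgery to the mail gateway's DMARC evaluation rather than trying to re-derive it. It does nothing against the second variant in the post, a genuinely compromised internal mailbox, which is exactly why the out-of-band confirmation discussed later matters.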
The FBI released some startling statistics about the prevalence of this kind of attack:
- Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
- From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
- This amounted to more than $2.3 billion in losses.
- Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
- In Arizona the average loss per scam is between $25,000 and $75,000.
Organizations may find that when one of these attacks causes financial loss there is no source of recovery. For example, this blog has discussed how employee conduct could prevent claims to insurers. If an employee is fooled by one of these attacks and sends money to cyberattackers an insurance carrier might not be legally obligated to reimburse the organization.
Banks may also not be required to reimburse an organization if the bank did everything it was supposed to do. This blog has extensively discussed the rules governing liability for businesses after a cyberattack. If an email ghosting scam convinces an organization's accountant to wire funds abroad and the accountant provides all of the authentication information the bank requires, then the bank will likely not be obligated to reimburse the loss.
Email ghosting scams take advantage of employees' tendency to follow instructions that appear to come from senior staff or trusted vendors, so it is important that every organization develops policies and procedures that mitigate the risk. For example, organizations can require employees to confirm any request to send money, or to change a vendor's payment details, with a phone call to a number already on file, not a number supplied in the email itself. Organizations should also identify the weak points in their approval chain: anywhere a single convincing email could trigger a payment is where an email ghosting scam will succeed. The FBI recommends that organizations report these and other kinds of cyberattacks to the FBI's Internet Crime Complaint Center.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.