September 29, 2020

Volume X, Number 273

September 29, 2020

Subscribe to Latest Legal News and Analysis

September 28, 2020

Subscribe to Latest Legal News and Analysis

Emails That Do Not Make Your Spidey Senses Tingle Can Lead to Huge Losses

You just received an email request from your boss who is out of the office but needs you to email him sensitive employee files because he is working on a confidential matter that cannot await his return. Or, you are a title company handling a real estate closing, and the seller just emailed you wire instructions from her personal email account directing you where to deposit proceeds from the sale of her home. Neither of these emails raises immediate suspicion because there are elements to them that sound familiar to you. You personally know the person requesting action, or the requestor demonstrates familiarity with the transaction or certain business protocols. So, you do your job. It turns out that you replied to a fraudulent email and just sent a trove of sensitive personal information out the door and wired hundreds of thousands of dollars to wrongdoers.

Business email compromise (BEC) scams are on the rise. These low-tech but socially sophisticated cyber-attacks rely on spear-phishing emails that appear to be from someone you know, often an executive or someone in senior management, requesting money or sensitive employee records. They generally request immediate action and commonly contain the terms “Urgent,” “Request,” or “Payment” in the subject line. In its April 2017 Internet Security Threat Report, the security solutions company Symantec identified BEC scams as one of the top growing cybersecurity attacks this year. These compromises have grown at an alarming rate. Between January 2015 and December 2016, there has been a 2,370% increase in BEC scams with a total combined loss of over $5 Billion in the last three years.

Cyber-attackers use social engineering to lure employees and individuals into believing that they are responding to legitimate requests. They may even hijack genuine invoices sent by real companies and only change the account number to the hacker’s account number to successfully receive payment. These attacks have been lucrative and have the potential to snare sophisticated individuals. In January 2016, the CEO of an Austrian aerospace company was involved in a BEC scam that resulted in the transfer of $47 million, which essentially wiped out most of the profits for the company that year. Cyber-attackers not only seek cash but also personal employee information. The Milwaukee Bucks fell victim to this when an employee responded to an email from someone posing as the Buck’s President and sent scammers the W-2 information for its players, which included name, address, Social Security Number, and compensation information. No industry seems to be immune to BEC scams, but they are fastest growing in the finance, insurance, and real estate space.

In the real estate arena, the scams typically involve the identification of real estate professionals (realtors/brokers/title agents) that have a high volume of incoming wire transfers. Hackers gain access, monitor the business email accounts, and intercept legitimate funds requests and transfer instructions. The hacker then modifies the instructions to direct the funds to a fraudulent account. The client then wires the funds for the real estate purchase to the fraudulent account.

The following are some best practices to protect against BEC scams:

  • Raise awareness of BEC scams within the organization or early in a transaction; a greater understanding of potential attacks raises the potential for employees and individuals to recognize when they are being targeted by fraudsters.

  • Avoid using and responding to emails from free web-based email accounts.

  • Be suspicious of requests to act quickly, secretly, or without following usual procedures.

  • Confirm any changes to wire transfer information verbally.

  • Draft a separate reply to the email sender to a known email address rather than hitting the Reply button

  • Do not give out sensitive information via email.

  • Have a second out of band communication channel to verify transactions for significant amounts of money, such as a telephone call using a previously known telephone number, or other previously agreed upon communication method that is not one suggested in the email request itself.

  • Be careful in posting information about executives or employees on social media or company websites that provides detailed job duties, hierarchical information, and out of office details such as vacation schedules; BEC scams often coincide with business travel or vacation dates.

©2020 MICHAEL BEST & FRIEDRICH LLPNational Law Review, Volume VII, Number 129


About this Author

Michelle L. Dama, Attorney, Litigation, Michael Best Law Firm

Corporate clients turn to Michelle for her experience litigating commercial and intellectual property disputes, among other matters. Michelle also serves as a member of the firm’s Class Action/Multidistrict Litigation team. She tries cases in both federal and state courts at  the trial and appellate levels.

Michelle assists a diverse group of clients, many of them long-standing, in the following areas:

  • Complex commercial disputes
  • Intellectual property and trademark litigation
  • Product liability actions
  • Consumer law,...
Adrienne Ehrhardt, Michael Best Law Firm, Corporate and Transactional Attorney

Known for giving practical and actionable legal advice, Adrienne counsels clients on the many complex aspects of privacy and data management matters.

Her extensive background includes experience with issues relating to the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and the Telephone Consumer Protection Act (TCPA), as well as privacy programs and cyber security issues.

Prior to joining Michael Best, Adrienne served as the in-house lead attorney in privacy and data protection at CUNA Mutual Group. She also served as Associate General Counsel at Land’s End, Inc., where she managed litigation, counseled the company on internal legal matters and negotiated and drafted a variety of transactional agreements. Previously, she was a member of the commercial litigation practices of two international business law firms, and began her career as a Judicial Law Clerk in United States District Court for the Northern District of Illinois.

Nancy Leary Haggerty, Land Resources, Real Estate Attorney Michael Best Law Firm

Nancy is a partner in the Land & Resources Practice Group. Her more than 30 years of experience covers a broad range of real estate law, including assisting clients in purchases, sales and leases of property, and development and zoning work; representing borrowers and lenders in real estate loans; assisting in foreclosures and workouts; advising on questions of condominium law; negotiating construction and architects' contracts; and assisting in real estate litigation.

She has worked extensively with TIF financing and municipal development...