August 18, 2019

August 16, 2019


Phishing Lures: What To Do If You’ve Taken The Bait

Sometimes, it’s easy to know you’re being phished. There’s little chance that a bank administrator in a country you’ve never heard of really needs your help to get the unclaimed money of a deceased, rich foreigner out of the country before the corrupt government steps in to seize it. Other times, though, it’s not easy. Modern scammers don’t just phish, they spear phish. The difference is in the amount of research that goes into the scam and how narrowly the attempt is directed.

Imagine this scenario: Your company pays several invoices each month. Many come by email and include the account information to which payment can be directed. So when an invoice shows up from a known vendor for work actually done by that vendor, no red flags go up. After you make the payment, though, either the vendor contacts you and tells you the payment was never received or another invoice arrives for the same service. A little investigation shows that the invoice you paid was from a scammer and that the money is now gone.

How could this happen? There are a couple of ways. Maybe your systems have been compromised, the real invoice was deleted before anyone saw it, and a scam email (from a similar domain name) was sent in its place. Or maybe your vendor’s systems have been compromised and what was only a draft invoice was used to create the fake email that was sent to you from the vendor’s real email account. Similar scams abound: real estate closing scams attempting to divert funds to scammers at the last minute; internal emails from “management” ordering a wire transfer or requesting employee W-2 information; targeted messages with links to infected sites hoping to install malicious software on the victim’s computer system.
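The "similar domain name" case above is one a mail gateway or accounts-payable workflow can screen for before an invoice is paid. The following check is an added example, not code from the original post or the firm: it compares the sender's domain against a constructed list of vendor domains you actually pay, undoing common look-alike character swaps and flagging near-identical spellings. The vendor domains and addresses are hypothetical.

```python
"""Lookalike sender-domain check for incoming invoice email (added example).

Flags senders whose domain imitates a known vendor's domain rather than
matching it exactly. The allow-list and sample addresses are constructed.
"""
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains that are actually paid (hypothetical).
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Character substitutions commonly used to imitate a legitimate domain.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Return the part after the last '@' of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is not on the allow-list but either equals a
    trusted domain once homoglyph swaps are undone, or is textually almost
    identical to one; such invoices should be verified out of band before payment.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if normalize(domain) == normalize(good):
            return "lookalike"
        if SequenceMatcher(None, domain, good).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("billing@acme-supplies.example", "billing@acrne-supplies.example",
                 "billing@acme-suppIies.example", "invoices@totally-other.example"):
        print(f"{addr:35} -> {classify_sender(addr)}")
```

A "lookalike" result is a reason to confirm the invoice by phone with a known contact, not proof of fraud; an "unknown" sender simply is not on the vendor list.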

Between professional social media platforms, personal social media platforms, and company websites, scammers can learn more than enough about you, your colleagues, and your company to craft a highly sophisticated, uniquely tailored scam to swindle you out of thousands, tens of thousands, or even hundreds of thousands of dollars.

Of course, an ounce of prevention is worth a pound of cure. Utilizing multi-factor authentication options, implementing internal and external verification procedures for large money transfers, training employees to recognize risks, and limiting the information available on social media platforms can go a long way toward avoiding the dangers of phishing attacks. But what can you do if you’ve fallen victim?

  1. If you’ve transferred funds by wire, time is of the essence. As soon as you realize the money has been improperly sent, you should contact your financial institution and local law enforcement or the Canadian Anti-Fraud Centre and/or the Royal Canadian Mounted Police (RCMP) (for the USA, contact the nearest FBI field office). In some instances, it may be possible to reverse the transfer, although this often is not the case. If transferred money cannot be clawed back, contact your insurance provider. (And if you do not already have an appropriate cybersecurity insurance policy in place, now is the time to get one. It is also important to understand the limitations of that policy and to know what will and will not be covered.) Depending on your policy, the loss may be covered by insurance.

  2. If you’ve transferred money or sent out sensitive information (employee T-4s or other personally identifiable information, trade secrets or intellectual property, or other confidential content), immediately identify the situation as a data security matter and implement your Incident Response Plan by notifying the appropriate people on the Incident Response Team. (If you don’t already have an IRP and designated members of an IRT, now is the time to develop both.) You will need to identify your company’s legal obligations – including state-level notification laws, law enforcement reporting obligations, regulatory reporting obligations, contractual obligations, etc. – and begin taking steps to satisfy those obligations. The retention of competent legal counsel who can serve in a breach coach capacity is critical for this phase.

  3. File a report with law enforcement. Even if law enforcement cannot track where the money or information went, reporting the incident is a good idea. In some jurisdictions, it may be required by law. It may also be the case that the perpetrators are tracked down later, and having the report on file can help substantiate that you are entitled to some of any recovery that might occur. Also, reporting the incident may draw attention to a specific industry or sector that is being targeted by scammers and could help prevent others from falling victim as well. When making this report, however, it is important to be mindful of any regulatory obligations that might be implicated by the incident and to be cautious with information that could be misconstrued in subsequent regulatory investigations. You should determine whether you are subject to reporting obligations to either the Federal or Provincial Privacy Commissioner (in Canada). Again, competent legal counsel is important at this phase.

  4. Investigate how the incident occurred. Were the perpetrators able to gain access to your network to send fraudulent emails? Were they able to glean information from social media accounts or your company website that facilitated the fraud? Did improper employee training or inadequate policies and procedures lead to the incident? This phase may require an in-depth policy review and the retention of a qualified computer forensics company.

  5. Finally, fix the problems that allowed the event to occur. This may require changing policies, changing protocols, resetting passwords, utilizing multi-factor authentication options, and implementing ongoing employee training sessions (among other efforts).

Obviously, implementing appropriate procedures in advance can help reduce the likelihood of data security incidents occurring, decrease the time spent investigating and responding to an incident, reduce the costs associated with a breach response, and help to identify legal rights and obligations more quickly. Proper preparation, although necessitating some up-front effort and expenditure, will ultimately result in overall cost, time, and energy savings should a data security incident occur, and allow affected entities to return to normal operations as quickly and efficiently as possible.

© Copyright 2019 Dickinson Wright PLLC


About this Author

Justin Root, Dickinson Wright Law Firm, Cybersecurity and Information Privacy Attorney
Of Counsel

Clients with cybersecurity and information privacy concerns and challenges hire Justin for his experienced, tenacious, and thorough approach to data privacy and navigating an incident response. Justin’s breadth of experience, which includes service as a Special Deputy United States Marshal on the Federal Bureau of Investigation’s Cybercrime Task Force, is ever-present in his calming and clear analysis and strategic assessments of and approaches to cybersecurity and data privacy issues. As a result, Justin’s solutions-oriented approach reflects an appreciation for and is...

Sara H. Jodka, Dickinson Wright, largescale layoffs lawyer, employment reductions attorney
Of Counsel

Sara H. Jodka, Of Counsel at Dickinson Wright, dedicates her practice to working with employers to anticipate, identify, and resolve labor and employment, data privacy, and related compliance issues and litigation risks in today’s ever-evolving workplace. Sara devotes a significant part of her practice to proactively counseling employers in litigation prevention and overall compliance with state, federal, and administrative laws and regulations, which includes reviewing and revising employee handbooks and policies; counseling management regarding termination decisions (including large-scale layoffs/reductions in force); performing exempt status classification audits; and training employees on key employment policies and issues, including those related to leave, privacy, discrimination, harassment and retaliation, social media, the digital workplace and others. She routinely defends employers, in both state and federal court, against claims arising under Title VII, the Age Discrimination in Employment Act (ADEA), the Americans with Disabilities Act (ADA), the Family Medical Leave Act (FMLA), the Fair Labor Standards Act (FLSA), the Fair Credit Reporting Act (FCRA) (i.e., background check issues) and comparable state laws. Sara also has significant experience defending employers in class and collective action disputes, including wage and hour litigation involving claims of allegedly unpaid meal/rest breaks; unpaid overtime; off-the-clock work; and exempt status misclassification.

Wendy Hulton, product regulation, attorney, Dickinson Wright, law firm

Wendy Hulton’s practice involves advising and representing clients in connection with product liability, environmental, product claim disputes and wrongful dismissal actions. Wendy has been the author of the Canadian chapter of Product Recall text for a number of years.

Wendy has over 25 years of experience in the area of product regulation. She provides advice on dietary supplements, natural health products, foods, drugs, cosmetics, medical devices and a wide range of consumer products. She is retained by clients throughout Canada, the US and...