How to counter the growing threat from digital con artists
Martin Daks//June 17, 2019//
How to counter the growing threat from digital con artists
Martin Daks//June 17, 2019//
Scams have always plagued businesses and individuals, but the advent of the internet gave the bad guys a whole new playing field. A Summit-based law firm found that out the hard way when it was taken for nearly $300,000 in a sophisticated email ruse, typically known as a BEC, or business email compromise. The sting unfolded in early 2017, but like a lingering headache the litigation it prompted continues to unfold.
“The firm received an unsolicited email that appeared to be from KCA Deutag, a UK-based international oil and gas services company,” said Michael J. Feldman, a founding partner of OlenderFeldman LLP. “That’s not unusual. We have several hundred clients and many times existing ones refer new clients to us.”
The electronic communication involved a request for assistance in purchasing expensive equipment. “We received a retainer document, supposedly signed by the chief executive officer of KCA Deutag, and we soon engaged in some preliminary legal work worth several thousand dollars,” he added, noting that it’s not unheard of to render legal services before a retainer check is in hand, as long as the proper documents are executed. “We quickly received what appeared to be a legitimate cashier’s check [which is normally a guarantee that the funds are good] for about $487,000, deposited it into our attorney trust account at our bank, and were soon advised that the funds were available.”
Two days later the hijinks went into full gear, when the law firm received a request — supposedly from the client’s representative — to wire transfer $228,900 to a bank in Jakarta, Indonesia. The activity was supposed to be in connection with the equipment purchase, but the law firm partners were stunned when they were subsequently advised that the original “cashier’s check” had bounced, and the bank was yanking $200,000-plus from the firm’s other attorney trust accounts to cover the Indonesia wire transfer. OlenderFeldman had to make good on it out of pocket, and the firm initiated several lawsuits against its bank, which are currently playing out in court.
A few years ago, banking consultant Peter Ostrowski was selling “a unique boat, a kind of Boston whaler, when I got a call from a broker that a buyer in Finland was willing to pay top dollar for it, sight unseen.”
The request itself seemed genuine, because “this boat would be ideal to handle the fjords in Finland,” said Ostrowski, who’s managing director of Ostrowski & Co. Inc. “But I said it wouldn’t leave the warehouse until two things happened: first, I wanted a cashier’s check, drawn on a U.S. bank with a local branch; and then I called the local branch to be sure it had indeed been issued by them, and I didn’t release the boat until the funds cleared. You can make a deposit and your account can be credited, but that’s not the same as ensur-ing that the funds have cleared.”
This story, and others, suggests some commonsense precautions for businesses to take.
Verbally confirm all instructions with a known source before sending a wire transfer.
Look into some kind of cybercrime insurance coverage. But policy may be limited — or unenforceable — depending on the facts of the case.
Always scrutinize email messages, to ensure that the address is legitimate.
Wait for a check to clear before you disburse money against it.
If a deal sounds too good to be true, or if the other party wants you to rush on a wire transfer, consider passing it up.
The weakest link in any security arrangement is usually a human being. Make sure everyone’s up to speed on security and other protocols. Develop policies and procedures, then test them and ensure they’re being followed.
According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.” In 2018, alone, the IC3 received 20,373 BEC and E-mail Account Compromise complaints with adjusted losses of more than $1.2 billion.
Although the perpetrators of BECs — also known as CEO impersonation — use a variety of tactics to fool their victims, “a common scheme involves the criminal group gaining access to a company’s network through a spear-phishing attack and the use of malware,” according to the IC3. “Undetected, they may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of email communication and even his or her travel schedule.”
It’s tempting to ask, “How on earth did this happen, but that’s with the benefit of 20-20 hindsight,” according to Ryan J. Cooper, founding partner of the Cooper LLC law firm. “There are myriad permutations of this kind of scam, and we’ve worked with businesses as well as consumers who were victims. It’s like after you’ve lost the money, everything begins to come into focus.”
In the BEC scam, a fraudster often sends a legitimate-looking email, “but one letter may be misplaced in the email address, or they may use a ‘zero’ instead of the letter ‘o,’ ” he added. “It’s easy to get fooled.”
Feldman said that’s just what happened to his law firm. “I won’t reveal the exact misplacement, but we discovered it when we re-examined the email. The firm has since put procedures in place to try to prevent that.”
Other law firms have their own procedures. When Lindabury, McCormick, Estabrook & Cooper PC gets a sizable check, “We won’t cut a check against it until it clears our financial institution, and then we’ll wait up to another 10 days,” said Eric Levine, a firm partner and co-chair of the Cybersecurity and Data Privacy practice. “It can be an inconvenience for a client, but this way we know the money is good.”
About a year ago, Lindabury McCormick represented a bank in a significant transaction, “and a few hours before the closing we received an email asking us to change the wire transfer routing. Fortunately we attempted to verify the legitimacy of the change and discovered that it was a fake email — the corresponding attorney’s email account had been hacked. One thing to do is contact the responsible person face-to-face or by phone [using a number that you know is good, rather than a different one that may be on the emailed or faxed instructions] to verify the change.”
In fact, the OlenderFeldman firm tried to do just that when the Jakarta wire transfer request came in. “A call was placed to the legitimate CEO of KCA Deutag,” said Feldman. “But he was out of the office. A message was left, but he never returned the call.”