Cybercriminals commit thefts every day using nothing more than email, stealing billions of dollars every year. Yes, billions with a “B”. This has been a top cybercrime threat for years, yet some businesses have not even heard of it, let alone done anything to protect against it.
Businesses that plan and prepare can prevent the crime. As always, this means applying good management practices to cybersecurity and technology, devoting reasonable resources to improve cyber defenses, and considering my Four Pillars of Cybersecurity.
Businesses should ask these questions now:
- Is this crime on our radar?
- Do we have measures in place to protect against it?
- Do we send or receive payment instructions by email? A common example is bank wire instructions.
- When we receive such instructions, what is our practice to confirm that the instructions are genuine before acting on them?
These email-based frauds occur when cybercriminals insert themselves into an email conversation, pretending to be someone else and sending instructions for wiring money. If the instructions are followed, the money can be stolen.
There are many varieties of this fraud, and many different names for it, including:
- Business email compromise (BEC)
- CEO or CFO fraud (impersonation of an organization executive)
- Email-based funds transfer fraud
Sometimes cybercriminals blindly attempt the crime without much planning or sophistication. They impersonate one person and email another to request a funds transfer. Sometimes it is poorly done or low-dollar, such as a request to purchase a gift card.
Other times cybercriminals have infiltrated (breached) an email system and put effort and expertise into the scheme. They read stored emails and monitor new communications as they come and go. They wait for a large transaction to approach, then swoop in to misdirect the funds and steal them.
The criminal laws against this conduct are clear, starting with traditional theft (larceny). While stealing this money, cybercriminals may commit other crimes such as a data breach, identity theft, money laundering, and more. The laws are in place, but we need to improve our criminal investigation and enforcement because this crime is rampant and often unanswered.
Businesses need to be aware of the civil laws that apply to their cybersecurity, as covered generally in this prior article. An important requirement in every state (including New York and Connecticut) is the data breach reporting statute (discussed here), and many states also have cybersecurity requirements. These email crimes can trigger breach notification duties, and traditional negligence law and contract law may apply too.
After money is stolen, multiple parties will dispute who should bear the loss. A good investigation will help reveal the facts, and then the law is applied to assess responsibility.
This cybercrime theft is expensive, stressful, and time consuming for victims, and can wreck the finances of an individual or organization.
Prevention of this crime is possible, and starts with a few discrete steps:
- Employ two-factor authentication and strong passwords, especially with email systems
- Realize that others may not secure their email systems well
- Be skeptical of who is on the other end of an email
- Verify payment instructions verbally
- Verify changes to payment instructions verbally
These steps can be part of a solid cybersecurity program to protect organizations. A program starting point can be Bandler's Four Pillars of Cybersecurity, which include concepts and safeguards that any person can understand, regardless of technical knowledge.
This email fraud is one of three priority cybercrime threats that businesses should protect against; the other two are data breaches and ransomware.
Businesses should continually improve their cybersecurity plan to protect the organization, safeguard customer and employee data, and comply with legal standards.
Preventing a serious cybercrime is a main goal; legal compliance is also important, and organizations can improve their efficiency as well.