When William Darby went to work as a securities broker in October of 2018, little did he know that he was going to not only have a bad day, but ultimately a bad career.
Darby’s firm fell victim to an increasingly common form of attack — a Business E-Mail Compromise, or BEC attack. An unknown hacker hacked one of Darby’s customers and sent emails posing as those of the customer requesting that Darby effectuate three wire transfers totaling $511,870 from the customer’s account to outside bank accounts. Note that Darby’s account was actually never hacked or compromised — only that of the customer. In fact, there was nothing wrong with Darby’s security.
Darby directed his sales assistant to effectuate the wire transfers and to sign the firm’s “wire request attestation forms.” Darby also sold $525,896 of the customer’s securities to pay for the wire transfers.
Unfortunately, Darby also told the sales assistant that he had verbally confirmed the sales and wire transfers with the customers. He had not. He lied. As a result, the Financial Industry Regulatory Authority (FINRA), the regulator in charge of the financial services industry, charged Darby with violating various securities regulations and entered into a settlement agreement with Darby in December 2019, which included a 45-day suspension and a modest fine.
Business E-Mail Compromise
The problem with electronic communications is that we tend to trust them. For years we have told people only to open email from “people they trust.” Yet the ability to compromise, spoof, redirect or intercept e-mails means that, absent some other authentication, we cannot truly tell whether an email was actually sent from a trusted source, or whether what appears to be an email from us is, in fact, from us. This creates a false sense of security and a false sense of authentication. And it’s costing millions.
“Real” Estate Fraud
The National Association of Realtors noted a massive increase in the use of BEC as a means for forwarding and redirecting wire transfer instructions. The NAR described the scam, noting that “Fraudsters will assume the identity of the title, real estate agent or closing attorney and forge the person’s email and other details about the transaction. The scammers will then send an email to the unknowing buyer and provide new wire instructions to the criminal’s bank account.” In December of 2019, the Realtor Organization itself was the victim of an email phishing spoof, where members received emails purporting to solicit donations to a GoFundMe page sponsored by NAR.
The NAR itself recommended that realtors and others associated with real estate transactions take some simple steps, like verifying any changes in payment type (e.g., check deposit vs. wire) and location, not communicating solely by e-mail, and “set[ting] a code phrase with main contacts” so they can authenticate key people like lenders, title companies, closing attorneys and others. The problem is exacerbated by the fact that many of these companies lack sophisticated security or authentication schemes, and merely rely on e-mail for verification and validation.
In a 2016 case in Virginia, a law firm settled a case in favor of its client and was awaiting payment from the defendant. When the payment didn’t come, the firm contacted opposing counsel and found that the emailed wire transfer instructions sent from one law firm’s Yahoo account to the other had been compromised and the wire transfer instructions altered. The Court examined which party’s actions failed for lack of diligence — the requestor whose emails were compromised, or the sender for failure to authenticate before sending the funds.
Mo Money – Mo Scams
In a North Carolina case in 2018, both the FBI and cybersecurity writer Brian Krebs had warned about spoofed emails, purportedly from the company’s chief executive officer, to individuals in the human resources or accounting department asking for copies of W-2 data for all employees. When the North Carolina company fell victim to precisely such a scam and its employees’ data leaked, the Court found that “despite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, the Defendant provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” In effect, they let their employees become the victims of a social engineering attack because they failed to educate those employees about how to take effective countermeasures. The Court held that “the Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.”
BEC Meet SEC
In another reported case from 2016, In re Xoom Corp. Stockholder Litig., No. 11263-VCG, 2016 Del. Ch. LEXIS 117, at *6-7 (Ch. Aug. 4, 2016) shareholders from a company called Xoom sued the officers and directors of the company, partially because the company failed to take adequate steps to identify, prevent and respond to a BEC attack. In particular, the company noted that, as a result of the BEC attack “Xoom recorded a loss of $30.8 million in the fourth quarter of 2014 in connection with the business e-mail compromise.” The company’s earnings call further noted that “the Company does not expect any material recovery.” We’re talking some big bucks here.
At the end of the day, it is essential that companies communicate through secure, authenticated channels of communication, and add verification to important communications. For example, payment instructions (including amounts and wire transfer instructions) should ALWAYS be verified through at least a second channel, and preferably one that is both secure and authenticated. The responsibility for authenticating should lie with the party seeking to initiate the transaction. We can’t just expect consumers to demand a call back to authenticate wire transfer or other instructions – if we are in a business that relies on electronic transactions, we need to insist that we authenticate – verbally, electronically, and otherwise — the critical data fields. And we need to act quickly if an anticipated payment is not received.
Banks need to flag suspicious transactions, transactions to suspicious entities, or transactions where the payee (e.g., a title company) and the account holder (some guy in Bangladesh) don’t match. Banks ask for ID when you want to cash a check; they should require something akin to that to receive a wire transfer. UCC Sections 3, 4 and 4A all require that banks or merchants act with reasonable security and authentication. With knowledge of the BEC scheme, they need to take appropriate countermeasures.
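The controls described above (a callback on a second channel to a number on file, a pre-agreed code phrase, a payee/account mismatch check, and a second approver so an attestation like Darby’s cannot simply be asserted) as a worked example. This is added illustration code, not from the article or from any firm mentioned in it; the record layout, threshold, and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class OnFileRecord:
    """Payment details and contacts confirmed with the counterparty out of band (assumed layout)."""
    beneficiary: str
    bank: str
    account: str
    phone_on_file: str   # captured at onboarding, never taken from a later email
    code_phrase: str     # agreed by phone or in person, as the NAR advises


@dataclass(frozen=True)
class EmailedRequest:
    """What the incoming email asks for; never acted on by itself."""
    beneficiary: str
    bank: str
    account: str
    amount: float
    callback_number: Optional[str] = None  # a number the email itself offers


@dataclass(frozen=True)
class CallbackAttestation:
    """Evidence of the second-channel check that was actually performed."""
    number_dialed: str
    phrase_given: str
    confirmed_amount: float
    verified_by: str
    approved_by: str


def risk_flags(req: EmailedRequest, rec: OnFileRecord, threshold: float = 10_000.0) -> List[str]:
    """Tell the verifier which critical data fields changed relative to the verified record."""
    flags = []
    if (req.bank, req.account) != (rec.bank, rec.account):
        flags.append("bank/account differs from verified record")
    if req.beneficiary != rec.beneficiary:
        flags.append("payee name differs from verified record")
    if req.amount >= threshold:
        flags.append("amount at or above callback threshold")
    if req.callback_number and req.callback_number != rec.phone_on_file:
        flags.append("email offers a callback number that is not the number on file")
    return flags


def may_release(req: EmailedRequest, rec: OnFileRecord, att: Optional[CallbackAttestation]) -> bool:
    """Release only on a real callback to the number on file, with the code phrase,
    the amount confirmed, and a second person approving (no self-attestation)."""
    if att is None:
        return False
    return (att.number_dialed == rec.phone_on_file
            and att.phrase_given == rec.code_phrase
            and att.confirmed_amount == req.amount
            and att.verified_by != att.approved_by)
```

Every wire goes through `may_release`; `risk_flags` only tells the caller what to read back on the phone, it never substitutes for the call.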
In the end, knowing your customer isn’t just about authenticating them once. It’s about establishing reliable and secure channels of communication, and training employees about how to avoid these scams. That’s true if you are a multi-billion dollar financial institution or a small real estate company in Smyrna, Georgia. And consult with knowledgeable security professionals. They’ve got your BAC.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.