In a news release earlier this month, the FBI warned consumers and businesses about the growing threat posed by business email compromise (BEC) scams.
This blog has previously discussed the risks posed by email ghosting, an alternative term for BEC scams. In this kind of attack, cyberattackers either create a spoofed email address that closely mirrors the real email address of a member of an organization, or infiltrate a company’s email system. In either case, the cyberattacker’s goal is to send emails that convince employees to disclose confidential information or initiate a funds transfer to the cyberattacker’s bank account.
The FBI released some startling statistics about the prevalence of this kind of attack:
Organizations may find that when one of these attacks causes financial loss, there is no source of recovery. For example, this blog has discussed how employee conduct could prevent claims to insurers. If an employee is fooled by one of these attacks and sends money to cyberattackers, an insurance carrier might not be legally obligated to reimburse the organization.
Banks may also not be required to reimburse an organization if the bank did everything it was supposed to do. This blog has extensively discussed the rules governing liability for businesses after a cyberattack. If an email ghost convinces an organization’s accountant to wire funds abroad and the accountant provides all of the required authentication information to the bank, then the bank will likely not be obligated to reimburse the organization for the cyberattack.
Email ghosting scams can take advantage of employees’ tendency to follow instructions, so it is important to make sure that every organization has developed policies and procedures that will help mitigate the risk posed by email ghosting scams. For example, organizations can require employees to confirm orders to send money with a phone call. The FBI recommends that organizations report any examples of these and other kinds of cyberattacks to the FBI’s Internet Crime Complaint Center. Organizations should identify the weak points in their hierarchy to determine whether an email ghosting scam could succeed.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.