
Hackers, email fraud increase security woes for companies

The use of email fraud has become so rampant that two years ago the Securities and Exchange Commission issued guidance saying if a public company doesn’t guard against phishing attacks it can be a violation of the 1934 Securities Act.

It is not just publicly held companies that are at risk. The national law firm of Holland & Knight was sued recently for failing to prevent the transfer of more than $3 million to a fraudulent account in Hong Kong. The firm is charged in the suit with failing to take the appropriate steps to verify the transfer before it was too late.

This is a worldwide and growing problem, experts say. News outlets from the U.S. to New Zealand and the United Kingdom carry numerous reports of companies falling prey to fraudsters who infiltrate their email systems, pose as vendors or clients, and steal massive amounts of money.

In the suit against Holland & Knight, two foundations claim the firm received an email from a fraudster posing as the entity set to purchase stock from the foundations. Instead of calling to verify the transfer, the firm sent a verification email. The fraudster intercepted it and replied that the bank account number had changed, asking Holland & Knight to wire the money to a Hong Kong account instead.

“The fraudster sent Holland & Knight new documents that included information on the new account, held under a slightly different name, Hong Kong Wemakos Furniture Trading Co. Limited,” the American Bar Association Journal reported.

Two foundations selling the stock — Sorenson Impact Foundation and the James Sorenson Family Foundation, a nonprofit trust in Utah — sued. The foundations had hired the firm to document the stock acquisition and carry out a merger plan related to its sale.

The suit states Holland & Knight and the transfer agent, a second defendant, should have been on notice that the accounts were not legitimate, given inconsistencies in the documents.

The defendants should have been aware that international wire transfers to China can be a fraud risk, according to the suit.

The foundations charge breach of fiduciary duty and breach of contract.


Attorney Joshua Mooney, an expert in this field and chair of the cyber law practice group for White and Williams in Philadelphia, said all too often in a case like this, the lawyer is contacted once the mistake has been made.


“Unfortunately, I come in after the damage is done,” said Mooney, who also serves as his firm’s chief privacy officer. “There are different ways companies, law firms included, can protect themselves.

“Whenever a company employee or attorney is given a request to wire transfer money, they should use multifactor authentication. It is basically a manner in which you confirm the legitimacy of the request,” Mooney said. “You get an email from a client asking you to wire $2 million from such and such account. Ask yourself if this was expected or out of the ordinary. Even if expected, hackers will monitor the email. What I advise my clients and certainly the attorneys in our firm is to pick up the phone and, using the contact information you have independent of the email, call up your client and confirm the instruction.”

Never use contact information contained in the email, he said.

Mooney said he suspects that in the Holland & Knight case a hacker could have gotten into an account, then changed the mailbox rules so that any email received from the lawyer’s account would automatically be forwarded to the hacker and automatically go into the client’s delete box.
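The mailbox-rule pattern Mooney describes (mail from one party silently forwarded outside the organization and then deleted) is something a mail administrator can audit for. The script below is an added illustration, not code from the article or from Mooney; it runs over a constructed, simplified export of inbox rules, with field names loosely modelled on Exchange-style rule properties and an assumed list of the organization's own domains.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the organization's own mail domains; any other domain is "external".
INTERNAL_DOMAINS = {"example-foundation.org"}
# Folders where redirected mail is unlikely to be noticed (the deleted-items
# case is the one the article describes).
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "archive", "junk email"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    from_contains: List[str] = field(default_factory=list)  # sender filter
    forward_to: List[str] = field(default_factory=list)     # forward/redirect targets
    delete_message: bool = False                            # "delete the message" action
    move_to_folder: Optional[str] = None                    # "move to folder" action

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_severity(rule: InboxRule) -> Optional[str]:
    """Classify one rule: 'critical', 'high', 'medium' or None if nothing stands out."""
    external = [a for a in rule.forward_to if is_external(a)]
    hidden = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if external and hidden:
        return "critical"   # thread copied out of the organization AND hidden from the owner
    if external:
        return "high"       # silent copy of mail leaving the organization
    if hidden and rule.from_contains:
        return "medium"     # mail from one specific party vanishes from the owner's view
    return None

def suspicious_rules(rules: List[InboxRule]):
    """Return (mailbox, rule name, severity) for every rule that merits a human look."""
    findings = []
    for r in rules:
        sev = rule_severity(r)
        if sev:
            findings.append((r.mailbox, r.name, sev))
    return findings

# Constructed sample export: one benign rule, two matching the pattern in the article.
SAMPLE_RULES = [
    InboxRule("cfo@example-foundation.org", "Newsletters",
              from_contains=["news@vendor.example"], move_to_folder="Newsletters"),
    InboxRule("cfo@example-foundation.org", ".",
              from_contains=["counsel@lawfirm.example"],
              forward_to=["acct-review@webmail.example.net"], delete_message=True),
    InboxRule("clerk@example-foundation.org", "Copy home",
              forward_to=["me@personal.example.org"]),
]

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES):
        print(*finding)
```

In a real deployment the rule list would come from the mail platform's own rule export rather than the constructed sample above.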

If a company suspects a hack like this has occurred, they should immediately contact the FBI, Mooney said. “By contacting the FBI within 24 hours, you actually have a good shot at getting some of that money back.”

Protect your company from email fraud

This type of email fraud is sometimes referred to as a social engineering attack. In such cases, an attacker “uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems,” the U.S. Cybersecurity & Infrastructure Security Agency states on its website. “An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.”

By asking questions, the attacker may be able to piece together enough information to infiltrate an organization’s network. The attacker may contact more than one employee to gather enough information to add to their credibility.

Companies should set up policies and procedures so that, if any client or vendor asks to have money wired to a new or previously unused account, the employee ultimately in charge of that wire independently confirms the authenticity of the request through a different means of communication, Mooney said.

Everyone who works for the company should read that policy annually and acknowledge it, he said. If a company still ends up in court, that proves it had policies in place to guard against hacking.

“Companies should train employees on various cyber security risks,” Mooney said. “This type of loss is a very big loss.”

Also, he said, companies should get insurance to cover losses that result from these hacks, though most of the policies have low maximum payouts. And some insurance companies will not cover cyber hacks at all.