North Texas federal authorities recently arrested a Nigerian man who faces charges for scamming several North Texas companies using spear phishing email scams.  The man faces 30 years in jail.[1]

Spear phishing scams are the latest type of cyber-attack and are costing businesses millions, if not billions, of dollars worldwide.  It is a very complex and sophisticated form of cyber-attack in which a hacker impersonates a high-ranking company executive and sends an email to a company employee with access to company accounts and power to make payments.  The email address used by the hacker is often extremely similar to the “real” email address of the company executive, containing one or two small letter variations.  For example, the hacker may send the email purportedly from a company executive from an email address reading name@abccompamy.com or name@abcconpany.com, whereas in reality the “real” email account is name@abccompany.com.  In the email, the hacker asks the employee to wire transfer money to an account, often asking for thousands of dollars.

It is evident that hackers study their prey, and they do so very carefully.  Signature lines are a match or near match of the actual signature line of the company executive.  The content of the email may provide good reasons why the payment must be made immediately, putting the employee under pressure to immediately complete the instructions purportedly sent from a top company executive.

Part of the success of these scams could be credited to the vast amount of publicly available information accessible online.  On company websites, Facebook, LinkedIn, Twitter, Instagram, and other social and internet networks, companies give hackers access to detailed personal and business information about the company and its employees.  For instance, company websites often list the names and contact information of C-level executives, tipping hackers to the actual email address of the company executive.  LinkedIn may provide further information, such as the identity of accountants, secretaries and others in the company.  Facebook and Twitter may tip off the hackers when a company executive posts about being on a “trip,” which gives the hacker an opportunity to send the fake email while the company executive is not physically in the office.

In light of the rushed request, the importance suggested in the email, and other factors, the employee makes the payment.

It is estimated that these spear phishing scams have cost U.S. businesses $470 million and the number of victims increased 270% in 2015[2].

What To Do If You Become a Victim

  • If detected quickly enough, immediately contact your bank and ask for a stop on the wire.
  • Contact the receiving bank and request that the account be frozen.  If discovered quickly enough, you may still have time to reverse the wire.
  • Contact local, state, and federal law enforcement and report the scam.
  • If the company’s system was breached, determine whether data breach regulations trigger a duty to notify customers.
  • Determine the depth of the breach, and whether any customers have received emails from the fake email account.  You may have to take steps to protect the company’s goodwill with customers.
  • Determine whether available insurance covers the loss.

Steps To Avoid Becoming a Victim

  • Establish clear and secure wire transfer protocols.
  • Train employees about cyber-security tendencies and potential threats.
  • Train employees about use of social media.
  • Conduct a review of your internet presence and determine whether information should be removed, modified, or deleted to provide only information that is necessary.
  • Have appropriate confidentiality agreements with parties that have access to company banking information, including employees and consultants.
  • Conduct regular system penetration tests and audits, and stay informed on the evolution of cyber threats.

[1]  Kevin Krause, Nigerian Charged in Sophisticated Email Scam is in Custody in Dallas, The Dallas Morning News, Jan. 1, 2016, last visited at http://www.dallasnews.com/news/crime/headlines/20160101-nigerian-charged-in-sophisticated-email-scam-is-in-custody-in-dallas.ece

[2]   Federal Bureau of Investigation, Business Email Compromise: An Emerging Global Threat, Aug. 28, 2015, last visited at https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise
