
Avoiding Cybercrime and Online Fraud
A recent movie, The Beekeeper (1), opens with a scene out of a horror movie. An elderly woman, who is otherwise sophisticated, is lured into an online cybersecurity scam in which all of her bank accounts are cleaned out. The cybercriminal uses well-worn techniques to scam her – not asking for bank or other personal information – but acting as if they are trying to help her stop malware from erasing her hard drive. If you think this can only happen to the unsophisticated, you might want to check out the recent article in the New Yorker by Charlotte Cowles (2). In this article she details how even a sophisticated reporter can be duped into handing over $50,000 to an online scammer.
In the business world, a number of cybercrimes are being perpetrated. One of the most common is where an employee – usually in the finance department – receives an email allegedly from an executive asking to wire money to some account for a supposed transaction. The executive is usually not available to confirm the wire – or the employee fails to think to confirm with the executive – and the wire goes out to a cybercriminal’s account. Another common internet scam is where an employee receives an email purporting to be from an existing vendor that requests a change to the bank instructions on where to send the vendor’s payment. Yet another scam, especially prevalent in the real estate industry, is an email purporting to be from a seller of real estate to an escrow firm detailing where to send payment in connection with the sale of real estate.
In many cases, the cybercriminals have used social engineering to get a name, email address, and other personal information and have spoofed an email address. In certain situations, they have even spoofed telephone numbers to make calls appear to be legitimate. If the cybercriminals have actually hacked into an email system, they may even use the real person’s email account to send the fraudulent email.
In many cases, legal recourse may be limited. In the first place, the cybercriminals will quickly move the money out of any account it is sent to, putting it beyond the reach of the bank to claw the money back – even if the victim is aware of the crime in time to try to reverse the transaction. Moreover, financial institutions will take the position that they were unaware of the crime and the transfer was made by the victim (3). While insurance may help to cover losses, this assumes that a loss exceeds the deductible for the policy.
Steps to Take to Avoid Being the Victim of Cybercrime
What can companies do to avoid being the victims of cybercrime?
First: Educate all employees about the risk of cybercrime. This training should include examples of typical cybercrimes – especially those that are perpetrated through phone, email and messaging. Employees should never engage in any transaction out of the ordinary without confirming the transaction through independent means. Employees who have the ability to originate electronic financial transactions should treat each one that is out of the ordinary as requiring two-factor authentication – e.g., requiring communications with the possible payor through at least one or two different mechanisms other than the medium in which the request was made – usually through communication originated by the employee (not the cybercriminal). For example, the employee can call the executive or the vendor using numbers that the employee already has for the executive or vendor. They should not call the number listed in the email itself, as the cybercriminal may have used its own phone number. Also, employees should view with skepticism any calls purporting to be from the government, their bank, credit card companies, or even vendors. It is easy for scammers to spoof any telephone number so that it comes up on caller ID as an institution such as a bank. Employees should also treat any request for a change in who they communicate with as a potential red flag. The employee should contact the person with whom they have been in regular contact via a second method to authenticate the change.
Second: After putting training in place, companies should also periodically test whether employees are following their training. This could consist of sending emails which spoof existing employees asking for wire transfers, and requests that appear to come from vendors for changed wire instructions. The objective would not be punishment, but to reinforce the training and compliance.
Third: Companies should consider adding an email extension to their email server that prominently notifies the recipient when an email is from outside the company’s email system. While this will not stop a cybercriminal who has hacked the company’s email system, it will help deter the vast majority of email scams, which originate outside the company’s email system.
Fourth: If a company finds itself the victim of cybercrime it should immediately try to reverse the transaction. Depending on how quickly the cybercrime is uncovered, there may be a possibility that the transaction can be reversed or some of the money recovered.
Fifth: A company will want to consider whether the loss is covered by its existing insurance policy. Some insurance policies may cover fraud or cybercrime – even if they are not cyber insurance policies. A company which regularly engages in electronic financial transactions of significant amounts may want to consider buying insurance against cybercrime.
Sixth: A company experiencing a loss will want to report the crime to the appropriate authorities – which in many cases will be the FBI. Finally, the company will want to consult with its attorneys to see if there are any claims that can be brought against other parties. For example, if a vendor’s system was hacked, which led to payments being redirected to the cybercriminals, the company may want to raise the breach as a defense against the vendor seeking payment.
While these steps will not completely eliminate all possibility that a company may be the victim of cybercrime, they will help make it less likely and reduce the amount of the loss if it occurs.
(1) The Beekeeper, Directed by David Ayer, Miramax, 2024.
(2) Charlotte Cowles, The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger: I never thought I was the kind of person to fall for a scam, New Yorker, last viewed February 20, 2024, https://www.thecut.com/article/amazon-scam-call-ftc-arrest-warrants.html
(3) This is not limited to wire transfers. Some popular app-based payment systems, such as Zelle, are also being used by cybercriminals. Zelle last year instituted a policy which allows for recovery in certain circumstances.
This post is as of the posting date stated above. Klemchuk PLLC assumes no duty to update this post or post about any subsequent developments having a bearing on this post. This post has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company. © 2024 Klemchuk PLLC