Many people spend most of their day in front of a computer or looking at their smartphones, accessing personal or business email. Scammers exploit this through phishing attacks — emails the recipient believes come from a valid/trusted source that ask them to open a link or an attachment, or go to a website and enter personal information.
“In every case, the scammers prey on people’s good nature, their fears, or anything that will cause them to essentially grab the apple that scammers are dangling in front of them,” says Robert R. Kracht, a principal at McCarthy, Lebit, Crystal & Liffman Co., LPA.
Smart Business spoke with Kracht about phishing attacks — how they’re perpetrated, what legal recourse companies have to recoup damages and how to mitigate their success.
What is a phishing attack?
Phishing attacks tend to fall within three categories, ranging from a low level of sophistication to very sophisticated scams.
In one approach, a spoof email — one that looks legit but is fraudulent — is sent with the intent of getting the recipient to go to a website and enter personal data that the scammer can then use to gain access to other personal or business accounts.
In a second approach, a scammer sends someone a check and asks them to deposit it into their personal or business account. The recipient is told to take a transaction fee for themselves and then wire the balance of the funds to the scammer.
The check, however valid-looking, is worthless. The scammer is hoping that the recipient will deposit the check and remit the balance via wire to the scammer before waiting for the check to clear their bank.
In another approach, scammers enter into a person’s home or company network by getting the recipient to open an email attachment. Once in, scammers can search and obtain personal and financial data that they can then sell or use to withdraw funds or buy goods or services.
How can organizations recover losses incurred from a successful attack?
Attacks are commonly perpetrated by persons outside of the United States, where their identities and location are difficult or impossible to trace. Even if the transaction can be traced back to the source, if the theft was accomplished by wiring funds to banks outside the U.S., the scammers can avoid any clawback attempts by initiating further wire transfers to multiple banks in other countries.
Speed in detection and quick notification of the FBI may be the best means of tracing back to the source.
When a wire transfer between two companies is initiated because of a phishing attack, are there legal damages that either company can pursue against one another?
Yes. If a phishing attack causes damages in connection with a transaction between two or more companies, the party or parties that sustain losses as a result of that event can seek recourse from any source available.
That can include other parties to the transaction, their own business insurance policies, any outside network consultants that installed or maintain the company network, and, of course, the scammer(s). In Ohio, the party that is in the better position to prevent the loss will bear the loss.
In the matters that I have been involved in, I am not aware that any of the affected companies placed blame on any officer or employee of the company. In the end, the employees are just victims of very elaborate schemes that are designed to deceive.
How can an organization insulate itself against successful phishing attacks?
Educate all employees so that they know how to recognize a phishing attempt. Limit the number of people who can authorize transactions via company credit cards, or who can authorize the issuance of payments by wire. Also, require confirmation other than internal emails that the person who requested a wire transfer made the request.
Consider the retention of cybersecurity companies that will install software to monitor networks for cybersecurity threats. Companies also should review their existing commercial insurance to see if they have cybersecurity coverage, which could help them recover some or all of the damages incurred if they’re the victim of a breach.
Insights Legal Affairs is brought to you by McCarthy, Lebit, Crystal & Liffman