Industry Insights

Inbox Intruders: Understanding Email Scams and Cyber Threats

Featured: Mark Lehman, Nicole M. Fluet

In technological spaces, speed and innovation are prized commodities. Unfortunately for businesses, cyber-attacks and threat actors have evolved with the times. Network security has expanded beyond the IT department to the purview of corporate executives and to the cyber & technology law landscape.

Email fraud schemes are no longer crude or obvious. The “urgent” requests from supposed royals, peppered with grammar and spelling mistakes and “promising” a large sum of money, have largely given way to far more sophisticated threats. Threat actors are strategic and patient, waiting for the moment that is most opportune for them and least convenient for the target, and their messages can appear to originate from someone you know or from someone within your organization.

Email scams are increasingly successful at bypassing safeguards by targeting human and organizational weaknesses. When an incident occurs, companies face difficult questions: What is the full extent of the incident? Who is liable? What protocols were followed, or worse, missed? Will the cyber insurance provide coverage for the incident and to what extent?

Email Fraud Threats Evolve
Modern email scams are multifaceted and evolving. Attackers use layered techniques that are difficult to detect – even by seasoned professionals – and are often successful because they exploit both technological gaps and human behavior.

Common tactics include:

  • Email spoofing: Using an address that differs from a legitimate one by a character or two – an “l” replaced with the numeral 1, an “o” with a zero – to impersonate a familiar sender. These subtle changes are easily missed by busy or distracted recipients, and because the lookalike domain is one the attacker actually controls, sender-authentication checks (SPF, DKIM, DMARC) on the legitimate domain do not catch it.
  • Smart tag (display-name) spoofing: Crafting a fraudulent email so that the email client displays a familiar name as the sender. The familiar name is an illusion; the message actually originates from a completely different email address, which many mobile and web clients hide by default.
  • Phishing: Realistic-looking emails that prompt users to click malicious links or disclose private information such as credentials. Information obtained in phishing attacks is then used in other attacks.
  • Account takeovers: Often following a successful phish, the threat actor gains access to a user’s account. Depending on the account’s permissions, the threat actor can monitor internal communications, add or modify accounts, and compromise data.
  • Email forwarding exploits: After taking over a legitimate email account, the threat actor may configure inbox rules to automatically forward emails to external addresses the threat actor controls, allowing the threat actor to gather information without needing to continually log in to the compromised account. Such rules survive a password reset unless someone removes them.
  • Timing-based fraud: The threat actor monitors email communications for weeks or months, waiting patiently for a prime moment to strike, seamlessly inserting fraudulent communications into existing conversations using hijacked accounts or spoofed addresses to submit fraudulent payment instructions into a time sensitive transaction.
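The first two tactics and the “spoofed address” half of the last one leave traces in message headers that can be checked mechanically before anyone acts on a payment instruction. The following Python script is an added example, not code from the article or its authors; the trusted domains, the contact list, the confusable-character table and the four sample messages are all constructed for illustration. It parses the From and Reply-To headers, flags a known display name arriving from an unexpected domain, flags domains that only differ from a trusted one by the usual swapped characters, and (an extra heuristic beyond the text) flags a Reply-To that would steer replies to a different domain.

```python
"""Heuristic sender-impersonation checks for raw email headers (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: domains the organization trusts and the
# domain each known correspondent is expected to send from.
TRUSTED_DOMAINS = {"example-law.com", "acme-escrow.com"}
KNOWN_CONTACTS = {"jane doe": "example-law.com", "acme escrow": "acme-escrow.com"}

# Character swaps commonly used to build lookalike domains: digit 1 for l,
# digit 0 for o, "rn" for m, "vv" for w. Multi-character swaps go first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize_domain(domain: str) -> str:
    """Collapse confusable characters so a lookalike compares equal to the original."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain this domain imitates, or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize_domain(trusted):
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str):
    """Return a list of (category, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display-name spoofing: a name we know, sent from a domain we do not expect.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(("display_name_spoof",
                         f"'{name}' normally sends from {expected}, this came from {from_domain}"))

    # 2. Lookalike domain: one or two swapped characters relative to a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike_domain", f"{from_domain} imitates {imitated}"))

    # 3. Reply-To pointing elsewhere: replies (and any wire details) leave the
    #    conversation the recipient believes they are in.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr) if reply_addr else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_domain}, not {from_domain}"))
        imitated = lookalike_of(reply_domain)
        if imitated:
            findings.append(("lookalike_domain",
                             f"Reply-To domain {reply_domain} imitates {imitated}"))
    return findings


# Constructed sample messages (headers plus a one-line body).
SAMPLES = {
    "legitimate": "From: Jane Doe <jane@example-law.com>\nSubject: Closing documents\n\nSee attached.\n",
    "display_name": "From: Jane Doe <jane.doe.legal@webmail-example.net>\nSubject: Urgent\n\nCall me.\n",
    "lookalike": "From: Jane Doe <jane@examp1e-law.com>\nReply-To: jane@examp1e-law.com\n"
                 "Subject: Updated wire instructions\n\nPlease use the new account.\n",
    "reply_to": "From: Acme Escrow <closing@acme-escrow.com>\nReply-To: closing@acrne-escrow.com\n"
                "Subject: Re: Closing\n\nConfirm receipt.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze_message(raw) or "clean")
```

These checks catch only the cases where the sender’s address is wrong. A message sent from a genuinely compromised account passes all three, which is why a changed payment instruction should always be confirmed by a call to a number already on file, never to one supplied in the email.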

These schemes are designed to work, and they succeed not only because of technical sophistication but because they prey on established trust, routine, and urgency – all ordinary features of email communication. Threat actors do not need to compromise administrative accounts; they need only create a believable scenario and catch someone off guard.

In many cases, the fraud is not detected until the damage is done. A single lapse, whether clicking a link or ignoring a small red flag, can result in unrecoverable financial loss and reputational damage.

Human Error and Structural Weaknesses
While the technology used in cyber-attacks is sophisticated, the greatest vulnerability remains human behavior. No system or safeguard is completely immune to users within the organization making missteps such as:

  • Use of unsecured public networks at places like airports or coffee shops.
  • Plugging unknown USB drives into workstations or using “gifted” devices of unknown origin (that are potentially pre-loaded with malware).
  • Storing privileged, confidential files locally on workstations for convenience instead of storing files on secure, monitored networks.

Even the strongest security measures can fail due to user error. Threats from within the organization, whether a disgruntled employee, a careless contractor, or simply insufficient training, add further layers of complexity to security plans. Security measures can be ignored or applied inconsistently across a workforce, leaving a business exposed.

When the Breach Occurs
Breaches can be especially impactful to businesses, particularly those operating within the technology industry. In addition to outward-facing websites and applications, it is common for businesses to use centralized, cloud-based solutions to access and store company data. Threat actors can disable backups, corrupt or steal data, and disrupt business operations. Exposure of confidential company data, along with data loss and operational disruption, can damage a business’s reputation.

Preparedness is imperative. When a breach occurs, the clock starts ticking on strict notification requirements at the federal and state level, particularly when health or personal data is involved. Time lost trying to identify what data a company retains and where that data is located is time that cannot be spent on other aspects of the incident, potentially leading to secondary incidents, increased liability, and reputational harm.

Building a structured and tested response plan can be the difference between containment and catastrophe. Consider:

  • Access control: Who has access to what? How are access and use tracked, and how long are the related logs retained? Is penetration testing used?
  • Data and backup integrity: What data is maintained? Is data encrypted? What is the data retention policy? What data is backed up? Where are backups stored, and are they protected from deletion by a compromised account?
  • Protocol adherence: Are users educated on proper system use? Is threat testing used? Are disaster recovery plans in place? Are systems configured to detect anomalous activity or unauthorized access, and to respond quickly?
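One concrete instance of “configured to detect anomalous activity” is watching for the forwarding-rule abuse described in the tactics list earlier: an attacker who has taken over a mailbox sets a rule that copies mail to an outside address, often also deleting the originals so the owner never sees them. The following Python script is an added example, not part of this article. It scans constructed audit records whose shape is loosely modeled on Microsoft 365 unified audit log entries; the operation and parameter names, the internal domain list and the sample records are assumptions for illustration, and a real deployment would read the tenant’s actual export.

```python
"""Flag mailbox rules that forward mail outside the organization (added example)."""
import json

# Constructed: the organization's own domains. Anything else counts as external.
INTERNAL_DOMAINS = {"example-law.com"}

# Assumed operation and parameter names, modeled on Microsoft 365 unified
# audit log entries for inbox-rule and mailbox-forwarding changes.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
CONCEAL_PARAMS = {"DeleteMessage", "MarkAsRead"}


def _addresses(value: str):
    """Split a value like 'smtp:a@x.net; smtp:b@y.org' into bare lower-case addresses."""
    out = []
    for part in str(value).split(";"):
        addr = part.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" in addr:
            out.append(addr)
    return out


def external_targets(record: dict):
    """Return forwarding destinations in one record whose domain is not internal."""
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS:
            for addr in _addresses(param.get("Value", "")):
                if addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
                    targets.append(addr)
    return targets


def conceals_activity(record: dict) -> bool:
    """True when the rule also deletes or marks as read, hiding the forwarded mail from the owner."""
    return any(p.get("Name") in CONCEAL_PARAMS and str(p.get("Value")).lower() == "true"
               for p in record.get("Parameters", []))


def find_suspicious_rules(log_lines):
    """Scan newline-delimited JSON audit records; one alert per external-forwarding change."""
    alerts = []
    for line in log_lines:
        record = json.loads(line)
        targets = external_targets(record)
        if targets:
            alerts.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "operation": record.get("Operation"),
                "targets": targets,
                "conceals": conceals_activity(record),
            })
    return alerts


# Constructed sample records (one JSON object per line, as an export would provide).
AUDIT_LOG = [
    # Attacker logged in as Jane from an unfamiliar IP adds a rule named "." that
    # forwards everything out and deletes the originals.
    '{"CreationTime": "2024-03-04T02:13:55", "UserId": "jane@example-law.com", "ClientIP": "203.0.113.7", '
    '"Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, '
    '{"Name": "ForwardTo", "Value": "smtp:collector@mail-example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}',
    # Ordinary housekeeping rule: moves newsletters to a folder, no forwarding.
    '{"CreationTime": "2024-03-04T09:02:10", "UserId": "bob@example-law.com", "ClientIP": "198.51.100.4", '
    '"Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, '
    '{"Name": "MoveToFolder", "Value": "Reading"}]}',
    # Internal delegation: mailbox forwards to a colleague at the same domain.
    '{"CreationTime": "2024-03-04T10:30:00", "UserId": "bob@example-law.com", "ClientIP": "198.51.100.4", '
    '"Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:assistant@example-law.com"}]}',
    # Mailbox-level forwarding to an external address set on Jane's account.
    '{"CreationTime": "2024-03-05T01:47:19", "UserId": "jane@example-law.com", "ClientIP": "203.0.113.7", '
    '"Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:jane.d.legal@webmail-example.net"}]}',
    # Unrelated read event, ignored.
    '{"CreationTime": "2024-03-05T08:00:00", "UserId": "jane@example-law.com", "ClientIP": "198.51.100.9", '
    '"Operation": "MailItemsAccessed", "Parameters": []}',
]

if __name__ == "__main__":
    for alert in find_suspicious_rules(AUDIT_LOG):
        print(alert)
```

Run against the sample, the script raises two alerts, both on Jane’s mailbox from the same unfamiliar address, and the first is marked as concealing its activity. The useful response is the same whether or not the detection is automated: remove the rule, reset the credential, revoke active sessions, and review what was forwarded during the window, since the rule tells you how long the attacker has been reading.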

Determining Liability and Managing Risk for Wire Transfer Fraud
When funds are transferred to a threat actor, determining who is liable is rarely straightforward. Legal frameworks vary by jurisdiction, and depending on the state, one of three primary legal theories may apply:

  • Breach of Contract (Minority Rule): Unless the operative contract says otherwise, the payor remains liable for payment, because the funds were not received by the payee as agreed. These jurisdictions apply strict contractual obligations with little flexibility, and the payor is liable even if the fraud was not the payor’s fault.
  • Agency Rule: If the payor can prove that it “reasonably believed” the threat actor was an agent of the other party to the transaction, liability may shift away from the payor. However, the bar for “reasonable belief” is high and often fact-specific.
  • Imposter Rule (Majority Rule): Courts evaluate whether the payor exercised “ordinary care.” This is a fact-specific inquiry and can include an analysis of the parties’ internal controls and protocols, the prior course of dealing between the parties, and the specifics of the incident (e.g. communications involving the transaction, deviations from prior established protocols, warnings or suspicious activity, etc.). Liability may be split among parties or fall fully on the party that was in the best position to prevent the loss.

For in-house counsel, this requires proactive implementation and enforcement of verification processes, not merely a passive post-incident investigation. In cyber and technology law cases, courts frequently ask: Did you have policies in place? Did you follow them? Did employees receive training to spot suspicious requests? Were prior warnings or breaches ignored?

Cyber & Technology Insurance, its Role, and its Limits
Cyber insurance is becoming a standard component of risk management. Coverage varies widely, with policies containing strict conditions and exclusions that should be examined carefully.

Risk management and legal departments should ask these key questions:

  • Do we understand the limits and sub-limits of our cyber policy?
  • What exclusions apply, and are we in compliance with policy conditions?
  • What are the notification requirements for coverage?

In some cases, coverage can be denied if required security controls, such as encryption, testing, or training, were not in place. Carriers may also impose restrictions on how and when a claim must be made, particularly where litigation could follow an incident.

Cyber policies can pay for investigations, breach notification, legal defense, and indemnity, but only if coverage is not undermined by internal failures. The cyber policy should be regularly reviewed in conjunction with industry requirements, business operations, and internal risk management plans so that the cyber policy acts as intended if an incident occurs.

Vigilance is a Business Imperative
Email fraud and other cyber risks are not a niche issue belonging solely to the IT department. They are growing threats to financial integrity, compliance, and client trust, and they require company-wide involvement. Courts evaluate whether an organization acted reasonably, was adequately prepared, and responded effectively.

In-house legal teams can engage with operational protocols, employee training, industry specific regulations and requirements, and cyber insurance strategies. Determining what safeguards are in place and whether those safeguards are adequate and being followed are the first steps in proactively preparing for an incident and any litigation that may follow.

Companies that approach cybersecurity as a legal risk with operational consequences, and not just a technical issue, and that carry that insight and strategy into every level of cyber readiness will be the most successful in preparation and response.

Disclaimer: This material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client-lawyer relationship between Galloway and any recipient. Recipients should consult with counsel before taking any action based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions.
