July 9, 2019

How should a company respond to a “business email compromise” attack?

Hypothetical:  

Your company receives an email from one of your vendors with an invoice and payment instructions.  Shortly thereafter, another email arrives modifying the payment instructions.  Your company processes the payment using the new instructions.  A few days later, your company receives a call from the vendor inquiring as to the status of payment and confirming that it did not receive the payment.  A short investigation determines that your CFO’s email account was compromised via a phishing attack, which gave the attackers sufficient access to read the vendor’s correspondence, send realistic-looking emails from the account, and redirect company payments.  You have fallen victim to a “business email compromise,” an increasingly common form of cyberattack.  What are your next steps?

Key Considerations:

  • What should the initial response be?  As soon as you suspect a business email compromise, you should enlist the resources of the IT department so they may begin taking immediate technical precautions to ensure the attackers cannot further disrupt your operations.  Initial steps likely will include changing the compromised account’s password (and terminating any sessions that would otherwise remain valid after the change), pausing external payments, and spot-checking other emails to and from the compromised account that may indicate further fraud.
  • What type of investigation should we conduct?  The immediate follow-on investigation will seek to determine the scope, cause, and impact of the compromise, including when the hackers gained access to your systems, which email was the phishing attempt, whether other email accounts were similarly affected, whether additional fraudulent payments were solicited or made, and the types of other information that may have been accessed or acquired by the hackers.
  • Whom should we involve in the investigation?  If your company has an incident plan, you should review and follow that plan as appropriate.  Generally, a business email compromise investigation should leverage all relevant organizational resources.  Certain functions are more likely to be involved.  For example, your IT or security departments may review the system logs to get a sense of the scale of the compromise.  Your accounting department may seek to verify other payments made or Accounts Payable queued for payment during the period of compromise.  Company counsel can provide advice and guidance on the scope of the investigation, begin drafting potential responses or disclosures, and ensure privilege is preserved.  Company counsel can also provide guidance as to whether and how to retain digital forensic investigators or other external experts to assist with the investigation.
  • Do we need to notify third parties?  Whether individuals or entities outside your organization need to be notified of the business email compromise depends on many factors, including the type of data exposed, whether protected data was actually acquired through the attack, whether the data was encrypted, applicable regulatory or industry requirements, and contractual obligations.  At the very least, you may need to reach out to vendors, suppliers, or customers to ensure they are on the lookout for suspicious emails.  If personal information was compromised, state or sector-specific data breach notification laws may be implicated which could require notifying individuals or regulators.  Counsel can assist with evaluating and effectively handling your breach notification obligations.
  • How can we prevent a similar phishing attack in the future?  Phishing attempts, especially those targeted at company executives and IT and accounting personnel, are pervasive.  To mitigate the risk that your organization will succumb to such an attack, ensure that your employees, including senior management, receive appropriate training on cybersecurity risks, particularly in identifying and responding to phishing attacks.  Additionally, your IT and security teams should review the technical measures they have in place and consider whether additional safeguards should be implemented; at a minimum, any change to a vendor’s payment instructions received by email should be verified with the vendor through a separately established channel (such as a telephone number already on file) before a payment is released.
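The scoping and verification steps above (establishing when the attackers had access, and checking payments queued during that period against the bank details on file) can be reduced to a small triage script.  The following is an added example, not code from the original post: the sign-in log format, the field names, the vendor master and the payment records are all constructed for illustration, and real mail platforms and accounting systems export richer records than this.

```python
"""Triage helpers for a suspected business email compromise (BEC).

Added example, not from the original post.  All log lines, vendor records
and payment records below are constructed; the log format and field names
are assumptions for the sake of the example.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed sign-in log for the compromised mailbox:
# timestamp, account, source IP, result (one record per line).
SIGNIN_LOG = """\
2019-06-20T08:02:11Z cfo@example.com 203.0.113.10 success
2019-06-21T07:55:40Z cfo@example.com 203.0.113.10 success
2019-06-22T02:14:03Z cfo@example.com 198.51.100.77 success
2019-06-22T02:15:30Z cfo@example.com 198.51.100.77 success
2019-06-24T09:01:12Z cfo@example.com 203.0.113.10 success
2019-06-25T03:40:55Z cfo@example.com 198.51.100.77 success
"""

# Address space the company knows to be its own (office egress, VPN) - assumed.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Vendor master: bank details on file before the incident (constructed).
VENDOR_MASTER = {
    "V100": {"name": "Acme Supplies", "iban": "GB29NWBK60161331926819"},
    "V200": {"name": "Beta Logistics", "iban": "DE89370400440532013000"},
}

# Payments queued or made around the incident (constructed).
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "iban": "GB29NWBK60161331926819", "queued": "2019-06-21T10:00:00Z"},
    {"id": "P2", "vendor": "V100", "iban": "GB94BARC10201530093459", "queued": "2019-06-23T11:30:00Z"},
    {"id": "P3", "vendor": "V200", "iban": "DE89370400440532013000", "queued": "2019-06-24T15:00:00Z"},
    {"id": "P4", "vendor": "V200", "iban": "FR1420041010050500013M02606", "queued": "2019-06-26T09:45:00Z"},
]

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def suspicious_signins(log_text, account):
    """Successful sign-ins to `account` from outside the known networks, as (timestamp, ip)."""
    hits = []
    for line in log_text.splitlines():
        ts, acct, ip, result = line.split()
        if acct == account and result == "success" and not is_known_ip(ip):
            hits.append((parse_ts(ts), ip))
    return hits

def compromise_window(log_text, account, contained_at):
    """Window of suspected attacker access: first suspicious sign-in until the
    time the account was contained (password changed, sessions revoked).
    Returns None if no suspicious sign-in was found."""
    hits = suspicious_signins(log_text, account)
    if not hits:
        return None
    return min(t for t, _ in hits), parse_ts(contained_at)

def flag_payments(payments, master, window):
    """Payments whose bank details differ from the vendor master.
    Mismatches queued inside the compromise window are marked 'hold' (verify
    out of band before release); mismatches outside it are marked 'review',
    since a legitimate change and a lingering attacker look alike here."""
    start, end = window
    flagged = []
    for p in payments:
        if p["iban"] != master[p["vendor"]]["iban"]:
            queued = parse_ts(p["queued"])
            status = "hold" if start <= queued <= end else "review"
            flagged.append((p["id"], status))
    return flagged

if __name__ == "__main__":
    window = compromise_window(SIGNIN_LOG, "cfo@example.com", "2019-06-26T08:00:00Z")
    print("compromise window:", window)
    for pid, status in flag_payments(PAYMENTS, VENDOR_MASTER, window):
        print(f"payment {pid}: {status}")
```

The script treats the containment time as the end of the window rather than the last suspicious sign-in seen, because absence of a logged sign-in is not evidence that access had ended; anything released between first suspicious access and containment goes on hold until the vendor confirms the details through a channel the attacker could not have influenced.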