Business Email Compromise – Hacking, Spoofing and the Law

The main areas include fraud, identity theft, theft and negligence.  There are 3 parties involved.  A client (Seller) that has invoiced another client (Payer) for goods or services.  A 3rd party, a hacker, get access to the Seller’s email.  They reissue an invoice for $10,000 with amended bank details.  The payer then pays the latest issued invoice to the Hacker’s account. 

The Seller has not received any money, however the Payer has paid money. 

There is no question that the Hacker has committed crimes including fraud, identity theft and theft.  The question is?  Is the Payer at fault for paying to the wrong account, or is the Seller at fault for Negligence in having their systems hacked?

There is a current case: In June 2020, the Australian law firm Mills Oakley was the victim of a BEC scam. The attacker sent emails to the firm’s accounts department pretending to be the firm’s principal and requesting the transfer of a large sum of money to an overseas account. The attackers were able to bypass the firm’s security measures and the money was transferred. The firm estimates the total loss to be around AU$1.8 million.

https://www.smh.com.au/national/law-firm-accused-of-losing-1-million-of-client-s-money-in-email-scam-20200506-p54qcu.html

Some Terminology : Actors, Acts, Actions & Phishing, Vishing and Smishing

Actors are individuals or groups who are involved in a cybercrime incident. These actors can be criminals, such as hackers or fraudsters, or victims, such as businesses or individuals.

Acts are the actions taken by actors in a cybercrime incident. Criminals may attempt to gain access to a system or network, steal data, or extort money from victims. Victims may fail to properly secure their systems and networks, or fail to take steps to protect their data.

Actions are the steps taken by actors in response to a cybercrime incident.  Victims may take steps to protect their systems and networks, such as implementing two-factor authentication, using strong passwords, and having the awareness to identify (and ignore or block) suspicious emails\ calls\ SMS. It takes both criminals and victims to result in an actual incident. Criminals must take steps to gain access to a system or network, while victims must fail to take steps to protect their systems and networks. If either party fails to take the necessary steps, the incident will not occur.

Phishing is a type of social engineering attack that involves criminals sending emails that appear to be from a legitimate source, such as a bank or company, in order to obtain sensitive information from victims. The emails may contain malicious links or attachments, or the criminals may request payment or personal information. Phishing emails are often hard to detect, as they may appear to come from a legitimate source.

Vishing is a type of social engineering attack that involves criminals using voice-based messages, such as phone calls and voicemails, to obtain sensitive information from a victim. Vishing attacks are often used to steal financial information, such as credit card numbers or bank account details. Criminals may also use vishing to obtain login credentials or passwords. Vishing attacks are often carried out using automated voice messages, making them hard to detect.

SMS phishing, or smishing is a type of phishing attack that involves criminals sending text messages to victims in order to obtain sensitive information. The messages may appear to be from a legitimate source, such as a bank or company, and may contain malicious links or attachments, or request payment or personal information. SMS phishing is often hard to detect, as the messages may appear to come from a legitimate source.