It seems that most of our clients are aware that they need to keep security in mind when they are thinking about IT and email, but It can be challenging to fully understand why security should be a top priority. This case study explores a real-world example illustrating how a few small mistakes can have big consequences.
It Started With an Innocent Looking Email
Mr. Bain was working on a real estate transaction with a realtor at Platinum Realty, LLC. An unknown hacker preformed a “man in the middle” attack, sending Mr. Bain an email that looked like it was coming from his agent. The email directed Mr. Bain to send a wire transfer to a bank account controlled by the hacker so that his deal could close. The customer had no reason to be suspicious, so he complied with the email and transferred the money. When he realized what had happened, he notified Platinum Realty but they refused to accept responsibility. At that point, Mr. Bain filed suit in the case known as Bain V. Platinum Realty, LLC.
Platinum Realty argued that no sensible person would have believed that the emails came from the realtor, but the court didn’t agree. The realtor was found guilty of negligent misrepresentation, and ordered to pay the defendant $165,000, which was 85% of the total amount that had been transferred. Why 85%? The court decided that the agent bore 85% of the responsibility for what happened, and that the remaining 15% represented Mr. Bain’s responsibility for failing to adequately verify the request before transferring funds.
The public information about the “man in the middle” attack at the center of this case doesn’t fill in all of the details, but there is some information about why Platinum Realty bore such a high percentage of the blame. It seems that the hacker was able to gain access to the realtors email account. They then reviewed all of her emails and selected a client that was most vulnerable to an attack based on their communication with the realtor They spoofed the realtors email signature and began impersonating the realtor in communications with Mr. Bain.
The attackers still haven’t been found. If you want to read the full court case, you can do that here.
What is the IT security risk to my business?
So what does this mean for your business? Imagine what a hacker might do if they had access to your business or personal email. What opportunities would they identify? What would they learn from invoices that you send and receive and from your communications with your clients? How would your clients know if someone impersonated you in an email. What would happen if they were defrauded based on your failure to put security measures in place?
Your email has a lot of valuable information, and that information holds even more value to an attacker. How confident are you in ensuring that you have it properly protected?
5 Steps to Preventing a “Man in the Middle” Email Hack
Fortunately, there are a few simple actions that you can take that will make you a much more difficult target for any attacker. Here are 5 steps that you can take immediately.
- Using a professional email – Use a professional email address that is tied to your business domain.
- a complex password – Do not use the same password on more than one site, and always use a secure password. You can use a tool like LastPass to help remember all of your complex passwords.
- Two-Factor Authentication- Always use two-factor authentication that requires you to enter a verification code to log in.
- Before transferring funds or critical information, always verify over the phone through a known phone number. Don’t use a phone number provided in the transfer request in case this is part of a hacker’s strategy. This applies to any information including wire transfers, bank account info, and other critical information.
- If you are sending the wiring instructions to a client, be sure the client knows a way to verify that information with you before the money is sent.
Conclusion
If you take those 5 steps, it is unlikely that you will be a victim of this kind of attack, and it’s even more unlikely that you would bear 85% of the blame something did happen. And we would be happy to meet if you want to find out more about all of the different kinds of attacks that businesses are facing and how you can keep your business safe.
Call us today at (844) 448-7767 to schedule a free security assessment.