Contractors: Beware of E-mail Hackers Seeking to Snag Payments

For a business of any size, a single hack could threaten the entire company. Precautionary measures can help protect you from financial calamity.

By Zachary Rosenberg, Lang & Klain, P.C.

Would you leave your office unlocked at night? Would you leave the key to your cash drawer in the drawer’s lock? Of course not. We know to keep our brick-and-mortar offices secure from would-be thieves. But what about the cyber door – the door that opens to all of your e-mails, bank and routing numbers? How confident are you that you locked that door?

Hacking is a growing problem across all industries, but contractors in particular are prime targets for computer hackers looking to make a quick buck, and even a momentary lapse can have devastating consequences.

For many hackers, it is a low-risk, high-reward situation. One successful hack could yield a tax-free payment of tens of thousands of dollars or more, leaving the victims to foot the bill.

One common scheme works like this:

  1. The hacker gains control of an e-mail account for the target company (the “hacked contractor”). This can be as simple as searching the dark web for leaked passwords, using “brute force” to guess the password, using a virus to infiltrate a computer, or sending a phishing e-mail.
  2. The hacker looks through the hacked e-mail account to determine when the hacked contractor is going to receive payment from, for example, the project owner. The hacker also determines which employees at the hacked contractor are normally cc’d on e-mails regarding payment or the project in general.
  3. The hacker creates a fake domain that, at a glance, looks just like the domain name for the hacked contractor. For example, if the website for the hacked contractor was hackedcontracting.com, the hacker might register the domain name “hackedcontrcating.com.” At a glance, a reader might not notice that, in the phony domain name, the “a” and “c” were transposed.
  4. The hacker then sets up fake e-mail accounts with the misspelled domain. If, for example, mike@hackedcontractors.com, juan@hackedcontractors.com, and sophie@hackedcontractors.com are always cc’d on e-mails regarding the project, but the hacker has hacked only into Mike’s e-mail account, the hacker would set up e-mail accounts with the fake domain for Juan and Sophie (i.e., juan@hackedcontrcators.com, and sophie@hackedcontrcators.com).
  5. Upon identifying a potential payment, the hacker sets up a series of rules in Mike’s account, just like the ones that filter out spam or send messages from certain people to specific folders in an inbox. But these rules divert messages to and from the project owner into a hidden folder that may be stored in the cloud or on an e-mail server that never syncs to Mike’s phone or computer. If he doesn’t know what to look for and doesn’t go looking for it, Mike will not know this has happened, at least not for a while.
  6. The hacker then sends to the project owner an e-mail from Mike’s e-mail account stating that, perhaps for tax reasons or because the company changed banks, the hacked contractor’s payment information changed, and the payment should be made via wire transfer to a new account. The hacker will cc the fake e-mail accounts for Juan and Sophie. Glancing at the e-mail, the owner thinks everything is fine, because it seems to include all the right people (although, in reality, Juan and Sophie were not cc’d).
  7. If the owner is suspicious but tries to verify the content of the e-mail by replying to it, or even sending a separate e-mail to Mike asking if he was hacked, the hacker, using the rules he set up, will intercept that message and respond that the message is legitimate. Mike has no idea that these e-mails have been exchanged. In many cases, the hacker will also change Mike’s e-mail signature block so that the phone numbers listed are redirected to the hacker. Thus, even if the owner calls Mike to verify the wire instructions, they may call the hacker, who in turn will verify the e-mail.
  8. The owner will then send the payment based on the hacker’s wire instructions, and the hacker will have the money. It is extremely difficult, if not impossible, to undo the completed transfer.

A clever hacker may not even need to hack into an e-mail account. It may be enough to simply create an e-mail account like mike@hackedcontrcators.com and, without ever gaining access to an e-mail system, trick someone into responding.
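The lookalike-domain trick in steps 3 and 4, and in the no-hack variant just described, can be caught by software before anyone relies on a glance. The following is an added example, not part of the original article: it compares the domain of every address on a message against a list of domains you actually do business with and flags near misses. The function names, the trusted list, the distance threshold, and the sample addresses are all assumptions made for illustration.

```python
# Added example: flag lookalike domains among the addresses on an e-mail.
# TRUSTED_DOMAINS, the threshold and SAMPLE are constructed for illustration.
TRUSTED_DOMAINS = {"hackedcontracting.com"}  # domains you really work with

def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent characters is one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def find_lookalikes(addresses, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (address, trusted_domain, distance) for near-miss domains."""
    hits = []
    for addr in addresses:
        dom = domain_of(addr)
        if dom in trusted:
            continue  # exact match: the genuine domain
        for good in sorted(trusted):
            dist = osa_distance(dom, good)
            if dist <= max_distance:
                hits.append((addr, good, dist))
    return hits

# Constructed sample: From and Cc addresses on a "new wire instructions" e-mail.
SAMPLE = ["mike@hackedcontracting.com", "juan@hackedcontrcating.com",
          "Sophie@HackedContrcating.com", "owner@projectowner.example"]

if __name__ == "__main__":
    for addr, good, dist in find_lookalikes(SAMPLE):
        print(f"SUSPICIOUS: {addr} resembles {good} (distance {dist})")
```

A check like this belongs in the mail gateway or in a review step for any message that mentions payment changes; it does not replace the phone verification described under Precautions, because a message sent from the genuinely hacked account carries the correct domain.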

The entire transaction could happen in a matter of minutes, depending on how quickly the owner sends payment. However, it could take days for the victims to realize anything is wrong. Fraudsters know that banks and companies are aware of these schemes, and they need time for funds to clear and be moved somewhere else before the scheme is detected. In the example above, the hacker can create a fake e-mail account that looks like the owner’s e-mail address and notify the contractor that payment is coming in a week. Not suspecting anything is wrong, the contractor does not ask, “Where is the money?” until a week or more later, and only then does the scheme come unraveled. By then, it’s too late for the bank to do anything.

Who is to blame in this situation? The hacked contractor, for not taking proper precautions with its e-mail system? The owner, who fell for an e-mail directing payment to a bank account? Everyone, for not checking the spelling of e-mail addresses?

The law is unsettled, but federal courts that have looked at this issue generally undertake a lengthy and detailed analysis of who was in the best position to identify the fraud and prevent it. Depending on the circumstances, it could go either way. 

With no good answers, and time-consuming and expensive lawsuits sorting out who should have known what and when, a dispute is, at best, going to end in a settlement for pennies on the dollar, a lot of hurt feelings, and even burned bridges or devastated businesses.

Don’t be the next victim. 

Precautions

There are a number of things you can do to minimize the risks from this type of hack:

  • Always use strong passwords.
  • Never use the same password for more than one website or e-mail account. Some web browsers, computers, and cell phones can create and save strong passwords for you, so you do not have to remember them.
  • Change your password regularly.
  • Use, and require your employees to use, two-factor authentication for their e-mails.
  • Be on the lookout for suspicious e-mails, and always call to verify changed payment instructions. But remember to call a phone number saved to your phone or from the signature block of an old e-mail that you know is legitimate.
  • Always call to verify wire instructions that ask you to send money to a bank in a state or country other than where the project is located.
  • Protect yourself with carefully drafted contracts and subcontracts to minimize your risks from these kinds of hacks.
  • Draft contracts that make clear who is responsible for verifying payment instructions.
  • If all else fails, require wiring instructions to be sent via certified, overnight mail. A short delay in payment is better than no payment at all.

Some of these precautions may take time and effort – but that is the point. The more work a would-be fraudster has to do, the more likely they may be to give up on you and move on to their next target. 

These good cyber habits are the 21st-century equivalent of a good deadbolt, alarm system, and lock on the cash drawer. Extra steps to verify payment instructions and log into your computer are inconvenient, but they are far preferable to losing a payment that cannot be recovered.

With a little time and practice, following these precautions can become as routine as locking the office door and setting the alarm. 

About the Author

Zach Rosenberg is a litigation attorney at Lang & Klain, P.C., a Phoenix construction law and commercial litigation firm. He is a former judicial clerk at the Arizona Court of Appeals and practices commercial litigation and construction law.
