The cannabis industry is still young and growing fast, which means new teams, new vendor relationships, and new procedures. That novelty and rapid growth create an ideal opportunity for threat actors to carry out business email compromise (BEC) attacks.
Threat actors exploit that unfamiliarity with new policies, using phishing emails to deceive employees in the cannabis industry into taking an action and/or disclosing confidential information, including usernames and passwords.
In 2019, the FBI reported more than $1.7 billion in losses due to BEC campaigns, and that figure only represents the incidents that companies reported.
A BEC is a specific type of phishing designed to impersonate a genuine employee, often an executive, in order to trick other employees or vendors into making payments to unknown bank accounts that are quickly drained, so that the funds are difficult to recover.
It is part phishing, part intra-corporate social engineering, using situational awareness of business relationships to manipulate the movement of money.
What makes BEC uniquely difficult to identify and report is that the threat actor often operates from within the email account of a genuine employee of the cannabis business.
Almost all successful BECs start with a phishing campaign in which an employee is tricked into believing they should provide their username or email address and password in response to a seemingly genuine email.
Phishing schemes are so sophisticated that some of the most effective phishing tests trick almost 100% of recipients into clicking a malicious link.
Constant use of and trust in email have caused many employees to lose sight of how quickly they can be fooled. For example, a phishing test that offered employees a free Netflix subscription as a perk fooled almost 100% of its recipients.
Beyond the catchy phishing emails, there are the mundane and very effective lures that claim an employee's Microsoft Outlook account requires an update, or that alert them to a large number of files deleted from a shared drive.
Once an employee has fallen for the initial phishing email and provided their credentials, the threat actor can log in to that employee's email account and begin impersonating them.
It is much easier to spot fraud when it comes from an unknown person associated with an unrecognized business, but it is much harder for accounts payable to discern that a colleague or familiar vendor is not who they claim to be when the message arrives from their genuine email address.
Once the phishing attempt succeeds and the threat actor is logged in to an authentic email account, the actor begins exploring. This often includes collecting old invoices and researching which employees, vendors, or customers are the best targets for a BEC scheme.
One preferred tactic is to identify a new CFO or vendor, any party who is unfamiliar with routine practices or is not sophisticated enough to have the proper controls in place to prevent payment being redirected to the threat actor's account.
The threat actor then sets up rules within the email account that make emails sent and received virtually invisible to the real cannabis employee, who continues to use the account. These rules can forward emails to a third-party email address or quietly move them to standard folders that exist in every Outlook account but are rarely used, such as RSS Feeds or Conversation History.
These steps can allow a threat actor to reside within an account for weeks or months, redirecting payments undetected. Often, because of the delay between invoice and payment, several months and missed payment dates may pass before the redirection of funds is identified.
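As an added illustration, not code from the original article, the following Python audits a constructed set of Outlook-style inbox rules for the hiding patterns described above: forwarding to an address outside the company's own domains, moving mail into rarely opened folders such as RSS Feeds or Conversation History, or deleting it, and it notes when such a rule is also keyed to invoice or payment subjects. The rule fields, folder list, sample rules and the domain `greenleaf.example` are assumptions for the example, not anything from the page.

```python
"""Audit mailbox rules for the mail-hiding patterns used in BEC (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Folders present in every Outlook mailbox but rarely opened by users,
# which is why a hidden rule that files mail there goes unnoticed.
RARELY_USED_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                       "junk email", "deleted items", "archive"}
# Subject words that suggest a rule is aimed at invoice / payment traffic.
FINANCIAL_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "ach"}

@dataclass
class InboxRule:                      # simplified shape of an exported inbox rule (assumed)
    name: str
    owner: str                        # mailbox the rule lives in
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete_message: bool = False
    subject_contains: list[str] = field(default_factory=list)

def audit_rule(rule: InboxRule, internal_domains: set[str]) -> list[str]:
    """Return human-readable findings for one rule; empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.enabled:              # disabled rules cannot hide anything today
        return findings
    for addr in rule.forward_to:      # forwarding outside the company is the classic BEC tell
        if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
            findings.append(f"forwards to external address {addr}")
    if rule.move_to_folder and rule.move_to_folder.lower() in RARELY_USED_FOLDERS:
        findings.append(f"moves mail to rarely used folder '{rule.move_to_folder}'")
    if rule.delete_message:
        findings.append("deletes messages")
    hits = sorted(w for w in rule.subject_contains if w.lower() in FINANCIAL_KEYWORDS)
    if hits and findings:             # financial targeting only matters combined with hiding
        findings.append(f"targets financial subjects {hits}")
    return findings

def audit_rules(rules: list[InboxRule], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that raised at least one finding."""
    return {r.name: f for r in rules if (f := audit_rule(r, internal_domains))}

# Constructed sample: one legitimate filing rule, one disabled rule, two hiding rules.
SAMPLE_RULES = [
    InboxRule("Invoices to folder", "ap@greenleaf.example", move_to_folder="Invoices", subject_contains=["invoice"]),
    InboxRule("Backup", "ap@greenleaf.example", forward_to=["ap.backup@mail-relay.example"], subject_contains=["payment", "wire"]),
    InboxRule("Old newsletter", "ap@greenleaf.example", move_to_folder="RSS Feeds", enabled=False),
    InboxRule("Vendor thread", "ap@greenleaf.example", move_to_folder="Conversation History", subject_contains=["invoice"]),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES, {"greenleaf.example"}).items():
        print(name, "->", "; ".join(findings))
```

Run against a real export, the same checks apply to every mailbox, and any rule flagged on an accounts-payable mailbox deserves a look at the account's sign-in history as well.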
The fallout is often a matter of finger-pointing to determine which side of a redirected payment is to blame. A cannabis industry vendor demands payment for services rendered, while the dispensary argues that it simply followed the updated payment instructions it received in an email from the vendor. The vendor replies that those emails do not exist, since the threat actor suppressed them, and that it is still awaiting payment for its service.
The dispensary initiates a forensic investigation and retains a compliance lawyer to determine with certainty that its own email account was not subject to unauthorized access by a threat actor. And the situation keeps growing: in costs, in business disruption, in reputational damage, and in resources.
State compliance requirements triggered by a BEC
In addition to the all-too-common battle between two victims of a BEC described above, there are data breach compliance laws to be addressed after a BEC is discovered.
As if the cannabis industry did not have enough laws to track, it is important to note that when an unauthorized actor is inside a cannabis employee's email account, the law may deem them to have accessed or downloaded information that qualifies as personal information under the applicable data breach notification laws.
Every state has a data breach notification law that requires specific responses from an affected cannabis company, including potential notification to affected individuals, notification to attorneys general, and the offer of credit monitoring services to those affected.
These laws, as well as many contracts, require a vendor to notify its business customers of such an incident. The result is a double-edged sword: there is a cost to investigating and responding to a BEC, and an even higher cost to ignoring this legal obligation only to have that decision result in litigation or a regulatory investigation.
Every day brings new and widely reported cannabis news: new contracts signed, new mergers completed, new relationships established, and new markets opened. As a result, the industry is increasingly fertile ground for BEC attacks.
There are many important steps that sophisticated industry members can take, from prevention, such as multifactor authentication, to mitigation, such as implementing a sound record-keeping policy and a secure protocol for changes to payment instructions.
Experienced technical and legal advisors should be engaged to help navigate the laws and security enhancements applicable to companies when assessing regulatory requirements and technical safeguards, especially after a business email compromise is detected.