Hacked Off: Contractors Are Common Targets of E-Mail Hackers Seeking to Snag Payments

For a business of any size, a single hack could threaten the entire company. Precautionary measures can help protect you from financial calamity.
By Zach Rosenberg

Hacking is a growing problem across all industries, but contractors in particular are prime targets for computer hackers looking to make a quick buck.
For many hackers it is a low-risk, high-reward situation, as one successful hack could yield a tax-free payment of tens of thousands of dollars, leaving the victims to foot the bill.
One common scheme works like this:

  1. The hacker gains control of an e-mail account for the target company (the “hacked contractor”). This can be as simple as searching the dark web for leaked passwords, using “brute force” to guess the password, using a virus to infiltrate a computer, or sending a phishing e-mail.
  2. The hacker looks through the hacked e-mail account to determine when the hacked contractor is going to receive payment from, for example, the project owner. The hacker also determines which employees at the hacked contractor are normally cc’d on e-mails regarding payment or the project in general.
  3. The hacker creates a fake domain that, at a glance, looks just like the domain name for the hacked contractor. For example, if the website for the hacked contractor was hackedcontracting.com, the hacker might register the domain name “hackedcontrcating.com.” At a glance, a reader might not notice that, in the phony domain name, the “a” and “c” were transposed.
  4. The hacker then sets up fake e-mail accounts with the misspelled domain. If, for example, mike@hackedcontractors.com, juan@hackedcontractors.com, and sophie@hackedcontractors.com are always cc’d on e-mails regarding the project, but the hacker has hacked only into Mike’s e-mail account, the hacker would set up e-mail accounts with the fake domain for Juan and Sophie (i.e., juan@hackedcontrcators.com, and sophie@hackedcontrcators.com).
  5. Upon identifying a potential payment, the hacker sets up a series of rules in Mike’s account, just like the ones that filter out spam or send messages from certain people to specific folders in an inbox. But these rules divert messages to and from the project owner into a hidden folder that may be stored in the cloud or on an e-mail server that never syncs to Mike’s phone or computer. If he doesn’t know what to look for and doesn’t go looking for it, Mike will not know this has happened, at least not for a while.
  6. The hacker then sends to the project owner an e-mail from Mike’s e-mail account stating that, perhaps for tax reasons or because the company changed banks, the hacked contractor’s payment information changed, and the payment should be made via wire transfer to a new account. The hacker will cc the fake e-mail accounts for Juan and Sophie. Glancing at the e-mail, the owner thinks everything is fine, because it seems to include all the right people (although, in reality, Juan and Sophie were not cc’d).
  7. If the owner is suspicious but tries to verify the content of the e-mail by replying to it, or even sending a separate e-mail to Mike asking if he was hacked, the hacker, using the rules he set up, will intercept that message and respond that the message is legitimate. Mike has no idea that these e-mails have been exchanged. In many cases, the hacker will also change Mike’s e-mail signature block so that the phone numbers listed are redirected to the hacker. Thus, even if the owner calls Mike to verify the wire instructions, they may call the hacker, who in turn will verify the e-mail.
  8. The owner will then send the payment based on the hacker’s wire instructions, and the hacker will have the money. It is extremely difficult, if not impossible, to undo the completed transfer.

The entire transaction could happen in a matter of minutes, depending on how quickly the owner sends payment. However, it could take days for the victims to realize anything is wrong. The scheme may not be discovered until Mike realizes that he has not received any e-mails about the project for several days (because the hacker’s rules are intercepting them all) or payment is late, and he tries to find out why.
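One defender-side check the scheme above suggests, added here as an example and not part of the article: compare the domain of every From/cc address on an incoming e-mail against the domains your company actually trusts, and flag any domain that is only a letter or two away (such as the transposed “a” and “c” in step 3). The trusted domain and the sample recipient list are constructed from the article’s scenario.

```python
# Added example (not from the article): flag From/cc addresses whose domain is a
# near-miss of a domain the company trusts, e.g. one transposed letter pair.
# The trusted domain and sample addresses below are constructed for illustration.

from email.utils import parseaddr

TRUSTED_DOMAINS = {"hackedcontracting.com"}  # constructed: the contractor's real domain

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def domain_of(address: str) -> str:
    """Lowercased domain of an address like 'Juan <juan@x.com>', or '' if none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()

def lookalike_domains(addresses, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return [(address, domain, closest_trusted, distance)] for addresses whose
    domain is not trusted but sits within max_distance edits of a trusted one."""
    hits = []
    for address in addresses:
        dom = domain_of(address)
        if not dom or dom in trusted:
            continue
        closest = min(trusted, key=lambda t: osa_distance(dom, t))
        dist = osa_distance(dom, closest)
        if dist <= max_distance:
            hits.append((address, dom, closest, dist))
    return hits

# Constructed recipients from the article's scenario: Mike's real account plus
# cc entries on a lookalike domain with "a" and "c" transposed.
SAMPLE_RECIPIENTS = [
    "Mike <mike@hackedcontracting.com>",
    "Juan <juan@hackedcontrcating.com>",
    "Sophie <sophie@hackedcontrcating.com>",
    "owner@projectowner.example",
]

if __name__ == "__main__":
    for address, dom, closest, dist in lookalike_domains(SAMPLE_RECIPIENTS):
        print(f"WARNING: {address} uses {dom}, {dist} edit(s) from trusted {closest}")
```

Run against a real mailbox, the same check belongs in a mail-gateway rule or a transport filter so the warning reaches the person approving payment, not only the person reading the e-mail.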
Who is to blame in this situation? The hacked contractor for not taking proper precautions with its e-mail system? The owner who fell for an e-mail directing payment to a bank account? The law is unsettled, but federal courts that have looked at this issue generally undertake a lengthy and detailed analysis of who was in the best position to identify the fraud and prevent it. Depending on the circumstances, it could go either way.

There are a number of things you can do to minimize the risks from this type of hack:
• Always use strong passwords.
• Never use the same password for more than one website or e-mail account. Some web browsers, computers, and cell phones can create and save strong passwords for you, so you do not have to remember them.
• Change your password regularly.
• Require your employees to use two-factor authentication for their e-mails.
• Be on the lookout for suspicious e-mails, and always call to verify changed payment instructions. But remember to call a phone number saved to your phone or from the signature block of an old e-mail that you know was legitimate.
• Always call to verify wire instructions that ask you to send money to a bank in a state or country other than where the project is located.
• Protect yourself with carefully drafted contracts and subcontracts to minimize your risks from these kinds of hacks.

A Note to Attorneys. This scheme has succeeded across many industries and professions. Attorneys should be aware that it has been used to intercept settlement payments and could be used to intercept or divert payments from a firm’s accounts, including the trust account.

Zach Rosenberg and Jamie Hanson are litigation and construction attorneys at Lang & Klain, P.C., in Scottsdale (480-534-4900).