It has become commonplace in the real estate and construction industry to make electronic, digital, and wired payments, especially with the very large sums that are often transferred. With paper checks disappearing, cybercriminals are now targeting these industries—victimizing both payors and payees—and causing significant financial tension and reputational harm. As evidenced by a recent FBI bulletin specifically warning the construction industry, fraudsters have become increasingly sophisticated, hacking into email servers, posing as escrow agents or company employees, intercepting wire transfers before the payee or payor even realize it.
Business email compromise (BEC) is one of the most common scams to rob the construction project. The cyber criminals first start with breaching the security of potential recipient of the payment, i.e., in construction, owners pay general contractors who pay subcontractors. The cybercriminal will then secretly worm around the contractor’s server looking for the accounting-type person who is charged with monitoring invoices and payments. Then the cybercriminal will carry out a BEC where cyberthieves compromise email accounts and manipulate payors into sending wire transfers to the thieves instead of the payee, by using either a false invoice or requesting payments to a fraudulent bank account. This is done by sending a familiar looking email (i.e., changing one similar letter in the email address) telling the payor to transfer the money to different account. If the payee does not notice the slight difference in the email and follows the cyber criminals’ instruction, the money is wired to the thieves’ foreign bank account. Here, because the cyberthieves are attacking the network itself, it is extremely difficult for companies to detect the threat until the money does not show up as expected. Such schemes result in dual victimization; leaving the payee without payment, the payor possibly having to pay twice, and both parties questioning where the liability falls, causing extreme tension on what was once a strong business relationship.
It is imperative that construction and real estate industry professionals are proactive in reducing the risk of becoming victims of cybercriminals. Here are some risk management tactics:
Contract Upgrade - First and foremost, all contracts should be reviewed and upgraded to ensure inclusion of (1) exact language on how payments need to be submitted to the legitimate payee, and (2) assignment of responsibility and perhaps indemnification if this process is not followed. Most existing contract templates are woefully silent on this risk.
Insurance - Second, insurance policies need to be evaluated, as many insurance products do not cover this type of loss. Additional coverage such as social engineering fraud, network security liability, and invoice manipulation protection should be analyzed to complete a gap analysis, as many commercial crime insurance policies will not cover BEC losses. Cyber loss insurance carriers are predictably responding to the increased risk with higher premiums, larger deductibles, narrower coverage, and lower limits. Contractors should work with their internal risk manager and outside brokers to assess this coverage and risk.
Internal Process - Finally, internal procedures and security programs need to be assessed to confirm company computer security systems will be deemed commercially reasonable in the event of litigation. Where the parties’ contracts are silent, caselaw has held the party who was in the best position to prevent the cyber theft may be held responsible – which may come down to whether your computer security meets commercial standards. Moreover, a people-centric, multi-layered defense with training should be internally implemented to prevent, detect, and respond to this specific type of fraud. For example, training employees to examine new or changed wire instructions and examine business email addresses for spelling, grammar, and word usage as well as requiring telephone confirmation of payment instructions can also be helpful in mitigating risk.
A proactive approach to counteract the threat of fraudulent cyber payment is the only way to prepare for and reduce the potential cost of victimization. Updating contract clauses to specify whether the payor or payee bears the risk of loss in the case of fraudulent transfer of funds to a fake payee, identifying how to submit payment to the legitimate payee, and/or requiring a reasonable security program can help protect both parties. Additionally, analyzing current and sample insurance policies and endorsements to check for social engineering fraud, invoice manipulation, and network security coverage, as well as policy limits applying to such coverage and how the excess coverage will apply is also imperative for protection in the event your company is targeted by cybercriminals.