Remittance Cyber Theft is an Increasing Risk for Factors
The COVID-19 pandemic has widened the opportunity for cyber criminals to steal payments — an important part of the collateral for factors and other secured lenders. Cyber security, law enforcement and insurance are not keeping up with the increasing risk. Moreover, the law is struggling to define who is responsible for the mounting losses.
BY JOHN B. HAYES
Remittance theft by cyber criminals has followed the rise of the internet and was identified before the COVID-19 pandemic as a major risk for lenders and their borrowers. In the past few months, the reduced security resulting from remote workers has dramatically increased the risk. The normal protections against crime never fully caught up to the cyber bandits using the internet to steal payments, and businesses and lenders are now being further left in the dust.
THE DANGERS OF REMITTANCE THEFT
There are four characteristics of remittance theft that make it especially dangerous:
1. The cash disappears quickly, usually overseas, before the theft is even discovered. Recoveries from the actual thieves almost never happen.
2. A lender cannot protect against remittance theft by securing its own email and servers. The risk comes from all parties in the payment chain, including buyers, sellers, contractors and other third parties, as well as the lender itself. Even state-of-the-art cyber security alone will not protect against remittance theft.
3. Thieves are willing to spend weeks or months targeting a victim, which could be any party in the transaction chain. Cases show that criminals are technologically shrewd and very patient. They will wait a long time for the right moment to strike. These cyber criminals are frequently overseas. For example, a $50,000 remittance theft is an annoyance for most U.S. businesses, but it is more than 12 years of per capita income in Russia.
4. If recoveries are made, they are usually the result of expensive and protracted litigation between normal trading partners based on legal theories that have not caught up with the technology or the nature of the crimes. Insurance does not cover most forms of remittance theft.
WHAT IS REMITTANCE THEFT?
Remittance theft is a crime known under several banners, including wire fraud, payment diversion, ACH diversion, account takeover and invoice fraud, among others. The FBI typically identifies this type of cybercrime as business email compromise or BEC. Remittance theft happens when the payor remits the payment to the thief instead of the proper payee. Remittance theft itself is not new, but the internet has magnified the ability of thieves to break into businesses undetected from across the globe.
HOW THE CRIME IS COMMITTED
Remittance theft occurs because the thief can trick the payor into believing they are dealing with the legitimate receiver of the payments. The deception may occur early in the payment cycle with a fraudulent invoice or later in the cycle when the payment is misdirected on a legitimate invoice. The two major methods for effecting this deception are called “occupation” and “impersonation.”
Occupation occurs when a thief steals the email login credentials of one of the parties and occupies the email system for months before striking. The theft of the email credentials frequently occurs when a user sees an authentic-looking message informing them to change their password. The “man in the middle” changes the email server’s password and confirms the change back to the real user, resulting in the thief having the credentials undetected by the user.
A small fraction of email occupations may occur because a thief has implanted malware on the computer of the target; most occur because the user inadvertently gives the thief the credentials.
The thief is then able to occupy the email server for months, collecting and analyzing email traffic and the documents attached to emails. When the thief eventually strikes, they may create very authentic-looking outbound emails to other trading partners or even fake incoming emails to misdirect the payments. Improvements in email security in recent years, including multi-factor (two-stage) authentication, have helped reduce the compromise of email credentials by less-sophisticated thieves, but they have not eliminated it.
The second major method for creating deception is impersonation, which is when a thief creates a domain and email account that looks very similar to a legitimate domain but may differ by a single character or top-level domain.
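The impersonation check described above, as an added example that is not part of the original article: it flags sender domains that match a known trading partner except for the top-level domain or a single character (substitution, insertion, deletion or adjacent swap). The trusted list and sample addresses are constructed, and treating the last label as the top-level domain is a simplifying assumption; multi-label suffixes would need the Public Suffix List.

```python
# Added example: flag sender domains that imitate a known trading partner.
# TRUSTED and SENDERS are constructed; they use reserved .example/.test names.
TRUSTED = {"acmesupply.example", "northbank.example"}
SENDERS = [
    "ap@acmesupply.example",     # legitimate
    "ap@acmesupp1y.example",     # one character substituted
    "ap@acmesuply.example",      # one character dropped
    "billing@acmesupply.test",   # same name, different top-level domain
    "ar@nortbhank.example",      # two adjacent characters swapped
    "news@unrelated.example",    # unrelated sender
]

def within_one_edit(a, b):
    """True if a != b and one insert, delete, substitute or adjacent swap maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                          # make a the shorter (or equal) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                               # skip the common prefix
    if len(a) == len(b):                     # substitution or adjacent swap
        return a[i + 1:] == b[i + 1:] or (
            a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:])
    return a[i:] == b[i + 1:]                # b carries one extra character

def classify(domain, trusted=TRUSTED):
    """Return (reason, imitated_domain) for a lookalike, or None."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    name, _, tld = domain.rpartition(".")    # assumption: last label is the TLD
    for good in sorted(trusted):
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return ("tld-swap", good)
        if within_one_edit(domain, good):
            return ("one-character", good)
    return None

def review_senders(addresses, trusted=TRUSTED):
    """List (address, reason, imitated_domain) for every suspicious sender."""
    flagged = []
    for addr in addresses:
        hit = classify(addr.rsplit("@", 1)[-1], trusted)
        if hit:
            flagged.append((addr, *hit))
    return flagged

if __name__ == "__main__":
    for row in review_senders(SENDERS):
        print(row)
```

This check addresses impersonation only; mail sent from an occupied account arrives from the genuine domain and passes it.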
Both occupation and impersonation are frequently the result of initial spear phishing campaigns targeted at accounting and procurement personnel. These targets are identified by company websites, press releases, social media, public bid and other document filings, occupation of trading partners, and more. Once the thief obtains the email address of a target and occupies one email server, they target the trading partners with precision, learning not only the appearance of emails being exchanged but also the details on the type of email server that sent the message.
FORMS OF PROTECTION
It is possible to reduce the risk of remittance theft for both lenders and their collateral through a combination of technology and non-technology procedures. In fact, the non-technology means are the most important. A complete discussion of prevention, detection and remediation of the risk is beyond the scope of this article, but the highlights of each part of a risk strategy for managing remittance theft are outlined below.
A lender should insist on a minimum set of technology protections, including the use of an enterprise-strength email system, a high-quality email intrusion system and a high-quality firewall with malware detection and exclusion. These technology solutions will help reduce the chance of successful spear phishing attacks and the occupation of lender and borrower email servers. However, the most secure email servers do nothing to protect against vulnerabilities of trading partners.
The most important protection comes from best-practice procedures, training of staff and constant adherence to the procedures. As discussed below, recoveries are rare. The upfront investment in procedures, training and monitoring may be more cost-effective.
For the payor, the most important procedures relate to thoroughly verifying the identity of new payees and the methods for verifying any requested change in remittance instructions. The traditional “fill out a form” or “verify with a phone call” are no longer adequate by themselves.
REMEDIATION – WHO IS RESPONSIBLE FOR REMITTANCE THEFT?
Because stolen payments are moved quickly to other accounts, frequently overseas by largely untraceable parties, recovering the loss from remittance theft is virtually impossible. The question then becomes which of the parties is responsible. Despite the large number of thefts occurring in the U.S., there are very few reported cases, apparently due to the cost of litigation in proving who was responsible and the fact that a majority of these cases settle before a judgement.
An examination of the few reported cases indicates they tend to be decided on a traditional “standard of care” basis — the party that exhibited the lower standard of care is held responsible. One leading payment cyber theft case in federal court was decided in 2018 based on this duty of care approach, relying largely on old check theft cases.
A review in the past year of the pleadings in a large number of wire fraud cases in real estate transactions provided interesting insight into the approach taken by plaintiffs in attempting to recover misdirected wires. These cases were settled prior to a judicial decision, so they are not law themselves but offer insight into the legal theories raised. Duty of care was a dominant theme, as were the related negligence claims, with breach of contract and breach of fiduciary duty frequently appearing.
The conclusions reached from the current state of the law are:
1. The law is still evolving and there is no clear answer on who is responsible for the loss.
2. These are heavily fact-based cases, which makes them time consuming and expensive to litigate. In many cases, the payor simply refuses to pay a second time and the litigation to force a payment is not economic.
Cyber theft of remittances is a large, expensive problem that is growing as cyber thieves become more sophisticated. It is a particularly dangerous crime because it can happen quickly in large sums and the chance of recovery is slight. While useful cyber security technology solutions exist and should be employed, manual procedures and continued training of employees are probably more important. Cyber theft of remittances is an evolving field that deserves the attention of every lender.
John B. Hayes is CEO of Payment Security Corporation and an attorney in Atlanta who has represented lenders and borrowers in major capital transactions for more than 40 years. He was a founder of Peachtree Accounting and two innovative factoring companies. He is the author of a forthcoming book on capital sources for small businesses.