Note: A much shorter, less detailed version of this column is available on the Leading-Edge Law Group website, www.LeadingEdgeLaw.com
Has your company recently been hit by a business email compromise (“BEC”)? This type of cybersquatting appears to be on the rise. Three of my law firm’s clients were hit within a single month.
Here’s what happens:
BEC is a form of phishing. A bad actor registers a domain name that mimics the primary domain name used by the business targeted by the bad actor, which I call the “real company.” Call the domain name used by the real company the “real domain name” and the one registered by the bad actor the “fake domain name.”
The bad actor composes the fake domain name to make it look legitimate. Sometimes, the bad actor adds a word to the real domain name to make the fake domain name look like one that the real company might have registered for a special purpose, such as adding “careers” for use when hiring. For example, if the real domain name (and name of the real company) is Acme.com, the bad actor might register AcmeCareers.com.
Sometimes, the bad actor will register a fake domain name that substitutes letters or numbers so that it visually will appear to be the real domain name unless you look closely. For example, the bad actor might replace the letter “m” with either a double “n” (“nn”) or with two letters, “r” and “n,” which look like an “m” when written together (“rn”). Thus, a bad actor might spoof Acme.com by registering Acnne.com or Acrne.com.
Another common ploy is to substitute the wrong character between the lowercase letter “i,” the lowercase letter “l,” and the numeral “1.” Here, a bad actor might spoof Reliant.com with Re1iant.com.
Usually, with BEC, the bad actor does not point the fake domain name to a website. Instead, the bad actor uses it only to send phishing emails to targeted people.
The bad actor might target any of various categories of people with a variety of frauds. Here are just a few of the many schemes: it might target the real company's vendors or customers, for example by sending fake invoices; or it might send fake emails to people who think they are applying for a job at the real company, either to obtain confidential financial information from them or to persuade them to spend money on something supposedly necessary to get or do the job.
This kind of fraud is increasingly effective because people send and receive business email on their smartphones, where the mail client shows only the sender’s display name and does not immediately show the underlying domain name.
If this hits your company, what should you do? And what could you have done to make this less likely to happen or to detect it earlier?
Below is a list of suggestions for steps you can take that mainly address the legal aspect of the situation. There are also many technological things you should do. In the interest of brevity, I’ll leave those to tech support folks.
Immediately File a Phishing Report.
Use a WHOIS search service to find the domain name registrar used to register the fake domain name.
Once you find that domain name registrar, go to its website and file a phishing report. Usually, you can make this filing by filling out an online form. Identify the fake domain name and explain what kind of phishing has occurred. Most domain name registrars will quickly suspend the fake domain name, usually within 24 hours and, sometimes, within a couple of hours.
This suspension should prevent the bad actor from using the domain name for any purpose, including email. Still, once the domain name registrar has said the domain name is suspended, send a follow-up message confirming that the domain name has been completely suspended so that it cannot be used to send email.
Request the Identity of the Bad Actor.
Ask the domain name registrar to divulge the name and contact information of the person who registered the fake domain name. This is almost always hidden by a domain name proxy service or because of the privacy practices of the domain name registrar itself. Nearly always, the domain name registrar will not give you this information. The registrar will probably say that it will provide this information only pursuant to a UDRP action (explained below) because of privacy laws. The European Union’s GDPR privacy regime makes many companies hesitant to divulge domain name registration information.
If you can get the name and contact information of the bad actor who registered the fake domain name, you can use paid services such as DomainTools.com to attempt to find out if the same bad actor also registered variations of the real domain name. That information would be useful to act against those other fake domain names. Yet, bad actors often register domain names using fake identities and use a different fake identity for every domain name they register. Thus, looking for other domain names registered by the bad actor probably won’t bear fruit.
Send a Cease-and-Desist Letter to the Bad Actor.
Get your lawyer to send such a letter. You can send it to the domain name registrar and request that it be forwarded to the domain name registrant (the bad actor). That forwarding should occur even if the domain name registrar refuses to divulge the identity of the domain name registrant. If the bad actor who registered the domain name also used a proxy service, which is a way to hide the domain name holder’s identity, the domain name registrar might direct you to that proxy service, and you would request that the proxy service forward the cease-and-desist letter to the bad actor.
A cease-and-desist letter is unlikely to intimidate the bad actor. Yet, when the bad actor sees that the fake domain name has been suspended and that legal counsel is on the case, the bad actor might move on to targeting another company. Also, the real company will want to show that it took all reasonable steps to stop the fraud because that could affect the extent of its liability to people who fell for the fraud.
Consider Filing a UDRP Action.
“UDRP” stands for “Uniform Domain-Name Dispute-Resolution Policy.” It is an arbitration process established by the Internet Corporation for Assigned Names and Numbers (“ICANN”) to recover domain names from cybersquatters.
Explaining how a UDRP works is a long topic for another day. In a nutshell, you can use it to freeze the domain name immediately, attempt to find the identity of the domain name registrant (again, probably fake), and recover the domain name. This process can take a couple of months and cost several thousand dollars in legal fees. This step may not be cost-effective if you have successfully suspended the domain name with a phishing report to the domain name registrar.
Yet, recovering the domain name could be part of demonstrating that you have done all you could to stop the fraud, again for liability-protection purposes. If the BEC has been particularly damaging, strongly consider filing a UDRP action.
Instead of a UDRP action, you also could file a lawsuit in federal court under the Anti-Cybersquatting Protection Act. This procedure allows you to recover the domain name and seek the identity of the domain name registrant. The advantage of this procedure is that you can also sue the domain name registrant for damages, with an option of recovering up to $100,000 per fake domain name in “statutory damages” in lieu of proving actual damages. But litigating in federal court is expensive, and if you get a money judgment, chances are you’ll never collect from the bad actor. You probably won’t even find the real identity of the bad actor, and that person is likely overseas.
Notify People.
Use email notices and warnings on your website and perhaps social media accounts to warn the affected audience about the fraud.
Notify Relevant Insurance Carriers.
Notify relevant carriers, such as a cyber insurance carrier. You may not have coverage, depending upon the type of insurance you carry. You also might decide not to make a claim. But if you don’t give notice soon after the incident, you might lose your ability to make a claim by waiting too long.
Backorder the Fake Domain Name.
Do so through a service that specializes in attempting to obtain domain names when they become unregistered, such as Snapnames. Your goal is to recover the domain name and hold it.
File a Complaint with the FBI’s Internet Crime Complaint Center (“IC3”).
It’s not clear if the FBI does much with these complaints, but filing a complaint is quick and easy, it might help, and it’s another way of showing that you did all you could to address the situation.
Things You Should Be Doing Now.
Finally, there are things you should do long before a BEC occurs, so that your company is in a stronger position when an attack does occur:
Do Employee Training. Conduct regular employee training on how to recognize phishing emails, verify sender information, and report suspicious activities. In addition to helping to prevent or limit any attack, it’s another step in attempting to limit your liability by showing that you tried to prevent the problem.
Federally Register Your Trademarks. Most likely, the primary domain name used by your company for its website and email is a version of the company name, such as Acme.com. If that is the case, having a federally registered trademark might help you when asking for a domain name registrar to suspend a domain name used in phishing, and it will strengthen your case if you file a UDRP action to take away the domain name.
Conduct Trademark Infringement Watching and Policing. This program typically includes receiving reports on recently registered domain names similar to your trademark and primary domain name. When you find problematic domain names, you can attempt to send warning communications to the domain name registrant to let them know their actions have been seen. You also can warn appropriate stakeholders in your company so they can be on the lookout for fraud and can consider sending warnings to others based on the nature of the threat. Also, there are online services that purport to specialize in monitoring and attacking problematic domain name registrations and phishing. We have not yet tested those services, so we cannot vouch for them.
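A defensive check that applies the lookalike patterns described earlier in this column (an added word, “rn” or “nn” in place of “m,” and confusion among “i,” “l” and “1”) to the kind of newly-registered-domain report a trademark watch delivers. This is an added example, not code from the column or from any watch service; the feed of candidate domains is constructed, and the normalization rules are a heuristic that only flags candidates for human review.

```python
import re

# Visual substitutions the column describes: "m" written as "rn" or "nn",
# and confusion among lowercase "l", lowercase "i" and the digit "1".
def normalize(label: str) -> str:
    """Collapse confusable sequences so spoofed and real labels compare equal."""
    s = label.lower()
    s = s.replace("rn", "m").replace("nn", "m")
    return re.sub(r"[1il]", "l", s)

def second_level(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'acme' for 'Acme.com'."""
    return domain.lower().strip().rsplit(".", 1)[0]

def classify(real_domain: str, candidate: str):
    """Return why `candidate` looks like a spoof of `real_domain`, or None."""
    real, cand = second_level(real_domain), second_level(candidate)
    if cand == real:
        return None  # the real name itself, on any TLD, is not a spoof
    n_real, n_cand = normalize(real), normalize(cand)
    if n_cand == n_real:
        return "confusable-characters"   # e.g. acrne, acnne, re1iant
    if n_cand.startswith(n_real) and n_cand[len(n_real):].replace("-", "").isalpha():
        return "added-word-suffix"       # e.g. acmecareers
    if n_cand.endswith(n_real) and n_cand[:-len(n_real)].replace("-", "").isalpha():
        return "added-word-prefix"       # e.g. hr-acme
    return None

def scan(real_domain: str, candidates):
    """Filter a feed of newly registered domains down to the suspicious ones."""
    hits = []
    for d in candidates:
        reason = classify(real_domain, d)
        if reason:
            hits.append((d, reason))
    return hits

# Constructed sample feed (not real registrations) in the shape a
# trademark watch report might deliver.
SAMPLE_FEED = [
    "acme.com", "acmecareers.com", "acnne.com", "acrne.com",
    "hr-acme.net", "acme.org", "acmeworld.io", "example.com",
]

if __name__ == "__main__":
    for domain, reason in scan("Acme.com", SAMPLE_FEED):
        print(f"{domain:<20} {reason}")
```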
* * *
The critical thing is to act quickly when a BEC incident happens. If you take a “wait and see” approach, you create the argument that your delay allowed the problem to worsen, which could increase your company’s liability.
Published on November 10, 2024
by John B. Farmer
© 2024 Leading-Edge Law Group, PLC. All rights reserved.