The cannabis industry is still young and growing quickly, which means new teams, new vendor relationships, and new procedures are constantly being established. That newness and rapid growth make the industry an attractive target for threat actors who execute business email compromise (BEC) attacks.
Threat actors exploit that lack of familiarity and of settled policies to trick cannabis industry employees, via phishing emails, into taking actions or divulging confidential information, including login credentials.
In 2019, the FBI reported over $1.7 billion in losses due to BEC campaigns, and that only represents those incidents that companies reported.
BEC is a targeted form of phishing in which the attacker impersonates a genuine employee, often an executive, or a trusted vendor, in order to trick other employees or vendors into wiring payments to attacker-controlled bank accounts. Those accounts are quickly drained, leaving the funds difficult to retrieve.
It is part phishing, part intra-business social-engineering, utilizing situational awareness of business relationships to manipulate the movement of money.
What makes BEC uniquely difficult to identify and report is that the threat actor is often operating from inside an authentic cannabis industry employee’s email account.
Almost all successful BECs start with a phishing campaign wherein an employee is deceived into believing they should provide their username or email and password in response to a seemingly genuine email.
Phishing lures are effective enough that some internal phishing tests fool nearly every recipient into clicking a malicious link.
Daily reliance on e-mail has lulled many employees into losing sight of how quickly they can be duped. For example, a phishing test offering a free Netflix subscription as an employee perk deceived nearly 100% of its recipients.
Beyond such enticing lures are the mundane but highly effective pretexts: a notice that an employee’s Microsoft Outlook account requires updating, or an alert that a large number of files have been deleted from a shared drive.
Once an employee has fallen for the initial phishing email and provided their credentials, the threat actor is able to log into that employee’s email account and begin impersonating them.
A grift is much easier to spot when it comes from an unknown individual at an unrecognized business. It is far harder to discern that a colleague or a familiar vendor’s accounts payable contact is not who they claim to be when the message arrives from their genuine email address.
Once the phishing attempt is successful and the threat actor is logged in with an authentic email account, the actor begins exploring. This often includes collecting old invoices and researching which employees, vendors, or customers are the best targets for a BEC scheme.
A favorite tactic is to identify a new CFO or a new vendor: any party unfamiliar with routine practices, or unlikely to have controls in place that would catch a request to redirect payment to the threat actor’s account.
Threat actors then create rules within the email account that make their correspondence virtually invisible to the legitimate employee, who continues to use the account normally. These rules may forward or redirect messages to an outside address, or quietly move them into standard folders that exist in every mailbox but are rarely opened, such as RSS Feeds or Conversation History in Outlook.
These steps can allow a threat actor to dwell in an account for weeks or months, redirecting payments undetected. Because of the lag between invoice and payment, it often takes several months and missed payment dates before the redirection of funds is identified.
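Because hiding rules of this kind are the attacker's main persistence mechanism, reviewing every mailbox rule is one of the first checks in a BEC investigation. The following is an added example, not code from the original article: a small triage routine that flags rules which forward externally, move mail into rarely-viewed folders, delete or pre-read messages, filter on payment vocabulary, or carry a throwaway name. The record layout loosely follows the property names returned by Exchange Online's Get-InboxRule cmdlet (Name, Enabled, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, MarkAsRead, SubjectContainsWords); that mapping, the folder and keyword lists, and the sample rules are all assumptions constructed for illustration.

```python
"""Triage exported inbox rules for signs of BEC mailbox tampering.

Added example. The rule records are constructed and only loosely follow the
property names of Exchange Online's Get-InboxRule output; the field names,
folder list, keyword list and sample data are assumptions for illustration.
"""
from __future__ import annotations

# Folders present in every Outlook mailbox but rarely opened by the owner,
# which is why attackers route stolen threads into them.
LOW_VISIBILITY_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "junk email", "archive", "deleted items", "notes",
}

# Vocabulary a payment-redirection actor typically filters on.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "ach", "bank", "remit", "remittance"}


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_rule(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return the reasons a single inbox rule looks like BEC tampering.

    An empty list means nothing suspicious was found. Disabled rules are
    skipped here because they take no action; they still deserve a look.
    """
    reasons: list[str] = []
    if not rule.get("Enabled", True):
        return reasons

    # 1. Forwarding or redirecting mail to an address outside the organisation.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(key) or []:
            dom = _domain(addr)
            if dom and dom not in internal_domains:
                reasons.append(f"{key} external address {addr}")

    # 2. Moving mail into a folder the owner never looks at.
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"MoveToFolder low-visibility folder '{rule['MoveToFolder']}'")

    # 3. Destroying, or pre-reading, the evidence so no unread badge appears.
    if rule.get("DeleteMessage"):
        reasons.append("DeleteMessage set")
    if rule.get("MarkAsRead") and (folder or rule.get("DeleteMessage")):
        reasons.append("MarkAsRead combined with move/delete")

    # 4. Conditions keyed on finance vocabulary. Keywords alone are normal;
    #    keywords combined with a hiding action are not.
    words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])}
    words |= {w.lower() for w in (rule.get("BodyContainsWords") or [])}
    hits = sorted(words & FINANCE_KEYWORDS)
    if hits and reasons:
        reasons.append(f"finance keywords {hits}")

    # 5. Throwaway names such as "." or "," are a common attacker habit.
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def triage_mailbox(rules: list[dict], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map rule name -> reasons, for every rule that raised at least one flag."""
    findings: dict[str, list[str]] = {}
    for rule in rules:
        reasons = triage_rule(rule, internal_domains)
        if reasons:
            findings[rule.get("Name", "<unnamed>")] = reasons
    return findings


# Constructed sample: one benign rule and two rules of the kind described above.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "payment", "wire"]},
    {"Name": "Archive AP", "Enabled": True, "DeleteMessage": True,
     "ForwardTo": ["ap-billing@example.net"], "BodyContainsWords": ["remittance"]},
]
INTERNAL_DOMAINS = {"example-dispensary.com"}  # assumed tenant domain

if __name__ == "__main__":
    for rule_name, why in triage_mailbox(SAMPLE_RULES, INTERNAL_DOMAINS).items():
        print(f"[!] rule {rule_name!r}:")
        for reason in why:
            print(f"      - {reason}")
```

Run against a real export, the same logic should be applied to every mailbox in the tenant, not only the one that sent the fraudulent payment instructions, and any external forwarding should be cross-checked against the mailbox's audit log to see when the rule was created and from which IP address.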
The fallout is often a finger-pointing affair over which side of a redirected payment is at fault. The cannabis industry vendor demands payment for services provided, while the dispensary argues that it simply followed the updated payment instructions it received by email from the vendor. The vendor maintains that no such emails exist in its records, because the threat actor deleted them, and still expects to be paid for its service.
The dispensary initiates a forensic investigation and brings in breach counsel to determine with certainty whether its own email account was subject to unauthorized access. And the situation escalates, in costs, in business disruption, in reputational harm, and in resources.
State Compliance Requirements Built Into BEC
Besides the all-too-common battle between two parties victimized by a BEC depicted above, there are data breach compliance laws to address once a BEC is discovered.
As if the cannabis industry did not have enough laws to keep track of, an unauthorized actor inside a cannabis employee’s email account may be deemed, under applicable data breach notification laws, to have accessed or acquired information that qualifies as personal information.
Every state has a data breach notification law, under which specific responses are required of an impacted cannabis company, including potentially notifying affected individuals, notifying Attorneys General, and offering credit monitoring services to affected individuals.
These laws, as well as many contracts, require a vendor to provide notice to their business clients in such a situation. The result is a double-edged sword — there is a cost to investigating and responding to a BEC and an even heavier cost to ignoring this legal responsibility only to have that decision result in litigation or a regulatory investigation.
Every day in cannabis there are new, well-publicized developments. New hires made, new mergers finalized, new relationships forged, and new markets opened. As a result, it is an increasingly fertile ground for BEC attacks.
There are many important steps sophisticated members of the industry can take, from preventative measures, such as multi-factor authentication, to mitigating ones, such as a strong record retention policy and a payment-change protocol that verifies any new banking instructions through a known channel other than email.
Experienced technical and legal counsel should be retained to help navigate the applicable laws and evaluate both regulatory requirements and technical safeguards, especially after a business email compromise has been detected.