The cannabis industry is still a nascent industry, full of fast growth. This includes building new teams, new supplier relationships and new agreements. The novelty and rapid growth of this nascent industry present a unique opportunity for threat actors to execute business email compromise (BEC) attacks.
Threat actors exploit this lack of familiarity and of established policies to trick cannabis industry employees, through phishing emails, into executing actions and/or revealing confidential information, including credentials and passwords.
In 2019, the FBI reported more than $1.7 billion in losses due to BEC activities, and this represents only those incidents reported by companies.
BEC is a specific type of phishing designed to impersonate a real employee (usually an executive) in order to trick other employees or suppliers into wire-transferring payments to an unknown bank account that drains quickly, making it difficult to get the funds back.
It’s part phishing, part social engineering within the enterprise, exploiting business relationships to manipulate the flow of money.
What makes BEC difficult to identify and report is that threat actors often operate from within the email accounts of real cannabis industry employees.
Nearly all successful BECs begin with a phishing campaign, in which employees are tricked into believing that they should provide their username or email and password in response to what appears to be a genuine email.
Phishing schemes are so sophisticated that some of the most effective phishing tests trick nearly 100% of recipients into clicking on malicious links.
Continued use and reliance on email blinds many employees to the speed at which they can be tricked. For example, a phishing test that offered free Netflix subscriptions as an employee benefit fooled nearly 100 percent of recipients.
Beyond such catchy offers, other common and effective lures claim that an employee’s Microsoft Outlook account needs to be updated, or alert the employee to a large number of files deleted from a shared drive.
Once an employee is lured by the initial phishing email and provides their credentials, the threat actor can log into that employee’s email account and start impersonating them.
It is much easier to spot spoofing from an unknown individual at an unfamiliar business; it is much harder to recognize that the accounts payable contact of a colleague or familiar supplier is not who they claim to be when the message arrives from their real email address.
Once the phishing attempt is successful and the attacker is logged in with a real email account, the attacker will start exploring. This usually involves collecting old invoices and researching which employees, suppliers or customers are the best targets for a BEC scheme.
A favorite tactic is to identify new CFOs or new vendors: any party unfamiliar with conventional practices, or unlikely to be mature enough to have appropriate controls in place to prevent payments being redirected to threat actor accounts.
Threat actors then set up rules in the email account that make emails sent and received virtually invisible to the real cannabis employee while they continue to use the account. These rules might redirect email to a third email address, or discreetly push email into standard folders that exist in every mailbox but are rarely used, such as RSS Feeds or Conversation History in Outlook.
These steps can keep attackers in the account for weeks or months, redirecting payments undetected. Because of the time lag between invoice and payment, it can often take months, and missed payment dates, before the redirection of funds is discovered.
The consequence is usually a dispute over which party to the redirected payment is at fault. A cannabis industry supplier demands payment for services provided, and the dispensary argues that it was simply following the latest payment instructions it received from the supplier’s email. The supplier argues that no such emails exist, because the threat actors deleted them, and still expects to be paid for its services.
The dispensary launches a forensic investigation and hires attorneys to establish that its own email accounts were not accessed by the threat actors. From there the situation escalates: costs, business disruption, reputational damage and lost resources.
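As an added example (not from the original article), the following Python triages an export of mailbox inbox rules for the hiding pattern just described: forwarding to outside addresses, moving mail into rarely opened default folders, or deleting it, with extra weight when the rule keys on payment-related subjects. The record layout, field names and sample rules are constructed for this example and are not any mail platform’s real schema.

```python
# Added example; record fields are an assumption, not any vendor's schema.
# Folders every mailbox has but rarely opens; mail moved there is effectively invisible.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
# Subject terms suggesting a rule targets payment traffic.
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}

def rule_findings(rule, internal_domains):
    """List the reasons a rule looks like it hides mail from its owner."""
    acts = rule.get("actions", {})
    findings = []
    for addr in acts.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
            findings.append(f"forwards to external address {addr}")
    if (acts.get("move_to") or "").strip().lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder {acts['move_to']!r}")
    if acts.get("delete"):
        findings.append("deletes matching mail")
    if findings and acts.get("mark_read"):
        findings.append("marks mail read, so no unread count betrays it")
    if not rule.get("name", "").strip(" ."):
        findings.append("rule name is blank or punctuation only")
    return findings

def severity(rule):
    """'high' when the rule keys on payment-related subjects, else 'medium'."""
    words = {w.lower() for w in rule.get("conditions", {}).get("subject_contains", [])}
    return "high" if words & FINANCE_TERMS else "medium"

def triage_rules(rules, internal_domains):
    """Return (mailbox, rule name, severity, findings) for each flagged rule."""
    out = []
    for rule in rules:
        found = rule_findings(rule, internal_domains)
        if found:
            out.append((rule["mailbox"], rule.get("name", ""), severity(rule), found))
    return out

# Constructed sample export: one benign rule and two in the pattern above.
SAMPLE_RULES = [
    {"mailbox": "ap@dispensary.example", "name": "Newsletters",
     "conditions": {"from_contains": ["news@"]}, "actions": {"move_to": "Newsletters"}},
    {"mailbox": "ap@dispensary.example", "name": ".",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"mailbox": "cfo@dispensary.example", "name": "Backup",
     "conditions": {"subject_contains": ["wire"]},
     "actions": {"forward_to": ["cfo.dispensary@webmail.example"], "delete": True}},
]
```

Running `triage_rules(SAMPLE_RULES, {"dispensary.example"})` flags the second and third rules as high severity and leaves the newsletter rule alone; the same check is a reasonable periodic job against every mailbox, not just the one that first raised suspicion.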
State compliance requirements triggered by BEC
In addition to the usual battles between the BEC victims described above, there are also data breach notification laws to be addressed after a BEC is discovered.
As if the cannabis industry did not have enough laws to track, it must also account for the fact that when unauthorized actors are in a cannabis employee’s email account, the law may deem them to have accessed or downloaded information that qualifies as personal information under the applicable data breach notification act.
Each state has a data breach notification law under which affected cannabis companies are required to respond in specific ways, including potentially notifying affected individuals, notifying the attorney general, and providing credit monitoring services to affected individuals.
These laws, as well as many contracts, require suppliers to give notice to their commercial customers in such situations. The result is a double-edged sword: investigating and responding to a BEC comes at a price, and ignoring this legal responsibility, which can lead to a lawsuit or regulatory investigation, is even more costly.
Every day in cannabis brings new, well-publicized developments: new employees hired, new mergers completed, new relationships forged and new markets opened. As such, it is increasingly fertile ground for BEC attacks.
Veteran members of the industry can take countless important steps, from preventive measures (like multi-factor authentication) to mitigation measures (like implementing strong record retention policies and payment change protocols).
Experienced technical and legal advisors should be engaged to help the enterprise understand the legal and security improvements that apply to it, and to assess regulatory requirements and technical safeguards, especially after a business email compromise is detected.