
RUSSELL WANGERSKY: Spear phishing — the latest sport

Even law firms can fall victim to phishers — hook, line and sinker. — 123RF Stock Photo


You probably see them regularly: an email that claims to be from your employer’s IT department, or perhaps even from the maker of your email system. There’s a problem with your account, and to fix it, you have to click on a link. When you do, you’re prompted to enter your password.

But it’s fake, designed to harvest personal information like that password. It’s so common it has a name: phishing, or spear phishing when the email is tailored to one particular target. A spear-phishing email is what let Russian hackers into John Podesta’s personal email in 2016. He was chair of Hillary Clinton’s presidential campaign in the last election.

You keep getting those emails because, every now and then, they work. Here’s a sad little story about two law firms and $7,000 that just plain went away, and the small claims court case over the loss.

Here’s the background: two Ontario companies were in a legal tussle over $15,670 of environmental assessment services. A company had done work and hadn’t been paid. Before that case came to Ontario’s court system, the two sides settled. The company that provided the environmental work agreed to settle for $7,000.

The two law firms drew up the settlement and agreed that the money would be transferred electronically from one law firm’s bank account to the other.

Except, before the transfer was made, an email came from the account of the paralegal handling the case for the environmental firm.

It read: “Please pay to the below banking information. Bank Name: Servus Credit Union 3150 13 Ave SE, Medicine Hat, AB T1B 1E3 Canada Name: Richard Hoehn; Account number: 615029311047; Routing: 089921029; Transit: 21029-899 I can surely provide you with a paid in full document other than the settlement agreement if you wish. My daughter-in-law is having a baby as we speak and I will be leaving for Toronto tomorrow. Please provide the funds to our account provided. Thank-you.”

The email was fake, the money was quickly gone, and the two law firms went to court to fight over who was responsible.

No one really seemed to question the fact that a payment was now being made to someone unrelated to the case, living in another province.

After that, as Ontario Small Claims Deputy Judge Shane Kolford put it, “With the benefit of hindsight, reviewing the continuing email exchanges … is much like watching a train wreck.”


What had happened, as best it can be determined, is that a phishing attempt had obtained the paralegal’s password. Whoever had it then watched the account until there was something worth stealing, and reconfigured the paralegal’s mailbox so that messages from the other law firm were forwarded to an external Gmail account and deleted before the paralegal ever saw them.

An outside IT investigator described it like this: “This combination of redirections and forwards enabled the malicious user to send a message from (the paralegal’s) account. To the recipient there would be no way of knowing that the message was illegitimate unless they questioned the instructions or activity therein. If the user replied to the message for clarification the rule was designed to intercept this message so that the malicious user could respond without (the paralegal) being aware of the conversation.”
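The investigator’s description is a textbook business-email-compromise pattern: a mailbox rule that forwards or redirects mail from one counterparty to an outside address and then deletes or hides it, so the account owner never sees the conversation the attacker is having in their name. Such rules leave a record in mail-server audit logs, and the script below is an added example of how an IT team could flag them; it is not part of the column or of the court record. The audit records in it are constructed for the example and follow the general shape of Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule (a list of Name/Value parameters); the firm’s domain, user names, IP addresses and the external mailbox are all assumed.

```python
"""Flag mailbox rules that look like BEC interception (forward out + hide).

Added example, not code from the column or the court case. Records below are
constructed; they mimic the Name/Value parameter list that Microsoft 365's
unified audit log attaches to New-InboxRule / Set-InboxRule events.
"""
import re

INTERNAL_DOMAINS = {"example-law.ca"}          # assumed: the firm's own domain(s)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers use to park intercepted mail where nobody looks.
SUSPICIOUS_FOLDERS = {"deleted items", "junk email", "rss feeds",
                      "rss subscriptions", "archive", "conversation history"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_AUDIT_LOG = [  # constructed sample records
    {"Operation": "New-InboxRule", "UserId": "paralegal@example-law.ca",
     "ClientIP": "203.0.113.10",
     "Parameters": [
         {"Name": "Name", "Value": "."},                       # one-character name
         {"Name": "From", "Value": "counsel@other-firm.example"},
         {"Name": "ForwardTo", "Value": "intercept@webmail.example"},  # external (a Gmail account in the case)
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "clerk@example-law.ca",
     "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "partner@example-law.ca",
     "ClientIP": "198.51.100.9",
     "Parameters": [
         {"Name": "Name", "Value": "cc assistant"},
         {"Name": "ForwardTo", "Value": "assistant@example-law.ca"}]},  # internal
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Pull e-mail addresses out of a parameter value (plain, or the
    '"Display Name" [SMTP:addr]' form) and keep those outside INTERNAL_DOMAINS."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def classify_rule(record):
    """Return (severity, reasons) for one audit record.

    "high"   : mail leaves the organisation AND is hidden from the owner
               (the interception pattern the investigator described)
    "medium" : external forward/redirect without hiding
    "low"    : hides mail from one specific correspondent, no forward
    None     : nothing suspicious
    """
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None, []
    p = _params(record)
    reasons = []
    external = [a for name in FORWARD_PARAMS
                for a in _external_addresses(p.get(name, ""))]
    if external:
        reasons.append("sends mail outside the organisation: " + ", ".join(external))
    hidden = False
    if p.get("DeleteMessage", "").lower() == "true":
        hidden = True
        reasons.append("deletes the message after acting on it")
    if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
        hidden = True
        reasons.append("moves the message to an unwatched folder: " + p["MoveToFolder"])
    if p.get("From"):
        reasons.append("scoped to one correspondent: " + p["From"])
    if len(p.get("Name", "").strip(" .")) == 0:
        reasons.append("rule name is empty or punctuation only")
    if external and hidden:
        return "high", reasons
    if external:
        return "medium", reasons
    if hidden and p.get("From"):
        return "low", reasons
    return None, []


def scan(records):
    """Run classify_rule over every record; return [(user, severity, reasons)]."""
    hits = []
    for r in records:
        severity, reasons = classify_rule(r)
        if severity:
            hits.append((r.get("UserId", "?"), severity, reasons))
    return hits


if __name__ == "__main__":
    for user, severity, reasons in scan(SAMPLE_AUDIT_LOG):
        print(f"{severity.upper():6} {user}")
        for why in reasons:
            print("       -", why)
```

On a real Microsoft 365 tenant the records would come from Search-UnifiedAuditLog, and Get-InboxRule in Exchange Online lists the rules currently in force; other mail platforms expose the same rule parameters under different names and can be mapped to the same dicts. The log check is a detective control after the fact; the control that would have stopped the loss in the story is procedural, namely confirming any change to payment instructions by phone on a number already on file, not one supplied in the email.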

The judge decided that the law firm that had sent the money hadn’t actually paid the other firm and would have to come up with the $7,000 all over again — because the firm that was to receive the funds wasn’t “grossly negligent” in its email system’s security.

What’s it matter to you?

Well, perhaps, because something like it could happen to you.

And there’s not much you can do about that.

Russell Wangersky’s column appears in 36 SaltWire newspapers and websites in Atlantic Canada. He can be reached at [email protected] — Twitter: @wangersky.

