How To Not Let Tampered Email Blow Up The Deal

Imagine it’s closing day on a sale you’ve been working on for half a year. You’re the buyer’s agent, and you’re still on duty. The instructions for money wiring arrive; your legal staff reads the email and executes the bank transfer per the instructions.

The sum is debited from the buyer’s account, but the proceeds never arrive at the seller’s account. A closer look at the email shows why: the instructions were fake. Someone, an attacker, knew the closing was today, knew the rough terms of the transfer, and knew which email to tamper with in order to replace the seller’s legitimate wire transfer destination with a criminal’s account details.

It was supposed to be a day for champagne and celebration. Instead, it’s a day for Advil and Rolaids.

Fact: Email Is Insecure

It is impossible to imagine the business world conducting itself without email. In only a single minute, users on the internet send 204 million emails. Yet, it is a fact that email is a deeply flawed business tool in one critical way: it was never designed for either security or privacy.

Email in its most basic form is plain text. When evaluating its security and privacy, consider email akin to a postcard: anybody handling a postcard has the ability to read what’s written upon it. Email traversing networks is sent overwhelmingly in plain text, very similar to a postcard: any machine (mail server) that collects or stores an email message is a repository of plain text.

An attacker who has access to a mail server’s messages will likely be able to search or filter hundreds of thousands of plain text messages, looking for interesting terms such as “account number” or “closing date” or “xxxx N. Main Street”. From there, the attacker can tamper with specific, critical emails (such as ones that are sent during closing).

More Subtle Than Viruses And Spear Phishing

We’ve all received weird email with bogus attachments (viruses) and links leading to places we’ve never seen before (spear phishing); most of us know not to trust such messages. But an attacker who leverages privileged information to tamper with an email containing wire transfer instructions is relying on familiarity, rather than hoping you won’t notice something alien about the email’s appearance.

For these reasons and more, an email message that contains wire transfer instructions, even when expected, is best considered suspicious, and should be avoided.

What Are The Alternatives?

Because of these inherent security and privacy weaknesses in email, commercial real estate brokerages and law firms increasingly are reserving the communication of wire transfer instructions to non-email channels such as fax or telephone calls between familiars. While not perfectly secure, using voice or fax calls to communicate these details greatly heightens the required commitment and difficulty level on the part of an attacker.  No longer are simple text searches enough – and that alone improves the bottom line on security and privacy.

Of course, never ever take anything you read here at The Source as legal advice — and always retain qualified legal and technical counsel.

The kind of counselors, for example, who don’t just assume internet email is secure and trustworthy.

You’ve Got Mail (But Who Really Sent It?): The Risks Of Online Financial Transactions

Still running your brokerage or property management business on an AOL email account? Law blog JDSupra Business Advisor has something to say about that decision. In an April 27th post, “AOL, Dropbox, And The Big Uh-Oh,” data security-focused attorney Drew Sorrell tells the story of the purchase of a New York apartment, and how it went wrong during a trip down the intertubes. (Despite the headline, Dropbox is not involved in the story.)

A New York couple brought suit against their former law firm because it used an America Online account to transact firm business. If you are my age you probably remember that AOL and “You’ve got mail!” were the future—back in 1990. Well, now AOL is culturally a relic of the past and occasionally I still run across someone who is using an AOL account for their email. Usually, I silently judge them as technological dinosaurs (don’t tell me you don’t do the same thing).

Well, it turns out that this law firm and its AOL account were being used to help a couple purchase a $19.4 million cooperative apartment in Manhattan. Hackers had breached the firm’s AOL account and were monitoring its email traffic.  The hackers then used the account to pose as the attorney working on the deal to direct the clients/couple to deposit $1.9 million by wire transfer into a hacker-controlled account. The hackers were kind enough to send the buyers/clients a receipt for the funds. 

Once the fraud was detected the couple was able to recover all but $196,200 (plenty enough to still ruin my day).  While this is a brand new suit, it should be warning enough. So, what are the lessons learned here?

As a business technology observer, I’d offer that there’s nothing very special about AOL email addresses when it comes to risk of data security – committing millions of dollars of transactions over insecure email can go badly wrong no matter what service you use.

While you can read the entirety of the post and the lessons learned, let me interject with the usual disclaimer: Take nothing you read at The Source blog or really, at any blog, as legal advice.  Always, always, always get advice from qualified real estate counsel.

Source: AOL, Dropbox and the Big “uh-oh” | Lowndes, Drosdick, Doster, Kantor & Reed, P.A. – JDSupra

Photo credit: BusinessInsider