Cyberattacks: The Limitations of Law Enforcement’s Reach

Many people who have been victims of email compromise scams have found that investigating involves a complex array of local, state, and federal agencies.

Cyberattacks: The Limitations of Law Enforcement’s Reach (And How It Can Harm Your Business)

Throughout 2020 and 2021, it has seemed as though we are constantly hearing about yet another cyberattack. In all the chatter, including the Colonial Pipeline attack and an attack on a meatpacking plant that left many wondering, there would be a shortage in the meat supply chain, there’s one attack that may have gone unnoticed: an attack on One Treasure Island, a nonprofit dedicated to restore the island in San Francisco Bay and provide a location for low-income and formerly homeless individuals.

Beginning in late December 2020, hackers gained access to the One Treasure Island accounts and began to siphon away money. Over the course of the next month, these criminals continued to siphon money out of the account–to the tune of $650,000 by the time all was said and done. The company did not discover the devastating loss until January 27, when it was discovered that the intended recipient of that money, a member organization planning to create affordable housing projects on the island, had not received the first installment of the money as intended.

“It was absolutely devastating,” shares Sherry Williams, the One Treasure Island executive director.

How Hackers Broke Into One Treasure Island

The One Treasure Island attack was facilitated with a relatively low-tech hacking technique: hackers broke into the email system used by the organization’s third-party bookkeeper and steadily inserted themselves into existing email chains. With email addresses similar to the ones on file for the organization, no one took note of the new additions. They were then able to use the information obtained from this email chain to break into the organization’s accounts and drain them.

The hackers managed to pose as Ms. Williams, the executive director of One Treasure Island, in an email to the member account that was expecting the delivery of those funds. They indicated that the funds would be delayed, but that the project should continue as intended shortly. This prevented any red flags from going off for the member organization. Then, they took the legitimate invoice sent out by that company and changed the routing number on it to a bank account in Odessa, Texas: one that went straight to them, rather than to the charitable cause.

They then proceeded to send out two more invoices using that routing information. Ms. Williams, on receiving those invoices, assumed they came from the legitimate organization already vetted by One Treasure Island and sent the money straight to the organization through wire transfer. She notes that nothing seemed odd about the email communications: no red flags, odd errors, or even obviously strange email addresses caught her attention, so she assumed the invoices were legitimate.

Once she discovered the problem, Ms. Williams reported the crime immediately to the IC3 department, the nonprofit’s bank in San Francisco, and the branch of the bank in Texas where the money was sent. Unfortunately, because of the comparatively low amount involved–the IC3 usually pursues cases that account for at least half a million dollars, and where the leads are clearly there to follow–the FBI has declined to follow through on the attack. Unfortunately, local police in Odessa could cover only what had taken place in their jurisdiction. While the Odessa police department could help them recover approximately $37,000 from the frozen account belonging to the criminals, it could do little for the larger sum missing from the account. Ms. Williams, after consulting with local police, went home discouraged.

The Email-Compromise Attack Challenge

Email compromise attacks often do not see the same degree of awareness and attention that bigger attacks, like ransomware, do. Nevertheless, they are one of the most expensive categories of crime reported to the FBI Internet Crime Complaint Center, or IC3, each year. In 2020, losses due to those attacks climbed to around $1.87 billion, a steady increase over the $1.78 billion lost in 2019. Like other types of cybercrimes, email compromise attacks have been on the rise over the past year and a half, as an increasing number of people

Unfortunately, investigating these cases has also become increasingly challenging. Many people who have been victims of email compromise scams have found that investigating involves a complex array of local, state, and federal agencies. Jurisdiction can be challenging, and the efforts taken by one organization may not necessarily be supported by the others. Evidence can quickly go astray–and, as in the One Treasure Island case, relatively minor losses may be ignored in favor of the larger, multimillion-dollar losses that take place each day.

Protecting Your Business

With the vast array of options for cybercrime hitting the market today, it’s little wonder that many businesses are struggling to find better protection. Can you protect against fraud and cybercrime? Unfortunately, it’s almost impossible to fully protect against these types of challenges–especially when many people, reluctant to be the ones to admit they faced fraud and that the criminals won, may refuse to step forward and admit the losses they have faced. However, there are some steps that you can take to protect your business against these challenges.

  • Have a safety plan in place that dictates who you should report cyber crimes to. The FBI and other law enforcement organizations can achieve more if they can act fast to investigate and protect against further fraud.
  • Make sure your employees are familiar with how to recognize potential spoof emails, from double-checking email addresses to look at the language used in emails. In some cases, those can serve as valuable indicators of a potential attack.
  • Follow up on suspicions with more traditional communications, if needed. You may want to use a Zoom call, a telephone call, or even a face-to-face meeting to confirm that any funds transferred have gone where they’re supposed to and that you aren’t missing anything.

Cybercrime can prove devastating for many businesses. We can help you judge your business’s vulnerability and help provide some of the protection you need to keep you safe. Contact us today to learn more.