// BUSINESS INNOVATIONS //
CannaPrivacy
The Cannabis Industry’s Growing Threat of Business Email Compromise
By Dan Greene
The cannabis industry is still a new one, full of rapid growth that includes building new teams, new vendor relationships, and new protocols. The newness and rapid growth of this budding industry represent an incredible opportunity for threat actors who execute business email compromise (BEC) attacks. Threat actors target the lack of familiarity and policies to trick cannabis industry employees, via phishing emails, into performing actions and/or divulging confidential information, including credentials and passwords. In 2019, the FBI reported over $1.7 billion in losses due to BEC campaigns, and that only represents those incidents that companies reported.
The Threat
A BEC is a specific type of phishing designed to impersonate a genuine employee, often an executive, in order to trick other employees or vendors into wiring payments to unknown bank accounts that are quickly drained, leaving the funds difficult to retrieve. It is part phishing, part intra-business social-engineering, utilizing situational awareness of business relationships to manipulate the movement of money.
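One defensive control against the payment-redirection pattern described above is to screen payment requests before accounts payable acts on them. The following is an added example, not code from the article or its author; the mailbox addresses, vendor name and bank numbers are constructed placeholders, and the heuristics are assumptions about what a small finance team might check.

```python
# Added example (not from the article): a screening check for the BEC pattern the
# article describes, i.e. a message that looks like it comes from a genuine
# employee and asks for money to be wired to a bank account the business has
# never paid. All addresses, vendor names and account numbers are constructed.
import re

# Constructed accounts-payable data: vendors the business has paid before.
APPROVED_ACCOUNTS = {
    "GreenLeaf Packaging": {"routing": "021000021", "account": "123456789"},
}
# Mailboxes whose payment requests always warrant a phone call back, since
# executives are the usual impersonation targets.
EXECUTIVE_SENDERS = {"ceo@example-cannabis.test", "cfo@example-cannabis.test"}

PAYMENT_RE = re.compile(r"\b(wire|transfer|remit|payment|invoice)\b", re.I)
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")  # routing/account numbers in the samples
NEW_BANK_RE = re.compile(r"\b(new|updated|changed) (bank|banking|account)\b", re.I)
PRESSURE_RE = re.compile(r"\b(urgent|asap|today|confidential|discreet)\b", re.I)


def screen_payment_request(sender, subject, body):
    """Return the reasons to hold this request for out-of-band verification.

    An empty list means the message is either not a payment request or matches
    a previously approved vendor account without any BEC warning signs.
    """
    text = f"{subject}\n{body}"
    if not PAYMENT_RE.search(text):
        return []  # not about money at all; nothing to screen
    reasons = []
    if sender.lower() in EXECUTIVE_SENDERS:
        reasons.append("payment request sent from an executive mailbox")
    known = {n for v in APPROVED_ACCOUNTS.values() for n in v.values()}
    numbers = set(NINE_DIGITS_RE.findall(text))
    if numbers and not numbers <= known:
        reasons.append("bank details do not match any approved vendor account")
    if NEW_BANK_RE.search(text):
        reasons.append("message announces a change of banking details")
    if PRESSURE_RE.search(text):
        reasons.append("urgency or secrecy language")
    return reasons


if __name__ == "__main__":
    # Constructed message in the style of a BEC sent from a compromised CEO mailbox.
    print(screen_payment_request(
        "ceo@example-cannabis.test", "Urgent wire today",
        "Please wire $48,000 to routing 111000025, account 987654321. "
        "This is our new bank account; keep it confidential."))
```

Any non-empty result should be confirmed with the requester by phone on a known number, never by replying to the email, since the article's point is that the sending mailbox itself may be under the attacker's control.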
What makes BEC uniquely difficult to identify and report is that the threat actor is often working within an authentic cannabis industry employee’s email account. Almost all successful BECs start with a phishing campaign wherein an employee is deceived into believing they should provide their username or email and password in response to a seemingly genuine email.
Phishing schemes are so sophisticated that some of the most effective phishing tests trick nearly 100% of recipients into clicking a malicious link. Consistent use of and reliance on e-mail has lulled many employees into losing sight of how quickly they can be duped. For example, a phishing test offering a free Netflix subscription as an employee perk deceived nearly 100% of its recipients. Beyond alluring phishing emails are the mundane, highly effective tricks that suggest an employee’s Microsoft Outlook account requires updating, or an alert about a large number of files deleted from a shared drive. Once an employee has fallen for the initial phishing email and provided their credentials, the threat actor is able to log into that employee’s email account and begin impersonating them. It is much easier to identify a grift when it comes from an unknown individual associated with an unrecognized
Cannabis & Tech Today // Summer 2021