One of our Washington cannabis clients recently learned that one of its employees was the target of a cybersecurity attack. The employee, who was following instructions sent via a messaging app, wired money to an individual at the request of someone he believed to be an owner of the company. That was not the case! The employee had fallen victim to a cybersecurity attack. Our client has asked us to publish this post as a public service announcement to other cannabis businesses.
These attacks are becoming more and more prevalent as we continue to communicate online. In this case, the employee was a victim of “phishing,” a scheme in which a fraudster impersonates another person to induce individuals to reveal information or, in this case, send money. Other cybercrimes include data breaches, where hackers obtain sensitive information by breaching a company’s secured files and then use that information for identity theft, blackmail, or other crimes. Cybercriminals can operate across the globe, meaning that anyone online can quickly become a target. Marijuana businesses in Washington State (and elsewhere) need to be aware of the risk of cyber attacks as we enter a new decade.
No industry is safe from the threat of a cyber attack or other security incidents relating to technology. However, nefarious online fraudsters may see a unique opportunity in the marijuana industry. Marijuana businesses generally lack access to traditional financial services and therefore deal with a lot of cash. By way of example, compare a restaurant to a marijuana business. A restaurant is inevitably going to deal with cash. Diners may pay an entire bill using cash or may leave a cash tip after charging their meal. But it’s unlikely that a restaurant’s owner will pay its employees and vendors in cash. Most restaurants also don’t require that their customers pay only in cash.
Now consider a standard marijuana business. Washington’s recreational marijuana market is one of the oldest in the country, and many marijuana businesses in Washington can obtain a checking account. However, marijuana retailers are generally operating on a “cash-only” business model, as credit card companies like Visa and Mastercard will not process transactions that involve the sale of a federally illegal substance. That means retailers often have large amounts of cash to deal with each day. Some of that cash may go directly to pay producers and processors for products on the retailer’s shelves. Regardless of the type of license, many marijuana businesses often have large amounts of cash on hand. It is therefore not unheard of for an employee of a marijuana business to field requests that involve wiring cash to a given account or otherwise undertaking a transaction that might seem odd in any other industry. Lack of access to financial services has made the unusual normal in the marijuana industry.
Cybercriminals may also be drawn to marijuana businesses due to the illicit nature of marijuana under federal law. As we’ve written probably a million times, marijuana is illegal under federal law. That makes reporting cybersecurity events more challenging due to the risk of self-incrimination. A marijuana business may not want to “make waves” by reporting to federal agencies like the Department of Justice (DOJ) or the Federal Bureau of Investigation (FBI). However, it’s worth noting that the FBI has sought out tips relating to corruption in the cannabis industry. Nevertheless, federal prohibition does, at the very least, complicate the ability of marijuana businesses to report cybercrime. Those concerns are not as pronounced if reporting to local law enforcement in states that have legalized marijuana.
If you’re concerned about scams, here is a non-exhaustive list of steps that you can take to mitigate cybersecurity risks before they happen:
Adopt or update a policy where employees are to obtain confirmation by phone before sending money to any person outside of the usual course of business. This doesn’t mean that a person needs to check in before paying a known vendor, but would prevent an employee from wiring money based solely on messages or email.
Check usernames and email addresses
If I email someone, my name will show up as “Daniel Shortt” and my email will read “email@example.com.” Someone impersonating me could list their name as “Daniel Shortt” even if their email address was “ScammyMcScammerson@fraud.net.” The same concept is true of usernames. On Twitter, my name is “Daniel Shortt” and my handle is @dshortt90. A fraudster could change his or her name to Daniel Shortt with a handle of @dshort90. This is even trickier, as my handle is very close to the fraudster’s (my name has two t’s at the end). Employees should be on the lookout for these fake emails and usernames.
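As an added illustration (not code from the original post), here is a small Python check that applies the two tests above to an incoming From: header and a social-media handle: does a display name that matches a known contact arrive from that contact’s real address, and is a handle a one- or two-character lookalike of the real one? The address book is constructed from the names in the post, and the “within two edits” rule is an assumption.

```python
from email.utils import parseaddr

# Constructed address book (assumption: the business keeps a list of the real
# address and handle for each person whose name is likely to be impersonated).
KNOWN_CONTACTS = {
    "Daniel Shortt": {"email": "email@example.com", "twitter": "dshortt90"},
}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return warnings for a raw From: header such as
    'Daniel Shortt <ScammyMcScammerson@fraud.net>'. The display name is
    what the mail client shows; the address is what actually matters."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip(), addr.strip().lower()
    known = KNOWN_CONTACTS.get(name)
    if known is None:
        return []  # unknown display name: nothing to compare against
    if addr != known["email"].lower():
        return [f"display name '{name}' is a known contact, but '{addr}' "
                f"is not their address ({known['email']}); verify by phone"]
    return []

def check_handle(name, handle):
    """Flag a handle that is close to, but not exactly, the known handle
    for a display name (e.g. @dshort90 posing as @dshortt90)."""
    known = KNOWN_CONTACTS.get(name)
    if known is None:
        return None
    expected = known["twitter"].lower()
    handle = handle.lstrip("@").lower()
    if handle == expected:
        return None
    if edit_distance(handle, expected) <= 2:
        return f"@{handle} is a near-match for @{expected} ({name}); likely impersonation"
    return f"@{handle} does not belong to {name}"
```

A mail-filter or helpdesk script can run `check_sender` on every inbound message that mentions a payment and route any warning to the designated fraud account described below.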
Implement a protocol for reporting security events
If you’ve been targeted once, chances are you’ll be targeted again, perhaps in a more sophisticated manner. You want to be able to get the news out without exposing your other employees to security threats. Forwarding an email to another worker just increases the risk of that person clicking on a link that installs malware or engaging with a fraudster. Establishing a protocol to send screenshots of suspicious messages, or to forward them to a designated fraud account, is one way of dealing with this issue.
Audit your existing security procedures
This can be done in house or by hiring a consultant or attorney. If you don’t have a security protocol in place, that’s an even bigger reason to audit your company’s operations. That way you can identify risks before they happen.
Protect your passwords and other sensitive information
You may want to require that your employees use multi-step authentication software when signing into company accounts. This usually requires that a person confirm their login on a separate device, such as through a smartphone app or a link sent via text. Make sure your employees are not sending passwords through email or messaging services. Passwords should also be complex and changed regularly.
If you do fall victim to a cybersecurity attack, make sure to respond quickly and notify others in your organization about the threat. You should also reach out to your organization’s lawyer or in-house counsel to discuss next steps, which may include reporting to law enforcement.