Entrepreneurs and investors are jumping head first into the red-hot cannabis market, lured by the potential for massive growth and profits. Unfortunately, cybercriminals have also taken notice of the opportunity and are specifically targeting cannabis operators. Sometimes these attacks are sophisticated, but often, all that is needed to protect a business is proper training, solid processes, and a healthy dose of cybersecurity awareness.

Cannabis operators are well-versed in the various ways to physically protect and secure their businesses. This same vigilance and proactivity is also necessary when it comes to cybersecurity. Just as a business uses locks, alarms, and security cameras to monitor and protect itself, it is important to employ the following processes to ensure sensitive information doesn’t get compromised, resulting in financial, reputational, intellectual property, and personal data losses.

A majority of cannabis operators are small businesses, which account for 43% of cyber attack targets. Additionally, 47% of small businesses had at least one cyber attack in the past year. The fallout from a cyber incident is significant as 60% of small companies go out of business within six months of a cyber attack. Therefore, it’s worrisome that 70% of small businesses are unprepared to defend themselves against cyber attacks.

Common Cyber Threats for Cannabis Operators

While there are myriad ways cyber criminals can attempt to attack a business, we’ve decided to focus on three of the most common threats. An overwhelming majority of breach incidents involve identity theft, and another third focus on account or financial access. Being aware of the types of attacks a cannabis business might encounter will also help you identify proper ways to protect your business and hopefully counter these attempted breaches.

Social Engineering & How to Respond

A whopping 98% of cyber attacks involve social engineering, which is when criminals use social dynamics to trick someone into disclosing sensitive information or transferring money. Usually these requests appear to come from someone in authority or a legitimate service provider and include a sense of urgency, fear, helpfulness, or hope.

Examples of social engineering include:

  • A text that appears to come from the CEO instructing an intern to purchase ten $100 gift cards, scratch off the codes, text those codes back, and not tell anyone because those gift cards will be surprise holiday gifts for the staff;
  • A LinkedIn message that claims to be a manager stuck on a phone call and in desperate need of access to the company’s list of patient files.
[Image: screenshot of an email with various social engineering red flags highlighted]

Red flags in this attempted social engineering attack include: (1) addressing the email to a generic title rather than the individual’s name; (2) using the incorrect term “hustle” rather than “fraud”; (3) nonsense phrasing; (4) misspellings; and (5) a link to download a file. Additionally, the scammers rely on a sense of fear and urgency to prompt the recipient to click the link, which undoubtedly will download malware to the computer. Image courtesy of Sullivan Wright Technologies.

The easiest way to thwart social engineering is to contact the person through a different communication channel to confirm that they actually sent the message. If an email applies pressure to share login information for bank accounts, call the person to verify they really did ask for the information. If it seems odd that a text has requested payment in the form of gift cards, email that person or call that service provider.

Phishing & How to Respond

In addition to social engineering, phishing is a similar and popular type of cyber threat. Phishing is when criminals send mass emails to trick people into clicking on malware or disclosing sensitive information or financial account credentials. More than 90% of successful data breaches originate from phishing emails, and phone calls and texts are also popular methods of attack.

Examples of phishing attacks include:

  • A text claiming to offer shipping updates for a package;
  • A phone call supposedly from the electric company threatening to cut off service unless a bill gets paid in gift cards;
  • An email posing as DocuSign instructing the recipient to click a link to review attachments;
  • A letter in the mail which includes a bogus change of address form from USPS, which would allow an attacker to redirect mail to an address of their choosing.
[Image: screenshot of an email with phishing red flags highlighted]

Red flags in this phishing attempt include: (1) a spoofed email address that is very long and complicated; (2) addressing the recipient by their email address rather than their name; (3) misspelling the corporate name and address of the entity the scammers are trying to imitate. The cyber criminals rely upon creating a sense of fear and urgency in the recipient to prompt them to click a link that will lead to malware. Image courtesy of Sullivan Wright Technologies.

Phishing often uses fake branded websites and emails that look legitimate enough to trick victims. However, red flags include misspellings, odd phrases, and web or email addresses that are very similar to the real thing but might differ by one or two characters. The best deterrent of phishing attempts is to never click links or attachments on suspicious emails. Additionally, it is recommended to visit the legitimate website of the service provider in question and/or contact them through their known customer service to verify if the message is real or not.

The Danger of Malware

Malware is malicious software that takes control of computers. This is almost always delivered through emailed links or attachments that are typically disguised as invoices or email delivery failure notices. Once opened, these programs are downloaded and installed on the computer in order to access files or the company’s network, steal login credentials for financial or social media accounts, or even take over webcams and microphones for spying purposes. Ransomware, a very disruptive form of malware that costs businesses more than $75 billion annually, encrypts file systems and data until a ransom is paid.

A Real-World Cybercrime Case Study

A high-volume cultivator recently fell victim to a socially engineered scam that cost them more than $20,000. Unbeknownst to the cultivator, scammers gained access to the company’s email account. The criminals monitored all email activity until they intercepted an email from a vendor for a sizable invoice. The scammers deleted the original invoice email and sent the cultivator an altered invoice with different payment instructions that directed the payment to the scammer’s bank account. The fraudulent email came from an email account that looked nearly identical to the actual vendor’s email address, except that the “.com” at the end was changed to “.org.” Not suspecting anything, the cultivator paid the invoice using a third-party payment service (not via Abaca).

After a few weeks passed, the CEO was made aware that the vendor was claiming the invoice had not been paid. Several employees worked together to figure out what had happened. This was when they discovered the fake email account and traced the payment information in the doctored invoice to an account in South America that had already been cashed out and closed.

By the time the fraud was detected, more than a month had passed. It was too late to reverse the transaction, and, citing the terms of their service, the third-party payment platform would not help the cultivator either. The criminals cheated the business out of more than $20,000, and the cultivator still had to pay their vendor for that same amount.

Preventing This Attack

  1. Two-factor authentication on the email account would have prevented email intrusion. 
  2. Careful attention to the “from” email address would have uncovered the “.org” altered email extension. 
  3. Formal organizational processes and accurate vendor records may have uncovered the altered account number in the invoice. 
  4. Payables controls with dual-person approval may have enabled detection of the fraudulent ACH information (available on Abaca).
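As an added illustration (not code from the article or from Abaca), the following Python check applies prevention steps 2 and 3 above, together with the phishing section's note about addresses that differ from the real thing by a character or two: it compares the sender's domain against the vendor domains on file and the invoice's payment details against the vendor record. The vendor domain and account numbers are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed vendor master record (placeholder values, not from the article).
VENDOR_RECORDS = {
    "nutrients-supplier.com": {"account": "111222333", "routing": "021000021"},
}


def sender_domain(address):
    """Extract the domain part of a 'from' address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_domain(domain, known_domains, threshold=0.85):
    """Return the vendor domain that `domain` imitates, or None if it is exact
    or unrelated. Catches the '.com' -> '.org' swap from the case study
    (same label, different TLD) and near-identical spellings (one or two
    characters off), which the phishing section lists as a red flag."""
    if domain in known_domains:
        return None
    label = domain.rpartition(".")[0]
    for known in known_domains:
        if label and label == known.rpartition(".")[0]:
            return known
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None


def check_invoice(sender, account, routing):
    """Return a list of red flags for an invoice email (empty list = clean).
    Step 2: verify the 'from' domain. Step 3: compare payment details to
    the vendor record on file rather than trusting the invoice."""
    flags = []
    domain = sender_domain(sender)
    suspect = lookalike_domain(domain, VENDOR_RECORDS)
    if suspect:
        flags.append(f"sender domain {domain} resembles known vendor {suspect}")
        record = VENDOR_RECORDS[suspect]
    else:
        record = VENDOR_RECORDS.get(domain)
    if record is None:
        flags.append(f"no vendor record for {domain}; verify out of band")
        return flags
    if (account, routing) != (record["account"], record["routing"]):
        flags.append("payment details differ from vendor record; "
                     "confirm by phone using the number already on file")
    return flags
```

Any non-empty result should block payment until the vendor confirms the details through a channel that does not depend on the suspect email.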

In Summary

In Part 1 of this cybersecurity primer, we’ve covered the most common types of cyber attacks and the devastating effects they can have on cannabis operators. To learn how to best protect your business and how to respond in the wake of a breach, read the recommended cybersecurity measures in Part 2.

All cybersecurity statistics referenced in this article can be found at https://purplesec.us/resources/cyber-security-statistics/.