Boardman Molded Products, an Ohio-based manufacturing company, has filed a lawsuit against Involta, its managed services provider (MSP), after a phishing attack. According to reports, an attacker gained access to one of Boardman’s internal email accounts and used it to send phony invoices requesting payment to fake accounts, totaling over $1.7M in just 9 days.
Boardman’s suit claims professional negligence and malpractice, citing Involta’s offer to let the company “focus on innovation and business tasks” and allow Involta to protect them. The initial report of the incident was also classified as “medium” priority, and the ticket was closed the following day when Involta claimed to have verified that there was not a breach. Involta responded that Boardman did not have sufficient security policies for payments, which led its accounting team to wire money to Hong Kong and Cambodia without verifying the invoices that were sent to them from the business owner’s email.
This case should be watched carefully by both the organizations that rely on third parties to help protect them and those of us who provide that protection. In the meantime, take the biggest lesson from this story: if your organization transfers funds electronically, you are at risk of a phishing attack. Make sure you have a process for verifying the legitimacy of the request that includes verifying the source of the request through other means (such as a phone call) and verifying the account information that the money will be sent to. Also make sure you have resources at the ready to help you determine whether you have been breached and what steps to take to minimize your damages.