Mergers and acquisitions can build your company’s value overnight, but business email compromise (BEC) and data breaches can tear it down just as quickly. Too often, M&A announcements are followed by waves of BEC attacks against the companies involved, or by news that the target company was the victim of a data breach. To get the most value from a merger or acquisition, you need to know how to safeguard your email and your data during the process.
The global value of M&As hit $3.8 billion in 2018—higher than in recent years—and that number is expected to grow once again in 2019 as businesses look to expand their market share and financial activity. Unfortunately, email fraud is big business too. Since 2013, BEC attacks have cost US public companies more than $5 billion. Spear phishing attacks on companies rose by 70% in 2018, and BEC and spoofing attacks rose by 250%. These attacks are on the rise because they’re effective. In our work with Fortune 500 companies in a range of industries, we know they often see a spike in spear phishing and email spoof attacks during the M&A process.
Why do M&As draw so much attention from criminals? In general, attackers strive to take advantage of the surge in valuable data that exchanges hands during the merger or acquisition process. That data can be as complex as trade secrets or as simple as executive and vendor email addresses—if there’s a market for it, thieves will go after it.
And these attacks succeed because of the situation. Many people involved with a merger or acquisition will overlook small inconsistencies in emails since things across the company are changing and new people are joining the conversation. By exploiting those changes and the pressure—real or perceived—to make the transition go as smoothly as possible, BEC scammers trick employees into making payments and sharing sensitive information.
The attacks take varying forms, often depending on the situation and who the criminal is targeting. One popular tactic is to spoof an executive’s email address to send lower-level employees an urgent request for information to complete a deal. The SEC says emails like this often urge the recipient to keep the request a secret, and they sometimes say the request falls under government rules. Faced with a request that appears to come from the CEO or CFO, an employee who wishes to make a good impression on their new manager may comply with the request before taking the time to verify the identity of the sender.
Another tactic is to spoof an executive or vendor email address and send a time-sensitive request for a payment or wire transfer. Even if something seems off about the email, the recipient may chalk it up to the M&A process and comply to keep things moving along. No one wants to be the wrench in the gears, especially when the major changes are happening across the entire organization.
Unfortunately, the security risks associated with mergers and acquisitions do not end when the deal is complete. In fact, they can start before the deal is planned and last for years after it closes. That’s because too few parent companies complete thorough security due diligence on the companies they buy. In fact, 78% of dealmakers say there’s not enough cybersecurity vetting before M&As. Without due diligence around cybersecurity, you can end up buying problems that cause financial losses, brand damage, legal entanglements, and loss of trust.
BEC and phishing scams are expensive. The SEC found that in 2017, US public firms lost $675 million to BEC attacks—more than they lost to any other kind of cyberfraud that year. For a mid-size organization, a single successful phishing attack can lead to losses of $1.6 million. And that’s before you factor in how security breaches can damage a company’s market value. Verizon’s purchase of Yahoo was held up after Yahoo disclosed two major data breaches late in 2016. In 2017, Verizon paid $350 million less for Yahoo than the initial offer, and spelled out post-breach legal responsibilities before closing the deal.
Let’s contrast Verizon’s delay and re-negotiation with Marriott’s recent data breach situation. Marriott acquired Starwood in 2016, but didn’t learn until recently that Starwood’s customer data had been breached since 2014. Now, breach-related losses may drive up the original $13.6 billion cost of Marriott’s purchase. One of the class-action lawsuits filed on behalf of affected Starwood guests seeks more than $12 billion in damages. Then there’s $912 million in fines Marriott may have to pay under the EU’s GDPR law. Marriott’s stock price dropped by more than 5% when the breach was disclosed on November 30 and it has still not recovered—more than a month later. The situation perfectly illustrates Forrester’s advice that when it comes to cybersecurity due diligence, companies can “pay early or pay often.”
As for the guests whose personal data was stolen, investigators say it may now be in the hands of Chinese intelligence agencies. Why? Possibly to track, recruit, or blackmail business executives and other high-value targets, thereby creating new security liabilities.
Due diligence and solid email security protocols protect the value your merger or acquisition creates. Identity-based email security also gives you peace of mind during the complex M&A process, allowing you and your employees to trust every message in your inbox—even as you’re bringing systems and teams together for the first time.
No matter which approach you take, it’s vital to secure your digital communications prior to entering a merger or acquisition agreement. Cybercriminals can and will take advantage of organizations that are in transition, and companies are increasingly susceptible to email attacks as they begin merging their systems and their people. Make sure you’re prepared against advanced email threats to protect both companies from financial losses, brand damage, and legal entanglements.
To learn more about how Agari can help your organization navigate email security during the M&A process, download “How to Conquer Targeted Email Threats: SANS Review of Agari Advanced Threat Protection.”