Marijuana MSO MariMed loses $646,000 in ‘sophisticated’ email fraud

Be at the forefront of cannabis and psychedelics science and innovation. Register by March 14 & Save $100 on tickets to The Emerald Conference by MJBiz Science, April 1-3 in San Diego.


Image of multiple skull and crossbones with blue tinting hovering above red circuitry

(Image by Skórzewiak/stock.adobe.com)

Multistate marijuana operator MariMed mistakenly transferred hundreds of thousands of dollars to a “fraudulent recipient” after receiving a “forged email,” according to the company’s latest quarterly filing with U.S. securities regulators.

The fraud revelation comes shortly after the Massachusetts-based MSO’s chief financial officer resigned without explanation, although it is unclear whether the two events are linked.

MariMed, which operates in five states, confirmed to MJBizDaily that the lost sum totaled $646,000.

“We have nothing further to share other than that our expectation is we will recover lost funds either from the bank or through our cybersecurity insurance policy,” MariMed Chief Communications Officer Howard Schacter said in an emailed statement to MJBizDaily.

“This was a very sophisticated, global fraud that we believe took months of planning and we have been working with the FBI and local police during their investigations,” he continued.

“This should serve as a cautionary tale to any company, including those like MariMed that operate at the highest standard of financial discipline and governance.”

Money remains unrecovered

The transfer was related to a term-loan payment, according to MariMed’s 10-Q form for the quarter ended Sept. 30.

The money was sent to a Chase Bank account “provided in a forged email we received,” the filing noted.

It appears that MariMed scrambled to stop the transfer.

At first, Chase Bank told MariMed that the cannabis MSO “had identified the problem before the payment was delivered” and the transfer was on hold as the bank investigated.

“That investigation is still ongoing, and the bank has since indicated that the funds were delivered to the fraudulent recipient’s account,” MariMed wrote in its quarterly filing.

“We are awaiting receipt of a formal response from the bank with the results of its investigation and continue to pursue all channels through our bank to recover these funds.”

MariMed has also filed a claim under its corporate cybersecurity insurance.

The company, which accounted for the $646,000 sum as an expense in its financials, said it “will reverse the expense” if the money is recovered from the bank or from the insurance claim.

“We have implemented additional safeguards to protect ourselves from future fraudulent activity,” MariMed’s filing said.

Former MariMed CFO Susan Villare resigned effective Oct. 31, not long before the company reported third-quarter earnings.

MariMed’s Nov. 3 news release announcing Villare’s resignation offered no details or commentary regarding her departure.

The company declined to answer an MJBizDaily question regarding whether Villare’s resignation was related to the email fraud incident.

MJBizDaily reached out to Villare for comment and is still awaiting a response.

Criminals ‘exploit the weakest link’

Joseph Steinberg is a New York-based cybersecurity expert and author who reviewed MariMed’s filing.

“These are not simplistic attacks where some random criminal sent out 10 million phishing emails,” Steinberg said.

“In most cases, these things are going to involve reconnaissance, planning, strategic targeting, using information – perhaps multiple steps by the fraudster, perhaps multiple emails, maybe even phone calls by the fraudster.”

Steinberg noted that he couldn’t comment on MariMed’s specific case without knowing more details.

However, he painted a picture of corporate cybercrime that’s much more complex than simple phishing scams.

“People have the tendency, sometimes, to say, ‘Oh, somebody got phished,’ and oversimplify it as if this were all an error by one party – it’s often not the case,” he said.

“Sometimes there are cases where banks have processed transactions that they shouldn’t have processed, (where) there were glaring red flags.

“Sometimes there are situations where the information came from the legitimate party,” Steinberg continued.

“There are cases where stuff is even confirmed over the phone, and there’s fraud involved in the phone calls.”

Fraudsters can breach a company’s cybersecurity indirectly by targeting third parties, Steinberg warned.

“Criminals know how to exploit the weakest link in the chain,” he said.

“If you’re a sizable business and you’re doing a lot of business, and you’ve got real money that can be stolen, criminals may try to get into you by leveraging mistakes or security weaknesses at a third party with whom you’re doing business – so you have to protect yourself, also, against those types of risks.”

Solomon Israel can be reached at solomon.israel@mjbizdaily.com.