
Quick thinking by Portland Public Schools stops $2.9m BEC scam

Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.


BEC is a sneaky form of attack in which a criminal impersonating a third party convinces someone at an organization to wire them money. The crook targets someone with control of the purse strings and uses what looks at first glance like a legitimate account owned by a supplier or business partner.

Sometimes, a BEC scammer might compromise the email account of a senior executive at the target company, or at their supplier, to get a better idea of how they communicate. They could even send an email directly from that account to someone with access to company funds. Sometimes, though, they can spoof an email and request the funds without hacking anything, relying entirely on social engineering.

Who, you may ask, would fall for such a thing? Lots of people apparently, including two employees at Portland Public Schools. A fraudster contacted them pretending to be from one of the institution’s construction contractors, asking them to send payment to an account. Of course, the request was illicit, and the account illegitimate. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.

Luckily, Portland Schools moved quickly to stop the transaction. In a letter to employees and schools, superintendent Guadalupe Guerrero said that the banks involved froze the fraudulent funds, adding:

PPS has already begun the process to recover and fully return funds back to the district, likely within the next several days.

Guerrero didn’t reveal how Portland Public Schools found the fraud, but the institution acted quickly after it did. It immediately contacted the FBI and Portland Police, along with the Board of Education.

While employees’ quick thinking thwarted these crooks, many get away with it, which is why BEC is becoming so prevalent. According to the 2018 FBI Internet crime report, losses from BEC scams doubled in 2018, reaching $1.3 billion.

What can you do to protect yourself against the scammers? You could do worse than follow Portland Public Schools’ example. Guerrero said:

All district payment procedures and internal controls are being reviewed, additional protocols and actions have already been identified, and all district finance staff will receive mandatory, updated training this week to reinforce protocols and to ensure updated procedures are in place to prevent incidents like this from occurring.

Companies should train staff to be suspicious of requests for secrecy or pressure to take action quickly, the FBI has said. They should also put two-step verification procedures in place for wire transfer payments, and should directly confirm fund transfer requests with known individuals working for those vendors.

8 Comments

You’re making a vast, unproven assumption that the bad guys are external to the district. If I were on the board of education, I’d insist that the two employees who approved the payment be suspended and investigated.

This type of scam doesn’t happen in a vacuum; someone either told conspirators how the district processes invoices and who to target, or the employees left that information out in the open. Districts don’t just mail checks for two million dollars; someone had to know where to set up a destination bank account that wouldn’t arouse district suspicion in an electronic funds transfer.

Reply

Assumptions are pretty much “unproven” by definition…

…but as far as I can see, we’re not making any suggestions about where the crooks were located.

The big problem with BEC is that if the crooks have the email password of someone in the accounts payable or accounts receivable team, they don’t need an insider to teach them internal procedures – they are effectively insiders themselves, because they can learn how the system works simply by logging in daily and watching it in action for a while.

AFAIK most documented cases of BEC don’t seem to unravel as insider jobs, even when huge sums were involved.

Reply

If it were just one compromised employee, I might buy the theory you suggest, in which the hacker just learned the routine and arranged the BEC. But I find it hard to believe that two fiduciaries failed to investigate such a large invoice. That’s why I think they were involved in the scam. I hope you follow up this article in six months with the outcome of any investigation.

Reply

Well, let’s see what transpires, shall we? IIRC, we’ve written about transfers (or near-transfers) of similar amounts before in attempted BEC frauds in which insiders were not subsequently outed as having been involved.

Reply

“Someone had to know where to set up a destination bank account that wouldn’t arouse district suspicion in an electronic funds transfer”

Pretty easy stuff, AC. If you know you’re targeting a school district in Portland, Oregon, a quick Google search will give you a list of local banks. And if you’re familiar enough with the USA to know Chase, Wells Fargo, U.S. Bank, and Bank of the West (which all appear in said Google search) are all very large well-known regional or national banks, it’s easy to avert suspicion.

Reply

If an email account was breached, the attackers would literally only need to skim older mails to know what to say, which bank to name, and who to target. Less than a day’s work for a lot of contractors who use email only for invoicing.

“Never attribute to malice that which is adequately explained by stupidity”
Not saying it *couldn’t* be an inside job, but let’s see where the investigation leads before we hang people out to dry in the comments section.

Reply
