In mid-October, the municipal offices of the city of Ocala, Florida, received a legitimate invoice from a construction company for nearly three-quarters of a million dollars, a partial payment for construction of a new terminal at the Ocala International Airport. When the city paid the invoice, however, the money went into the coffers of criminals overseas.
A massive bank hack? No. The criminals had impersonated the construction company nearly a month earlier and managed to convince a city employee to change the bank to which funds were paid, according to a report in the Ocala StarBanner. The $742,000 windfall for the criminals came after the legitimate company issued the invoice, and when the construction company notified the city five days later on Oct. 22, the money was gone.
“We take our city’s cyber security seriously and employees participate in mandatory trainings to arm them with the skills needed to identify and report these sophisticated campaigns,” Ashley Dobbs, Ocala’s marketing and communication manager, told the newspaper. “While we can’t change this outcome, we will continue to update and refine our cyber security systems and trainings to minimize future impacts.”
While ransomware continues to garner attention for its sheer disruptive power, businesses and government organizations continue to lose billions of dollars to impersonators who insert themselves into the victims’ financial workflow. Known most often as business e-mail compromise (BEC), the scam targets critical employees with phishing e-mails that specifically request they change the bank information for a particular vendor. When the company or organization pays future invoices, the funds are transferred to the fraudster’s bank account.
The number of attempts at e-mail impersonation has skyrocketed, jumping by 269%, according to messaging security firm Mimecast. In its quarterly E-mail Security Risk Report, the company found that only two-hundredths of a percent of e-mail messages involved impersonation, but that still amounted to more than 60,000 messages, more than double the number of messages with malware attached. In a previous survey, the company found that 85% of companies surveyed had experienced an impersonation attack in 2018.
“Businesses need to change their methodology and train users how to validate these e-mail messages,” says Josh Douglas, vice president of threat intelligence at Mimecast. “There really should be an additive layer to look for this malicious activity.”
The scheme has been lucrative for attackers. Nearly 180 countries and all 50 states have reported incidents of BEC, and reported losses have doubled in the past year, according to the FBI, which compiles statistics of compromises reported to its Internet Crime Complaint Center (IC3). In the past three years, more than $26 billion in losses due to BEC have been reported internationally, the FBI said.
“Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds,” the agency said. “However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey.”
Ocala is just the most recent victim.
In August, the city of Naples, also in Florida, paid about $700,000 to a scammer’s bank account after fraudsters changed the bank-routing information two months earlier, according to news reports. Two months later, the Japanese newspaper conglomerate Nikkei discovered that a New York City-based employee had been fooled into sending approximately ¥3.2 billion — about $29 million — on the order of what appeared to be a Nikkei executive.
“Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong,” the company stated.
Companies need to make sure they are using multiple methods of verifying requests to change bank account information, Mimecast’s Douglas says. And improving security on large transactions is not enough, as the FBI noted that payroll transactions are also a big target.
“With CEO fraud a year ago, attackers were going large-scale and going after financials,” Douglas says. “We are seeing a lot more targeted e-mails at the financial and HR teams to get a single paycheck. That piles up quickly and does not raise as many alarms in the process.”
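The multi-step verification the article recommends for vendor bank-change requests, written up here as an added example in Python (not code from the article or from any organization it names): the change is approved only if the e-mail's domain matches the vendor's record, the callback went to the phone number already on file rather than one supplied in the request, two people other than the requester signed off, and a hold period has elapsed. The vendor record, staff names, numbers and dates are all constructed.

```python
"""Approval gate for a vendor bank-account change request (added example, not the article's).
A change to where a vendor is paid is never applied on the strength of the e-mail alone: it must
be confirmed by phone to a number already on file, approved by two people other than the requester,
and held before the first payment. All vendors, people and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(days=2)  # assumed policy value

@dataclass
class Vendor:            # master record, maintained outside e-mail
    phone_on_file: str
    email_domain_on_file: str

@dataclass
class ChangeRequest:     # what arrived by e-mail
    sender_email: str
    received_at: datetime

@dataclass
class Verification:      # what accounts-payable staff actually did
    requester: str
    callback_number_used: str = ""
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def review_change(vendor, req, ver, now):
    """Return (approved, reasons); every failed control is listed, not just the first."""
    reasons = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain_on_file.lower():  # lookalike or free-mail domain
        reasons.append("sender domain %r is not the domain of record" % sender_domain)
    if ver.callback_number_used != vendor.phone_on_file:  # number must come from the record
        reasons.append("callback did not use the phone number on file")
    if not ver.callback_confirmed:
        reasons.append("vendor did not confirm the change out of band")
    if len(ver.approvers - {ver.requester}) < 2:  # two people besides the requester
        reasons.append("fewer than two independent approvers")
    if now - req.received_at < HOLD_PERIOD:  # no same-day payment to a new account
        reasons.append("hold period has not elapsed")
    return (not reasons, reasons)

def demo():
    vendor = Vendor("+1-555-0100", "example-builders.test")  # constructed vendor record
    received = datetime(2019, 9, 20, 9, 0)
    bad = review_change(vendor, ChangeRequest("ap@example-bui1ders.test", received),  # lookalike domain
                        Verification("clerk", "+1-555-0199", True, {"clerk", "mgr"}), received + timedelta(hours=3))
    good = review_change(vendor, ChangeRequest("ap@example-builders.test", received),
                         Verification("clerk", "+1-555-0100", True, {"mgr", "controller"}), received + timedelta(days=3))
    return bad, good
```

The first scenario in `demo()` fails four controls at once, which is the point: a single check, such as the e-mail "looking right", is not what stops the payment; the stack of independent checks is.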