
Business Email Compromise (BEC) Attack Steals $6 Million from Public School System

The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.

ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.

  1. Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
  2. Using that email access, the hackers monitored communications for several weeks, identifying vendors.
  3. Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.

Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.

This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.

As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear recognizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.

Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks

The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.

More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:

  1. Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them, or how frequently you change them. The only reliable way to keep criminals out of your email is to use two-factor authentication that requires you to complete an extra step via a personal device, such as a smartphone, before you can log in. Google now requires 2FA for some of its services. This should be a mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
  2. Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may be able to cover their tracks or spoof a location, but there will still be an unusual increase in access for individual accounts. Systems should be set up to alert both the account user and the IT staff whenever a new device attempts to connect to a network or log in to an email or online service.
  3. Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Organizations should put processes in place that mandate internal review of any changes in payment destinations, delivery schedules or delivery locations. Pay very close attention to the sender of any email requesting a change, as criminals will create phony emails that look legitimate to try to trick their targets.
  4. Mandate voice approval for any changes. When a request to use a new bank account comes up, or a client sends an email asking for a delivery to be rerouted, organizational procedures should require a phone call to that client’s point person. Do not call any number given in a suspect email. Call the number on file for the client or vendor, and ask them if they requested the change. Consider implementing a password that only you and the vendor would know as a means of authorizing any changes.
  5. Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.
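Steps 3 and 4 can be partly automated as a pre-payment screen. The sketch below is an added example, not part of the original article: it checks the sender of a vendor email against the domain on file and holds any payment-change request for a callback. The vendor record, domains, phone number and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master record; the vendor, domain and phone are placeholders.
VENDORS = {"Example Bus Co": {"domain": "examplebus.example", "phone": "+1-555-0100"}}
# Wording that suggests a change of payment destination.
CHANGE = re.compile(r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|routing|wire)\b", re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def review_vendor_email(raw, vendor):
    """Return reasons to hold a vendor email for review; empty list means none found."""
    record, msg = VENDORS[vendor], message_from_string(raw)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) or sender
    findings = []
    if sender != record["domain"]:
        kind = "lookalike" if edit_distance(sender, record["domain"]) <= 2 else "unknown"
        findings.append(f"{kind} sender domain {sender}")
    if reply_to != sender:
        findings.append(f"Reply-To diverts to {reply_to}")
    # A change request is held even when the sender checks out: the mailbox
    # itself may be compromised, so approval comes from a call to the number on file.
    if CHANGE.search(f"{msg['Subject']} {msg.get_payload()}"):
        findings.append(f"payment change: call {record['phone']} before acting")
    return findings

# Constructed sample messages.
LOOKALIKE = ("From: Example Bus Co <billing@examp1ebus.example>\nSubject: Remittance\n\n"
             "Please use our new bank account for all future payments.")
DIVERTED = ("From: billing@examplebus.example\nReply-To: ar@mailbox.example\n"
            "Subject: Updated wire details\n\nDetails attached.")
ROUTINE = ("From: billing@examplebus.example\nSubject: Invoice 1042\n\n"
           "Invoice 1042 for May transportation is attached.")

if __name__ == "__main__":
    for raw in (LOOKALIKE, DIVERTED, ROUTINE):
        print(review_vendor_email(raw, "Example Bus Co") or "no findings")
```

A screen like this only routes messages to a human reviewer; the approval itself still comes from the phone call to the number on file.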

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
