The threat from business email compromise attacks has been clearly highlighted by the recently discovered BEC attack on El Paso, TX. According to the Mayor of El Paso, Oscar Leeser, city officials notified law enforcement in October that employees had fallen for phishing scams. Those scams resulted in the attackers stealing $3.2 million in funds from the city.
The BEC attack on El Paso was similar to numerous attacks that have taken place in the United States in recent years. The attacker posed as a vendor and informed the city that payment had not been received. A payment of $300,000 was sent, followed by a further payment of $2.9 million from the Camino Real Regional Mobility Authority.
The CFO identified the first payment after noticing that the money had been misdirected to a different account, but not in time to prevent the second payment from being made.
The decision was taken not to announce the BEC attack on El Paso so as not to jeopardize efforts to recover the funds. Leeser told the El Paso Times, “It’s an ongoing investigation and we never wanted to jeopardize the ability to regain the taxpayers’ money and also to hamper the ability of law enforcement to be able to do their jobs.” The request not to go public was made by law enforcement, according to Leeser.
Those efforts resulted in the city of El Paso recovering $292,000 from the first fraudulent transfer, although it was only possible to recover around $2 million from the second. Attempts are still being made to recover the remaining funds.
BEC attacks on U.S. organizations have increased substantially this year. The rise in attacks has prompted the FBI to issue a warning about the scams to both businesses and government agencies. The scams have so far resulted in losses of $2.3 billion.
Typically, the scams involve attackers impersonating the CEO or other high-ranking company members and requesting that account executives make transfers. Attackers also commonly impersonate vendors. All the information needed for the attacks is gathered from the Internet (social media websites, for instance) or by gaining access to company email accounts.
According to the warning issued by the FBI, “The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment.” The FBI goes on to say, “Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request.”
Organizations must exercise caution and should treat all transfer requests as suspicious if they involve new account details. Before any transfer is made, it is important to verify that the request is legitimate. In the case of the BEC attack on El Paso, the majority of the funds have been recovered, but that is not always possible.