The Federal Bureau of Investigation (FBI) has issued a warning to state, local, tribal, and territorial (SLTT) governments in the United States about Business Email Compromise (BEC) scams. Losses to BEC attacks rose by 5% in 2020 to more than $1.8 billion, and SLTT government entities were among the organizations targeted between 2018 and 2020.
BEC attacks involve the use of a compromised email account to send messages to individuals with authority to make wire transfers, convincing them to send payments to attacker-controlled accounts. According to the recent FBI Private Industry Notification, losses to BEC attacks ranged from $10,000 to more than $4 million between November 2018 and September 2020.
One attack in September 2020 involved a genuine vendor's email account being compromised and used to request a change of bank account details, which led to a $1.6 million payment being sent to an attacker-controlled account. A scam in December 2019 saw an SLTT government financial coordinator's email account compromised. While that individual was on holiday leave, the attackers used the account to send instructions to 146 government entities requesting changes to payment details, and $4 million in fraudulent payments were made to the attackers' account. Because the attackers still controlled the mailbox, when recipients sent messages querying the bank account changes the attackers were able to intercept those queries and reply confirming that the change was legitimate.
The pandemic has forced SLTT governments to move to a largely remote workforce, and BEC actors have targeted remote workers with social engineering and phishing attacks to steal the credentials they then use in BEC scams. Vendor and supplier email accounts are also commonly used in these scams. In addition to arranging fraudulent wire transfers, the attackers use harvested credentials to alter employees' payroll direct deposit information.
Information about SLTT government entities and their contractor and vendor relationships is easy to find in public sources, which allows attackers to tailor attacks to victims and create convincing scams impersonating trusted partners and vendors. Malicious tools such as credential-harvesting phishing kits are readily available from dark net sources, so threat actors need little technical experience to conduct these attacks.
The FBI warns that BEC actors likely identify SLTTs with inadequate cybersecurity protocols and target them, since those attacks require the least effort. In 2020, CISA conducted phishing campaign assessments on SLTT entities to measure their susceptibility to phishing: of 40,000 test emails sent, approximately 5,500 (a click rate of around 13.6%) were clicked. A click rate that high suggests security awareness training is failing in multiple places and, since some users will always click, it highlights the need for defense-in-depth mitigations that do not rely on users alone.
The FBI recommends educating employees about BEC scams, providing training on identifying phishing emails, and ensuring that any change to bank account information is verified by a telephone call to a known telephone number, never to contact details supplied in the email requesting the change. Compromised email accounts are commonly used in these scams, but sender addresses can also be spoofed or imitated, so sender information needs to be checked carefully. Attackers often register look-alike domains that differ from the genuine one by only a character or two, or place a trusted name in the display name while the actual address belongs to a free webmail provider, so that messages appear to come from a genuine source.
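The advice to check sender information carefully can be partly automated. The following is an added example, not code from the FBI notification or any product it references: it scans a message's From and Reply-To headers for the tricks described above (a look-alike or homoglyph domain, a trusted domain buried inside a longer untrusted one, a Reply-To pointing somewhere other than the From domain, and a display name that impersonates a trusted address). The trusted domain list and the sample messages are constructed for illustration; the registrable-domain and homoglyph handling are deliberate simplifications.

```python
"""Flag sender-address tricks common in BEC mail.

Added example; not code from the FBI notification. TRUSTED_DOMAINS,
HOMOGLYPHS and SAMPLE_MESSAGES are constructed for illustration.
"""
from email.utils import parseaddr

# Assumption: domains of partners and vendors this organization already pays.
TRUSTED_DOMAINS = frozenset({"examplevendor.com", "cityofexample.gov"})

# Character swaps attackers use so a registered look-alike reads like the real name.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Undo common homoglyph swaps, e.g. 'examp1evend0r.com' -> 'examplevendor.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a likely typo-squat of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a domain (simplification: ignores multi-part public suffixes)."""
    return ".".join(domain.split(".")[-2:])


def domain_of(addr: str) -> str:
    """Domain part of an address, or '' if the string is not an address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(headers: dict) -> list:
    """Return a list of findings for one message's From/Reply-To headers."""
    findings = []
    display, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)

    if from_dom and from_dom not in TRUSTED_DOMAINS:
        reg = registrable(from_dom)
        for trusted in sorted(TRUSTED_DOMAINS):
            if from_dom.endswith("." + trusted):
                continue  # genuine subdomain of a trusted domain
            if trusted in from_dom:
                # e.g. examplevendor.com.secure-payments.net
                findings.append(f"trusted domain {trusted} embedded in untrusted domain {from_dom}")
            elif normalize(reg) == normalize(trusted):
                findings.append(f"homoglyph look-alike of {trusted}: {from_dom}")
            elif edit_distance(reg, trusted) <= 2:
                findings.append(f"possible typo-squat of {trusted}: {from_dom}")

    # Replies to a message from a trusted mailbox should not be routed elsewhere.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # A display name that is itself a trusted address, in front of an unrelated mailbox.
    disp_dom = domain_of(display)
    if disp_dom in TRUSTED_DOMAINS and disp_dom != from_dom:
        findings.append(f"display name impersonates {disp_dom} but address is at {from_dom}")

    return findings


# Constructed sample headers, one per trick plus a genuine message.
SAMPLE_MESSAGES = {
    "genuine": {"From": '"Accounts Payable" <ap@examplevendor.com>'},
    "homoglyph": {"From": '"Accounts Payable" <ap@examp1evendor.com>'},
    "reply_to": {"From": '"Jane Doe" <jane@cityofexample.gov>',
                 "Reply-To": "jane.doe.finance@gmail.com"},
    "display_name": {"From": '"jane@cityofexample.gov" <x9@outlook.com>'},
    "embedded": {"From": "ap@examplevendor.com.secure-payments.net"},
}


def scan_all(messages: dict = SAMPLE_MESSAGES) -> dict:
    """Run check_sender over every sample and map message name -> findings."""
    return {name: check_sender(hdrs) for name, hdrs in messages.items()}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(f"{name}: {found or 'no findings'}")
```

The checks are a triage aid rather than a verdict: a finding should route the message to the out-of-band verification step the FBI recommends, and an empty result says nothing about a genuinely compromised vendor mailbox, which is exactly the case where only a phone call to a known number helps.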
Further mitigations for SLTT governments and information technology administrators can be found in the FBI Private Industry Notification.