A Southern Oregon University phishing attack has resulted in the theft of $1.9 million from the university’s accounts, arguably the worst phishing attack of the year to date.
While the Southern Oregon University phishing attack stands out due to the amount of money obtained by the attackers, it is sadly just one of a large number of attacks that have affected U.S. organizations this year. The scam is known as Business Email Compromise (BEC).
It involves a criminal impersonating a legitimate organization and fooling an employee into making a bank transfer to the criminals’ account. BEC attacks often result in transfers of hundreds of thousands of dollars being made. Those funds can rarely be recovered. By the time the scam is uncovered, the money has been withdrawn from the criminals’ accounts. Since the attackers are usually based overseas they are difficult to trace, let alone bring to justice.
The Southern Oregon University phishing attack involved the attackers impersonating a construction firm, Andersen Construction. The firm is legitimate and is constructing a student recreation center and pavilion. The firm receives regular large payments to cover the cost of staff and materials. In late April, an employee at Southern Oregon University received an email, apparently from the firm, changing the account details for the payments. The payment of $1.9 million was made, but it never arrived in Andersen Construction’s account. The email requesting the change of bank details had been sent by fraudsters.
This is quite a common occurrence and it is easy to see how the attackers conducted their campaign. It would be an easy task to find out which construction firm was completing work at the university, and straightforward to find the name and contact details of an individual in the accounts department that would likely be authorized to make the necessary changes. The scammer just needed to spoof the email address of the construction firm and rely on the recipient not questioning the change.
Southern Oregon University spokesman Joe Mosley explained that the scam is common and the university is not alone in falling victim to it, saying “We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities.”
The incident should serve as a warning for all organizations, especially universities. Any change in bank account details or new requests for payment arriving by email should be subjected to close scrutiny and confirmed as genuine requests over the phone.