High Wycombe-based Red Kite Community Housing recently announced it has lost £932,000 ($1.2 million) to a business email compromise (BEC) scam.
BEC is the leading cause of financial losses due to cybercrime. The attacks involve compromising or spoofing a corporate or vendor email account and using the account to send messages to individuals responsible for wire transfers. The scammers arrange fraudulent wire transfers or change the bank account information of vendors. The crimes are often discovered weeks later when the payments are queried. By that time, it is often too late to recover the stolen funds.
The Red Kite Community Housing BEC attack involved the impersonation of one of Red Kite’s suppliers. The attackers registered a domain that was virtually identical to the one used by its supplier, set up an email account on the domain, and recreated an email thread which fooled all individuals copied on the message into thinking the response was genuine.
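A defensive check for the near-identical sender domain described above, as an added example that is not from Red Kite or the original article: it compares the domain in a From header against a list of known supplier domains and flags close matches. The supplier domains, the confusable-character table and the distance threshold are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of supplier domains (hypothetical names, not from the article).
KNOWN_SUPPLIERS = {"acme-building.example", "northfield-supplies.example"}
# Character sequences that read alike in many fonts, folded to a single form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]

def skeleton(domain):
    """Fold look-alike sequences and drop separators so visual twins compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return re.sub(r"[-_.]", "", s)

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of the address in a From header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def check_sender(from_header, known=KNOWN_SUPPLIERS, max_distance=2):
    """Return ('exact' | 'lookalike' | 'unknown', matched supplier domain or None)."""
    dom = sender_domain(from_header)
    if dom in known:
        return ("exact", dom)  # the string matches; SPF/DKIM/DMARC must still pass
    for good in sorted(known):
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= max_distance:
            return ("lookalike", good)  # hold payment-detail changes from this sender
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers for illustration.
    for hdr in ["Accounts <billing@acme-building.example>",
                "Accounts <billing@acrne-building.example>",
                "billing@acme-biulding.example",
                "news@unrelated-shop.example"]:
        print(hdr, "->", check_sender(hdr))
```

A "lookalike" result is a reason to verify the request through a contact channel already on file for the supplier, not through any detail in the message itself.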
Red Kite was aware of the threat of BEC attacks and had already implemented policies and procedures that required any account changes to be verified. However, on this occasion the two-stage process failed, and the bank account change was actioned. The scam occurred in August and attempts have been made to identify how the attack occurred to provide accurate information to law enforcement. A leading cybersecurity organization has been assisting with the investigation and law enforcement is actively investigating the case.
Red Kite is a nonprofit community housing firm and the stolen funds had been provided by tenant-owners. Red Kite said it has re-negotiated a loan deal which has made £1.1 million available to compensate tenants for the loss. Red Kite said, “We can say with certainty that, as a result of this con, we will not be changing anything we currently support or that we undertake for our community, either now or in the future.”
Red Kite said in its website notice that the incident has highlighted how “you can never drop your guard for a moment, no matter how safe you think your systems are.”
Prior to the attack, Red Kite had invested in robust cybersecurity solutions, regularly arranged third-party penetration tests to assess the security of its systems, conducted regular vulnerability scans, and frequently reviewed its defenses to ensure they were capable of protecting against new forms of attack. In this case those measures failed to prevent the attack due to human error.
Red Kite has since audited all its systems and reviewed its payment processes to minimize the chance of weaknesses occurring in the future. Additional training has also been provided to staff.
Red Kite is far from the only company to fall victim to such an attack. Figures released by the FBI’s Internet Crime Complaint Center in September 2019 estimate global losses to BEC attacks to have exceeded $26 billion in the past three years. U.S. losses in 2018 are estimated to have exceeded $1.3 billion. One of the biggest ever losses to cybercrime was reported last year by the Japanese media conglomerate, Nikkei Inc. Its BEC attack cost the company $29 million.