North Carolina county falls for BEC scam, to the tune of $1,728,083

The North Carolina county of Cabarrus, in the US, says that it’s managed to claw back only some of the $2,504,601 it paid to a scammer posing as a contractor working on building a new high school.

The crooks used social engineering – specifically, what’s known as a Business Email Compromise (BEC) scam – to pose as Branch and Associates, which is a general contractor that’s working on building a new school for the Cabarrus County Schools District.

The scam came to light after Branch and Associates sent a courtesy notice about a missed payment on 8 January. County staff confirmed that the electronic funds transfer (EFT) had, in fact, cleared the month before.

County officials next notified the bank to which the $2.5m was transferred, Bank of America. The bank managed to freeze $776,518.40 of the $2,504,601 that remained in traceable accounts.

The scam is still under investigation by the Cabarrus County Sheriff’s Office and the FBI.

What the investigation has revealed so far: In a series of emails that began on 27 November 2018, the imposters posed as representatives of Branch and Associates in order to spear-phish employees of Cabarrus County Schools and Cabarrus County Government.

Using what looked like valid documentation and signed approvals, they sent a request to “update” Branch and Associates’ banking information. Requests to update bank account information are “routine,” the county noted in its statement about the crime, so that wouldn’t have been enough to raise any red flags.

Next, the crooks waited for the county to transfer its next vendor payment. Once the money was deposited into an account that the swindlers controlled, the funds were then funneled into a number of other accounts.

A growing threat

Ransomware might be racking up the headlines, but in the meantime, BEC scams and the amount of profits they’re netting crooks are continuing to explode. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year.

The scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.

They’re getting increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

We saw an example of an EAC scam in the real estate sector earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

As far as sophistication goes, these guys have it down to an art. In one whaling attack (one that’s targeted at the biggest fish in an organization, such as a CEO or CFO) against two tech companies a few years ago, the scammer came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of two tech companies.

The documents bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer: a total of more than $100,000,000.

A twist that the FBI saw in 2018: the scammers are increasingly requesting that their victims purchase gift cards. The victims get a spoofed email, phone call or text, purportedly from somebody in authority, who asks that the victim buy multiple gift cards for either personal or business reasons.

How to keep from being fleeced

There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.

As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

Cabarrus County says it’s doing just that: it’s hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes and reviewing its vendor files. The county said that the consultant, Debra Richardson, is “one of the nation’s leading experts in reviewing and strengthening vendor setup and maintenance authentication techniques, internal controls and best practices to reduce the potential for fraud.”

That new vendor authentication process is now in place, and Cabarrus County says that it’s held training for staff. It’s also implemented external checks to validate data received by the county.

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Also, here are more tips, for both individuals and businesses:

Watch your Ps&Qs… and apostrophes.
As we saw in the case of crooks who nabbed the proceeds from that $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted at the time in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.

Watch out for weird requests.
In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

Report it.
Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?