Quick thinking by Portland Public Schools stops $2.9m BEC scam

Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.

BEC is a sneaky form of attack in which a criminal impersonating a third party convinces someone at an organization to wire them money. The crook targets someone with control of the purse strings and uses what looks at first glance like a legitimate account owned by a supplier or business partner.

Sometimes, a BEC scammer might compromise the email account of a senior executive at the target company, or at their supplier, to get a better idea of how they communicate. They could even send an email directly from that account to someone with access to company funds. Sometimes, though, they can spoof an email and request the funds without hacking anything, relying entirely on social engineering.

Who, you may ask, would fall for such a thing? Lots of people apparently, including two employees at Portland Public Schools. A fraudster contacted them pretending to be from one of the institution’s construction contractors, asking them to send payment to an account. Of course, the request was illicit, and the account illegitimate. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.

Luckily, Portland Schools moved quickly to stop the transaction. In a letter to employees and schools, superintendent Guadalupe Guerrero said that the banks involved froze the fraudulent funds, adding:

PPS has already begun the process to recover and fully return funds back to the district, likely within the next several days.

Guerrero didn’t reveal how Portland Public Schools found the fraud, but the institution acted quickly after it did. It immediately contacted the FBI and Portland Police, along with the Board of Education.

While employees’ quick thinking thwarted these crooks, many get away with it, which is why BEC is becoming so prevalent. According to the 2018 FBI Internet crime report, losses from BEC scams doubled in 2018, reaching $1.3 billion.

What can you do to protect yourself against the scammers? You could do worse than follow Portland Public Schools’ example. Guerrero said:

All district payment procedures and internal controls are being reviewed, additional protocols and actions have already been identified, and all district finance staff will receive mandatory, updated training this week to reinforce protocols and to ensure updated procedures are in place to prevent incidents like this from occurring.

Companies should train staff to be suspicious of requests for secrecy or pressure to take action quickly, the FBI has said. They should also put two-step verification procedures in place for wire transfer payments, and should directly confirm fund transfer requests with known individuals working for those vendors.