“We’re changing our banking information,” said the sham email purporting to be from a construction company working on an international airport in the Florida city of Ocala.
The message pretended to come from Ausley Construction, a bona fide firm that’s working on the $6.1m project of constructing a new terminal at the 17,500-square-foot Ocala International Airport – and included the proper form to change the routing and account number, plus a copy of a voided check from the account.
It was all right and proper-looking, as are the most sophisticated Business Email Compromise (BEC) scams, and, of course, utterly bogus.
The spearphishing email worked. As reported by local paper Ocala Star Banner, the city is now $742,376.73 lighter.
According to reports from Ocala Mayor Kent Guinn and the Ocala Police Department, a city senior accounting specialist got the phishing email in September. The next month, Ausley Construction submitted a legitimate invoice for nearly $250K.
The next day, on 18 October, the city paid the invoice. Ausley never saw that money, though. On 22 October, the firm let the city know that it was still waiting to be paid, and that’s when the fraud came to light.
A growing money-making racket
BEC scams like this one, and the amount of profits they’re netting crooks, are exploding. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints last year, reflecting losses of over $1.2 billion.
In August 2019, a county in the US state of North Carolina fell hard in a BEC scam – as in, $1,728,083 worth of hard – that was similar to the Ocala ripoff. It, too, paid a “contractor” posing as a legitimate firm building a new school for the Cabarrus County Schools District.
Then, a few months ago, Portland Public Schools escaped a $2.9m BEC scam by the skin of its teeth. The transaction was already in the works, but the banks involved managed to freeze the funds in time.
These scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.
The FBI says BEC scammers are becoming increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:
In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations.
Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.
These guys have it down pat. In one whaling attack (one that’s targeted at the biggest fish in an organization, such as a CEO or CFO) against two tech companies a few years ago, the scammer came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of the tech companies.
The documents bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer: a total of more than $100,000,000.
In the Ocala scam, the crooks used a former Ausley worker’s name in their spearphishing email. The former Ausley employee told police that they weren’t the one who sent that message, though. In fact, the email address showed a tiny difference that would have marked it as illegitimate, but only to employees who are a) paranoid and/or b) eagle-eyed. Namely, instead of @ausleyconstruction.com, the email address had an extra “s” at the end, as in @ausleyconstructions.com. According to the police report, the fake address was created on 1 September 2019.
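As an added example (not from the article, the city or Ausley), here is a small Python screen an accounts payable team could run over incoming mail: it flags messages that mention a change of bank details and come from a domain that is not on file, including lookalikes one or two edits away from a real vendor domain, such as the extra trailing “s” described above. The vendor domain is the one named in the article; the sample messages, keywords and edit-distance threshold are constructed for this illustration.

```python
import re
# Constructed example: "ausleyconstruction.com" is the real vendor named in the
# article; all addresses, subjects, bodies and thresholds below are made up.
KNOWN_VENDOR_DOMAINS = {"ausleyconstruction.com"}
BANK_CHANGE_WORDS = ("banking information", "routing", "account number", "remit")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-cased domain from 'Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()

def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance=2) -> str:
    """'known' if on file, 'lookalike' if within max_distance edits of a domain
    on file (the extra trailing 's' is one edit), otherwise 'unknown'."""
    domain = sender_domain(address)
    if domain in known:
        return "known"
    if any(levenshtein(domain, k) <= max_distance for k in known):
        return "lookalike"
    return "unknown"

def flag_bank_change_requests(messages):
    """(sender, verdict) for payment-change requests not from a domain on file."""
    flagged = []
    for msg in messages:
        text = (msg["subject"] + " " + msg["body"]).lower()
        if any(w in text for w in BANK_CHANGE_WORDS):
            verdict = classify_sender(msg["from"])
            if verdict != "known":  # anything not on file needs a phone call
                flagged.append((msg["from"], verdict))
    return flagged

# Constructed sample mailbox: one lookalike bank-change request, one routine invoice.
SAMPLE_MESSAGES = [
    {"from": "AP <billing@ausleyconstructions.com>", "subject": "Updated remit-to details",
     "body": "We're changing our banking information. New routing and account number attached."},
    {"from": "pm@ausleyconstruction.com", "subject": "Invoice 1042", "body": "October invoice attached."},
]
```

A flagged message is a prompt to verify by phone with a number already on file, not a verdict on its own; a lookalike domain that is exactly on file is the case this screen cannot catch.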
Officials have reportedly filed a claim with the city’s insurance provider for the loss and are reviewing their internal policies to avoid falling victim to a repeat scam.
How DO you avoid falling victim?
Ocala officials might want to take a page from the similarly fleeced North Carolina county of Cabarrus. In the wake of getting victimized, it hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes and reviewing its vendor files in order to harden its vendor setup and maintenance authentication techniques, internal controls and best practices, in order to reduce the potential for fraud.
Then, the county trained staff, and it implemented external checks to validate incoming data.
Those, in fact, are among the safeguards we passed along after the FBI busted 74 people in a global BEC takedown in June 2018.
As we said at the time, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.
Some of the key ways that individuals, businesses and government agencies can avoid getting taken to the cleaners:
Don’t rely on email alone
As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. FBI Special Agent Martin Licciardo:
The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.
Also, here are more tips, for both individuals and businesses:
1. Watch your Ps and Qs… and apostrophes
As we saw in the case of crooks who nabbed the proceeds from a $150K home sale, the fraudster did what fraudsters often do: they made a punctuation/English usage mistake (albeit a tiny one). Namely, they omitted a possessive apostrophe.
As Naked Security’s Paul Ducklin noted at the time in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look closer.
2. Watch out for weird requests
In the real estate case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.
3. Report it
Law enforcement agencies can’t fight what they don’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.
In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read the Sophos News article Would you fall for a BEC attack?