How a Single Email Stole $1.9 Million from Southern Oregon University

Southern Oregon University has announced that it is the latest organization to fall victim to a business email compromise (BEC) attack after fraudsters tricked the educational establishment into transferring money into a bank account under their control. According to media reports, the university fell for the scam in late April when it wired $1.9 million into a bank account. They believed they were paying Andersen Construction, a contractor responsible for constructing a pavilion and student recreation center. But the construction company never received its payment. The incident appears to have spurred the FBI into issuing a warning about the risk to other universities in May. In their advisory, the FBI describes how many universities are often engaged in major construction projects that require regular electronic payments of at least several hundred thousand dollars. It's normally fairly easy for a criminal to identify which construction firms are involved in the projects and then use a mixture of social engineering and email spoofing to trick universities into transferring funds into the wrong bank account. In some cases, the fraudsters actually hack into the email accounts of those they are pretending to be to make their communications appear even more convincing. The FBI describes in further detail how a BEC scam works:

• The scammer, posing as an established vendor, sends an e-mail to the university’s accounting office with bank account changes to be used for future payments.
• Typically, it is an individual purporting to be from a construction company with which the university has an existing business relationship.
• The scammer often spoofs the actual e-mail address of the company with a similar domain. For example, if the actual domain is abcbuilders.com, the scammer might register and use abc-builders.com to send the e-mail.
• The university sends their next payment to the scammer’s bank account, and the money is often unrecoverable by the time the university realizes they have been the victim of fraud.

"We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities," said Southern Oregon University spokesman Joe Mosley. "We're not alone." Mosley is right. He's not alone. And it's not just educational establishments that are in the firing line of criminals committing business email compromise. Firms such as cable manufacturer Leoni and tech firm Ubiquiti Networks are among those that have lost tens of millions of dollars through similar scams. Indeed last year the FBI reported that corporations had handed over more than three billion dollars to fraudsters because of business email compromise attacks. Good advice on how to introduce best practices and reduce the chances of your organization becoming the next victim of business email compromise is contained in this FBI advisory.   Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.