$94K Business Email Compromise Goes Unnoticed, then Unreported

One might think that a large wire transfer from a state office would be quickly noticed. But not necessarily. A cybercriminal using BEC (business email compromise, also known as CEO Fraud) was able to steal close to $94,000 in public funds from the Massachusetts Clean Energy Center and go undetected for over a month.

Worse yet, the theft went unreported for almost eight months.

An audit found that the agency wired the money on January 9th, 2017, to an account set up by cybercriminals. The theft was discovered about a month later during that audit, which traced it to a phishing scam.

Ultimately the Clean Energy Center was able to recover about $25,000, but it waited eight months to report the crime to its board. Both the Boston police and attorney general were notified at that time, but not the FBI.

There was also no formal criminal complaint filed. Quicker reporting and the involvement of other law enforcement agencies might have enabled not only the recovery of more funds, but the arrest and prosecution of the thieves. The FBI says similar scams have cost businesses billions of dollars in the past five years.

The Center is a quasi-public economic development agency that gets its funding from the State of Massachusetts’s Renewable Energy Trust Fund, itself created by the state legislature in 1998 and funded by a charge on electric ratepayers. A state audit noted that the Center did not recognize cyber threats as a risk. It also noted that the Center had no policy regarding the timely notification of security breaches and no awareness of Homeland Security guidelines for reporting cybercrimes to the FBI.

Upon discovery of the theft in February 2017, and recognizing the serious responsibility of handling public funds, the Clean Energy Agency says it launched an immediate and comprehensive internal investigation that resulted in significant changes in policy and process.

Business email compromise phishing schemes have targeted victims in many professions and industries. The scammers impersonate business executives requesting cash payments and transfers, and they adjust their approach to whatever gets the money sent.

Not only are sound policies controlling electronic fund transfers helpful in preventing BEC, but new-school, interactive security awareness training to resist this and other forms of social engineering can help any organization, public, private, or in-between. And do remind your people that bad news doesn’t improve with age.

The Boston Herald has the story: http://www.bostonherald.com/business/technology/2018/06/phishing_theft_of_93g_at_clean_energy_agency_went_unreported_for_months

Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email [email protected] to request a quote for security awareness training for your organization.