Oregon urban school district Portland Public Schools is on track to recover roughly $2.9 million wired by district employees to a BEC scammer, after discovering the fraudulent transactions before the money left the fraudster's accounts.
Portland Public Schools is a PK-12 urban school district in Portland, Oregon, with over 49,000 students enrolled in 81 schools, and one of the largest ones in the Pacific Northwest.
BEC (also known as EAC, short for Email Account Compromise) fraud schemes are scams through which fraudsters attempt to trick one or more employees of a targeted organization into wiring them money.
These attacks are successful because the crooks pose as entities the organization's staff trusts like the company's CEO or a trusted business partner, with the legitimate bank accounts being surreptitiously swapped with attacker-controlled ones.
The failed BEC fraud scheme
"When we were made aware of this transaction on Friday, we immediately called the FBI—an internet crimes process we follow—and notified our board of education and we began an investigation to understand the origin of the transaction and how and why the transaction was processed by Portland Public Schools," according to Claire Hertz, Business & Operations Deputy Superintendent for the school district.
The funds are supposed to be returned to the school district's bank accounts as Herz also details, with the banks involved having "frozen the approximately $2.9 million in district funds that were transferred to a fraudulent account" and "confirmation from the bank and FBI that everything is in place to make that happen" having been already received.
The two district employees who were responsible for approving the wire transfer which delivered the funds into the fraudster's accounts are now both on paid administrative leave as detailed in a letter sent by Superintendent Guadalupe Guerrero to all the staff and the School Communities.
All district payment procedures and internal controls are being reviewed, additional protocols and actions have already been identified, and all district finance staff will receive mandatory, updated training this week to reinforce protocols and to ensure updated procedures are in place to prevent incidents like this from occurring. We have conducted an initial review of previous transactions, as well as a review of vendor account management and fund transfer protocols. In addition, we have updated our fraud awareness training materials. - Superintendent Guerrero
However, the employees are not under suspicion of being involved in fraud scheme since "A preliminary investigation tells us the fraud was perpetrated from outside sources and at this point we don’t see any district employee engaged in criminal activity,” as Hertz also said.
All district financial department staff will have to attend mandatory fraud prevention training before being allowed to authorize any payments.
"All of this is being followed by a full, independent, external investigation involving outside experts from the fields of online security, financial processes and controls, and workplace fraud," says Guerrero's letter.
"Additionally, the district’s external auditor will independently review our financial controls and vendor management protocols."
BleepingComputer has reached out to the Portland Public Schools for comment but had not heard back at the time of this publication.
BEC fraud schemes are highly profitable
BEC scams are a highly prevalent fraud scheme these days, with new such incidents making the news almost on a daily basis. Fortunately, some of the victims manage to recover some of the stolen funds by freezing them if they're not moved out of traceable accounts by the scammers.
For instance, the City of Saskatoon just got scammed out of $1.04 million and is in the process of recovering most of it according to city manager Jeff Jorgenson, while Cabarrus County in North Carolina lost $1,728,082.60 in July after sending $2.5 million to scammers.
However, others were not so fortunate, with the City of Griffin, Georgia, having lost roughly $800,000 and the Saint Ambrose Catholic Parish $1.75 million in similar attacks coordinated by scammers who moved the stolen funds before they got traced by the authorities.
While some lucky victims manage to walk away from BEC scam incidents unscathed, these type of fraudsters were behind the highest reported total losses during 2018 for both individuals and companies.
BEC victims lost over $1,2 billion during last year according to an Internet Crime report published on April 2019 by FBI's Internet Crime Complaint Center (IC3).
"Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector," IC3's report explains.
BEC scammer activity has seen a staggering 476% growth between Q4 2017 and Q4 2018, with the total number of BEC attacks targeting organizations increasing by 226% QoQ per a report Proofpoint released in January.
The Financial Crimes Enforcement Network (FinCEN) also published a report in July stating that BEC SAR (short for suspicious activity reports) filings grew from a $110 million per month average in 2016 to more than $301 million per month in 2018.
To prevent their employees getting scammed in BEC attacks, organizations have to put in place strict vendor processes to examine and authenticate any payment info changes using multiple types of processes, including but not limited to direct phone calls and/or face-to-face meetings when any changes to payment information are being spotted.
H/T Brett Callow
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now