Local, state, and federal authorities are investigating a phishing attack that victimized the city of Alamogordo, New Mexico. One of the city's procurement officers received what appeared to be a legitimate email from an agent representing the Cooperative Education Exchange (CES), a New Mexico purchasing co-op.
CES and the agent are legitimate, and the city does business with both of them. The email requested that the city change CES banking information and pay outstanding invoices to the new account. The recipient was convinced—the only sign there may have been something awry was that the email used an outdated version of the CES logo.
The procurement officer forwarded the request to Alamogordo's Finance Department, which dutifully changed the information and paid the $250,000 for which the city had been invoiced. They realized they'd been scammed when they received calls from real CES representatives asking about payment. Alamogordo of course thought it had already paid.
Note the two-step process this bit of social engineering followed. First the procurement officer was scammed, and then that official unwittingly passed the CEO Fraud scam on to the Finance Department. The incident has been reported to the Office of the State Auditor, local police, and the FBI. It's unlikely the funds will be recovered. As is usual in such cases, once the transfer has been made, the money is gone. Protecting an organization against such forms of business email compromise involves a combination of sound policy and effectively designed and delivered user awareness training. New Mexico State Auditor Wayne Johnson's advice is succinct, clear, and worth repeating:
"An email seeking to alter banking information should always be a red flag. Talk to your vendors, especially when they do something out of the ordinary, like send a change in banking information. It's important to establish personal relationships so that finance staff can talk to people already known to them. There's no excuse for not taking that extra step to make sure to prevent the theft of a quarter of a million dollars in public money."
The city of Alamogordo may be out a quarter of a million, but there's no reason your organization needs to follow suit. Interactive, new-school security awareness training can help your employees recognize this kind of social engineering and spit the hook before the phishing attack is successful. The Alamogordo Daily News has the story: https://www.alamogordonews.com/story/news/crime/2018/07/17/alamogordo-bilked-out-250-000-email-scam/794496002/