Texas’s Manor Independent School District was the victim of a costly 2.3 million dollar Business Email Compromise (BEC) scam in November of 2019.
Details of the scam are still vague as the investigation continues. CNN affiliate KEYE reported there were three separate fraudulent transactions all taking place in November, according to Manor Police Department Det. Anne Lopez.
The matter is under investigation by both the Manor Police Department and the Federal Bureau of Investigation. The Manor Police Department tweeted about the incident on January 10, 2020.
The Manor Police Department Twitter post referred to the heist as a phishing email scam. The investigation is ongoing and has some strong leads. Often there are several links in the chain of a BEC attack involving reconnaissance: “Target Generation,” “Lead Validation and Processing,” “Pre-Attack Testing,” and “BEC Attack.”
BEC scams could be thwarted by following strict procedures and verifying authenticity of the parties before wire transfers are effected.
School Districts Are Soft Targets
The bad guys know that school districts are often soft targets hampered by thin budgets, with most purchases allocated to new software and hardware upgrades, which often leaves very little for cybersecurity technologies and training.
In 2019, Armor, a global security solutions provider, drove home the point that cyberthieves are indeed eying schools very closely. They noted a substantial rise in ransomware attacks against schools (and school districts) since October 2019. “The report identified 11 new U.S. school districts (comprised of 226 schools) that have been hit by ransomware since late October.”
BEC Scams Are Now Big Business And Growing
As we blogged in September, the FBI's Internet Crime Complaint Center (IC3) says that Business Email Compromise (BEC) scams—aka CEO Fraud—are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019.
Also, between June 2016 and July 2019, IC3 received victim complaints regarding 166,349 domestic and international incidents, with a total exposed dollar loss of over $26 billion. "One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms," adds IC3.
BEC scams have been reported in all U.S. states and in 177 countries around the world, according to IC3, with scam-related transfers having been sent to banks in roughly 140 countries.
Defensive measures against BEC scams
IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:
In addition, to make sure that their employees will not fall victim to BEC attacks, companies have to implement strict vendor processes to check and authenticate payment info changes via multiple methods. And as always, many of the above bullets can be achieved by new-school security awareness training.