Mail Tribune reported that Southern Oregon University is just the latest victim of CEO fraud (which the FBI calls Business Email Compromise, or BEC) after hackers tricked university employees into transferring money into a bank account controlled by the bad guys.
University officials announced on Wednesday that in late April, they wired $1.9 million to what they thought was Andersen Construction, a contractor they had hired to construct a pavilion and student recreation center. However, the construction company reported three days later that they never received their payment.
A recent FBI Public Service Announcement about fraudsters targeting universities and their students appears to have been issued due to the SOU case.
The FBI PSA explains that many universities are frequently engaged in large construction projects that require regular and very large electronic payments. If criminals can identify which construction companies are involved (which is normally very easy), it's just a matter of sending spear phishing emails, using social engineering and spoofed sender addresses, to the individuals responsible for making payments.
The FBI describes in further detail how this type of BEC happens:
- The scammer, posing as an established vendor, sends an e-mail to the university’s accounting office with bank account changes to be used for future payments.
- Typically, it is an individual purporting to be from a construction company with which the university has an existing business relationship.
- The scammer often spoofs the actual e-mail address of the company with a similar domain. For example, if the actual domain is abcbuilders.com, the scammer might register and use abcbuilders.net to send the e-mail.
- The university sends their next payment to the scammer’s bank account, and the money is often unrecoverable by the time the university realizes they have been the victim of fraud.
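As an added illustration of the look-alike-domain step above (example code written for this page, not the FBI's or the article's), here is a small Python triage check that flags a vendor sender whose domain differs from a known vendor domain only by its top-level domain or by a couple of characters, and holds any payment-detail change for confirmation through the vendor-change process. The vendor domains, phrases and messages are constructed, not taken from the SOU case.

```python
from email.utils import parseaddr

# Constructed allowlist: sender domains of vendors the accounting office already pays.
KNOWN_VENDOR_DOMAINS = {"abcbuilders.com", "andersen-construction.example"}

# Constructed phrases that usually accompany a request to redirect payments.
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated banking", "remit to", "wire instructions")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains means a near look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, e.g. 'abcbuilders.net'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS):
    """Return (verdict, sender_domain, closest_known_domain_or_None)."""
    domain = sender_domain(from_header)
    if domain in known:
        return ("known", domain, domain)
    # Simplification: everything before the last dot is treated as the registrable
    # label (multi-label suffixes such as .co.uk are not handled).
    label = domain.rsplit(".", 1)[0]
    for vendor in sorted(known):
        same_label = label == vendor.rsplit(".", 1)[0]   # abcbuilders.net vs abcbuilders.com
        near_miss = levenshtein(domain, vendor) <= 2     # abcbui1ders.com, abcbuilder.com
        if same_label or near_miss:
            return ("lookalike", domain, vendor)
    return ("unknown", domain, None)


def triage(from_header: str, body: str):
    """Decide whether a vendor email may be actioned or must be held for out-of-band checks."""
    verdict, domain, vendor = classify_sender(from_header)
    asks_for_change = any(p in body.lower() for p in PAYMENT_CHANGE_PHRASES)
    if verdict == "lookalike":
        return ("hold", f"{domain} looks like known vendor {vendor}")
    if asks_for_change:
        # Even a genuine-looking sender can be spoofed: bank changes go through the vendor-change process.
        return ("hold", "payment-detail change must be confirmed via the number on file")
    return ("pass", f"sender {domain} is {verdict}")
```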
Southern Oregon University spokesman Joe Mosley couldn't share specifics as to exactly how SOU fell prey to the fraud. The university says there is a process in place for vendors to change their bank account numbers.
“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said Mosley. “We’re not alone.”
That couldn't be more true. Last year, CEO fraud was a $5.3 billion business, according to data reported to the FBI. No industry is immune to falling into cybercriminals' crosshairs. Firms like Leoni AG, a cable manufacturer, and FACC AG, an aerospace company, are among thousands of victims of the crime in 2016.
SOU is cooperating with the FBI in their ongoing investigation.
Incidents like this can be prevented by training employees to spot social engineering red flags, stepping them through new-school security awareness training.
Get a quote and find out how affordable this is. You will be pleasantly surprised.