This simple invoice scam appears to be a part of a much broader campaign targeting municipalities, posing as existing subcontractors.
The City of Fresno, CA recently admitted to being the victim of wire transfer fraud back in 2020. An invoice was emailed in, purporting to be from a contractor working on the construction of one of the city’s police stations. According to the local newspaper, the Fresno Bee (who obtained copies of the fraudulent email and invoice), the invoice looked correct, with only the bank details being modified. Two payments, totaling $613,737, were made and were sent to a bank in Africa. The City of Fresno’s mayor spoke recently indicating that the scam has been seen in multiple municipalities and is part of a larger effort to obtain as much money as possible.
The simplicity of this attack feels a bit brazen; it’s like walking into a hotel with nothing but a business card that says you’re CEO of a well-known company and talking your way into being given the Presidential Suite.
This fraud could have been easily stopped with simply policy and procedure – whenever banking details are changed, a phone call – using a known-good source for the specific number to call (and not the one on the email or invoice) – to verify the change is all it takes. Additionally, it’s likely that if the email containing the invoice were scrutinized, the recipient would have found some other indicators that it was not real, including the senders email address.
This type of scrutiny is a given with employees that undergo continual Security Awareness Training where they are taught to maintain a sense of vigilance, scrutinizing anything that looks out of the ordinary – which include invoices with banking detail changes.
