Fradulent Email: Business Email Compromise Attack Costs Southern Oregon University $2M
Southern Oregon University lost nearly $2 million in funds intended for a contractor after administrators fell for a fraudulent email.
The $1.9 million that was intended to pay for a construction project on the school’s McNeal Pavilion and Student Recreation Center instead was sent to scammers who posed as the contractors and tricked the school administrators.
Read: Phishing Scams: FBI Says Businesses Have Lost $5 Billion In Phishing, Social Engineering Attacks
The school said the payment was wired in April to what administrators believed was the construction company that worked on the project. Days after the payment was sent, Andersen Construction reported it hadn’t been paid.
Instead, the money was sent to an account controlled by scammers rather than Andersen Construction. Details are scarce, but it’s believed the business email compromise (BEC) attack was carried out by attackers who created a fraudulent email account and posed as the construction company.
Local, state and federal authorities were notified of the fraud, and the FBI opened an investigation to help the university recover any losses.
SOU spokesman Joe Mosley told the (Medford) Mail Tribune at least some of the funds sent from the school are still in the bank account involved in the fraud, but it’s unclear how much. “It’s certainly a substantial amount,” Mosley told the newspaper. “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
Read: Google Docs Phishing Scam: Email Attack Hijacks User Accounts By Posing As Google Docs
Aso unclear is when the school will be able to recover the remaining funds, or how much of the total payment has been lost entirely. The school’s insurance policy may cover some of the loss.
While SOU is a noteworthy victim, it certainly isn’t the first to fall for a BEC attack.
The FBI sent a message to universities in May warning: “Many universities are frequently engaged in large construction projects, which require regular electronic payments of at least several hundred thousand dollars. It is relatively easy for a criminal to identify the construction companies involved in these projects and use social engineering and e-mail spoofing to commit this type of fraud. As a result of the nature and large size of these payments to a construction company, losses are significant.”
FBI statistics released earlier this year show there have been 40,203 BEC attacks reported in the last three years, resulting in businesses losing more than $5.3 billion. Attacks have increased exponentially in the last two years, with a 2,370 percent increase in identified losses taking place from January 2015 to December 2016.
Scams have been reported in all 50 U.S. states and 130 other countries. More than $750 million was stolen from businesses around the world in the final six months of 2016 alone.
© Copyright IBTimes 2024. All rights reserved.