A Southern Oregon University phishing attack has demonstrated exactly why so many hackers have opted for phishing as their main source of profits.

The Southern Oregon University phishing attack involved just one phishing email. The attackers pretended to be a construction company – Andersen Construction – that was erecting a pavilion and student recreation center at the University.

The attackers spoofed the email address of the construction firm and asked that all future payments be directed to a separate bank account. The university then transferred the next payment of €1.9m to the new account in April.

Three days later, the university saw that the construction firm had not received the funds. The FBI was made aware of the situation as soon as the fraud was discovered, and efforts are continuing to recover the funds. The university reports that the hackers have not withdrawn all of the funds from their account, although a sizeable chunk cannot be located. Joe Mosley, a representative for SOU, said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”

For a scam like this to succeed, the hackers would need to know that the construction project was taking place and the name of the firm. Such data is not hard to find, and universities often have construction projects under way.

These attacks are referred to as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not known whether the vendor’s email account had been hacked, but that step may not be necessary to pull off a phishing attack such as this.

Increase in BEC Attacks Prompts FBI Alert for Universities

In this instance, the payment was massive but it is far from an isolated incident. Last month, the FBI published a public service announcement warning universities of attacks such as this.

The FBI warned that access to a construction firm’s email account is not required. All that is required is for the scammer to buy a domain similar to the one used by the firm. Accounts department employees may check the email address and not notice that a letter has been changed.
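A mail-filter check for the lookalike-domain trick the FBI describes, as an added example that is not part of the original article: it compares the sender's domain against a list of known vendor domains and flags near misses. The domains, the `classify_sender` helper and the distance threshold of 2 are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: placeholder vendor domains, not real ones.
KNOWN_VENDOR_DOMAINS = {"andersen-const.example", "campus-supplies.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header, or '' if absent."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_sender(from_header: str, max_distance: int = 2):
    """Return (verdict, closest_known_domain) for one From header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    if domain in KNOWN_VENDOR_DOMAINS:
        # Exact match only; a forged From header or a hacked vendor mailbox
        # also lands here, so bank-detail changes still need a phone call.
        return ("known", domain)
    closest = min(KNOWN_VENDOR_DOMAINS, key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for hdr in ("Accounts <billing@andersen-const.example>",
                "Accounts <billing@andersen-consf.example>",  # one letter changed
                "Newsletter <news@unrelated.example>"):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" verdict is a reason to hold the message for review; a "known" verdict is not proof that the request is genuine.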

By the time the university sees that a payment has not been received, the funds have already been removed from the scammer’s account and cannot be recovered. Payments are often on the order of several hundred thousand dollars.

The FBI advised SOU that there have been 78 such attacks in the past 12 months, some of which have been carried out on universities. However, all organizations are at risk from these BEC scams.

The Southern Oregon University phishing attack shows just how simple it can be for cybercriminals to pull off a BEC attack. Securing against this type of scam requires employees to be vigilant and to use extreme caution when requests are made to alter bank accounts. Such a request should always be verified by some means other than email. A telephone call to the construction firm could easily have prevented this scam before any transfer was completed.