A Southern Oregon University phishing attack has demonstrated exactly why so many hackers have opted for phishing to make money. The Southern Oregon University phishing attack involved just one phishing email. The attackers pretended to be a construction company – Andersen Construction – that was erecting a pavilion and student recreation center at the University.
The attackers spoofed the email address of the construction firm and asked that all future payments be directed to a different bank account. The university then transferred the next payment of €1.9m to the new account in April 2019. Three days later, the university realized the construction firm had not received the funds. The FBI was made aware of the situation as soon as the fraud was discovered and attempts were made to recover the funds. The university reports that the hackers had not emptied all of the funds from their account, but a sizeable amount of the payment had been withdrawn and could not be recovered. Joe Mosley, a representative for SOU, said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
In order for a scam like this to be successful, the hackers would need to be aware that the construction project was taking place and the name of the firm that had been awarded the contract. That information is not hard to find, and universities are easy to target as they often have ongoing construction projects.
These attacks are referred to as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email requesting changes to payment information, although these scams need not involve compromising an email account. Spoofing an email account can be just as effective.
Increase in BEC Attacks Prompts FBI Alert for Universities
In this instance, the payment was massive but it is far from an isolated incident. The FBI has issued warnings to universities to be wary of attacks such as this. BEC attacks may not be nearly as common as other forms of cybercrime, but they are the leading cause of losses to cybercrime as the payments made to the attackers are often considerable. Payments are often of the order of several hundred thousand dollars or in some cases millions.
The FBI said that access to a construction firm’s email account is not required. All that is required is for the scammer to buy a similar domain to the one used by the firm. Accounts department employees should carefully check the email address in any request to change banking information or payment methods, as it is common for domains to be used that differ from the genuine domain by only one letter. For instance, an L may be used instead of an i or a zero instead of the letter O.
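The address check described above can be automated for mail that asks to change payment details. The following is an added example, not part of the original article: the vendor domain is a constructed placeholder, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed placeholder: domains of vendors already on file with accounts payable.
KNOWN_VENDOR_DOMAINS = {"andersen-construction.example"}

# The swaps the article names (L for i, zero for O), plus the digit 1,
# folded to a single representative character.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(domain: str) -> str:
    """Fold confusable characters so 'l' vs 'i' and '0' vs 'o' compare equal."""
    return domain.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'exact-match', 'lookalike:<vendor domain>' or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    if domain in KNOWN_VENDOR_DOMAINS:
        # A From header can be spoofed, so an exact match is not proof of origin;
        # it only means the lookalike test does not apply.
        return "exact-match"
    for good in KNOWN_VENDOR_DOMAINS:
        # Either the domains are identical after folding confusables,
        # or they differ by a single character.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return f"lookalike:{good}"
    return "unknown"
```

A "lookalike" result is a reason to hold the request; an "exact-match" result still leaves the spoofed-address case, which is why the change should be confirmed by telephone.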
The Southern Oregon University phishing attack shows just how simple it can be for cybercriminals to pull off a BEC attack. Protecting against BEC attacks requires employees to be vigilant and to use extreme caution when requests are made to alter bank accounts. Such a request should always be verified by some means other than email. A telephone call to the construction firm could easily have identified this scam before any transfer was completed.