$2.3M stolen in phishing campaign that targeted Texas school district
A Texas school district is out $2.3 million after a targeted phishing campaign led to money being transferred to accounts controlled by those behind the scam.
Details are a little slim, but it’s believed that the money was stolen over three transactions and involved an employee from the Manor Independent School District being deceived into altering bank account details for a known vendor. The scam was first launched in November, with a month passing between the first and last payments.
Anne Lopez, a detective with the Manor Police Department, told a local news outlet Friday that “unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was a fraudulent bank account.” Local police along with the Federal Bureau of Investigation are said to be investigating.
The figure would be significant for many school districts but is particularly so for Manor ISD: The district only has 9,600 students and an annual budget of $90 million.
Given what is known, the attack constituted a business email compromise attack. In BEC attacks, attackers typically manipulate targets into wiring money or changing bank account details. A report in October found that there had been a 269% increase in these forms of attacks in the third quarter of 2019.
“Phishing attacks such as this are sophisticated, meticulously planned and strategically executed leaving very little time to react,” Greg Wendt, executive director of data security firm Appsian, told SiliconANGLE. “It is unfortunate that in this case the phishing scam was able to recur three times and resulted in millions lost.”
To prevent the risk of phishing scams in the future, he added, the school district must implement a custom security strategy that provides fine-grained user access control.
“By deploying adaptive multi-factor authentication, organizations are able to significantly enhance security with additional user authentication – both at login and inside an application,” he said. “Contextual controls also mitigate cyber risk by adapting policies in accordance with changing context of user access.”
Mike Reimer, chief security architect of secure access provider Pulse Secure LLC, noted that attackers are applying the same targeting expertise as advanced marketers.
“The imitations are well-executed and offer enticing messages to trick a recipient into clicking on a malicious link or share sensitive data,” Reimer said. “In this case, the scam was so convincing that someone transferred millions of dollars. Cases such as the Manor ISD attack demonstrate the need to coordinate secure controls and continue to raise employee security awareness in 2020.”
Photo: Larry D. Moore/Wikimedia Commons
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU