Florida city sends $742K to fraudsters as it bites the BEC hook
We’re changing our banking information, said the sham email purporting to be from a construction company working on an international airport in the Florida city of Ocala.
The message pretended to come from Ausley Construction, a bona fide firm that’s working on the $6.1m project of constructing a new terminal at the 17,500-square foot Ocala International Airport – and included the proper form to change the routing and account number, plus a copy of a voided check from the account.
It was all right and proper-looking, as are the most sophisticated Business Email Compromise (BEC) scams, and, of course, utterly bogus.
The spearphishing email worked. As reported by local paper Ocala Star Banner, the city is now $742,376.73 lighter.
According to reports from Ocala Mayor Kent Guinn and the Ocala Police Department, a city senior accounting specialist got the phishing email in September. The next month, Ausley Construction submitted a legitimate invoice for nearly $250K.
The next day, on 18 October, the city paid the invoice. Ausley never saw that money, though. On 22 October, the firm let the city know that it was still waiting to be paid, and that’s when the fraud came to light.
A growing money-making racket
BEC scams like this one, and the amount of profits they’re netting crooks, are exploding. In its 2018 Internet Crime Report, the FBI said that it received 20,373 BEC/email account compromise (EAC) complaints last year, reflecting losses of over $1.2 billion.
In August 2019, a county in the US state of North Carolina fell hard in a BEC scam – as in, $1,728,083 worth of hard – that was similar to the Ocala ripoff. It, too, paid a “contractor” posing as a legitimate firm building a new school for the Cabarrus County Schools District.
Then, a few months ago, Portland Public Schools escaped a $2.9m BEC scam by the skin of its teeth. The transaction was already in the works, but the banks involved managed to freeze the funds in time.
These scams typically involve legitimate business email accounts that have been compromised, be it through social engineering or computer intrusion, to initiate unauthorized transfers.
The FBI says BEC scammers are becoming increasingly sophisticated. From the FBI’s 2018 Internet Crime Report:
In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations.
Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.
These guys have it down pat. In one whaling attack (one that’s targeted at the biggest fish in an organization, such as a CEO or CFO) against two tech companies a few years ago, the scammer came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of the tech companies.
The documents bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer: a total of more than $100,000,000.
In the Ocala scam, the crooks used a former Ausley worker’s name in their spearphishing email. The former Ausley employee told police that they weren’t the one who sent that message, though. In fact, the email address showed a tiny difference that would have marked it as illegitimate, but only to employees who are a) paranoid and/or b) eagle-eyed. Namely, instead of @ausleyconstruction.com, the email address had an extra “s” at the end, as in, @ausleyconstructions.com. According to the police report, the fake address was created on 1 September 2019.
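As an added example (not code from the article, the city or the police report), this is the kind of check an accounts-payable mail filter can run to catch the near-miss sender domain described above and to hold any bank-detail change for out-of-band verification. The trusted vendor list, the sample message and the keyword pattern are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: in practice this comes from the vendor master file (assumption).
TRUSTED_VENDOR_DOMAINS = {"ausleyconstruction.com"}

# Phrases that signal a request to redirect payments; constructed pattern.
BANK_CHANGE = re.compile(
    r"\b(chang\w*|updat\w*|new)\s+(our\s+)?(bank\w*|remittance|account|routing)", re.I)

# Constructed sample message mirroring the lookalike domain in the article.
SAMPLE_MESSAGE = """\
From: Accounts Payable <ap@ausleyconstructions.com>
To: accounting@example-city.gov
Subject: Updated remittance details

We're changing our banking information. The attached form has the new
routing and account number and a voided check.
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(domain: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance=2):
    """Return ('trusted'|'lookalike'|'unknown', impersonated_domain_or_None)."""
    if domain in trusted:
        return "trusted", None
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike", good          # e.g. one extra letter, as in Ocala
    return "unknown", None

def triage(raw_message: str) -> dict:
    """Score one message: lookalike domain plus bank-change wording is high risk."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    verdict, impersonated = classify_sender(domain)
    body = msg.get_payload() if not msg.is_multipart() else ""
    asks_bank_change = bool(BANK_CHANGE.search(msg.get("Subject", "") + " " + body))
    risk = "high" if asks_bank_change and verdict != "trusted" else (
        "medium" if asks_bank_change else "low")
    # Any bank-detail change is held for a phone call to a number already on file,
    # because a genuinely compromised vendor mailbox would pass the domain check.
    return {"domain": domain, "verdict": verdict, "impersonates": impersonated,
            "bank_change_request": asks_bank_change, "risk": risk,
            "hold_for_callback": asks_bank_change}
```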
Officials have reportedly filed a claim with the city’s insurance provider for the loss and are reviewing their internal policies to avoid falling victim to a repeat scam.