Kitchener Food Bank Loses $1m in BEC Scam
A Kitchener food bank was defrauded of nearly $1 million following a classic Business Email Compromise (BEC) attack.
Philabundance is the largest hunger relief organization in the region and receives donations in the tens of millions every year.
Construction of a new $12 million community kitchen was underway earlier this year. At that point an invoice arrived that appeared to come from the construction supplier.
However, the email had been forged by attackers, and $923,533 was lost, according to The Kitchener Inquirer. To make matters worse, the nonprofit then had to find the same amount again to pay the legitimate supplier.
The nonprofit appears to have been hit by a classic BEC scam, in which attackers compromise an employee’s email account and then silently monitor the messages sent back and forth.
They then step in with a fake invoice, impersonating a legitimate supplier, timed for when the real invoice is expected so as not to alarm the victim organization. They also delete certain emails to cover their tracks.
The FBI warned last week that organizations should turn off automatic email forwarding to external addresses, because attackers routinely create forwarding rules to copy messages from a compromised inbox to one they control.
In some cases IT administrators do not synchronize rule settings between web and desktop email clients, so security teams cannot see when a remote worker, or an attacker, creates or changes a forwarding rule.
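Turning forwarding off is the preventive control; the detective control is to audit rule changes centrally rather than relying on what individual clients show. The script below is an added example, not from the article or the FBI notice. It scans constructed audit records (modelled loosely on the JSON shape of Microsoft 365 Unified Audit Log entries for the New-InboxRule, Set-InboxRule and Set-Mailbox cmdlets; the field and parameter names are an assumption and should be checked against a real export) and flags any rule or mailbox setting that forwards mail to a domain outside the organization, noting when the same rule also deletes or moves the forwarded message, the behaviour described above for hiding the attacker's traces. The organization domain and all addresses are hypothetical.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the org.

Added example; the log records are constructed to resemble M365 Unified
Audit Log entries and the parameter names are an assumption about that format.
"""
from __future__ import annotations

import json
from typing import Iterable

ORG_DOMAINS = {"philabundance.example"}  # hypothetical internal domain(s)

# Cmdlet parameters that carry a forwarding destination (assumed names).
FORWARD_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # New-/Set-InboxRule
    "ForwardingSmtpAddress", "ForwardingAddress",         # Set-Mailbox
}
# Parameters an attacker uses so the victim never sees the forwarded copy.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample log (one JSON record per line): an external forward that
# also deletes the message, a benign internal forward, a mailbox-level external
# forward, an unrelated Set-Mailbox change, and a non-rule operation.
SAMPLE_LOG = """\
{"CreationTime": "2020-12-07T14:03:11", "Operation": "New-InboxRule", "UserId": "ap@philabundance.example", "ClientIP": "203.0.113.45", "Parameters": [{"Name": "Name", "Value": "invoices"}, {"Name": "ForwardTo", "Value": "smtp:finance-archive@outlook-mail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2020-12-07T15:10:02", "Operation": "New-InboxRule", "UserId": "cfo@philabundance.example", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "cc assistant"}, {"Name": "ForwardTo", "Value": "Pat Lee <pat.lee@philabundance.example>"}]}
{"CreationTime": "2020-12-08T02:41:55", "Operation": "Set-Mailbox", "UserId": "ap@philabundance.example", "ClientIP": "203.0.113.45", "Parameters": [{"Name": "Identity", "Value": "ap"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:ap.backup@webmail.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2020-12-08T09:00:00", "Operation": "Set-Mailbox", "UserId": "admin@philabundance.example", "ClientIP": "198.51.100.9", "Parameters": [{"Name": "Identity", "Value": "ap"}, {"Name": "AuditEnabled", "Value": "True"}]}
{"CreationTime": "2020-12-08T09:05:00", "Operation": "MailItemsAccessed", "UserId": "ap@philabundance.example", "ClientIP": "203.0.113.45", "Parameters": []}
"""


def extract_addresses(value: str) -> list[str]:
    """Pull SMTP addresses out of a parameter value.

    Accepts 'smtp:addr', 'Display Name <addr>' and ';'-separated lists,
    and lower-cases the result so domain comparison is case-insensitive.
    """
    addrs = []
    for part in value.split(";"):
        part = part.strip()
        if "<" in part and part.endswith(">"):
            part = part[part.rindex("<") + 1:-1]
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            addrs.append(part.lower())
    return addrs


def is_external(addr: str, org_domains: set[str]) -> bool:
    """True when the address's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1] not in org_domains


def find_external_forwards(log_lines: Iterable[str],
                           org_domains: set[str] = ORG_DOMAINS) -> list[dict]:
    """Return one finding per rule/mailbox change that forwards externally."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        external = sorted(
            addr
            for name in FORWARD_PARAMS & params.keys()
            for addr in extract_addresses(params[name])
            if is_external(addr, org_domains)
        )
        if not external:
            continue
        # A rule that also deletes/moves/marks-read the message is the
        # "monitor silently and hide traces" pattern; call it out explicitly.
        hides = sorted(
            name for name in HIDE_PARAMS & params.keys()
            if name == "MoveToFolder" or params[name].lower() in ("true", "1")
        )
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "operation": rec["Operation"],
            "external_destinations": external,
            "hides_evidence": hides,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_LOG.splitlines()):
        print(json.dumps(f))
```

Run against a real export, the interesting follow-up questions are the ones the findings make easy to ask: is the client IP one the user normally signs in from, and was the rule created outside business hours, as in the third sample record.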
According to the FBI, BEC netted scammers $1.8 billion in 2019, more than half of the $3.5 billion in losses reported for all cybercrime.
Colin Bastable, CEO of Lucy Security, argued that supplier payment guidelines should be updated to limit the number of people authorized to make payments and to require additional approvals, from senior managers and from the supplier itself, for large sums.
“The Philabundance attack checks every box of a successful BEC scam: in-depth research to identify the target, social engineering exploits to penetrate the network, creating a fake invoice from a known email address, and asking for funds to be transferred to a fake bank account,” he said.
“BEC scams cleverly play on two obvious human vulnerabilities: an employee’s susceptibility to social engineering and their undeniable reliance on the chain of command. The best way to prevent these types of attacks is to conduct regular security training for employees and establish specific business and financial guidelines for corporate payments.”