The Canadian City of Saskatoon has suffered a devastating email mishap resulting in fraudsters obtaining £645,190 by posing as a contractor.
The threat actors impersonated Blaine Dubreuil the CFO of Allan Construction, which had been contracted to work on a bridge rehabilitation project. Fraudsters contacted the city last July pretending to be the CFO resulting in the city wiring one million Canadian dollars to the hackers.
Allan Construction’s CFO Blaine Dubreuil commented in a release that “It’s very disconcerting that the perpetrator used my name and our company name to commit this crime. We have done a security assessment and are confident that our systems were not hacked or compromised.”
It appears that once the threat actor had established an erroneous line of communication with the city they requested the city change the banking information for Allan Construction. It wasn’t until August 12 that the fraud was discovered.
Working with law enforcement the city says that they have managed to recover $40,000 of the stolen cash and have ‘locked down’ a substantial amount of the remaining money.
The authorities have located over 10 bank accounts that they suspect the money is resting in and have instigated legal action to freeze these accounts by court orders.
City Manager Jeff Jorgenson commented in a release that: “Our focus at this time is on recovery of the funds. We have experts engaged from our internal auditor, the banks affected, and the Saskatoon Police Service. Additionally we have external and internal experts pouring over financial transactions and processes to do everything reasonably possible to protect the City from any further attacks.”
“As this is an ongoing investigation, the City cannot disclose further details about the fraud at this time.”
Business Email Compromise
Business email compromise (BEC) poses a serious threat to every organisation and worryingly, such attacks are getting both more sophisticated, and more financially damaging to the victims of what is also known as “whaling”.
That’s according to California-based cybersecurity firm Symantec, which has noticed a steady rise in the sophistication of such attacks, which typically marry phishing-style emails to executives, with a high degree of social engineering.
It warns that access to powerful machine learning tools mean an arsenal of audio and video manipulation tricks may soon also become part of such attacks, which are typically highly personalised to draw the attention of executives.
The financial impact is rising steadily, it found. (Symantec also pointed to the FBI’s Internet Crime Report, published earlier this year, found that BEC attacks cost business $1.3 billion in losses in 2018 – sharply up from $60 million five years earlier.)
Symantec researchers found that businesses received “an average of five BEC scam emails each month during the past 12 months. This means each business had a 17 percent chance of getting at least one BEC email per month. In the previous 12 months, an organization would have received an average of four BEC emails per month.”