University loses $1.9M in single phishing email scam

Are phishing scams one of the things that keep you up at night? Might it be because you know how easy it is to lose almost $2 million, or how easily a single user can undo every security measure you have in place?

As it turns out, Southern Oregon University found out just how painful a phishing scam can be after a user was duped into wiring money into the wrong bank account – to the tune of $1.9 million.

The accounts payable department received an email asking it to update the bank account on file for a contractor doing work at the school, finishing a pavilion and a student recreation center on campus. The user did their job and updated the account information, so the next payment to the contractor went to the new account.

Except the email was a fake, and the people who sent it were scammers posing as the contractor. The university only found out when the contractor notified it that it hadn't been paid for its work.

At that point, IT was able to recognize that the sending address was a fake, but it was too late to recover the almost $2 million. After the incident, the FBI got involved, sharing that the university was one of 78 victims of a similar attack.

The method is usually the same. The scammers figure out who the school is doing business with, or has done business with in the past. Then they send an email to whoever handles accounts payable asking to update the account on file. The sender's address closely resembles the legitimate business's, differing only by a hyphen or an extra word somewhere in the domain.

It's close enough to fool the accounts payable departments of almost 80 universities.

This type of attack isn't unique to schools, either. Make sure users have a list of verified vendor email addresses on file, and that mail from any other address is either flagged or never reaches users' inboxes at all. Also check that the server the email was sent from is the same one the vendor has always used; a message that arrives from a new mail system at the same time it asks for a new bank account deserves extra scrutiny, even if the company really did change its email provider.
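The following Python script is an added example and is not code from the article or from the university; it shows how the two checks above (a verified-vendor list with lookalike-domain detection, and a comparison of the sending server against the one the vendor used before) can be applied to a raw message. The vendor domain, its mail host, and both sample messages are constructed for the example. It reads only the topmost Received header and does no SPF or DKIM evaluation, which a production filter would add.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed allowlist (assumption): vendor domains accounts payable has verified
# out of band, each with the mail host that vendor was last seen sending from.
VERIFIED_VENDORS = {
    "pavilionbuilders.com": "mail.pavilionbuilders.com",
}


def _edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _label(domain):
    """Second-level label with hyphens removed: 'pavilion-builders.com' -> 'pavilionbuilders'."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


def lookalike_of(domain):
    """Return the verified vendor domain that `domain` imitates, or None if unrelated."""
    if domain in VERIFIED_VENDORS:
        return None
    cand = _label(domain)
    for real in VERIFIED_VENDORS:
        base = _label(real)
        # A hyphen insertion collapses to an exact match, an appended word ("inc",
        # "billing") leaves the real name as a substring, a typo is a small edit away.
        if base in cand or _edit_distance(base, cand) <= 2:
            return real
    return None


def sending_host(msg):
    """Host named in the topmost Received header, i.e. the server that handed us the message."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"from\s+([\w.-]+)", str(received[0]))
    return m.group(1).lower() if m else None


def assess(raw):
    """Classify a raw RFC 5322 message as ('deliver' | 'flag' | 'quarantine', reasons)."""
    msg = message_from_string(raw, policy=default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ret_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    host = sending_host(msg)
    reasons = []

    if from_domain in VERIFIED_VENDORS:
        # Known vendor: still insist the message arrives the way it always has.
        expected = VERIFIED_VENDORS[from_domain]
        if host != expected:
            reasons.append(f"verified vendor but sent via {host}, expected {expected}")
        if ret_domain and ret_domain != from_domain:
            reasons.append(f"Return-Path domain {ret_domain} differs from From domain")
        return ("flag" if reasons else "deliver"), reasons

    target = lookalike_of(from_domain)
    if target:
        reasons.append(f"{from_domain} looks like verified vendor {target}")
        return "quarantine", reasons
    reasons.append(f"{from_domain} is not a verified vendor")
    return "flag", reasons


# Constructed sample messages; hosts and IPs are documentation placeholders.
LEGIT = """\
Return-Path: <ar@pavilionbuilders.com>
Received: from mail.pavilionbuilders.com (mail.pavilionbuilders.com [192.0.2.10]) by mx.example.edu
From: Accounts Receivable <ar@pavilionbuilders.com>
To: accounts-payable@example.edu
Subject: Invoice 1042

Invoice attached, due on the usual terms.
"""

SCAM = """\
Return-Path: <ar@pavilion-builders.com>
Received: from mail.cheapmailhost.example (203.0.113.5) by mx.example.edu
From: Accounts Receivable <ar@pavilion-builders.com>
To: accounts-payable@example.edu
Subject: Updated banking details

We have changed banks. Please update the account on file before the next payment.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("scam", SCAM)):
        verdict, why = assess(raw)
        print(f"{name}: {verdict} {why}")
```

The legitimate invoice is delivered; the hyphenated lookalike is quarantined before it reaches accounts payable; and a message from the real vendor domain that suddenly arrives through a different mail host is flagged rather than silently delivered, which is exactly the case where a phone call to a number already on file should settle whether the vendor changed anything.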

And as always, asking for proof and verifying the request through a channel you already trust can't hurt. After all, the cost of not double-checking could be the next $2 million mistake.

  • This phishing scam could have been avoided with a simple installation of a Chrome extension called ScamBlockPlus