MacEwan University’s Epic Fail: Business Email Compromise (BEC) Claims Another Victim
There have been few attacks in the last five years that have been more success overall and on average than the phishing campaigns that have run rampant through the global email systems. The users seem to want to click, click, click, and click again on the links and images. In the newer variants, the user is directed to a URL to enter into their web browser as an additional attack vector. This may be directly noted in the email, or a PDF that is partially obscured, with the URL to venture to in order to retrieve the document intended for the user.
The corporate environment can introduce and have training on what to be wary of in these emails, forward email alerts to current scams with or without examples, posters at the offices and cafeteria stating the obvious things to look for, and unfortunately there will be a subset of users that will click or click multiple times on a phishing email. After this activity, the user may feel embarrassed or they will be ostracized and not immediately tell the InfoSec team, which only further exasperates the situation. The general format for these attacks have been general phishing or spear phishing emails. There are subtle varieties of these, modifying the target or delivery, however the intent and initial delivery methodology are mundane.
With the overall phishing campaigns, one form has been exceptionally profitable for the phishers in the last three years. The emails do have to be customized, however it merely takes on hapless finance or accounting staff member to ruin the week or quarter by relying on this. The amounts fraudulently obtained have ranged from tens of thousands of dollars to several million.
Here comes MacEwan University. On August 23rd of this year, the University detected the issue. The phishers sent a series of emails which convinced the staff to change the bank routing number from the one they had been using for one of their primary vendors. The phishers worked to take the identity of the University’s primary vendor through a series of emails. The end, detrimental result was $11.8 million in Canadian dollars of the University’s funds were transferred to a Canadian bank and subsequently to Hong Kong. This is not the smallest or largest sum fraudulently obtained via this form of attack, however it is rather significant.
One action which could have been taken to derail this fraudulent activity would have been simple communication. After the demanding emails being received notifying the person to change the bank routing number were received, a simple phone call by the University staff member to the vendor would have ceased this. Having a bank routing number change is not a normally occurring event. This generally is an anomaly, which may warrant a simple follow up act. Although the regular training, email alerts, and other cybersecurity activities do not guaranty this will be found, it certainly is a help and diminishes the pool of potential people that may be successful with. As a lesson, training is beneficial, however it is still the user that makes the choice to click. If the user has even a not significant level of concern, a simple phone call should be made.
Zorz, Z. (2017, September 1). Canadian university scammed out of $11.8 million. Retrieved from https://www.helpnetsecurity.com/2017/09/01/university-scam/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.