The City of Griffin, Georgia, has revealed that it made two payments totalling $800,000 to scammers following a series of business email compromise attacks.
BEC campaigns are a form of phishing attack in which the cybercriminal impersonates a high-ranking member of an organisation, such as the CEO or CFO, to obtain sensitive information from employees at the company. This information, often login details or financial information, is then used for nefarious purposes.
The cybercriminals often hack the high-level executive’s email account through a targeted social engineering campaign, known as “spear-phishing”. This email account is then used to send a fake email to employees, often requesting them to submit certain pieces of sensitive information through a link embedded in the email. As the email appears to be sent from such a prominent figure, employees are often quick to respond. The hacker then harvests this information for their own use.
Often, BEC emails involve the hacker asking employees to transfer certain sums to an account controlled by the hacker. As the directive appears to come from a higher authority in the organisation, employees often comply without double-checking that it is a legitimate transaction.
In the Griffin case, the scammers impersonated a company called PF Moon, which provides water treatment services to the city. The hackers directed the BEC campaign at finance department official Chuck Olmstead. Olmstead received an email that appeared to have been sent from PF Moon requesting a change to its bank account information.
Two payments were subsequently made to that account, the first on June 21, 2019, and the second on June 26, 2019. The first payment was for $581,180.51 and the second for $221,318.78.
The scam was uncovered when PF Moon contacted the city to find out what had happened to its expected payments. The investigation revealed slight differences between the genuine emails from PF Moon and the one requesting the account change. The hackers had put a great deal of effort into mimicking legitimate correspondence to fool the employees.
The FBI is investigating the incident. The city has since stated it is confident the funds will be recovered. However, at the time of writing, none of the money has been traced.
Griffin City Manager Kenny L. Smith suspects the attackers had previously gained access to PF Moon's systems, as they knew detailed information about the company’s relationship with the city, the projects it was working on, the invoice amounts being charged, and the total cost of the project.
The City of Griffin has since implemented new policies to prevent future attacks from succeeding. These include introducing multi-factor authentication for payment changes so that any suspicious payments are immediately flagged.