A Philadelphia food bank has been scammed out of nearly $1m following a classic business email compromise (BEC) attack, it has emerged.
Philabundance is the region’s largest hunger-relief organization and receives tens of millions of dollars in donations every year.
Earlier this year, it was in the process of completing a new $12m community kitchen, which is when it was sent an invoice by what managers thought was a construction company supplier.
However, the email was in fact spoofed by attackers and the $923,533 was lost, according to The Philadelphia Inquirer. To make matters worse, the organization then had to find the same amount again to pay the legitimate supplier.
It appears that the non-profit was hit by a classic BEC scam, in which attackers compromise an employee's email account and then silently monitor the messages sent back and forth.
They then step in to send a spoofed invoice, purporting to come from a legitimate supplier, at the time a real one is expected, so as not to raise an alarm at the victim organization. The attackers also delete certain emails to cover their tracks.
The FBI issued a warning last week that organizations should switch off automatic email forwarding to external addresses, as attackers frequently create such rules in compromised inboxes to copy messages to accounts they control.
It added that in some cases IT administrators do not sync web and desktop email clients, so a forwarding rule created through the web client does not appear in the desktop client, and security teams cannot see when remote workers, or attackers, change mailbox rules.
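The FBI advice above amounts to a concrete check: pull every inbox rule from the mail platform and flag the ones that forward outside the organization, especially those that also filter on invoice or payment keywords or delete the message afterwards. The script below, an added example rather than code from the article or the FBI, does that over a constructed export of inbox rules. The field names (`forward_to`, `subject_contains`, `delete_message`) and the domain `example.org` are assumptions for illustration, not any vendor's schema; in practice you would feed it whatever your platform exports (for Exchange Online, for instance, the output of `Get-InboxRule`).

```python
"""Flag inbox rules that auto-forward mail outside the organization.

Added example; not code from the article or from any mail vendor. The
rule records and their field names are constructed for illustration and
are assumptions, not a real mail platform's export schema.
"""

# Assumption: the organization's own domains; anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Keywords attackers commonly filter on when staging invoice fraud.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank"}

# Constructed sample export: two ordinary rules and one that matches the
# pattern described in the article (external forward, evidence deleted).
SAMPLE_RULES = [
    {"mailbox": "ap@example.org", "name": "Route vendor invoices",
     "subject_contains": ["invoice"], "forward_to": ["ap-team@example.org"],
     "delete_message": False},
    {"mailbox": "ap@example.org", "name": ".",
     "subject_contains": ["invoice", "payment", "wire"],
     "forward_to": ["ap.example.org@gmail.com"], "delete_message": True},
    {"mailbox": "ceo@example.org", "name": "File newsletters",
     "subject_contains": ["newsletter"], "forward_to": [],
     "delete_message": False},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is not ours; our subdomains count as ours,
    but look-alikes such as example.org.evil.com do not."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d)
                   for d in internal_domains)


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return a finding for every rule that forwards externally, high first."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if is_external(a, internal_domains)]
        if not external:
            continue  # only external forwarding is in scope here
        reasons = [f"forwards to external address(es): {', '.join(external)}"]
        keywords = {k.lower() for k in rule.get("subject_contains", [])} & FINANCE_KEYWORDS
        if keywords:
            reasons.append(f"filters on finance keywords: {', '.join(sorted(keywords))}")
        if rule.get("delete_message"):
            reasons.append("deletes the message after forwarding")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        # An external forward alone deserves a look; combined with finance
        # filtering, deletion or a throwaway name it matches BEC tradecraft.
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] {finding['mailbox']} "
              f"rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, only the second rule is reported: it forwards the accounts-payable mailbox's invoice, payment and wire traffic to a Gmail address named to resemble the organization, deletes the originals, and has a one-character name so it is easy to miss in a rule list. The domain check deliberately treats `sub.example.org` as internal and `example.org.evil.com` as external, since look-alike domains are a staple of this kind of fraud.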
BEC netted scammers $1.8bn in 2019, over half of the $3.5bn in losses reported for all cybercrime that year, according to the FBI.
Colin Bastable, CEO of Lucy Security, argued that policies for supplier payments should be updated to limit the number of individuals authorized to make them, and to require additional authorizations from senior managers and the supplier itself for large sums.
“The Philabundance attack checks all the boxes of a successful BEC scam: in-depth research to identify the target, social engineering exploits to penetrate the network, creation of a fake invoice from a known email address and the request to wire funds to a phony bank account,” he said.
“BEC scams cleverly play on two glaring human vulnerabilities: an employee’s susceptibility to social engineering, and their unquestioning trust in the chain of command. The best way to help prevent these types of attacks is to provide regular security training for employees, and establish specific business and financial policies for company payments.”