Arlington, Massachusetts, a town of about 40,000, recently awoke to a huge cyber crime problem: Business Email Compromise (BEC). Jim Feeney, Arlington’s town manager, described the crime in detail to his citizens.
In September of 2023, Town employees received legitimate emails from a known vendor working on the Arlington High School Building Project to discuss issues with payment processing. Unbeknownst to the Town, threat actors had already compromised a certain employee account and monitored emails.
They seized the opportunity to impersonate the vendor with an email domain that appeared genuine, requesting a change in their payment method from check to electronic funds transfer (EFT), a common method used by municipalities for ongoing payments. The scam was aided by fabricating and subsequently deleting emails from employee accounts, as well as creating inbox rules to manage and hide incoming messages.
Once the payment method was established, a series of four monthly payments were made. The monthly payments were diverted until the vendor reported not receiving payments in February 2024.
The damage? More than $445,000. During the subsequent investigations, the town’s bank recovered only $3,308, about 6% of Arlington’s loss. Insurance claims are ongoing. Arlington is not an isolated case, either. In 2023, the FBI’s Internet Crime Complaint Center received 21,489 BEC complaints, with losses totaling over $2.9 billion.
What can you do to prevent your organization from becoming a victim of Business Email Compromise?
Train Staff
- Regularly train all staff to recognize and report BEC scams. Watch out for:
- Unexpected requests for fund transfers, especially to new accounts.
- Sudden changes in payment instructions.
- Unusual secrecy or urgency in email communication.
- Email addresses that look slightly off, often by one letter or character.
- Misspellings and grammatical errors in emails.
Verify Requests
- Always verify fund transfer requests through a secondary channel, like a phone call to a known number for the requestor.
Email Security
- Use advanced email security systems that detect and block malicious emails.
Multi-Factor Authentication (MFA)
- Use MFA for ALL email accounts for added security.
Monitor Accounts
- Review account activity regularly for unauthorized access or transactions.
Update Software
- All software, especially email clients and browsers, should be updated regularly with the latest security patches.
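The inbox rules described in the Arlington case (deleting, parking and diverting vendor messages) leave traces in mailbox audit logs, and reviewing those traces is the practical side of "Monitor Accounts". The following is an added example, not code from the original post or from Commonwealth Sentinel: it scores inbox-rule events from a constructed, simplified JSON-lines audit log (the field names, folder list and sample addresses are assumptions, not any product's real schema) and reports the rule changes that look like mailbox tampering.

```python
import json

# Constructed sample events in a simplified JSON-lines layout, loosely modelled on
# mailbox audit logs. These are not real records from any product or from the town.
SAMPLE_AUDIT_LOG = """\
{"time":"2023-09-12T08:14:02Z","user":"ap.clerk@example-town.gov","operation":"New-InboxRule","params":{"Name":"Sync","From":"billing@vendor-example.com","DeleteMessage":"True"}}
{"time":"2023-09-12T08:15:40Z","user":"ap.clerk@example-town.gov","operation":"New-InboxRule","params":{"Name":"...","SubjectContainsWords":"payment;EFT","MoveToFolder":"RSS Subscriptions","MarkAsRead":"True"}}
{"time":"2023-09-13T10:02:11Z","user":"hr.lead@example-town.gov","operation":"New-InboxRule","params":{"Name":"Newsletters","From":"news@example.org","MoveToFolder":"Newsletters"}}
{"time":"2023-09-14T11:30:00Z","user":"ap.clerk@example-town.gov","operation":"Set-InboxRule","params":{"Name":"Sync","ForwardTo":"ap.clerk.backup@mail.example"}}
{"time":"2023-09-14T12:00:00Z","user":"ap.clerk@example-town.gov","operation":"MailItemsAccessed","params":{}}
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Actions that delete mail or send it out of the mailbox: strong signals on their own.
STRONG_ACTIONS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders people rarely open; a rule moving mail there is a classic hiding spot (assumed list).
PARKING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}
FINANCE_WORDS = {"payment", "invoice", "eft", "wire", "ach", "remit", "bank"}


def score_rule(user: str, params: dict) -> tuple[int, list[str]]:
    """Score one inbox-rule event; a score of 2 or more deserves an analyst's attention."""
    score, reasons = 0, []
    for action in sorted(params.keys() & STRONG_ACTIONS):
        score += 2
        target = params[action]
        # Forwarding to a domain other than the user's own is the bigger worry.
        if "@" in target and target.split("@")[1].lower() != user.split("@")[1].lower():
            reasons.append(f"{action} sends mail to external address {target}")
        else:
            reasons.append(f"{action} removes or diverts mail")
    if params.get("MoveToFolder", "").lower() in PARKING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely-read folder '{params['MoveToFolder']}'")
    words = set(params.get("SubjectContainsWords", "").lower().replace(";", " ").split())
    if words & FINANCE_WORDS:
        score += 1
        reasons.append("filters on payment-related subject words")
    if not params.get("Name", "").strip(" .,-_"):  # blank or punctuation-only rule names
        score += 1
        reasons.append("rule name is blank or punctuation only")
    return score, reasons


def find_suspicious_rules(log_text: str, threshold: int = 2) -> list[dict]:
    """Parse JSON-lines audit events and return rule changes scoring at or above threshold."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        if event.get("operation") not in RULE_OPERATIONS:
            continue  # skip non-rule events such as plain mailbox reads
        score, reasons = score_rule(event["user"], event.get("params", {}))
        if score >= threshold:
            hits.append({"time": event["time"], "user": event["user"],
                         "operation": event["operation"], "score": score, "reasons": reasons})
    return hits
```

Run `find_suspicious_rules(SAMPLE_AUDIT_LOG)` to see the three rule changes on the clerk's mailbox flagged while the HR newsletter rule passes; on real data, several hits on one account within a short window is the pattern to escalate.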
If you do suspect a Business Email Compromise attack, take the following steps:
Report Immediately
- Notify your IT department and bank as soon as you suspect an email compromise.
Contain and Investigate
- Change passwords, review account activity, and investigate the extent of the breach.
Notify Affected Parties
- Inform any customers, employees, or partners who may be affected.
Law Enforcement
- Report the incident to local law enforcement and cyber crime units.
Most of all, stay vigilant!
Do you prioritize your organization’s safety and security? Allow Commonwealth Sentinel to be your partner in risk reduction and ensuring the well-being of all. Our comprehensive services range from software and hardware solutions to training and policy implementation. Set up a free cyber security consultation or contact us at (502) 320-9885 to learn more about how we can help you achieve peace of mind.