It all seemed so routine. For officials of both the Henderson (TX) and Boulder Valley (CO) public school districts, the email they received from an existing construction vendor asking them to update their automated payments to new bank information seemed nothing out of the ordinary.
Only when vendors began to inquire about the status of payments that the districts had sent did the districts realize that the routine change had made them the victims of a scam known as a BEC, or Business Email Compromise.
In each case, the losses ran into the hundreds of thousands of dollars before being discovered. Henderson ISD lost approximately $610,000 to the hackers and Boulder Valley Public Schools lost approximately $870,000. The fiscal hit was accompanied by reviews of and changes to their operating procedures to ensure that such a loss wouldn’t happen again in the future.
While the districts tied their losses to public transparency, since information about the vendors and the scope of work each was involved with was available on their websites, government officials said that such schemes are typically quite sophisticated and are ongoing long before any request for money, in order to establish a level of trust with their victims.
Secret Service Agent Bill Mack, speaking to the Tyler Morning Telegraph, noted that “[w]e’ve seen an uptick in the number of cases…Contact is often made long before the request for money. Criminals will use a compromised network to gather information about the target. Then, appearing to be a legitimate representative of the vendor, they will often request a simple change in account numbers.”
With FBI estimates putting the annual cost of cybercrime at over $2 billion, and those losses only partially recovered through either the efforts of law enforcement or insurance, it’s important to recognize that as scammers and hackers expand beyond the tired trope of the 419/Nigerian Prince, they’re now targeting new avenues, such as governmental entities and private associations (perhaps even your local real estate board/association).
While professional associations have been the targets of hackers since at least 2010, according to Ed Schipul, they’re coming under increasing levels of attack.
As professional members of an organization, we depend on its advice, counsel, and information about upcoming trends and events. We rely on the communication we receive from it to be timely, accurate, and, most importantly, not harmful to us, professionally or personally.
Assuming that the associations themselves are taking steps to protect their cybersecurity, how do we, as members, protect ourselves from hackers?
The Federal Deposit Insurance Corporation (FDIC) has tips on staying safe from hackers in an ever-connected world:
• Be suspicious if someone contacts you unexpectedly online and asks for your personal information.
• Only open emails that look like they are from people or organizations you know, and even then, be cautious if they look questionable.
• Be especially wary of emails or websites that have typos or other obvious mistakes.
• Verify the validity of a suspicious-looking email or a pop-up box before providing personal information.
• Don’t immediately open email attachments or click on links in unsolicited or suspicious-looking emails.
• Install good anti-virus software that periodically runs to search for and remove malware.
• Be diligent about using spam (junk mail) filters provided by your email provider.
• Don’t visit untrusted websites and don’t believe everything you read.
• Criminals might create fake websites and pop-ups with enticing messages intended to draw you in and download malware.
In the case of the districts, one measure that was implemented in each is worth remembering in a click-and-send era: they promised to have their respective staffs pick up the phone and call the vendor whenever any type of banking information change was requested, to verify the request before acting on it.
When dealing with our associations, if we receive an email or other outreach that seems out of character for them, it’s a good reminder to call and ask them if they’d intended to send it out before we take electronic action.