The City of Burlington, Ontario, revealed Thursday that it fell prey to “a complex phishing email” that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released. “To maintain the integrity of ongoing investigations, the City will not be commenting further at this time,” it announced.
Although the City describes the incident as a phishing fraud, it bears all the hallmarks of the business email compromise (BEC) genre of phishing.
“On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor,” the announcement reads. “The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16.”
Neither the name of the staff member nor the department he or she worked in has been revealed, although it is clear that his or her position is senior enough to authorize large payments on behalf of the City.
Burlington mayor Marianne Meed Ward commented, “This was a case of online fraud with falsified documents at a level of sophistication not typically seen and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities — so that no one becomes a victim of this type of criminal activity.”
“Humans remain the weakest link in any organization,” commented Ilia Kolochenko, founder and CEO of ImmuniWeb. “Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cybercriminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity. Organizations of all sizes should continuously invest in their human capital via security training and security awareness seminars.”
Municipalities have, for this very reason, become prime targets for cybercriminals over the last few years. It is tempting for politicians to spend available funds on something visible to the people rather than unseen cybersecurity defenses. In the long run, this is a false economy. The City of Atlanta declined to pay a ransom of around $50,000 in March 2018 — but subsequently had to pay $2.7 million to contractors to help with recovery, and later estimated that it would need a total of $9.5 million.
BEC is a major and growing threat to organizations of all sizes. Criminals forge or take over email accounts to send authentic-looking emails to senior management, requesting (usually, urgently) that funds be wired to a fake bank account. In April this year, the latest U.S. Internet Crime Report from the FBI revealed that there were more than 20,000 victims of BEC and email account compromise (EAC) during 2018 — with a total loss of $1.298 billion.
Nevertheless, despite the frequency of BEC attacks, the Burlington fraud is one of the largest single reported frauds to date. Between 2013 and 2015, a Lithuanian citizen used BEC against Facebook and Google employees, and stole in excess of $100 million. In this case, most of the money was recovered, and the perpetrator was arrested in March 2017.
BEC is expected to increase. In most cases, it is high return and low risk for the attacker. At the time of the publication of this year’s Verizon DBIR, Alex Pinto, head of Verizon security research, told SecurityWeek, “why bother hacking companies when we can just email the CFO and get him to send us money?”