By Bruce Sussman
Tue | Jun 18, 2019 | 3:14 PM PDT

Cyber criminals successfully phished a city government employee in the Toronto suburb of Burlington, Ontario.

And the hacker's efforts were worth more than $500,000 Canadian.

Popular BEC payment instructions scam works again

The city announced this was a case of "new payment instructions" from hackers who posed as a known and trusted city vendor:

"On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16."

This is an incredibly popular Business Email Compromise (BEC) tactic that we've written about in many cases.

This includes a Catholic church in the United States, which recently transferred more than a million dollars to hackers:

"On Wednesday, Marous Brothers [construction] called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed."

Unfortunately, those payments and confirmations were to a new account controlled by hackers.

Canadian city now doing what every organization should do

The most important thing we saw in the City of Burlington's statement on BEC compromise was this:

"... we put in place additional internal controls to prevent this from occurring in the future."

We've heard a thing or two about these controls and what they should be from security leaders we've interviewed at SecureWorld conferences, including in Toronto.

The biggest control is this: always pick up the phone and speak with a known contact. Confirm by voice before wiring money anywhere other than the account currently on file.

Even an email that appears to come from the "right person" may have been sent by hackers who have gained access to your organization's email system. In fact, this is often what happens.

And it is also why a request for the right amount of money, on the correct due date, seems so believable, even though it may be a request from hackers.
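One way to turn that voice-confirmation control into a hard gate inside a payments workflow, as an added example that is not code from the City of Burlington or from SecureWorld. The dataclasses, field names, the dual-control rule and the constructed "new payment instructions" scenario are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class VendorRecord:
    name: str
    bank_account: str
    phone_on_file: str      # number captured at vendor onboarding, never taken from an email

@dataclass
class BankChangeRequest:
    vendor_name: str
    new_account: str
    received_by: str        # staff member who received the request
    callback_number_in_email: Optional[str] = None   # attackers often supply their own number

@dataclass
class VoiceVerification:
    number_dialed: str
    confirmed_by_vendor: bool
    verified_by: str        # staff member who made the call

def approve_bank_change(req: BankChangeRequest, vendor: VendorRecord,
                        verification: Optional[VoiceVerification]) -> Tuple[bool, str]:
    """Allow a vendor bank-detail change only after an out-of-band voice check."""
    if verification is None:
        return False, "no voice verification on record"
    # The callback must go to the number already on file; a number quoted in the
    # request itself proves nothing, since the requester may be the attacker.
    if verification.number_dialed != vendor.phone_on_file:
        return False, "callback used a number not on file"
    if not verification.confirmed_by_vendor:
        return False, "vendor did not confirm the change"
    # Dual control (assumed policy): the person who received the request
    # must not be the one who verifies it.
    if verification.verified_by == req.received_by:
        return False, "same person received and verified the request"
    return True, "approved"

# Constructed scenario: an email asks to change a known vendor's bank account and
# helpfully includes a "new" phone number to call for confirmation.
VENDOR = VendorRecord("Example Paving Ltd", "CA-ACCT-0001", "+1-905-555-0100")
REQUEST = BankChangeRequest("Example Paving Ltd", "CA-ACCT-9999", received_by="ap.clerk",
                            callback_number_in_email="+1-905-555-0199")
CALLED_EMAIL_NUMBER = VoiceVerification("+1-905-555-0199", True, "ap.supervisor")
CALLED_NUMBER_ON_FILE = VoiceVerification("+1-905-555-0100", False, "ap.supervisor")
```

Calling the number quoted in the email "confirms" the change and is still rejected; calling the number on file reaches the real vendor, who denies ever asking for it.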

And that is all we're likely to find out about the Burlington BEC scam.

"To maintain the integrity of ongoing investigations, the City will not be commenting further at this time."

But the city said enough to remind other organizations to be more vigilant against this type of cyber attack. 

