CEO fraud villain posed as a contractor
Months after a classic CEO fraud scam took Galveston County, Texas, for $525,000, County Judge Mark Henry is now asking the County Auditor and Purchasing Agent to resign.
It’s one of the easiest scams to pull off – do a little homework and identify a contractor working for a business or government with lots of money, impersonate someone from the contractor’s accounting department, and send an email to the victim organization asking for a bill to be paid. In the case of Galveston County, this is pretty much as sophisticated as it got. The scammer pretended to be working for Lucas Construction, a Houston company doing road work for the county.
Look for the red flags
And just as the CEO Fraud is relatively easy to run, it’s usually just as easy to spot – a spoofed email address, poor writing skills, and the request to use alternate banking details. These red flags should put a halt to any requests for money and, at the least, require a phone call.
It is this kind of thinking that has County Judge Mark Henry calling for County Auditor Randall Rice and County Purchasing Agent Rufus Crowder to be held responsible for the fraudulent electronic payment, and for their resignations.
The scammer created email accounts to pose as both a county employee and a Lucas Construction representative. Using the county's own forms, the request to change banking details was submitted… and processed. From that point on, every payment that would have gone to Lucas Construction by check was instead transferred electronically to the scammer's account. The County had no process for validating banking details.
Any time there is a change to how a vendor gets paid, it needs to involve some form of verification of the banking change and, most importantly, a phone call to a known contact at the company requesting the change, using the number already on file rather than one supplied in the request.
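To make that control concrete, here is an added example (not code from the original post, KnowBe4 or Galveston County) of a vendor bank-change approval check: the sender's domain is compared with the vendor master record, and the change is applied only after a callback to the phone number already on file, never to a number supplied in the request. The vendor names, domains, phone numbers and account identifiers are constructed sample values.

```python
"""Vendor bank-detail change control with out-of-band verification.

Hypothetical example: the vendor master record is the only trusted source
for the callback number; the request itself is untrusted input.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """Entry in the vendor master file (constructed sample data in tests)."""
    name: str
    email_domain: str
    callback_phone: str   # known contact number, never taken from a request
    bank_account: str


@dataclass(frozen=True)
class BankChangeRequest:
    """Incoming request to change how a vendor is paid (e.g. an emailed form)."""
    vendor_name: str
    sender_email: str
    new_bank_account: str
    phone_in_request: str


@dataclass(frozen=True)
class Callback:
    """Record of the verification phone call the payer actually made."""
    phone_dialed: str
    confirmed: bool


def red_flags(vendor: VendorRecord, req: BankChangeRequest) -> List[str]:
    """Cheap checks that must stop automatic processing of a bank change."""
    flags = ["banking details change requested; out-of-band verification required"]
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not the vendor's {vendor.email_domain!r}")
    if req.phone_in_request != vendor.callback_phone:
        flags.append("request supplies a contact number that differs from the master record")
    return flags


def apply_bank_change(vendor: VendorRecord, req: BankChangeRequest,
                      callback: Optional[Callback]) -> VendorRecord:
    """Return the updated record, or raise if verification was inadequate."""
    if req.vendor_name != vendor.name:
        raise ValueError("request does not match the vendor record")
    if callback is None or not callback.confirmed:
        raise PermissionError("bank change not confirmed by phone")
    if callback.phone_dialed != vendor.callback_phone:
        raise PermissionError("callback used a number not on the vendor master record")
    return VendorRecord(vendor.name, vendor.email_domain, vendor.callback_phone,
                        req.new_bank_account)
```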
Could have been avoided
Unfortunately, cybercriminals don’t simply stick to wire fraud; they use any social engineering tactic possible to get your users to fall victim to their scams. Users in any role within the organization are at risk of malware attacks, ransomware, cryptojacking, and, yes, banking fraud. Educating users with Security Awareness Training is an effective way to elevate their sense of risk when interacting with email and the web, causing them to scrutinize anything that looks abnormal.
There were signs that the Galveston attack was a scam; educating users to have a security mindset and to know what to look for could have made the difference.
—
Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/judge-calls-for-county-officials-to-resign-after-falling-victim-to-a-500k-email-scam. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.