A phishing scam cost Texas’ Henderson Independent School District (HISD) more than $600,000. On September 26, 2018, the HISD sent an electronic payment for construction work, but the payment never reached the construction company. The school district had become the victim of a BEC (business email compromise) attack, and the payment went to a fake account. The incident is being investigated by the local police and the U.S. Secret Service.
What is a BEC?
A BEC is a form of phishing, one of the oldest hacking methods used by cyber criminals. Phishing attempts to trick people into divulging sensitive information that can compromise their (or their organization’s) security. Moreover, successful phishing attacks deliver an enormous return on investment, which has motivated criminals to create increasingly sophisticated and creative phishing ‘lures’.
As a result of the attack, Keith Boles, superintendent at the HISD, said, “We have suspended all ACH payments to vendors and will simply reimburse them through checks.”
U.S. law enforcement on phishing scams
“We’ve seen an uptick in the number of cases here in East Texas,” said Special Agent Bill Mack, U.S. Secret Service. “Contact is often made long before the request for money. Criminals will use a compromised network to gather information about the target. Then, appearing to be a legitimate representative of the vendor, they will often request a simple change in account numbers.”
According to the FBI, over the past five years, there have been 78,617 domestic and international BEC incidents, costing $12,536,948,299.
Don’t become a victim of a phishing attack
Protecting your organization needn’t be expensive or complicated. IT Governance USA offers courses to help you learn how to avoid an attack:
This course will help you and your team understand how phishing attacks work, the tactics that cyber criminals employ, and easy ways to spot and avoid a phishing campaign.
This ten-minute course provides employees with an introduction to phishing and ransomware, and what they need to be aware of to help prevent attacks.