Texas county almost lost $880,000 in phishing scam

Harris County in Houston, Texas is tightening its cybersecurity measures after falling victim to a phishing attack last year. The incident occurred in September, just after Hurricane Harvey swept the state.

A county employee received a sequence of emails from someone claiming to be an accountant with D&W Contractors, Inc, a contractor making repairs and cleaning up in the aftermath of the hurricane. The bogus emails requested payment into a new bank account for the work that had been carried out.

On October 12, a transfer of $880,000 was made, and it wasn’t until the next day that Harris County was informed that the account did not actually belong to the contractor. Fortunately, the money was recovered. An investigation has been launched to determine who is responsible.

The incident has sparked debates on cybersecurity and financial security within the county, which is the third-largest in the US. Cyber attacks are becoming more sophisticated and are taking advantage of vulnerabilities, including untrained staff. Harris County is said to be reviewing its cybersecurity controls, and has already provided staff with additional training to reduce the risk of future threats. To some, however, this is not enough.

Harris County Judge Ed Emmett said:

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you. I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

This follows a report that found that 90–95% of all successful cyber attacks around the world begin with a phishing email. All organizations need to take notice and train their employees because attackers are indiscriminate. Attacks are increasing in both volume and sophistication, so now is the time to act by implementing precautionary measures.

How to protect your organization from phishing attacks

No matter how effective your spam filter is, a spoof email could bypass it, making your organization’s staff the last line of defense against fraud. It is, therefore, vital that your staff are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training all your staff with minimal disruption.

To establish how vulnerable your organization is to the threat of phishing, consider our Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns. It can help you to:

  • Satisfy compliance and regulatory requirements
  • Adapt future testing to areas and employees at greatest risk
  • Reduce the number of employee clicks on malicious emails

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems.
