Written by Insecurity of Everything: A Cybersecurity & Business Column, Kate Fazzini and John Shegerian
It’s back to school season and many of you may be relieved that this year feels a little more like “back to normal” than during the prior pandemic years. Still, a handful of school districts across the country will have to deal with a different kind of disruption due to cyberattacks. These damaging and, frankly, annoying incidents provide lessons well beyond the education world.
In one recent case, a Pennsylvania school district lost $13 million in state funds following a series of fraudulent wires, referred to by the FBI as a business email compromise. The funds were inbound to the Chester Upland School District from the state of Pennsylvania, and included numerous payments over two years from 2020 to 2021.
The attack style was simple and familiar: a fraudster gained access to the school district’s email system and, using a fake identity disguised as a school official, sent the Pennsylvania State Treasury Department a new bank account number, which was linked to an account held by the scammers. (According to reports, investigators have been able to recover about $10 million of the lost funds.)
This type of cyberattack is low-tech and has been around for a long time. In another common iteration of the scheme, a fake “employee” calls his or her human resources department and asks to change bank account details, netting the employee’s next paycheck. In another, an attorney’s email may be spoofed to trick a business owner into wiring a payment to a fake offshore account.
In all of these cases, a few basic human errors and an absence of the right monitoring technology can mean significant losses, sometimes in small, difficult-to-notice installments over a long period of time. Like the Chester Upland school district, numerous businesses and agencies have fallen victim to multiple wire frauds over a long period. In one case, a now-defunct commodities broker in New York was fined by the Commodity Futures Trading Commission for failing to supervise its fund administrator for a period of 21 days, leading to the loss of a significant portion of its investment portfolio to wire fraud.
There are several lessons to take away from the district’s back-to-school nightmare, as well as from these other victims. First, companies should closely evaluate and manage how they handle payments, and create opportunities for finance staff to recognize the signs of business email compromise early in the compromise process, before a transfer of money is at stake. Most of us are aware that many different parties and technologies are involved in managing money movement today, and at each step of the process there is an opportunity for a breakdown in security and commensurate fraud.
Second, establish a third-party oversight program that evaluates relationships with large suppliers, partners and technology providers for security risks and compromise. In the school district’s case, the state government and its payments technology providers could have received additional audits, and in the broker’s case, its fund administrator should have had clearer designated oversight.
Finally, training employees about wire fraud as a separate and distinct problem alongside the more general topic of “security awareness” can be helpful. From a triage point of view, wire fraud should be a top concern for all businesses because of the potential for losing large sums of cash instantly, as opposed to other types of compromise that don’t directly involve money and therefore don’t immediately harm operations. Training employees to clearly see that a transaction has the hallmarks of email compromise can save your business a lot of money and heartache.
Kate Fazzini is Director of Security Operations and Engineering at Ziff Davis; an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s book, The Insecurity of Everything.