Scammers were successful in tricking employees of the City of Saskatoon, Canada into sending a little over $1 million to an attacker-controlled account. The city fell victim to the business email compromise (BEC) when attackers impersonated the Chief Financial Officer of Allen Construction, a contracting firm, by taking legitimate invoices and changing the account receivable to the attacker’s accounts. These documents were targeting employees of the city’s financial department who authorize payments. The issue was found on August 12th and authorities were notified. Currently, most of the funds have traced to 10-15 different accounts that were seized by court order. It is estimated that the city will recover most, but not all, of the stolen funds. BEC scams will continue to target organizations and have caused over $1.2 billion in losses in the US alone. Most BEC scams are carried out by groups of attackers and not a single individual. One BEC group started as a single person operation to a gang of over 35 members. There are multitudes of these groups across the world.
Users who receive emails stating that payment details have changed should verify that these are legitimate through phone calls of emails sent to the contact person of the organization requesting payment. Organizations should provide training on basic cybersecurity training that is updated on a routine basis.