California City Loses $600K in Wire Transfer Phishing Scheme
In a news conference in March of 2022, Fresno California mayor, Jerry Dyer, confirmed that the city had been a victim of a phishing scam back in 2020. The phishing attack involved two invoices from a city contractor for construction work relating to one of the Fresno police stations. The first invoice was sent in January 2020 with the follow up sent two months later. The invoices looked identical to former invoices actually sent by the contractor previously except for one detail. The bank account number had been modified. The city responded to each invoice with a wire transfer payment that together totaled $613,737. Although the fraud was committed two years ago, the attack was never publicized. It was only after a recent public records request made by a local newspaper that the mayor called a press conference to confirm the attack and explain why it had been kept secret. The Fresno City Council first learned of the incident in 2021 when the mayor’s office requested additional funds to cover the shortfall. It is believed that a city council member shared an email pertaining to the incident with the local paper.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
The attack was discovered in April of 2020 only because the contractor threatened to abandon the project and walk off the site due to lack of payment. The incident was immediately reported to the Fresno Police Department. The case was eventually handed over to the FBI in November of 2020. The FBI requested that the mayor at the time keep the incident concealed to aid the investigation. Incoming mayor Dyer was first briefed about the phishing attack just prior to taking office at the start of 2021. The FBI believes that the city of Fresno was just one of several cities that fell victim to similar attacks, possibly from the same criminals. In 2019, the city of Ocala, Florida directed $742,000 to a fake bank account after receiving a construction invoice. About the same time, the city of Naples, Florida lost $700,000 in a similar attack. Just last year, the Erie County government in Pennsylvania was fooled by a phony construction invoice for $108,000.
|CONTAINMENT (If IoCs are identified)|
The mayor’s office announced that the city has taken steps to prevent similar incidents from occurring again. A new policy requires that the city confirm all large invoices by phone. While the city did have an insurance policy to cover such types of losses, it has not opted to file a claim for the attack yet. Later in 2020, the city paid the contractor the money owed.
According to the FBI, $221 million was lost to wire transfer fraud in 2019. Fortunately, there are basic steps you can take to prevent such attacks.
Ensure your Incident Response Readiness in the event of attack. Review your security and risk profile.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.