Portland and Ottawa Victims of Wire Fraud

DESCRIPTION

The City of Portland, Oregon, announced on May 27th, 2022, that it had launched a cybersecurity investigation in relation to a fraudulent financial transaction of $1.4 million that took place in late April 2022. To date, city officials have determined that the unauthorized transaction was made using a compromised city email account. Though unrelated, a similar incident took place in Canada involving the City of Ottawa the same month. In this instance, the city reported a fraudulent transaction of $558,000 made on April 11 that was supposed to have been made to the local Salvation Army homeless shelter. The transaction was pulled off by the perpetrators shortly after they successfully compromised the Salvation Army’s systems. This is the second time that the City of Ottawa has fallen prey to this type of attack. In 2019, the city was scammed out of nearly $130,000 by a whaling scam (a type of email attack that targets high-level executives or the C-suite) in which the city’s treasurer responded to an email sent from the city manager asking that a financial transaction be sent.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

Portland officials became aware of the fraudulent transaction when the perpetrator attempted another transaction involving the same account on May 17th. In the Ottawa case, a city staff member noticed an irregularity with the payment made to the shelter and immediately contacted city leaders.

CONTAINMENT (If IoCs are identified)

After discovering the transaction discrepancy, the City of Ottawa took immediate legal action to recover the money lost in the fraud scheme. They contacted the local Ottawa police as well as the bank that handled the transaction. In addition, the Salvation Army has fully cooperated with the ongoing investigation. Thanks to the quick actions of Ottawa city managers, the city was able to recover nearly all the $558,000. While the money has been recovered, how the criminals were able to successfully pull off the scam is still under investigation. The City of Portland has not yet recovered its lost funds. An investigation involving the FBI, the U.S. Secret Service and the Portland Police Bureau remains ongoing. The city is also conducting an internal review of all its security policies and protocols to identify weaknesses and ensure that this type of incident does not occur again.

PREVENTION

Because wire fraud is so prevalent in this digital age, all organizations need to have policies and procedures in place to prevent these types of transaction scams.

  • Call verifications should be required for all large financial transactions over a set dollar amount. This should also be the case when employees request a change to their direct deposit accounts. Calls should be made to a documented number and not to numbers listed in the invoice, email, or paperwork for the transaction request.
  • A policy should be in place to authenticate all new vendor requests that need to be inputted into the financial system. This includes a call verification to a published phone number.
  • All large financial transactions should require the consent of at least two staff members and be broken into segregated steps that involve more than one staff person.
  • Most email systems today have a policy that IT can implement that identifies an email as external to the organization. This will alert a user to a basic phishing attempt in which the email appears to be that of an internal staff member but is being sent from outside the organization.
  • Multifactor authentication (MFA) should be required for all staff who are involved in financial transactions. Ideally, this should be required for all employees in general when checking their email off premises.
  • User training is essential today to ensure that all employees understand how email scams work. Users should learn the skills needed to identify suspicious transfer requests. Staff members should be instructed to report any suspect transaction to a higher-level manager.
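
The external-email identification described in the list above can be sketched as follows. This is an added example, not part of the original advisory or any mail product's own code; the domain `city.example`, the staff names, and the sample messages are constructed assumptions. Beyond tagging, it also flags a staff display name on an outside address and a Reply-To that points to a different domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organization's mail domains and a small
# directory of staff display names (all values constructed).
INTERNAL_DOMAINS = {"city.example"}
STAFF_NAMES = {"pat morgan", "lee alvarez"}
TAG = "[EXTERNAL] "

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def classify(raw):
    """Return (tagged_subject, findings) for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    findings = []
    external = _domain(addr) not in INTERNAL_DOMAINS
    if external:
        findings.append("external-sender")
        # Display name of a staff member on an outside address: the
        # impersonation pattern the external banner is meant to expose.
        if " ".join(name.lower().split()) in STAFF_NAMES:
            findings.append("staff-name-on-external-address")
        if not subject.startswith(TAG):
            subject = TAG + subject
    # Replies diverted to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to-domain-mismatch")
    return subject, findings

# Constructed sample messages.
SPOOFED = ('From: "Pat Morgan" <pat.morgan@city-example.test>\n'
           "Subject: Urgent wire transfer\n\nPlease send today.\n")
GENUINE = ('From: "Pat Morgan" <pat.morgan@city.example>\n'
           "Subject: Budget meeting\n\nSee you at 3.\n")
DIVERTED = ('From: "Lee Alvarez" <lee.alvarez@city.example>\n'
            "Reply-To: lee.alvarez@mailbox.test\n"
            "Subject: Updated bank details\n\nUse the new account.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE, DIVERTED):
        print(classify(sample))
```

A message sent from a genuinely compromised internal account passes all of these checks, which is why the call-verification and two-person approval items in the list still apply.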

Ensure your Incident Response Readiness (IRR) in the event of attack. Review your security and risk profile.