Police and the FBI have launched an investigation into an email phishing scam that cost a school district millions of dollars. The scam began when a district construction vendor’s email account was compromised; attacks of this type are typically called “vendor email compromise” or “business email compromise.” Phishing emails were sent periodically, on different dates and at different times, to teachers and faculty from the vendor’s actual email address. Once the hacker gained access to the email system, they were able to change the payment account routing numbers for the transactions. Three separate transactions had already occurred before the fraud was detected; by then the district had been duped out of several million dollars.
- Never respond to or click on links provided in emails without confirming the source.
- Never click on or download any attachments coming from an unknown email address.
- Always hover over links in an email to ensure the URL is legitimate.
- If the email is from a vendor, make sure the address matches any emails you may have received from them in the past.
- Verify the person you are emailing is who they say they are. You can do this either by composing a separate email to that person or calling them directly to confirm that the email was legitimate.
How was the fraud detected?