FBI Issues Alert on Rise in Business Email Compromise Attacks on State and Local Governments

In a Private Industry Notification dated March 17, 2021, the Federal Bureau of Investigation (FBI) warned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities increased from 2018 to 2020. Losses from these attacks ranged from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages that impersonate the account owner in order to persuade the target to carry out a fraudulent transaction. The compromised account is frequently used to send messages to the payroll department to change employee direct deposit details, or to people authorized to make wire transfers to request changes to bank account information or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received reports of 19,369 BEC attacks, with losses of approximately $1.9 billion. The following are a few examples of BEC scams:

In July 2019, a small city government lost $3 million after being deceived by a spoofed email that appeared to come from a service provider and asked for a change to their payment account.

In December 2019, the email account of a financial manager at a government agency of a US territory was compromised and used to send 146 messages to government agencies containing information about financial transactions. A number of these requests were queried by email, and the scammer intercepted and answered those emails. Altogether, $4 million was transferred to the attacker's account.

Aside from the financial losses, the attacks damage the operational capabilities of SLTT government organizations, harm their reputations, and can also lead to the loss of sensitive data such as PII, banking data, and employment records.

BEC scammers can readily research targets and learn SLTT operating details and information about vendors, suppliers, and providers from open sources. Gaining access to email accounts is simple because the target's email address can be easily found, and phishing kits for harvesting credentials are available at low cost on the darknet.

Once an email account is accessed, the scammer mimics the writing style of the account holder and usually hijacks message threads. The scam may span a number of messages in which the target believes they are conversing with the true account owner when they are actually communicating with the attacker.

The FBI explains that BEC scammers usually target SLTT government entities with poor cybersecurity standards and exploit those that do not provide enough training to their employees. The shift to remote work as a result of the pandemic has also made things much easier for the fraudsters.

In 2020, CISA ran phishing simulations with SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on malicious links. The click rate of 13.6% suggests that security awareness training is not teaching employees about the threat of email-based attacks, and shows the importance of “defense in depth mitigations.”

The FBI advises ensuring that all workers receive security awareness training, fully understand BEC attacks, and know how to recognize phishing and fake emails. Workers need to be taught to carefully verify email messages that request advance payments, changes to bank account details, or sensitive information. Policies and procedures must be enforced that require any bank account change or transaction request to be confirmed by phone call using a verified number, not contact details given in the email.

Additional measures that should be considered include implementing multi-factor authentication on email accounts, running phishing simulations, disabling automatic email forwarding, monitoring email Exchange servers for configuration changes, adding banners to emails that come from external sources, and using email filtering solutions.
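As an added illustration (not code from the FBI alert or this article), the Python sketch below shows how a mail filter could apply the external-sender banner and flag payment-change requests for phone verification. The organisation domain, keyword list, and sample messages are constructed assumptions, and the Reply-To mismatch check is a common filtering heuristic that the article does not itself list.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "cityhall.example"  # assumption: the organisation's mail domain
BANNER = "[EXTERNAL] This message came from outside the organisation.\n\n"
# Constructed keyword list for the request types the article says to verify.
PAYMENT_TERMS = ("bank account", "direct deposit", "wire transfer", "payment")

# Constructed sample messages (not taken from the FBI alert).
SAMPLE_VENDOR = (
    "From: Accounts <billing@vendor-payments.example>\n"
    "Reply-To: billing@vendor-paymemts.example\n"
    "Subject: Updated bank account for invoices\n"
    "\nPlease use the new account for all future payments.\n"
)
SAMPLE_INTERNAL = (
    "From: clerk@cityhall.example\n"
    "Subject: Council minutes\n"
    "\nMinutes attached.\n"
)

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def review(raw, org_domain=ORG_DOMAIN):
    """Return (flags, body) for one single-part plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    text = ((msg["Subject"] or "") + " " + body).lower()
    if sender != org_domain:
        # Exact-match comparison; subdomains would need an allow-list.
        flags.append("external")
        body = BANNER + body
    if reply_to and reply_to != sender:
        # Replies would go to a different domain than the visible sender.
        flags.append("reply-to-mismatch")
    if any(term in text for term in PAYMENT_TERMS):
        # Route to the phone-verification procedure before acting.
        flags.append("payment-change-request")
    return flags, body

if __name__ == "__main__":
    for sample in (SAMPLE_VENDOR, SAMPLE_INTERNAL):
        print(review(sample)[0])
```

A message carrying the `payment-change-request` flag is one that should go through the call-back procedure described above rather than being actioned from the email alone.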

Further steps that can be taken to prevent and detect BEC attacks are described in the FBI Alert.