22 Social Engineering Red Flags

Posted on: Jun 20th, 2017

Mail Tribune reported that Southern Oregon University is just the latest victim of CEO fraud (which the FBI calls Business Email Compromise or BEC) after hackers used social engineering to trick university employees into transferring money into one of the bad guys' controlled bank accounts.

University officials announced on Wednesday that in late April, they wired $1.9 million to what they thought was Andersen Construction, a contractor they had hired to construct a pavilion and student recreation center. However, the construction company reported three days later that they never received their payment.

A recent FBI Public Service Announcement about fraudsters targeting universities and their students appears to have been issued due to the SOU case.

The FBI PSA explains how many universities are frequently engaged in large construction projects that require regular and very large electronic payments. If criminals can identify which construction companies are involved (which is normally very easy), it's a matter of sending spear phishing emails that use social engineering and spoofed emails to target individuals responsible for making payments.

The FBI describes in further detail how this type of BEC happens:

  • The scammer, posing as an established vendor, sends an e-mail to the university’s accounting office with bank account changes to be used for future payments.
  • Typically, it is an individual purporting to be from a construction company with which the university has an existing business relationship.
  • The scammer often spoofs the actual e-mail address of the company with a similar domain. For example, if the actual domain is abcbuilders.com, the scammer might register and use abcbuilders.net to send the e-mail.
  • The university sends their next payment to the scammer’s bank account, and the money is often unrecoverable by the time the university realizes they have been the victim of fraud.
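The look-alike domain trick in the third bullet, combined with the bank-account-change request in the first, is something an accounts-payable mailbox can be screened for before anyone acts on it. The following is an added example written for this post, not code from the FBI PSA or from the university; the vendor allow-list, the sample message and the `triage` policy are constructed, and the domain split is deliberately naive (no public-suffix list).

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains (hypothetical names, not real vendors).
KNOWN_VENDOR_DOMAINS = {"abcbuilders.com", "pavilion-contractors.example"}

# Phrases that, in a vendor e-mail, indicate a payment-instruction change.
PAYMENT_CHANGE_TERMS = ("bank account", "routing number", "wire instructions", "new account")

def registrable_parts(domain):
    """Naively split 'mail.abcbuilders.com' into ('abcbuilders', 'com').
    Assumption: no public-suffix handling (co.uk etc.), which a real tool needs."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def classify_sender_domain(sender_domain, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return (verdict, vendor); verdict is one of
    'known_vendor', 'lookalike_tld', 'lookalike_typo', 'unknown'."""
    sender_domain = sender_domain.lower().rstrip(".")
    for vendor in known:  # exact or sub-domain match wins before any look-alike check
        if sender_domain == vendor or sender_domain.endswith("." + vendor):
            return ("known_vendor", vendor)
    s_sld, s_tld = registrable_parts(sender_domain)
    for vendor in known:
        v_sld, v_tld = registrable_parts(vendor)
        if s_sld == v_sld and s_tld != v_tld:  # abcbuilders.net vs abcbuilders.com
            return ("lookalike_tld", vendor)
        if SequenceMatcher(None, s_sld, v_sld).ratio() >= threshold:  # abcbuiIders, abcbuilder
            return ("lookalike_typo", vendor)
    return ("unknown", None)

def domain_of(from_header):
    """Extract the domain from a From: header value like 'Name <ap@abcbuilders.net>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def triage(from_header, body):
    """Decide whether a vendor e-mail may be processed or must be held for
    out-of-band verification (a call to a phone number already on file)."""
    verdict, vendor = classify_sender_domain(domain_of(from_header))
    asks_for_change = any(t in body.lower() for t in PAYMENT_CHANGE_TERMS)
    if asks_for_change:
        # A payment-detail change is verified out of band even from a known vendor.
        return ("hold_verify_out_of_band", verdict, vendor)
    if verdict != "known_vendor":
        return ("hold_unknown_sender", verdict, vendor)
    return ("ok", verdict, vendor)
```

Running `triage("ABC Builders AP <ap@abcbuilders.net>", "Please update our bank account for all future payments.")` returns `('hold_verify_out_of_band', 'lookalike_tld', 'abcbuilders.com')`, which is the case the FBI describes.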

Southern Oregon University spokesman Joe Mosley couldn't share specifics as to exactly how SOU fell prey to the fraud. The university says there is a process in place for vendors to change their bank account numbers.

“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said Mosley. “We’re not alone.”

That couldn't be more true. Last year, CEO fraud was a $5.3 billion business according to data reported to the FBI. No industry is immune to falling into cyber criminals' crosshairs. Firms like Leoni AG, a cable manufacturer, and FACC AG, an aerospace company, are among thousands of victims of the crime in 2016.

You need defense-in-depth and a human firewall as your last line of defense. Click here to access a free job-aid for your employees. It's a single page with the 22 Social Engineering Red Flags, provided by our WebShield partner, KnowBe4.

Please let us know if you have any questions.