The target: Cabarrus County, a district of North Carolina in the United States
The take: $1.7 million dollars
The attack vector: A BEC, or Business Email Compromise. The attackers posed as one of the county’s contractors and requested their bank account be updated in time for the next payment. They spoofed legitimate documents including an electronic funds transfer form (EFT) and signed bank documentation. After receiving the bogus documents, Cabarrus County staff changed the vendor’s account to this new, fake one and continued with their scheduled payments.
This attack highlights the importance of security awareness campaigns that test and train employee’s abilities to spot and report suspicious emails. Additionally, controls should be in place wherever payments are processed to ensure that any requests to change payment instructions are reviewed and validated outside of an e-mail correspondence string.