Submitted via IRC for SoyCow4463
The City of Burlington, Ontario, revealed Thursday that it fell prey to "a complex phishing email" that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released. "To maintain the integrity of ongoing investigations, the City will not be commenting further at this time," it announced.
Although the City describes the incident as a phishing fraud, it bears all the hallmarks of the business email compromise (BEC) genre of phishing.
"On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor," the announcement reads. "The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16."
Neither the name of the member of staff nor the department he or she worked in has been revealed, although it is clear his position is of enough seniority to authorize large payments on behalf of the City.
Burlington mayor Marianne Meed Ward commented, "This was a case of online fraud with falsified documents at a level of sophistication not typically seen and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities -- so that no one becomes a victim of this type of criminal activity."
Source: https://www.securityweek.com/canadian-city-loses-500000-phishing-attack
(Score: 0, Informative) by Anonymous Coward on Saturday June 22 2019, @11:09AM (2 children)
It's obvious to most of the SN crowd, but it cannot be stressed enough: email can deliver phishing and ransomware attacks (among other nastiness).
Users are the weakest link. Training is so very, very important but it's still not enough when employees are in a rush or not paying attention. Make sure your business or municipality has stringent procedures that are in place and practice them like you would your disaster recovery drills.
(Score: 2, Insightful) by Gaaark on Saturday June 22 2019, @12:22PM (1 child)
I like this: ANOTHER city gets taken for cash, someone says more training is needed and they are modded Redundant!
Obviously not Redundant enough!, lol.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Saturday June 22 2019, @12:37PM
They should have know they would be modded "Redundant" if they knew enough to start with "It's obvious to most of the SN crowd".
(Score: 2, Interesting) by The Shire on Saturday June 22 2019, @12:33PM (2 children)
This sounds like a cya release to hide the fact that some Nigerian Prince sent the guy an email from a gmail account asking for this transfer and he fell for it. I've seen far too many incompetent morons in senior management in my life not to believe this was a fool and the cities money that were soon parted. Not releasing the persons name means he's probably the nephew of the mayor or some other crony.
(Score: 4, Informative) by deimtee on Sunday June 23 2019, @05:11AM (1 child)
It was an authorized payment to a legitimate vendor. The scam was that they changed the bank account details it was to be paid to. Probably nobody noticed until the vendor started asking for their money.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by bzipitidoo on Sunday June 23 2019, @01:58PM
He's not incorrect to doubt the intelligence and competence of people who actually think they want to run a city. Perhaps the kindest way to put it is that many local politicians' expertise is in social skills, with some business management experience. They're not going to act on potential threats, unless the public demands it. Don't want to jump at every shadow. For any problem outside their domain of knowledge, they're going to do nothing, until it's a raging fire that has to be put out.
They will have metal detectors installed at the entrances of schools and city offices, but they won't listen to warnings from IT that their 20 year or older computer systems should be upgraded, especially if they've trapped themselves into relying on a deprecated, dead end system that's going to be very painful to migrate to a replacement.
(Score: 1, Informative) by Anonymous Coward on Saturday June 22 2019, @01:19PM
Scott County Schools victim of $3.7 million scam [wkyt.com]
OR if you prefer: from Google [google.com]
Though they have said lately that they are getting the money "back".
(Score: 0) by Anonymous Coward on Sunday June 23 2019, @03:47AM (1 child)
(Score: 0) by Anonymous Coward on Saturday June 29 2019, @06:07PM
But it will buy the Dane's kids new shoes.