Henderson Independent School District fell victim to a business email compromise attack on September 26 when crooks managed to trick Henderson's staff to send $609,615 to a fraudulent account, as reported by The Henderson News.
The money transfer in the form of a direct electronic bank payment (also known as Automated Clearing House or ACH) was initiated by the district staff on September 26 to an account allegedly controlled by RPR Construction Company Inc, a renovation and construction contractor for Chamberlain Elementary School.
Subsequently, HISD's staff found out on October 1 that all the funds were transferred to a fraudulent account not belonging to their business partner and got in touch with the Henderson Police Department and the US Secret Service to further investigate the incident.
Special Agent Martin Licciardo, an organized crime investigator at FBI’s Washington Field Office, said that "BEC is a serious threat on a global scale. And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims."
Moreover, according to Special Agent Bill Mack “We’ve seen an uptick in the number of cases here in East Texas. Contact is often made long before the request for money. Criminals will use a compromised network to gather information about the target. Then, appearing to be a legitimate representative of the vendor, they will often request a simple change in account numbers.”
Henderson ISD suspended all Automated Clearing House payments after the attack and is now reviewing all district protocols and systems
Following the business email compromise attack, HISD's Superintendent Keith Boles stated that all ACH payments had been suspended and all business partners will be paid using checks until the district's systems and protocols will be thoroughly reviewed.
In the aftermath of the event, HISD's district business office director of finance resigned on Wednesday and the district is now in search of a new director.
According to an analysis by Digital Shadows $12 billion have been stolen following Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks during the last five years.
As mitigation measures against such attacks organizations need to make sure that wire transfers can only be performed using manual controls, to configure Internet-facing storage devices and cloud accounts very carefully, to provide BEC training for all company staff, as well as to closely monitor for exposed e-mail credentials.