A hacker managed to swindle the city of Portland, Oregon, out of $1.4 million by tricking municipal employees into wiring them the funds back in April.
The culprit pulled off the theft through a business email compromise (BEC) scheme, which involved hijacking a city employee’s email account, according to Oregon Public Broadcasting.
In May, Portland’s city government disclosed(Opens in a new window) it had lost $1.4 million in a cyber-related incident, without revealing all the details. But on Monday, OPB reported(Opens in a new window) it had obtained internal emails from the city that show the cybertheft occurred through a BEC attack.
The hacker likely kicked off the scheme by sending a phishing email, which tricked a City of Portland employee into giving up their password to their email inbox. The access then gave the hacker enough information to impersonate an official at the housing nonprofit Central City Concern, which was preparing to secure $1.4 million in local funding.
At one point, the city’s treasurer flagged the $1.4 million wire transfer as potentially fraudulent. This was because the name of the account receiving the wire transfer failed to match the Central City Concern’s own bank account name.
As a result, the city’s treasurer demanded municipal employees confirm the bank account information with someone at the nonprofit. However, the municipal employees decided to do so simply by communicating over email. In reality, the employees were speaking with the hacker impersonating the nonprofit. This led city employees to make the $1.4 million transfer anyway.
The city of Portland only discovered the email breach after the hacker tried to make a second fraudulent wire transfer weeks later. IT staff then discovered the hijacked email account had been accessed from various locations, including Texas, Germany, and Nigeria, likely with a VPN.
Recommended by Our Editors
“The City is pursuing reimbursement for as much of the stolen money as possible through cybersecurity insurance and other means, but won’t have resolution for some time,” Portland’s city government said(Opens in a new window) in June.
The incident is a reminder it’s always a good idea to personally call the recipient of a wire transfer (or meet them in person) before sending the money. The FBI estimates BEC schemes have attempted to or successfully stolen as much as $43 billion from global companies since 2016.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
