A non-profit community housing collective has been swindled out of more than $1.2 million in a business email compromise (BEC) campaign.
Red Kite Community Housing, a coop housing association in High Wycombe, U.K. (outside of London) announced in a recent website notice that £932,000 of the money paid into its coffers by tenant-owners was transferred to cybercrooks thanks to a convincing domain-spoofing effort.
The attackers set up an imposter website and fake – but convincing – email addresses purporting to be known suppliers to Red Kite.
“They managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation,” the organization explained. It added that the group has safeguards in place against BEC in the form of a “two-stage process to verify changes to payments and accounts” – but, a human mistake was somehow made along the way.
Further details weren’t given in deference to an ongoing law enforcement investigation, but Red Kite said that the attack was “different and it has brought home to us that you can never drop your guard for a moment, no matter how safe you think your systems are.”
The attack happened in August, after which Red Kite notified its members, and engaged an outside cyber-forensics firm, local police and the Regulator of Social Housing (RSH). In the aftermath, it has upgraded its security posture by investing in a complete audit and review of its payment processes and systems, as well as additional security measures such as staff training.
Law enforcement is “on the trail of the criminals,” according to Red Kite. And meanwhile, it has renegotiated a financial deal that frees up £1.1 million that will help compensate tenants for the loss.
“Thus, we can say with certainty that, as a result of this con, we will not be changing anything we currently support or that we undertake for our community, either now or in the future,” according to the notice. “As a community organization [sic] that has built a track record of saving our residents over £33 million in the first five years, and almost another £30 million on our long-term business plan, it is absolutely galling to lose a [pound], let alone the sum involved in this crime.”
Red Kite isn’t alone in falling victim to such scams and losing large amounts of cash. The Manor Independent School District in the Austin, Texas area lost $2.3 million, after falling victim to an email scam that ran for nearly two months at the end of 2019. District employees were duped by supplier-spoofing emails into sending three separate transactions to a fraudulent bank account.
In September, media conglomerate Nikkei Inc. (which gives its name to Japan’s premier stock index) fell victim to BEC scammers who purported to be a Nikkei executive. That fleeced the company out of $29 million. And last April, St. Ambrose Catholic Parish in Ohio lost a whopping $1.75 million after attackers breached two employees’ email accounts – and then tricked other employees into sending wire transfers to a fraudulent bank account.
According to the latest annual Internet Crime Report (IC3) from the FBI, individuals suffer BEC scams too: One victim received an email purporting to be from a closing agent during a real-estate transaction — resulting in the person initiating a wire transfer of $50,000 to a fraudster’s bank account located in New York.
