Scammers Dupe Texas School District Out of $2.3M

texas school district scam

The wide-scale phishing scam reportedly started in early November and continued through December, before it was discovered by the Texas school district.

A Texas school district, based outside of Austin, Tex., has lost $2.3 million after falling victim to an email scam.

The Manor Independent School District encompasses 8,000 students from elementary to high school. Police told local news outlets that the incident started in early November and continued through December, before it was discovered by the district.

“It was three separate transactions. Unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was a fraudulent bank account,” police told local news outlets.

Moving forward, the district said on Twitter that it is investigating the incident further in conjunction with the FBI and the Manor Police Department. It urged anyone with information on the incident to contact the local police department.

When asked for further details of the scam by Threatpost, both the Manor district and police department said they have no further information to offer at this time.

However, Armen Najarian, chief identity officer with Agari, told Threatpost that the incident appears to be a case of “vendor email compromise (VEC),” a term researchers have coined based on research into a Nigerian cybercriminal group called Silent Starling.

This type of attack begins with an attacker compromising an employee at a company involved in billing or payments, using a credential phishing site that mimics commonly-used business applications (like OneDrive or DocuSign). After the target’s email account is compromised, attackers add a forwarding or redirect rule on the account that passes copies of all incoming emails to another account controlled by the attackers.

“VEC is a hybrid of credential phishing and identity deception that results in extremely realistic-looking phishing emails that target a vendor’s or supplier’s customers. This is an attack we predicted last year will be one of the biggest threats to organizations in 2020,” Najarian told Threatpost. “Identity-based scams often slip through legacy controls because those controls were designed to detect and prevent technically sophisticated attacks rather than socially-engineered threats, which are now the attack-type-of-choice for many email scammers.”

Indeed, business email compromise (BEC) scams and other similar types of fraud efforts are squeezing more money than ever out of victims, with losses from the attacks almost doubling year-over-year in 2018 to reach $1.2 billion. In November, media conglomerate Nikkei Inc. fell victim to a BEC scam that fleeced the company out of $29 million.  Other victims of scams include the City of Ocala in Florida, which was swindled out of $742,000, and a church in Brunswick, Ohio that was scammed out of $1.75 million in August.

Security experts stress that these incidents underscore the need for better employee training when it comes to identifying email-based scams.

“Cybercriminals will attack organizations with the intention of getting the highest return on investment,” said Javvad Malik, security awareness advocate at KnowBe4, in an email. “Usually this translates into social engineering attacks, which are, in essence cons against people to do things against the interest of the company. This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organizations should take time to invest in providing security awareness and training so that they can be better-prepared to identify and report any suspicious activity.”

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.