El Paso Loses 3.2 Million Dollars via Spear Phish

By April 17, 2017November 25th, 2020Protect Yourself, SE

In 2016, phishing reached an all-time high by the second quarter. An average of 155,000 phishing emails were sent out during the months of April, May, and June according to the Anti-Phishing Workgroup. This alarming trend was noted among many industry analysts, helped to bring much of information security to the forefront of news media, and generated more visibility into the security community as an increase in the cost and visibility of these attacks made them a threat to many businesses.

In August of 2016, the city of El Paso, Texas was scammed out of a total of $3.2 million USD. How did this happen? By a simple e-mail. Starting in August, the Camino Real Regional Mobility Authority (CRRMA) was contacted by an entity claiming to be a contractor for the city’s new streetcar project.  These attackers were able to learn the identity of both the person in charge of the CRRMA and an actual contractor being used by the city in construction efforts and were successful in targeting the executive in charge of the project by impersonating this group. The group claimed to be using a joint venture organization as the subcontractor on the deal and requested a different bank account for the payment of the contract. When the new banking information was given by the attackers, several questions were raised by the city comptrollers. They requested the required forms and documentation to complete the transaction, and the CRRMA executive helped the attackers know what they needed to file and how to get the documents, which are still suspect and under investigation as to whether they are forged or not. 

After being contacted by the real vendor stating there had been no payment made, an investigation was launched and the payments were put in recovery in conjunction with Wells Fargo. The city has so far recovered $1.9 million USD and is actively working to manage the issue and on policies and procedures on what to do in the future to prevent this.

Options to combat this type of attack are varied, but in this case, the attacker contacted the target with the claim of being the vendor and was not vetted by following up with a known contact at the vendor company. In doing this, the target could have noticed several issues and prompted a review of the request at a much earlier stage. Frequently accompanying the impersonation of a company or individual there is a letter off in the name of the domain, or the company name, a technique known as typo-squatting. Looking for these inconsistencies can also help in deterring this type of attack. 

Frequently, a little paranoia can stop an attack before it happens.  


Leave a Reply