Pandemic + Phishing = $1M Losses for Lynchburg Business

Yes, you read that correctly and it really is a local (Central Virginia) story.  Part of our “new normal” is remote work, which often creates some barriers for communication.  Unfortunately, there are people in the world who recognize this as an opportunity to take advantage of others for a big pay-out.  The following is a synopsis of a very sophisticated phishing attack that cost one central Virginia business nearly one million dollars in losses. You’ll want to read this!

Here’s the high-level detail of what happened:

A user receives an email that looks like a link to a shared document in Microsoft OneDrive or Microsoft SharePoint.  The user clicks the link which takes them to a log in page that looks almost identical to the Office 365 login page.  The user, thinking she is signing into the Microsoft Office page, provides her Microsoft username and password.  Nothing seems to happen, and the user seems confused but dismisses the issue.  Meanwhile, the bad guys have now captured the credentials for the user.  Because the proper security features are not configured, the perpetrators can use the credentials to log into Microsoft Office 365 as a legitimate user.  Because they have specifically targeted an executive in the organization, the stolen credentials give the perpetrators administrative rights in the Office 365 portal for the victim organization.  Once in, they set up rules so that any emails from the Accounts Payable employee directed to the CEO get automatically forwarded to another external email address without the CEO knowing about it.  Then, some fake invoices with ACH information are sent to the AP person seemingly from the CEO’s account. The CEO directs the AP person in these fake emails to pay the attached invoices right away via ACH.  The perpetrators have taken the time to register a domain that is almost identical to the domain of the victim organization.  The AP person suspects nothing and unknowingly sends payments for the fake invoices via ACH to the bank account of the bad guys.  Once that is done, it is VERY difficult to get the money back and perhaps nearly as difficult to get an insurance claim (cyber security or loss of business policy) paid.

This is serious business.  The reason this worked is primarily because under normal conditions, the AP person and CEO likely would see each other, at least in passing, on a regular basis.  There is a much greater likelihood that under normal working conditions, there would have been some conversation outside of the email communication regarding the invoices.  Remember, the CEO did not really send the invoices and would have had no idea what the AP person was talking about if she mentioned it to him.  Unfortunately, those conversations that may have occurred prior to COVID-19-induced remote work, never happened.  In fact, the AP person made several ACH payments that totaled nearly $1,000,000 before the organization realized what was happening.  While this case is being investigated by the FBI and another one that was very similar in Central Virginia was investigated by the Virginia State Police, there is often very little the authorities can do to get the money returned.  While it is possible that the victim organization may be able to get their insurance company to pay a Cyber Liability or Business Interruption claim, for many, that will be a long shot as well.  Unfortunately, most small businesses won’t survive such losses.

While there was certainly a human element in this, I know for a fact, that there were configurations and safeguards that were unknowingly omitted because it didn’t seem important to take the time or pay the price for a legitimate information security assessment by certified experts.  Had those configurations and safeguards been in place, this would have never happened.  If the cost of that was $1,000 would it have been worth it?  $10,000?  Remember…nearly $1,000,000 in losses.

Are you rolling the dice with your business’ future by not taking information security seriously enough?  Contact us today for more information on how to protect your business’ future from these and other risks!

Paul Meadows,