A simple scam was used to rob the town of Erie, Colorado, of more than a million dollars, taking social engineering to another level.
An unknown party completed and submitted an electronic form on Erie’s administration website with a simple request: change the type of payment, from check to direct fund transfer, for a company called SEMA Construction, which was already employed by the city.
No one paid close attention to the request, and it was granted. On October 25th, 2019, the city wired $1.1 million when the payment was due. The bank officials notified the administration of the suspicious transfers 10 days later. SEMA Construction confirmed that they never made the request, and, of course, never got the money.
The blame rests on the Erie administration employees who failed to check the validity of the request; it’s precisely the kind of lax behavior that lets scams succeed, since criminals rely on human negligence. In most cases of hacking and social engineering, the weakest link is the people handling the digital information.
The initial investigation revealed no accomplices in the administration, and the town is trying to recoup the money from insurance. In the meantime, all electronic forms were disabled, and fund transfers are no longer permitted.
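As an added illustration, not from the article or the town’s own systems: a minimal hold-and-callback control in Python that treats a web-form payment-change request as pending until it is confirmed through the phone number already on file, then applies it only after a hold period (the hold length, vendor name and phone numbers are constructed placeholders).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
HOLD_PERIOD = timedelta(days=3)  # assumed hold before a confirmed change takes effect

@dataclass
class Vendor:
    name: str
    payment_method: str  # "check" or "wire"
    contact_phone: str   # number on file before any request arrived
    pending: dict = field(default_factory=dict)

def request_payment_change(vendor, new_method, submitted_at):
    """Record a web-form request; it is never applied directly."""
    vendor.pending = {"method": new_method, "submitted_at": submitted_at, "confirmed": False}
    return "pending_verification"

def confirm_out_of_band(vendor, phone_called, vendor_confirms):
    """Call-back check: only the number on file counts; a denial cancels the request."""
    if not vendor.pending:
        return "rejected: no pending request"
    if phone_called != vendor.contact_phone:
        return "rejected: callback did not use the number on file"
    if not vendor_confirms:
        vendor.pending = {}
        return "rejected: vendor denied the request"
    vendor.pending["confirmed"] = True
    return "confirmed"

def apply_if_verified(vendor, now):
    """Apply a confirmed change only once the hold period has elapsed."""
    p = vendor.pending
    if not p or not p["confirmed"] or now - p["submitted_at"] < HOLD_PERIOD:
        return False
    vendor.payment_method = p["method"]
    vendor.pending = {}
    return True

def demo():
    """Constructed walk-through with placeholder data, not the real parties."""
    v = Vendor("Example Construction", "check", "+1-555-0100")
    t0 = datetime(2019, 10, 1)
    steps = [request_payment_change(v, "wire", t0),
             apply_if_verified(v, t0 + timedelta(days=10)),   # False: never confirmed
             confirm_out_of_band(v, "+1-555-0199", True),     # rejected: wrong number
             confirm_out_of_band(v, "+1-555-0100", False),    # rejected: vendor denies
             request_payment_change(v, "wire", t0),
             confirm_out_of_band(v, "+1-555-0100", True),     # confirmed
             apply_if_verified(v, t0 + timedelta(days=1)),    # False: still on hold
             apply_if_verified(v, t0 + timedelta(days=3))]    # True: change applied
    return steps, v.payment_method
```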
The fraud perpetrated against the city is a combination of social engineering and business email compromise (BEC), although no emails were actually exchanged in this case. The goal is the same; criminals impersonate someone else to trick their victims into making payments or sharing sensitive information.
The FBI and the local police are now investigating exactly how the scammer managed to pull this off. According to the Denver Post, this is not the first time this has happened, and it’s becoming a lucrative scam.