Southern Oregon University recently fell victim to email fraud, resulting in $1.9 million being transferred to an attacker-controlled bank account. Fraudsters posing as Andersen Construction, the company building a university pavilion and recreation center, instructed SOU to transfer the money to an account not controlled by the contractor.
The transfer was initiated during the last week of April, but three business days later the university was notified by the contractor that payment was never received. The FBI was immediately notified and an investigation into recovering the funds is underway.
“It’s certainly a substantial amount,” said SOU spokesman Joe Mosley. “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
The bank account is believed to also contain funds from other fraudulent activities, making recovery of the $1.9 million difficult unless the university is insured against such fraud. The FBI has also stated that Business Email Compromise scams are spreading, particularly targeting small and medium-size businesses. Although the Bureau sent an alert in early May warning universities of these scams, losses seem to be significant.
“Many universities are frequently engaged in large construction projects which require regular electronic payments of at least several hundred thousand dollars,” reads the FBI Public Service Announcement. “It is relatively easy for a criminal to identify the construction companies involved in these projects and use social engineering and e-mail spoofing to commit this type of fraud. As a result of the nature and large size of these payments to a construction company, losses are significant.”
It’s unclear whether the fraudster spoofed the contractor’s email address or compromised their email, but according to Mosley, the FBI’s investigation is believed to also cover an additional 78 similar attacks that also involve universities.