FBI Gives Warning of Increase in Business Email Compromise Attacks on Local and State Governments

The Federal Bureau of Investigation (FBI), in its March 17, 2021 Private Industry Notification, cautioned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities were observed to increase between 2018 and 2020, with losses from individual attacks ranging from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages that impersonate the account holder in order to convince the target to carry out a fraudulent transaction. The compromised account is frequently used to send messages to the payroll division requesting changes to employee direct deposit details, or to staff authorized to perform wire transfers, requesting changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 BEC complaints, with reported losses of approximately $1.9 billion. The following are some examples of BEC scams:

In July 2019, a small city government lost $3 million after being scammed by a spoofed email that appeared to come from a contractor requesting a change to its payment method.

In December 2019, the email account of a financial supervisor at a government agency of a US territory was accessed and used to send 146 messages to government agencies with instructions regarding financial transactions. Many of the agencies’ own requests were made via email, and the attacker intercepted and replied to those messages. In total, $4 million was sent to the scammer’s account.

Besides the financial losses, these attacks disrupt the operations of SLTT government organizations, cause reputational harm, and can additionally lead to the loss of sensitive information such as PII, banking details, and employment information.

BEC scammers can easily research their targets, since SLTT operating information and details of vendors, suppliers, and contractors are available from public sources. Gaining access to email accounts is also straightforward: the target’s email address can be quickly located, and phishing kits for harvesting credentials are available cheaply on the darknet.

Once an email account is compromised, the attacker mimics the writing style of the account owner and often hijacks existing message threads. The scam can span several messages, with the target convinced they are conversing with the real account holder when they are in fact corresponding with the scammer.

The FBI states that BEC scammers typically target SLTT government entities with insufficient cybersecurity practices and take advantage of those that are unable to provide adequate training to their workers. The shift to remote working during the pandemic has made the scammers’ task even easier.

In 2020, CISA conducted phishing simulations involving SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on the simulated malicious links. The 13.6% click rate indicates that security awareness training alone is not teaching employees about the danger of email-based attacks, and highlights the need for “defense in depth mitigations.”

The FBI recommends ensuring that all workers receive security awareness training, are aware of BEC attacks, and know how to recognize phishing and spoofed emails. Employees should be instructed to carefully verify any email request for advance payment, for a change to bank account details, or for sensitive information. Policies and procedures should require that any bank account change or transaction request be validated by telephone using a previously verified number, not contact information provided in the email.

Additional measures that should be considered include multi-factor authentication on email accounts, phishing simulations, blocking automated email forwarding, monitoring email Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering services.
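Two of the measures above, blocking automated forwarding and watching Exchange for configuration changes, can be backed by a detection over the mailbox audit trail, since a forwarding rule to an outside domain on a compromised account is a common way a scammer keeps reading replies. The script below is an added example, not code from the FBI notification or this article; the audit records, the `example.gov` internal domain and the target addresses are all constructed, and the record shape only loosely follows Microsoft 365 unified audit log entries.

```python
"""Flag mailbox forwarding changes whose target lies outside the organization."""
import json

# Constructed sample audit records (one JSON object per line). Not real data.
SAMPLE_LOG = r'''
{"UserId": "finance.lead@example.gov", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "billing@example.gov"}]}
{"UserId": "finance.lead@example.gov", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "f.lead.backup@example-mail.test"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "payroll@example.gov", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:payroll.archive@example.net"}]}
{"UserId": "clerk@example.gov", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""}]}
'''

INTERNAL_DOMAINS = {"example.gov"}  # assumption: the organization's own mail domains
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"]


def _domain(address):
    """Return the lower-cased domain of an address, dropping any 'smtp:' prefix."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def find_external_forwarding(log_text, internal_domains):
    """Return one alert per forwarding/redirect target outside internal_domains."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in FORWARD_PARAMS:
            # Rule parameters may carry several recipients separated by ';'
            for target in str(params.get(name, "")).split(";"):
                dom = _domain(target)
                if dom and dom not in internal_domains:
                    alerts.append({
                        "user": rec["UserId"], "operation": rec["Operation"],
                        "param": name, "target": target.strip(),
                        # A rule that also deletes the original hides the forwarding
                        "deletes_original": params.get("DeleteMessage") == "True",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_LOG, INTERNAL_DOMAINS):
        print(alert)
```

Of the four constructed records, only the two that forward to domains outside `example.gov` produce alerts; the internal rule and the cleared forwarding address do not.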

Further measures for preventing and detecting BEC attacks are described in the FBI alert.