by Jon Lober | NOC Technology
As organizations across the country increase their vigilance against cyberattacks, hackers have intensified their own efforts and methods. Computer networks are becoming increasingly secure through AI and cybersecurity software, so cybercriminals are turning their attention to the human element.
Spear-phishing attacks use a combination of inside information and precision timing to execute painful attacks on their targets. Though these methods require a great deal of patience and dedication from the attacker, potentially huge payouts incentivize them to bide their time and strike at the ideal moment.
In the modern age, it has become easier to slip past a human eye than through cybersecurity software—even those eyes that are wide open. Even savvy managers with a keen awareness of cybercrime can be robbed in these sophisticated strikes. Today we will take a look at a recent example of just such an attack.
A school system in Washington recently lost $346,000 in a devastating phishing scheme despite efforts on the part of Adna School System to prevent this kind of loss. Aware of the threat of being defrauded, the superintendent had established a very thorough payment process. Each disbursement required a review by seven different individuals from multiple disciplines: project managers, architects, school principals, general contractors, the superintendent, and others. A payment was only issued once each party had verified the expenses listed in that payment.
Prior to the attack, the system was working well. The district had already successfully paid $780,000 of the $3 million project to the contractor, and the same review process had been used for the stolen payment. However, even this level of vigilance proved insufficient.
“With this contract I felt we had created a textbook system for managing funds in a public construction project,” said the superintendent. “But we were tricked, and it cost our district a significant amount of money and I take responsibility for this mistake. I apologize to our families and the community of Adna.”
As soon as they realized that they had been attacked, school officials contacted law enforcement and their bank. Despite these efforts, Chase Bank’s fraud department returned only $1,200 to the school district.
The hackers behind this attack most likely utilized a form of phishing known as business email compromise (BEC). In this specific instance, the cybercriminals sent a spoofed email to the school district with payment instructions—including bank account information. The email appeared to be a legitimate email from the general contractor.
As a result of this deception, when the school made the ACH transfer, they deposited the payment into the hacker’s account—not the contractor’s account.
To carry out such an attack, a hacker needs to time their request for payment precisely so that it does not raise suspicions. To gain insight into these opportunities, they typically try to penetrate the email account of someone involved in the payment process, who may not even be a key player. They want to monitor the timing of payment cycles, observe how the vendor requests payment, determine which email account to spoof or mimic, and potentially even replicate a PDF invoice and the type of language used by the vendor.
When a hacker finally does send the email with the falsified payment information, they do so from an email account that looks very similar to the original: for example, contractor@webuildit.net instead of contractor@webuildit.com. Unless the payer remains vigilant through ongoing awareness training or runs AI email scanning, this simple trick can have painful results.
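The lookalike-address trick described above can be checked mechanically before a payment request reaches a reviewer. As an added example (not from the original article), this Python check compares a sender's domain against an allowlist of vendor domains and flags near matches; the allowlist, function names and sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender domains that imitate a known vendor domain.
# Assumption: accounts payable maintains this allowlist of vendor domains.
KNOWN_VENDOR_DOMAINS = {"webuildit.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split 'webuildit.com' into ('webuildit', 'com'). Naive: ignores multi-part TLDs."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify_sender(address, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a sender address.

    'trusted' only means the domain is on the allowlist. It does not prove the
    message is authentic: a compromised mailbox at the vendor would still pass.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return "trusted"
    name, tld = split_domain(domain)
    for good in sorted(known):
        good_name, good_tld = split_domain(good)
        # Same name, different TLD (.net for .com): edit distance alone is 3 here.
        if name == good_name and tld != good_tld:
            return f"lookalike:{good}"
        # One or two character swaps, insertions or deletions.
        if 0 < edit_distance(domain, good) <= max_distance:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, not taken from any real incident data.
    for sender in ("contractor@webuildit.com", "contractor@webuildit.net",
                   "contractor@webuildlt.com", "billing@example.org"):
        print(f"{sender:32} {classify_sender(sender)}")
```

A `lookalike` or `unknown` result on a message that changes bank details is a reason to confirm the change by phone, using a number already on file rather than one from the email.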
Though it is difficult to stop such determined hackers, there are many ways that an organization can protect itself from these types of phishing attacks. Following their experience, the Adna School System decided to immediately implement the following set of cybersecurity measures.
This is an excellent list. Policies and staff training are particularly important to avoid this specific type of attack since the approach relies on human error rather than technological vulnerabilities. If a compromised email account was indeed the source of the hacker’s inside information (as opposed to an inside informant or other source of information), 2FA could have potentially prevented the hacker from gaining access to the information in email.
Beyond these great steps, we would also encourage you to consider AI cybersecurity software, Advanced Threat Protection (ATP) for email accounts, and even cybersecurity insurance that can offset the financial damage from any successful attacks.
This has become such a serious and common issue that we even wrote a free eBook about it, which you can download to learn more about how these attacks work and what you can do to prevent them. Follow this link to download your free copy of Email Fraud: How to keep hackers from hijacking your inbox.