Since 2003, October has been recognized as Cybersecurity Awareness Month. The city of Fort Lauderdale would have appreciated it if it had come a little earlier. On September 14th, the city paid a $1.4 million invoice that it believed came from Moss Construction. The next day, it discovered that the invoice was fraudulent.
Moss Construction is building the new police station for the Fort Lauderdale Police Department. This is a $144 million project, so an invoice of this size was not out of the ordinary. The invoice also contained a blank check that stated it was for Moss Construction, which is what the city expected and had received before.
Due to the quick recognition of the scam and the large amount of the wire transfer, the city is hoping to be able to recover the money. Several law enforcement agencies are working to determine exactly what happened.
This attack bears the hallmarks of an email compromise, in which an attacker gains access to an email system and waits, examining the emails sent and received. The attacker discovers a pattern of invoices and then copies the timing and contents of an invoice while changing the routing numbers.
Fake emails that try to get you to take action are referred to as phishing scams. Most phishing scams send out many emails, hoping that some of the recipients will take the bait and send the scammers what they want. This was a targeted phishing scam, which is referred to as spear phishing. Often, these spear phishing attempts are sent to only a single individual.
This is a reminder that it is always a good idea to independently verify invoices. If the city had contacted Moss Construction via a number that they had been using before receiving this invoice, the fraudulent payout could have been avoided.
This applies to individuals as well. If you receive a request for payment, you need to verify the request. A year ago in Florida, the clients of a roofer were contacted to put down deposits of several thousand dollars, but the requests did not come from the roofer, and the money did not go to the roofer. We must always be vigilant to make these types of phishing scams more difficult.
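The independent verification described above can be enforced at the point of payment. The following is an added example, not code from the city or any vendor: it compares an invoice's bank details with a vendor master record and holds payment on any mismatch, returning the call-back number already on file. The vendor name, routing and account numbers, phone numbers, and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str

@dataclass(frozen=True)
class Vendor:
    bank: BankDetails
    callback_phone: str  # recorded at onboarding, before any invoice arrived

@dataclass(frozen=True)
class Invoice:
    vendor: str
    amount: float
    bank: BankDetails
    contact_phone: str  # printed on the invoice, so attacker-controlled

def digits(value: str) -> str:
    """Strip formatting so '000-000-001' and '000000001' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def review_invoice(inv: Invoice, master: dict) -> tuple:
    """Return (action, reasons, callback_phone); never trusts invoice contact data."""
    vendor = master.get(inv.vendor.strip().lower())
    if vendor is None:
        return ("hold", ["vendor not in master file"], None)
    reasons = []
    if digits(inv.bank.routing) != digits(vendor.bank.routing):
        reasons.append("routing number differs from vendor master")
    if digits(inv.bank.account) != digits(vendor.bank.account):
        reasons.append("account number differs from vendor master")
    if digits(inv.contact_phone) != digits(vendor.callback_phone):
        reasons.append("invoice phone differs from number on file")
    # The call-back always uses the number on file, whatever the invoice says.
    return ("hold" if reasons else "pay", reasons, vendor.callback_phone)

# Constructed sample data (not taken from the incident).
VENDOR_MASTER = {
    "example builders inc": Vendor(BankDetails("000000001", "1234567890"), "954-555-0100"),
}
GENUINE = Invoice("Example Builders Inc", 1_400_000.00,
                  BankDetails("000000001", "1234567890"), "954-555-0100")
SPOOFED = Invoice("Example Builders Inc", 1_400_000.00,
                  BankDetails("000000002", "9876543210"), "954-555-0199")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, review_invoice(inv, VENDOR_MASTER))
```

A held invoice is released only after someone reaches the vendor on the returned number and confirms the change; the vendor master itself should be updated through a separate, verified process.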