January 6, 2020 By David Bisson 2 min read

A Colorado town lost more than $1 million in a business email compromise (BEC) scam after mistakenly transferring the money to digital fraudsters.

According to the Denver Post, the town of Erie, Colorado, sent $1.01 million to malicious actors as a result of a BEC scam. The attack began back in mid-October when an unknown individual completed an electronic form on the town’s website. They used the form to request that SEMA Construction, Inc., a local construction company, begin receiving electronic payments instead of checks for its work on the Erie Parkway Bridge going forward.

A staff member subsequently accepted the form and updated the payment information without following the necessary guidelines for doing so. As a result, the town sent two electronic payments totaling $1.01 million to an account not authorized by SEMA. The perpetrators then used wire transfers to move that money outside of the country.

The staff person voluntarily resigned after the town had learned of the fraud. In the meantime, Erie officials used a transportation impact fund to pay SEMA via check while it awaits a pending insurance claim concerning the scam.

Just the Latest Successful BEC Scam

This attack is among other successful BEC scams that occurred in recent months. Back in July 2019, the Griffin Police Department revealed that the city of Griffin, Georgia, had sent more than $800,000 to an account under attackers’ control. In October, Nikkei revealed that an employee had transferred $29 million to a malicious individual pretending to be a management executive at the stock market index. Just a week after that, Ocala.com revealed that BEC scammers had defrauded the Floridian city of Ocala out of nearly three-quarters of a million dollars.

How to Defend Against Business Email Compromise

Security professionals can help their organizations defend against BEC scams by crafting an incident response plan that identifies the policies and procedures that team members should follow in the event of a security incident. Doing so will help speed up the incident response process should the organization fall victim to a BEC attack. Infosec personnel should balance this plan with security awareness training that educates employees about social engineering techniques, including emails that are designed to trick employees into sending funds to an attacker-controlled bank account.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today