The city of Ocala, Florida has become the latest victim of a ‘spear-phishing attack’. Officials revealed that the city lost over $500,000 after sending a payment to a fraudulent bank account.
According to Ocala.com, the city’s website, the incident occurred when a scammer sent a phishing email to a city department employee.
The scammer pretended to be a construction contractor working with the city and sent an email, requesting payment for services via electronic transfer.
While the email was phony, the underlying invoice was legitimate – which was enough to trick the employee.
The employee believed the email was legitimate and inadvertently transferred $640,000 to a fraudulent bank account set up by the scammer.
Here’s the thing: the email address used in the attack included an extra letter that is not part of the legitimate contractor’s email address. It was only one letter off, but that was enough to pass the human firewall test.
Once the city learned of the payment to the fake account, it reported the issue to law enforcement agencies.
About $110,000 was still in the account when law enforcement later tried to access it. So, the scammer collected just over $500,000.
Ocala spokesperson Ashley Dobbs confirmed that no information systems were compromised in the incident. Furthermore, Dobbs added that the incident has been isolated and customers’ data is safe.
Now let’s be clear: that taxpayer money is straight-up gone. What’s the city doing about this? Here’s what they said:
“While we can’t change this outcome, we will continue to update and refine our cybersecurity systems and training to minimize future impacts.”
So, they’re doing exactly what all companies should be doing – cybersecurity training. That means small, short, ongoing micro-training sessions that educate employees on the latest methods criminals use to try to trick them into giving out company data such as employee records and bank account information. As you can see, once that money is gone, it’s gone for good, and that could really sink even a medium-sized business.
At Cylanda, we do this and more, including monthly simulated phishing attacks to keep your employees on their toes. Feel free to reach out if this sounds like something you and your organization could benefit from. We can help.
Stay safe out there.