The biggest issue with phishing attacks is that it only takes one uninformed individual to bring an organization to its knees. It is this reality that a school district in Texas is dealing with after discovering a phishing attack left them short of roughly $2.3 million. As local ABC affiliate KVUE states in their report, the phishing scam affects the Manor Independent School District, which serves 8,000 students from kindergarten to 12th grade. The phishing attack began in November and continued well into December before the school district noticed anything wrong. This is just the latest in a flood of phishing attacks hitting schools, cities, and agencies.
Once it was obvious that they were dealing with a massive incident, the school district involved local law enforcement and the FBI. Speaking to KVUE, Anne Lopez, a detective for the Manor Police Department, stated that the investigation has strong leads on the culprits. Lopez also stated the following on the specific nature of the attack, which targeted multiple individuals, with one actually giving in to the scam:
It was three separate transactions. Unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was fraudulent bank account.
With the investigators not giving much information to the press besides what is in the KVUE report, it can be difficult to ascertain the exact attack that took place. Some cybersecurity analysts are making educated guesses, however, as to which style of phishing attack is likely responsible. One such cybersecurity professional is Armen Najarian, who holds the position of chief identity officer with Agari, a company that specializes in phishing attacks. Speaking with Threatpost’s Lindsey O’Donnell, Najarian stated that, based on the available evidence, it is likely that a vendor email compromise (VEC) is responsible for Manor’s woes.
In this type of attack, according to Najarian, there is “a hybrid of credential phishing and identity deception that results in extremely realistic-looking phishing emails that target a vendor’s or supplier’s customers.” Even so, for this type of attack to go unnoticed for so long, to the point that millions were lost, is, quite frankly, inexcusable. The criminals are primarily at fault, of course, but organizations should look at this incident as a warning to educate their employees on phishing scam recognition.
Even the best phishing scams have “tells” that should tip off an informed individual.