
FBI Investigating How Town Defrauded of $1 Million: Report

Imposter Posing as Contractor Reportedly Tricked Erie, Colo., Officials Into Wire Transfer
The town hall in Erie, Colorado, which was a victim of fraud. (Photo: Bahooka via Wikipedia/CC)

The FBI and local police are investigating how scammers posing as a contractor for a local bridge project tricked officials in a small Colorado town into electronically transferring over $1 million to a fraudulent account, according to the Denver Post.

The town of Erie, population 18,000, is still attempting to recover the funds via its insurance coverage, the Post reports. Town officials and the FBI did not immediately reply to a request for comment.

Building Project Targeted

A Dec. 30 internal email sent by Malcolm Fleming, the town administrator for Erie, says that it appears the scam started when a fraudster completed an electronic form posted on the town’s website requesting a change in how SEMA Construction, the primary contractor for a local bridge project, would receive payment for its work, according to the Post. The requested change was to receive payments via electronic funds transfer rather than by check, according to the local ABC affiliate, which also reviewed the town manager's message.


While the Erie town staff checked some of the information on the form for accuracy, they did not verify the authenticity of the submission with SEMA Construction, according to the television station. Instead, local officials accepted the form and updated the payment method, according to that news report.

On Oct. 25, Erie officials sent two payments totalling more than $1 million to a fraudulent account not connected to SEMA Construction, the Post reports. Town officials failed to follow the guidelines for verifying these types of money transfers, Fleming noted in the internal email that the Post reviewed.

On Nov. 5, bank officials notified Erie about suspicious activity regarding the wire transfers. When local officials contacted SEMA Construction, the company confirmed that it neither received the payment nor requested a change in how payments were processed.

The Post report notes that town staff involved in the wire transfer were not part of the scheme, but at least one Erie worker resigned because of the incident.

Incident Leads to String of Actions

Erie officials have since removed the electronic payment forms from the town's website and will temporarily suspend wire transfers until an investigation is complete, according to the Post.

The Fleming email also notes that the town is working with its insurance providers to determine if Erie can recoup the lost $1 million, the newspaper reports.

Erie officials are considering whether to turn the position of risk manager from a part-time to a full-time job to provide additional support and oversight, the Post notes.

Similar Scams

The scam that targeted the Colorado town is similar to a type of business email compromise scheme that some have labelled a “vendor email compromise,” which involves fraudsters targeting the vendors or suppliers of organizations (see: 'Vendor Email Compromise': A New Attack Twist).

In a report issued in October, security firm Agari warned that these types of attacks involving vendors and third parties are being conducted by criminal gangs and are becoming more sophisticated.

"The situation in Colorado appears to be a clear case of a specific type of business email compromise attack, which we’ve coined vendor email compromise," says Armen Najarian, the chief identity officer at Agari. "Many companies and municipalities probably have already had their inboxes infiltrated with this type of attack. That means more and more companies and government agencies will be reporting they’ve been impacted in 2020."

A recent report from the U.S. Treasury Department found that BEC scams are surging, costing U.S. companies a total of more than $300 million a month (see: BEC Scams Cost U.S. Companies $300 Million Per Month: Study).

Meanwhile, another report by the FBI found that BEC scams accounted for $26 billion in company losses between June 2016 and July 2019 in the U.S.


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



