The FBI has warned state and local government organizations to be on the lookout for business email compromise (BEC) scams after revealing that millions have already been lost during the past two years.
Losses from BEC campaigns ranged from $10,000 to $4m between November 2018 and September 2020, according to a new Private Industry Notification.
Attackers are targeting state, local, tribal and territorial (SLTT) government entities, masquerading as vendors and suppliers. They use phishing attacks to hijack email accounts at these companies and send urgent fake invoices to their government clients.
The ready availability of dark web phishing kits and information on government contractors, combined with poor security awareness among government employees, is making their job easier, according to the FBI.
“The substantial amount of publicly available SLTT government operating information required by government transparency requirements enables cyber-criminals to acquire information on SLTT leadership, vendor relationships and associated contractors, allowing them to tailor attacks directly to victims,” the notification revealed.
“Cyber-criminals may also determine those SLTT entities with inadequate cybersecurity protocols, such as a lack of personnel training, that they can compromise with the least amount of effort. Phishing kits — which bundle phishing tools and resources into user-friendly software — are increasingly available for purchase on the dark web, enabling even inexperienced cyber-criminals with minimal technical skills to conduct more sophisticated attack.”
The chances of success have also risen during the pandemic, with remote government workers potentially even more likely to click through on phishing links. An SLTT assessment last year by the Cybersecurity and Infrastructure Security Agency (CISA) revealed a click rate of nearly 14%.
BEC costs organizations nearly $1.9bn in total last year, up 5% from 2019 figures.
The FBI urged SLTT entities to improve education and awareness training, verify all payment changes in person or via a known telephone number, prevent automatic email forwarding, require multi-factor authentication and more.