An incident involving a university falling victim to CEO fraud serves as a stark reminder of the creative tactics cybercriminals use to deceive higher education institutions. The FBI refers to this type of cyberattack as Business Email Compromise (BEC) and defines it as “a sophisticated scam targeting businesses that regularly perform wire transfer payments and/or businesses working with foreign suppliers.” According to the FBI, the scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

• Cyber Attack Type: Business Email Compromise (BEC)
• Affected Institution: Southern Oregon University
• Outcomes:
  • Cybercriminals learned that Southern Oregon University hired Andersen Construction to build their pavilion and student recreation center. They posed as the contractor to trick University employees into sending payment to a fraudulent bank account.
  • The University wired $1.9 million to what they thought was Andersen Construction. However, three days later, the contractor reported that they never received their payment.

Universities are frequently engaged in large construction projects that require regular and very large electronic payments. If cybercriminals can identify which construction companies are involved (which is normally easy to do, as the information may be available to the public), it's a matter of spoofing an email account or website and sending spear phishing emails, or even using malicious software to infiltrate company networks and gain access to legitimate information about billing and invoices.

What Southern Oregon University went through emphasizes the importance of heightened vigilance and robust cybersecurity measures to combat scammers’ schemes effectively. Anyone can fall victim to a business email compromise if they cannot spot the warning signs.

If you suspect that UCR has fallen for a BEC scam, it is important to act quickly to mitigate the attack's impact. The FBI recommends immediately taking the following actions:

• Contact your financial institution immediately and request that they contact the institution where the transfer was sent.
• Contact your local FBI field office to report the crime.
• File a complaint with the FBI’s Internet Crime Complaint Center (IC3). Click “File a Complaint” and then select “Business Email Compromise.”

How to Avoid Falling Victim to Business Email Compromise Attacks:

• Comply with UC cybersecurity standards, starting with completing the UC Cyber Security Awareness Fundamentals training at ucrlearning.ucr.edu.
• Educate employees about BEC threats and train them to recognize phishing attempts and fraudulent communications. Report suspicious emails to ITS using PhishAlarm.
• Implement strict verification processes for financial transactions, including multi-factor authentication and verification of contractor identities through multiple channels.
• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer provides), and call the company to ask if the request is legitimate.
• Carefully examine the email address, URL, and spelling used in correspondence. Scammers use slight differences to trick your eye and gain your trust.
• Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
• If possible, verify payment and purchase requests in person or by calling the person to make sure they are legitimate. You should also verify any change in account number or payment procedures with the person making the request.
• Be especially wary if the requestor is pressing you to act quickly.

UCR Information Technology Solutions provides campus units with best-in-class cybersecurity measures. Schedule a consultation with ITS today at sds@ucr.edu to learn how to protect your organization from cyberattacks.