A simple scam was used to rob the town of Erie, Colorado, of more than a million dollars, taking social engineering to another level.
An unknown party completed and submitted an electronic form on Erie’s administration website with a simple request: change the type of payment, from check to direct fund transfer, for a company called SEMA Construction, which was already employed by the city.
No one paid close attention to the request, and it was granted. On October 25th, 2019, the city wired $1.1 million when the payment was due. Bank officials notified the administration of the suspicious transfers 10 days later. SEMA Construction confirmed that they never made the request and, of course, never got the money.
The blame rests on the Erie administration employees who failed to check the validity of the request; it’s precisely the kind of lax behavior that allows scams to go through, as criminals rely on human negligence. The weakest link, in most cases of hacking and social engineering, is the people handling the digital information.
The initial investigation revealed no accomplices in the administration, and the town is trying to recoup the money from insurance. In the meantime, all electronic forms have been disabled, and fund transfers are no longer permitted.
The fraud perpetrated against the city is a combination of social engineering and business email compromise (BEC), although no emails were actually exchanged in this case. The goal is the same: criminals impersonate someone else to trick their victims into making payments or sharing sensitive information.
The FBI and the local police are now investigating how exactly the scammer managed to pull this off. According to the Denver Post, this is not the first time this has happened, and it’s becoming a lucrative scam.