In April, a hacker was able to defraud the city of Portland, Oregon, of $1.4 million by deceiving municipal workers into sending the money to them.

According to Oregon Public Broadcasting, the thief used a business email compromise (BEC) technique to carry out the heist, which required taking control of a city employee’s email account.

Without going into great detail, Portland’s city government stated in May that it had lost $1.4 million in a cyber-related event. However, OPB reported (Opens in a new window) discovered Monday that it possessed internal emails from the city that demonstrate the cybertheft took place as a result of a BEC attack.

The hacker most likely started the plan by sending a phishing email that convinced a City of Portland employee to reveal their email account password. The hacker used the access to Central City Concern, a housing nonprofit preparing to secure $1.4 million in local financing, to assume the identity of a representative.

The $1.4 million wire transfer was at one point marked as potentially fraudulent by the city treasurer. This happened because the name of the account receiving the wire transfer did not match the name of the bank account that the Central City Concern actually had.

As a result, the city treasurer insisted that municipal workers verify the bank account details with a representative of the organization. However, the municipal staff members just decided to do so by emailing one another. The employees were actually interacting with the hacker posing as the NGO. Employees of the city decided to transfer the $1.4 million despite this.

After the hacker attempted to conduct a second fraudulent wire transfer some weeks later, the city of Portland only learned about the email compromise. The hacked email account had then been accessed from several countries, including Texas, Germany, and Nigeria, most likely via a VPN, according to IT employees.


” alt=””>

” alt=””> According to Portland’s city government’s said (Opens in a new window) in June, “The City is pursuing recovery for as much of the stolen money as possible through cybersecurity insurance and other ways, but won’t have resolution for some time.”

The story serves as a reminder that it is always a good idea to personally phone (or meet with) the beneficiary of a wire transfer before sending the money. The FBI calculates that since 2016, BEC schemes have attempted to or successfully stolen up to $43 billion from multinational corporations.

APPRECIATE WHAT YOU JUST READ? For direct delivery of our top privacy and security stories to your inbox, subscribe to the SecurityWatch newsletter.

Advertisements, discounts, and affiliate links could be found in this newsletter. You agree to our Terms of Use and Privacy Policy by subscribing to a newsletter. You are always free to unsubscribe from the newsletters.


You may also like