BEC Fraudsters Divert $742,000 from Ocala City in Florida

The City of Ocala in Florida fell victim to a business email compromise scam (BEC) that ended with redirecting over $742,000 to a bank account controlled by the fraudster(s).

The swindle involved a phishing email impersonating an employee of a construction company the city is using to build a new terminal at the Ocala International Airport.

Email to the right person

It started in September when a city senior accounting specialist received an email from a counterpart at Ausley Construction further payments be sent to a different bank account than the regular one.

Impersonating vendors or clients is the latest trend observed in BEC scams, and requires a lot of preparation to create a message the victim will take for genuine.

Fraudsters often use malware - like spyware or remote access tools, that allows them to collect the necessary information to craft a believable email.

In the case of Ocala, the criminals gave the city employee a routing number and a bank account number along with a copy of a voided check. The message came from "ausleyconstructions.com," a fake address impersonating the real one that has no 's' at the end.

The sham was discovered when Ausley Construction notified the city on October 22 that an invoice submitted five days earlier had not been paid.

The city had paid the invoice the day after receiving it but the money went to the fraudster's bank account, reports Ocala Star Banner.

A report from the Ocala Police Department says that the full amount the city lost this way is $742,376.73. According to an earlier statement from Mayor Kent Guinn, the fraudulent account still had about $110,000 when they learned of the scam.

Email account fraud is huge

Illegal transfers from BEC fraud (also known as email account compromise) are huge. Statistics from the Financial Crimes Enforcement Network (FinCEN) this summer reveal an average monthly figure of over $300 million.

The numbers may be hard to believe but they are supported by the reported incidents. In August, the city of Naples, Florida, went through the same problem, cybercriminals getting around $700,000 into their account.

On October 30, one of the world's largest media corporations, Nikkei, reported a BEC scam that caused a loss of about $29 million.

A member of the Toyota Group announced in early September that it had become a victim of the same type of fraud. The expected financial loss is over $37 million.