A new security incident has just been reported; according to data protection specialists, Collier County, in Florida, was the victim of a phishing campaign deployed in late 2018. Thanks to the little cybersecurity knowledge of public officials, the local government lost about $180k USD, money that was handed over to a hacker group.
This incident, which the FBI classified as a “business email compromising”, occurred in December 2018. The attackers focused on money from county reserves, which was transferred electronically to a bank account allegedly controlled by Quality Enterprise USA Inc., a company that has provided various services for the Collier government. In other words, the attackers tricked employees posing as contractors to make them perform electronic transfers.
“We contacted the county Sheriff’s Office immediately after we detected the operations, perpetrated by a group of fraudsters,” a county statement mentions. “Local authorities are investigating this incident in collaboration with the FBI,” the statement adds.
According to early reports released by FBI data protection experts, the attack would have been operated from abroad, although a potential culprit is not explicitly mentioned. In addition, it has been revealed that electronic transfers were recovered thanks to insurance policies hired by the county.
Data protection experts have emphasized that no data breach or security violation occurred in Collier’s computer systems; “Attackers did not gain access to our email systems or computer networks, nor was the presence of any variant of malware detected,” they said. “We continue to work actively to improve our policies and protocols for security, prevention, detection and containment of cybersecurity incidents,” added experts working with local authorities.
The increase in reports of phishing attempts against government organizations has caught the attention of the U.S. president administration, which is already concerned about the potential for success these attacks. As for the county, the local administrators mention that some improvements to their security systems have already been implemented; however, the human factor must remain vigilant for potential threats in the future.
Quality Enterptises is a company that works closely with multiple government entities, so it is relatively understandable that the attackers have selected the image of this company to deceive Collier County employees. As a prevention measure, company executives have advised their clients to follow up on any suspicious-looking bank transfer request; in addition, the company recommends them training their staff in those areas to learn how to distinguish malicious and legitimate content.
Unfortunately this is not the first time a similar incident occurs in a Florida city. A few months ago data protection specialists from the International Institute of Cyber Security (IICS) reported a complex phishing campaign that caused nearly $1 million USD losses to the Naples city government. The money would have been sent to an account allegedly operated by Wight Construction Group, a city government contractor, using fraudulent calls and emails.