A school district in Texas announced that it lost approximately $2.3 million after falling victim to a phishing email scam. On January 10, the Manor Independent School District (MISD) published a statement on Twitter and Facebook in which it revealed that it was investigating a phishing email scam that cost it $2.3 million. https://twitter.com/ManorISD/status/1215731859805609984?ref_src=twsrc%5Etfw In the statement, MISD Director of Communications Angel Vidal Jr said that the Federal Bureau of Investigations and the Manor Police Department were pursuing "strong leads" as part of their investigation but that their efforts were ongoing. Vidal also took the opportunity to thank the Manor Police Department for working with MISD to notify the community about the security incident. MISD's statement didn't disclose any information about the phishing email scam including how it occurred or how the school district, which serves 9,600 students, detected it. Anne Lopez, a detective with the Manor Police Department, provided some details about the attack to television station KVUE:
It was three separate transactions. Unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was a fraudulent bank account.
Lopez's insights suggest that the attack consisted of a business email compromise (BEC) scam in which digital fraudsters tricked an employee at MISD into changing the payment instructions for a vendor or supplier. Those attacks have individually cost companies like Nikkei and Toyota millions of dollars. Between June 2016 and July 2019, BEC scams were responsible for $26 billion in damages globally. The attack described above highlights the importance of organizations taking steps to protect themselves against malicious emails. They can do so by educating their employees about some of the most common types of phishing attacks circulating in the wild today. This resource is a good place to start.