(TLP:WHITE) EPA and WaterISAC Joint Advisory Regarding Continued Email Account Compromise Incidents Against U.S. Water and Wastewater Systems

Created: Thursday, November 18, 2021 - 09:12
Categories: Cybersecurity, Security Preparedness

During the past year, the FBI has published multiple notifications highlighting the widespread threat of Business Email Compromise (BEC). Likewise, recent sector reports and responses to WaterISAC’s Quarterly Incident Surveys corroborate that water and wastewater systems of all sizes continue to be victimized by impersonation-style attacks such as Business Email Compromise, and specifically Vendor Email Compromise (VEC).

Vendor Email Compromise (VEC), also known as supplier invoicing fraud, is prevalent in the water and wastewater sector. In a Vendor Email Compromise, threat actors assume the identity of a trusted partner in order to steal money by redirecting invoice payments to new accounts controlled by the attacker. In many cases, a VEC involves compromising an email account of a trusted supplier or vendor and then hijacking existing email threads to identify financial transactions. The attacker will then wait for the opportunity to request an account number change for an upcoming invoice payment.
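The pattern described above (a reply inside an existing invoice thread that asks for new account details) can be triaged on the receiving side. The following Python sketch is an added example, not part of the advisory; the phrase lists, the `triage` function, the `hold-verify` label and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed phrase lists; tune them against your own accounts-payable mail.
CHANGE_RE = re.compile(
    r"\b(new|updat\w*|chang\w*|different)\W+(?:\w+\W+){0,4}?"
    r"(bank\w*|account|routing|remittance|wire|ach)\b", re.I)
PAYMENT_RE = re.compile(r"\b(invoice|payment|remit\w*)\b", re.I)

def triage(raw):
    """Flag a message that asks to change payment details for an invoice."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Score only the sender's new text: in a hijacked thread the quoted
    # history is genuine correspondence and must not drive the verdict.
    fresh = "\n".join(line for line in text.splitlines()
                      if not line.lstrip().startswith(">"))
    subject = str(msg["Subject"] or "")
    asks_change = bool(CHANGE_RE.search(fresh))
    about_payment = bool(PAYMENT_RE.search(fresh) or PAYMENT_RE.search(subject))
    return {
        "sender": parseaddr(str(msg["From"] or ""))[1],
        "thread_reply": bool(msg["In-Reply-To"] or msg["References"]),
        "verdict": "hold-verify" if asks_change and about_payment else "pass",
    }

# Constructed sample messages (not real traffic).
HEADERS = """\
From: Billing <billing@vendor.example>
To: ap@utility.example
Subject: Re: Invoice 1042
In-Reply-To: <b2@utility.example>
References: <a1@vendor.example> <b2@utility.example>

"""
QUOTED = "\n> Invoice 1042 is approved and scheduled for the 30th.\n"
SUSPECT = HEADERS + ("Before you pay this one, note that we have changed banks.\n"
                     "Please use the new account details for this invoice.\n") + QUOTED
BENIGN = HEADERS + "Thanks, payment on the 30th works for us.\n" + QUOTED

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

Because the sender address in a compromised-vendor case is the vendor's real mailbox, the check keys on the request itself rather than on the sender, and a `hold-verify` result is meant to pause the payment until the change is confirmed through a contact channel already on file.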

In light of this ongoing threat activity, WaterISAC and the Environmental Protection Agency (EPA) recommend that all members and partners of the sector review FBI PIN 20210317-001: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources, and adopt the recommended mitigations. End-user awareness and education about BEC, VEC, and other impersonation scams, together with technical controls such as multifactor authentication (MFA), are some of the most important steps sector organizations can take to curb this threat.

Additional PINs and Resources

WaterISAC Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the online incident reporting form.