by Jennifer Lyn Walker

If your utility uses email and pays invoices, you will want to read this and share it with everyone in your organization, especially accounts receivable and other finance staff. This post from Huntress about a BEC incident they experienced this past weekend doesn’t use any fancy/techy language and is appropriate for all staff. As Huntress states and is typical for BEC attacks, this incident wasn’t flagged by a flashy security tool or even its own solution. This is a story of good ol’ fashioned security awareness training and security-focused business procedures.

Fortunately, both organizations involved in this business email compromise (BEC) incident were spared from losing a lot of money. While the vendor experienced two total email compromises, security awareness and security-focused business procedures at Huntress kept this from becoming much worse.

The Twist

Scammers typically lead BEC invoice fraud with a request to change the account number for payment. However, this incident began with an “invoice due” email, followed up a few days later with a request to “stop payment,” and then another follow up a few hours later requesting the reissue of the payment to the “new” bank account information. While the end goal was the same as we’ve seen, read, and heard at least a thousand times, this incident is another example of how some scammers are willing to be patient for a payout to include prolonging their pretext.

While the incident breakdown is captured below for your convenience, please access Huntress for more details about this event.

Incident Breakdown (as told by Huntress)

On August 4, 2023, Huntress received a request for payment on an invoice due, so we initiated an ACH payment of around $103,000 to the vendor. Anastasia Koronios, an AR/AP Specialist on Huntress’ accounting team, informed our vendor contact (let’s call her “Darla”) that a payment had been made and that she should expect the money to hit their bank account on August 10.

Three days later, on the morning of August 7, Anastasia received an email back from Darla asking us to stop the payment because of suspicious activity in the vendor’s bank account. The email was from the known contact with all of her correct email signatures and information. We stopped payment immediately.

A few hours later, Darla followed up requesting that the payment be re-issued to a new bank, and all of the new account and routing information was included in the follow-up email.

Whenever a vendor presents us with a new bank account, our default procedure is to call our vendor contact and confirm the details. Even though in this case, Darla’s email address was clearly legitimate, we still made sure to call her to reconfirm. 

When Anastasia called and asked Darla about the new bank account that she had sent us, she was confused and had no idea what Anastasia was talking about. She said that there was nothing wrong with their bank account, she did not send any emails to us, and in fact, she was having email issues for the past week.

Members are strongly encouraged to incorporate this Huntress post into your security awareness training. Likewise, if you’ve experienced this twist, WaterISAC would like to know. Please use the confidential online incident reporting form, email analyst@waterisac.org, or call 866-H2O-ISAC to let us know. Reporting to WaterISAC helps utilities and other stakeholders stay aware of threats being experienced across the sector.