A Fake Bank Audit and a Delayed Homeless Shelter

The hackers waited patiently. They quietly prepared to pounce.

And it worked. They walked away with $650k. Sadly, it also cost a critically needed homeless shelter.

The non-profit group, One Treasure Island, makes loans and grants to groups who serve the low-income and homeless community in and around San Francisco's Treasure Island.

Treasure Island's Williams received an email from Mercy explaining that its Denver bank was undergoing a yearly tax audit.

In this case, One Treasure Island wired funds to Mercy Housing California for an upcoming 138-unit development project on the island.

Just prior to executing the wire, One Treasure Island's Executive Director, Sherry Williams, received an email from Mercy, informing her that their bank was undergoing its annual audit and provided alternate wire instructions.

The new bank was Frost Bank in Odessa, Texas. It's a legitimate bank, so Ms. Williams forwarded the updated wire instructions to their bookkeeper, an independent contractor who has worked with the organization for over 20 years.

The bookkeeper followed the updated instructions and sent the wire on its way.

At this point, neither side was aware of a hack or compromise.

To keep the rouse alive long enough to get the funds moved out of Frost Bank, the attackers also sent an email to Mercy Housing to let them know that funds would be "delayed for several days because its bank in San Francisco was undergoing a yearly tax audit."

“I said at a meeting, ‘Great! Now you’re all paid!’” Williams recalled telling Mercy. “They said, ‘No, we haven’t received anything.’

Sound familiar?

So the attackers sent emails about "annual bank audits" to both parties to keep everyone quiet long enough for them to move money outside of the US. To One Treasure Island, the supposed audit meant that they needed to send funds to a different bank. To Mercy Housing, the faked audit meant that funds would be delayed.

“That’s when it dawns on me, and I freak out,” she said. Mercy’s email address was slightly misspelled in each one, with two letters transposed.

It was not until Ms. Williams proudly announced the successful funding that everyone realized something was wrong.

Mercy's bank wasn't under audit, and they didn't receive the money.

Ms. Williams sprang into action in pursuit of the stolen funds.

She quickly realized that the key piece of this hack was in the bookkeeper's hacked email. In what is called Business Email Compromise, the cybercriminals phished their way into the bookkeeper's email account. Then they waited. In the meantime, there's little hint of the attacker's presence in the bookkeeper's email. There are no glaring red flags.

Once inside, the attackers simply wait until it's time to pounce - i.e. when they can intercept a large money transfer.

That's exactly what they did here.

Ms. Williams remains on the hunt for the stolen funds, but that's no relief for displaced people experiencing homelessness on Treasure Island. So far, her efforts have resulted in more disappointment than recovery. These attackers know how to work the system well. There's typically little to no recovery once funds are transferred out of the US.

This is the painful reality of cybercrime.

Hackers will continue playing these games.

And we must continue improving our defenses.

At INFIMA, we work with our partners and clients to see a more secure today, avoiding attacks just like this one.

Every day our clients and partners take steps to protect their people and their organizations with consistent, always-on Security Awareness Training.

Learn how easy it is to partner with INFIMA here!