Located near the edge of the Austin metropolitan area, Manor is home to fewer than 10,000 people. Though it’s far from the smallest possible target, the Manor Independent School District is relatively modest as potential cyber crime victims go. How much damage could a hacker possibly do to a small school district in Texas? In the wake of a recent phishing scam, it turns out to be about $2.3 million dollars worth.
The hack began with phishing emails sent to school district employees in November. This gave the attackers surreptitious access to the district’s network, which they used to perpetrate a business email compromise scam. Posing as vendors, they were able to bilk the school district out of approximately $2.3 million before the scheme was discovered about a month later.
The Manor Independent School District phishing scam
Local law enforcement authorities are not releasing any further information about the incident, other than the fact that the scam involved three separate transactions over the course of about a month.
Given the multiple separate fraudulent transactions and the large amount of money lost, and knowing that it was not a ransomware or data wiping incident, business email compromise is almost certainly the approach that was used. After they gain access to the network by way of a phishing email, the attackers usually use inside information about vendors and trusted email addresses to get employees to authorize fraudulent payments. The employees think they are making regular payments to vendors, but the money instead is going into the bank account of the hackers.
Though the details of this particular phishing scam are unknown, business email compromise attacks usually involve the hackers impersonating a high-level figure capable of authorizing payments to convince a lower-level employee in the billing department to release funds. It is also possible that the attackers simply spoofed the vendors and presented fraudulent invoices to the organization by email.
Federal Bureau of Investigation (FBI) complaint statistics indicate that there over 350,000 of these sorts of phishing scams are successful each year, and that they cost organizations over $1 billion in total.
The Manor police department and the FBI are investigating. A perpetrator has not yet been identified, but a district official said that there were “strong leads” in the case.
School districts becoming a popular target
American municipal networks have become a popular target for phishing scams as of late, particularly those that are smaller and more rural. They have enough resources to be worth hacking, but also tend to be poorly defended. Often this is due to an underfunded and understaffed IT department; some areas do not even have their own department, relying on sporadic coverage from some sort of county or state agency. Some municipalities have had to call in the National Guard for recovery assistance after being attacked.
Texas has experienced a particularly bad wave of this sort of cyber crime in the past year. A wave of ransomware hit 22 towns in the state in a coordinated attack over the summer, causing some to be locked out of vital resources and costing millions of dollars in recovery expenses. And the Port Neches-Groves school district in the Beaumont area was just hit with a ransomware attack in early November; insurance covered the ransom demand of about $35,000, and school officials were fortunate to get access to their systems back with a deductible payment of only $2,000.
School districts in Alabama, Florida, Louisiana, New York, Oklahoma and Virginia were also hit by either ransomware or theft of sensitive personal information in 2019. The K-12 Cybersecurity Resource Center tracks incidents specific to schools and school districts and reports 757 of these attacks since 2016. In total, 500 schools across the country were impacted by ransomware last year.
The total bill
So how much damage can even a small, non-profit organization expect to take from profit-motivated hackers running a phishing scam? In the case of a business email compromise incident such as this, the answer is “however much your billing department is regularly authorized to pay to vendors.” In the case of ransomware, the cost is whatever it takes to restore normal operations when access to your computers is cut off. And in the case of data breaches, it’s whatever the legal compliance costs and expenses from any lawsuits might be.
Mike Reimer, Chief Security Architect for secure access provider Pulse Secure, points out that the answer to protecting lower-profile targets is not in lavish spending on software but in training of personnel to recognize phishing attempts:
“Phishing is a top cyberattack vector – and threat actors are applying the same targeting expertise as advanced marketers. The imitations are well executed and offer enticing messages to trick a recipient into clicking on a malicious link or share sensitive data. In this case, the scam was so convincing that someone transferred millions of dollars. Cases such as the Manor ISD attack demonstrate the need to coordinate secure controls and continue to raise employee security awareness in 2020.”
Greg Wendt, Executive Director of Appsian, also commented on the need for an active approach to cybersecurity in all types of organizations:
“Phishing attacks such as this are sophisticated, meticulously planned, and strategically executed leaving very little time to react. It is unfortunate that in this case the phishing scam was able to recur three times and resulted in millions lost.
“In order to mitigate the risk of phishing scams moving forth, Manor ISD must implement a custom security strategy that provides fine-grained user access control. By deploying adaptive Multi-Factor Authentication, organizations are able to significantly enhance security with additional user authentication – both at login and inside an application. Contextual controls also mitigate cyber risk by adapting policies in accordance with changing context of user access. Furthermore, by deploying granular logging and real-time analytics, an organization gains comprehensive insights into user activity.
“When armed with actionable data, Manor ISD can identify suspicious activity immediately and take remedial measures before an attack results in costly damages.”
This incident is yet another that makes clear that no organization can consider itself too small or too unimportant to be worth the notice of profit-minded hackers. If the organization has an insurance policy, sensitive personal data or a relationship with trusted vendors that can be exploited, someone out there will be interested in them. The Manor school district phishing scam demonstrates that targets such as these are considered valuable enough to execute a targeted phishing email scam and extended periods of impersonation of a vendor.