[Mail_treas] FRAUD ALERT
Pursley, Jacqui
jpursley at revereschools.org
Thu Apr 25 11:18:57 EDT 2019
Hello All,
I just wanted to give you a heads up on an attempted fraud at our district
so you can warn your staff what to look for.
Our district was infected by the malware TrickBot, which steals usernames,
passwords, etc. Four of the five staff in the Treasurer's office here were
attacked using this malware. There were several incidents but the most
severe was an actual breach of our online banking. They had changed the
beneficiary ABA and account number for two of our wire templates that we
used often and where large amounts were wired. Luckily, (and I must stress
that there was definitely some luck involved which makes it even scarier),
we noticed the change and were able to correct the templates and let our
bank know what had been attempted.
Luckily, the changes the thieves made were enough to make the Treasurer
come to me to question why the account looked somewhat different when he
was getting ready to wire $2 million dollars. That started us looking more
closely. We discovered that on Wednesday April 17, one of our staff had
modified 2 templates which was a red flag to us. Since we have a 2 person
approval requirement for all changes, they could not complete the change.
We knew that staff member would not change the template and remembered that
on that day, she was actually unable to get into the bank after her first
posting to the online banking system. We had mistakenly attributed that to
just one more difficulty we were experiencing district wide because of the
malware.
So, what the bank thinks happened is that when she was in the first time
that day, they grabbed all of the info she entered including the temporary
random access number from her bank fob.  Acting quickly, because the
fob number is so brief, they entered the online banking system as her and
made the changes.
They continued on to attack both another staff member and myself -
obviously looking to snag another set of credentials that would let them
complete the change. Luckily, we needed to do a wire transfer before they
were able to do that and were alerted to the attack. Had they succeeded in
getting the other set of credentials, we may not have realized what had
happened and may have proceeded with the wire transfer.
My advice to you is - be on hyper alert if your district gets infected with
a password-stealing malware like TrickBot.  Don't just assume that any
issues or strange incidents on staff computers can be chalked up to the
malware issue in your district. Those issues and incidents may very well
mean your banking information (or other equally valuable data) is under
attack.
Some things that happened here (each person seemed to have a slightly
different experience):
1. Not being able to access the online banking system – just won’t load.
2. Sudden shutdown of Google Chrome immediately after entering or
approving a payment via the online banking system.  When you attempt to
sign back in, you get a message that Chrome shut down oddly and asking if
you want to restore. When you say yes, the online banking opens exactly
where you left off. I learned this was a BIG no-no. If all were well, you
would be forced to sign back in after an internet shut down.
3. When in bank, screen goes blank momentarily then comes back at first
greyed out and then in full color.
We also learned that at least one other district has had a similar attack.
This is our second fraud attempt in the last 2 months. The first one was
an email from a vendor that we make very large regular payments to asking
to be paid by ACH rather than paper check. As we were in the process of
implementing ACH vendor payments, we were happy to oblige and requested the
banking information to make it happen. There was something just a little
fishy about the urgency they were conveying that this happen very soon, so
the Treasurer called the person who said that they had not sent the
emails.  So we dodged a bullet there, and implemented a policy that no
ACH or Direct Deposit changes could be made without our staff calling the
vendor or employee personally and verifying that the request indeed came
from them. I would recommend this process to everyone.
I guess bottom line is be very vigilant. The threat is real.
--
Thank you and have a great day!
Jacqueline Pursley
Assistant Treasurer - Revere Local Schools
Phone: 330-556-3111