<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.gmail-msolistparagraph, li.gmail-msolistparagraph, div.gmail-msolistparagraph
{mso-style-name:gmail-msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Good afternoon!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I wanted to share the message below with those responsible for cyber security and awareness in your districts. This is happening all over Ohio and beyond. Please
make sure your malware protection is up-to-date and fully deployed and consider recurring awareness training for your staff. Let me know if you need assistance.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thor<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thor Sage<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Executive Director<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Miami Valley Educational Computer Association<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">937-767-1468 x3101<o:p></o:p></span></p>
<p class="MsoNormal"><a href="http://www.mveca.org/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="174" height="64" style="width:1.8125in;height:.6666in" id="Picture_x0020_1" src="cid:image001.jpg@01D4FB60.66137390" alt="http://www.mveca.org/images/logo.gif"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">
</span><a href="https://www.linkedin.com/company-beta/3947840/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1027" src="cid:image002.jpg@01D4FB60.66137390" alt="i"></span></a><a href="https://twitter.com/mvecarcog"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_2" src="cid:image003.jpg@01D4FB60.66137390" alt="t"></span></a><a href="https://www.facebook.com/MVECA-707401659416692/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_3" src="cid:image004.jpg@01D4FB60.66137390" alt="f"></span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Not-for-profit Technology Services for Education and Local Governments<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> mail_treas-bounces@listserv.mveca.org <mail_treas-bounces@listserv.mveca.org>
<b>On Behalf Of </b>Pursley, Jacqui<br>
<b>Sent:</b> Thursday, April 25, 2019 11:19 AM<br>
<b>To:</b> oecn_treas@oecn.k12.oh.us<br>
<b>Subject:</b> [Mail_treas] FRAUD ALERT<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Hello All,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I just wanted to give you a heads up on an attempted fraud at our district so you can warn your staff what to look for.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Our district was infected by the malware trickbot which steals usernames, passwords, etc. Four of the five staff in the Treasurer's office here were attacked using this malware. There were
several incidents but the most severe was an actual breach of our online banking. They had changed the beneficiary ABA and account number for two of our wire templates that we used often and where large amounts were wired. Luckily, (and I must stress that
there was definitely some luck involved which makes it even scarier), we noticed the change and were able to correct the templates and let our bank know what had been attempted. </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Luckily, the changes the thieves made were enough to make the Treasurer come to me to question why the account looked somewhat different when he was getting ready to wire $2 million dollars.
That started us looking more closely. We discovered that on Wednesday April 17, one of our staff had modified 2 templates which was a red flag to us. Since we have a 2 person approval requirement for all changes, they could not complete the change. We knew
that staff member would not change the template and remembered that on that day, she was actually unable to get into the bank after her first posting to the online banking system. We had mistakenly attributed that to just one more difficulty we were experiencing
district wide because of the malware.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">So, what the bank thinks happened is that when she was in the first time that day, they grabbed all of the info she entered including the temporary random access number from the her bank fob.
Acting quickly, because the fob number is so brief, they entered the online banking system as her and made the changes. </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">They continued on to attack both another staff member and myself - obviously looking to snag another set of credentials that would let them complete the change. Luckily, we needed to do a wire
transfer before they were able to do that and were alerted to the attack. Had they succeeded in getting the other set of credentials, we may not have realized what had happened and may have proceeded with the wire transfer. </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">My advice to you is - be on hyper alert if your district gets infected with a password stealing malware like trickbot. Don't just assume that any issues or strange incidents on staff computers
can be chalked up to the malware issue in your district. Those issues and incidents may very well mean your banking information (or other equally valuable data) is under attack.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Some things that happened here (each person seemed to have a slightly different experience):</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-family:"Arial",sans-serif">1.</span><span style="font-size:7.0pt">
</span><span style="font-family:"Arial",sans-serif">Not being able to access the online banking system – just won’t load.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-family:"Arial",sans-serif">2.</span><span style="font-size:7.0pt">
</span><span style="font-family:"Arial",sans-serif">Sudden shut down of google chrome immediately after entering or approving a payment via the online banking system. When you attempt to sign back in, you get a message that chrome shut down oddly and asking
if you want to restore. When you say yes, the online banking opens exactly where you left off. I learned this was a BIG no-no. If all were well, you would be forced to sign back in after an internet shut down.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:106%">
<span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;line-height:106%;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-family:"Arial",sans-serif">3.</span><span style="font-size:7.0pt">
</span><span style="font-family:"Arial",sans-serif">When in bank, screen goes blank momentarily then comes back at first greyed out and then in full color.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="gmail-msolistparagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:8.0pt;margin-left:.5in;line-height:106%">
<span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;line-height:106%;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">We also learned that at least one other district has had a similar attack.
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">This is our second fraud attempt in the last 2 months. The first one was an email from a vendor that we make very large regular payments to asking to be paid by ACH rather than paper check.
As we were in the process of implementing ACH vendor payments, we were happy to oblige and requested the banking information to make it happen. There was something just a little fishy about the urgency they were conveying that this happen very soon, so the
Treasurer called the person who said that they had not sent the emails. So we dodged a bullet there. And, implemented a policy that no ACH or Direct Deposit changes could be made without our staff calling the vendor or employee personally and verifying that
the request indeed came from them. I would recommend this process to everyone.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I guess bottom line is be very vigilant. The threat is real.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div name="divtagdefaultwrapper">
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif">Thank you and have a great day!<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif">Jacqueline Pursley<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif">Assistant Treasurer - Revere Local Schools<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif">Phone: 330-556-3111<o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<span style="font-size:7.5pt;font-family:"Tahoma",sans-serif;color:#212121;background:white">CONFIDENTIALITY NOTICE: This email is intended only for the addressee(s) and may contain material that is confidential under state and federal law. If you were not
an intended recipient, please notify the sender and delete all copies. School District email is to be used only for school purposes. The District may monitor email to and from its network. This email and any response to it may be archived for later retrieval
and may constitute a public record and therefore may be made available upon request in accordance with Ohio Public Records law (ORC 149.43).</span><o:p></o:p></p>
</div>
</body>
</html>