Cybercriminal scams City of Portland, Ore. for $1.4 million

Portland, Ore. is investigating a cybersecurity breach that resulted in a $1.4 million fraudulent transaction with city funds in April — one discovered after the same compromised account tried again the next month, the city said in a press release late last week. 

“Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct this illegal activity,” according to the statement. 

Although the specifics of the situation remain unclear, the details could point to a Business Email Compromise (BEC) attack.BEC fraud is a growing source of cybercrime that targets organizations and the people inside, either by compromising accounts that can approve fraudulent transactions or by tricking employees in control of those accounts.

In a public service announcement earlier this month, the FBI warned known losses to BEC fraud amounted to over $43 billion between June 2016 and December 2021, with nearly a quarter-million reported incidents around the world. 

State and local governments have long faced similar attacks. In 2019, the town of Erie, Colo. was scammed out of $1 million for a bridge project after a fraudster submitted a change of payment request through an online form, according to the Denver Post. 

The same year Portland Public Schools were nearly scammed out of $2.9 million, the Oregonian reported, in a scheme where employees were tricked into signing off on a fraudulent payment for someone digitally impersonating a contractor. In that case, the money was recovered after the incident was quickly flagged. 

It’s unclear if any funds have been recovered in the recent Portland incident. The City did not immediately respond to requests for comment from The Record. 

But some local observers are not optimistic. 

“In this particular case, they detected it a month after so I’m guessing that money has gone to a gazillion other bank accounts,” Portland State University computer science professor Wu-chang Feng told local CBS station KOIN. “Typically, with this amount of time, it would be hard to trace.”