Cybercriminal scams City of Portland, Ore. for $1.4 million
(Image: Zach Savinar, Illustration: The Record)
Andrea Peterson May 31, 2022

Portland, Ore. is investigating a cybersecurity breach that resulted in a $1.4 million fraudulent transaction with city funds in April — one discovered after the same compromised account tried again the next month, the city said in a press release late last week. 

“Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct this illegal activity,” according to the statement. 

Although the specifics of the situation remain unclear, the details could point to a Business Email Compromise (BEC) attack. BEC fraud is a growing source of cybercrime that targets organizations and the people inside, either by compromising accounts that can approve fraudulent transactions or by tricking employees in control of those accounts.

In a public service announcement earlier this month, the FBI warned known losses to BEC fraud amounted to over $43 billion between June 2016 and December 2021, with nearly a quarter-million reported incidents around the world. 

State and local governments have long faced similar attacks. In 2019, the town of Erie, Colo. was scammed out of $1 million for a bridge project after a fraudster submitted a change of payment request through an online form, according to the Denver Post. 

The same year Portland Public Schools were nearly scammed out of $2.9 million, the Oregonian reported, in a scheme where employees were tricked into signing off on a fraudulent payment for someone digitally impersonating a contractor. In that case, the money was recovered after the incident was quickly flagged. 

It’s unclear if any funds have been recovered in the recent Portland incident. The City did not immediately respond to requests for comment from The Record. 

But some local observers are not optimistic. 

“In this particular case, they detected it a month after so I’m guessing that money has gone to a gazillion other bank accounts,” Portland State University computer science professor Wu-chang Feng told local CBS station KOIN. “Typically, with this amount of time, it would be hard to trace.” 

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.