Portland City Officials Accidentally Send Hacker $1.4 Million

pcmag.com:

A hacker managed to swindle the city of Portland, Oregon, out of $1.4 million by tricking municipal employees into wiring them the funds back in April. 

The culprit pulled off the theft through a business email compromise (BEC) scheme, which involved hijacking a city employee’s email account, according to Oregon Public Broadcasting.

In May, Portland’s city government disclosed(Opens in a new window) it had lost $1.4 million in a cyber-related incident, without revealing all the details. But on Monday, OPB reported(Opens in a new window) it had obtained internal emails from the city that show the cybertheft occurred through a BEC attack. 

The hacker likely kicked off the scheme by sending a phishing email, which tricked a City of Portland employee into giving up their password to their email inbox. The access then gave the hacker enough information to impersonate an official at the housing nonprofit Central City Concern, which was preparing to secure $1.4 million in local funding. 

At one point, the city’s treasurer flagged the $1.4 million wire transfer as potentially fraudulent. This was because the name of the account receiving the wire transfer failed to match the Central City Concern's own bank account name.

As a result, the city’s treasurer demanded municipal employees confirm the bank account information with someone at the nonprofit. However, the municipal employees decided to do so simply by communicating over email. In reality, the employees were speaking with the hacker impersonating the nonprofit. This led city employees to make the $1.4 million transfer anyway.

The city of Portland only discovered the email breach after the hacker tried to make a second fraudulent wire transfer weeks later. IT staff then