Scammers use DocuSign API to send fraudulent invoices
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Cybercriminals recently stole $7.7 million combined from organisations in Texas and North Carolina through sophisticated Business Email Compromise (BEC) scams. These attacks targeted a construction firm in Texas and a government entity in North Carolina, exploiting weaknesses in financial controls. Despite recovery efforts, a significant portion of the funds remains unrecovered, including $6 million in Texas and $1.7 million in North Carolina.
Here’s how these scams worked—and why construction and government sectors are prime targets.
A BEC scam occurs when cybercriminals pose as trusted partners—like vendors or executives—to deceive finance teams into sending money to fraudulent accounts. These scams rely heavily on email hacking and social engineering to make requests appear legitimate.
In Texas, cybercriminals hacked into the email account of a vendor working with a construction firm. They monitored communication between the vendor and the firm for an extended period, waiting for the perfect moment to strike. When a legitimate payment was expected, the attackers sent a fraudulent email, disguised as the vendor, requesting a change in bank details.
The construction firm’s finance team, unaware of the fraud, transferred $6 million to the fraudulent account. By the time the fraud was detected, the money had already been dispersed through multiple accounts, many of them overseas. The complex network of transactions made tracing the funds extremely difficult, and recovery efforts were largely unsuccessful.
In North Carolina, Cabarrus County was targeted by BEC scammers posing as a contractor building a new high school. The scammers sent an email requesting a change in bank details, which the county’s finance department processed without verifying directly with the contractor.
The county transferred $2.5 million to the fraudulent account, but only $776,000 was recovered. This left $1.7 million unrecovered. The funds were quickly dispersed through various accounts, making recovery nearly impossible. This scam was part of a larger nationwide BEC operation targeting various government organisations across the US.
Construction and government sectors are frequent targets for BEC scams due to their specific operational characteristics:
Finance leaders should prioritise strong financial controls to protect their organisations from BEC scams. Here are key steps that can help mitigate the risk: