During the past year, the FBI has published multiple notifications highlighting the widespread threat of Business Email Compromise (BEC). Likewise, recent sector reports and responses to WaterISAC’s Quarterly Incident Surveys corroborate that water and wastewater systems of all sizes continue being victimized by impersonation-style attacks such as Business Email Compromise, and specifically Vendor Email Compromise (VEC).
Vendor Email Compromise (VEC), also known as supplier invoicing fraud, is prevalent in the water and wastewater sector. In a Vendor Email Compromise, threat actors assume the identity of a trusted partner in order to steal money by redirecting invoice payments to new accounts controlled by the attacker. In many cases, a VEC involves compromising an email account of a trusted supplier or vendor and then hijacking existing email threads to identify financial transactions. The attacker will then wait for the opportunity to request an account number change for an upcoming invoice payment.
In light of this ongoing threat activity, WaterISAC and the Environmental Protection Agency (EPA) recommend that all members and partners of the sector review FBI PIN 20210317-001: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources and adopt the recommended mitigations. End-user awareness and education of BEC, VEC, other impersonation scams and implementing technical controls such as multifactor authentication (MFA) are some of the most important steps sector organizations can take to curb this threat.
Additional PINs and Resources
- FBI PIN: Cyber Criminals Exploit Email Rule Vulnerability to Increase Likelihood of Successful Business Email Compromise (TLP:WHITE)
- WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- AWWA Resources on Cybersecurity
- Security Awareness Reminder – Business Email Compromise, a Primer on Impersonation Attacks
- Cybersecurity Awareness/Hygiene – Proofpoint BEC Taxonomy Series
- Security Awareness – Managing the Human Side of Cyber
- EPA Cybersecurity Best Practices for the Water Sector
WaterISAC Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email firstname.lastname@example.org, call 866-H2O-ISAC, or use the online incident reporting form.