Cape Cod Community College Hit With $800,000 Phishing Attack

Hackers Know How to Steal Money Anonymously

In West Barnstable, Massachusetts, Cape Cod Community College recently fell victim to a phishing scam that resulted in the school losing more than $800,000. The money was taken out of the school’s bank accounts. While this kind of scam is common these days, there are measures a business can take to prevent it. In the case of Cape Cod Community College, experts believe endpoint security solutions using next-generation technology would have prevented the monetary loss for the school.

The hackers of today are quite sophisticated, and if a business falls victim to one of their scams, there is often very little they can do about it. Hackers know how to remain anonymous, and leave few if any, digital footprints to follow. This means the likelihood of recovering one’s money is little to none. That is why it is so vital to prevent these things before they happen by using proper technology.

The president of Cape Cod Community College, John Cox, revealed the financial loss via a digital theft to the staff and faculty of the school in an email on December 7. By working with the bank at which the school’s accounts were held, the school has been able to recover about $300,000 of what was stolen, which is more than most smaller businesses would be able to do. It is unlikely they will be able to recover the entire $800,000, but they might be able to get some more of the money back by working closely with the bank, as they are doing.

Details of the Digital Theft

Cox gave an interview with a local newspaper after informing the workers at the college of the theft. In the interview, he revealed many interesting details about the theft, including:

• The email that allowed hackers access to the school’s bank account information appeared to come from another college, so it seemed safe to open the attachment that came with it.
• After opening the attachment, the person who initially opened the email believed the attachment was suspicious and alerted the school’s IT department. Alerting the IT department is standard protocol at the school when it comes to suspicious emails and attachments.
• When the IT department did a diagnostic on the attachment, they found a polymorphic computer virus embedded in it. They quarantined the virus, but it had already gotten into the school’s computer network.
• The scammers had a fake URL that seemed to go to TD Bank, where the college has its accounts. By placing phony calls to school employees to validate transactions, the scammers were able to make nine transfers out of the college’s bank accounts, totaling $807,103.
• The scammers attempted 12 transfers, but workers at TD Bank recognized three of them as suspicious and did not allow them to go through.
• Cape Cod Community College has recently installed next-generation endpoint protection software, but only on some of their computer networks. If it had been installed on all of them, the hackers likely would not have been able to gain access to the school’s bank account information and use it to transfer out the money.

Other Schools Have Had This Issue, As Well

Cape Cod Community College is not the only school to have this kind of issue in recent times. In June of 2018, hackers stole around $1.4 million from 21 account holders in the Connecticut Higher Education Trust.

Hackers are not just after money, either. They are out to cripple the schools they target. Sometimes, they don’t steal any money at all, but instead, generate outages of the computers at a particular school. This happened to a college in Wisconsin in June of 2018, and it resulted in classes having to be canceled for three days because the computer infrastructure to support the classes, students, and employees wasn’t there.

It hasn’t just been colleges being targeted, either. K-12 schools are also targets. A public K-12 school in New Jersey lost $200,000 in September of 2018 in a phishing incident similar to the one experienced at Cape Cod Community College.

Technology Companies are Stepping Up to Help Prevent This

Technology companies are stepping up in light of such incidents, creating phishing simulators to help schools teach their employees to avoid allowing their workplaces to become the next phishing victims. They are also reaching out to schools to increase awareness of the need for next-generation endpoint protection software, and to help schools install and use it.