An email scheme has cost Southern Oregon University $1.9 million in lost funds that should've gone to the contractor on the McNeal Pavilion and Student Recreation Center construction project, the university announced this afternoon.
Unknown suspects allegedly posed as Andersen Construction in an email, prompting officials to send their spring payment to a bank account the contractor did not control, according to Mark Denney, SOU's vice president of budget and planning.
The university wired the payment the last week of April, according to SOU spokesman Joe Mosley. About three business days later, the construction company reported it never received payment.
Local, state and federal authorities were notified immediately after the fraud was discovered, Denney said. An FBI investigation was launched and efforts by the university are currently underway on multiple fronts to recover any and all losses.
Mosely said there are funds that remain in the bank account involved in the fraud, but said the amount remaining is "not clear."
"It's certainly a substantial amount," Mosley said. "It's certainly not all of the money that was transferred, but it's not just nickels and dimes, either."
Recovering the available funds is not immediate, Mosley said, saying there's a "process we have to go through."
As for the remainder of the money lost, Mosley said it's not yet known whether the university's insurance company covers fraud.
"We're hoping that it does," Mosley said.
FBI Portland Bureau spokeswoman Beth Anne Steele couldn't speak on the open investigation, but said generally that the so-called Business Email Compromise scam has been spreading, more recently setting its sights on small and medium-size businesses. The scam racked up more than $5 billion in losses or attempted losses worldwide between October 2013 and December 2016, according to a May 23 FBI release.
The FBI on May 5 alerted universities with the warning: “Many universities are frequently engaged in large construction projects which require regular electronic payments of at least several hundred thousand dollars. It is relatively easy for a criminal to identify the construction companies involved in these projects and use social engineering and e-mail spoofing to commit this type of fraud. As a result of the nature and large size of these payments to a construction company, losses are significant.”
Denney said there's no indication that the fraud was internal, or that the fraud involved anyone associated with Andersen.
The FBI says that the scheme typically works by a fraudster either spoofing an email account or hacking a longtime vendor's email account, then sending an invoice to the victim company with instructions to wire the money to the fraudulent account.
Mosley couldn't share specifics as to how SOU fell prey to the fraud. The university says there is a process in place for vendors to change their bank account numbers.
“It’s not an uncommon thing to happen,” said Mosley. “The person went through the processes that are outlined. We thought that was sufficient but we’re taking another look at the processes now.
“Obviously somebody found a way in.”
Mosley said this has never happened to SOU before. “We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” Mosley said. “We’re not alone.”
Steele said she was unaware of the number of attacks Mosley cited, and couldn't confirm or deny it.
The university is working to quell the concerns of students.
“It will not affect operating budget, programs or operations,” Mosley said, adding that a 12 percent tuition increase approved in May has nothing to do with the fraud. “We want to make very clear this has absolutely no relationship with the tuition increase which was in process long before. This doesn’t aggravate that. This is totally separate.”
The incident will not affect any university programs or operations, and will not alter the athletic pavilion construction project, which is scheduled for completion in January, officials said.
— Reach reporter Nick Morgan at 541-776-4471 or firstname.lastname@example.org. Follow him on Twitter at @MTCrimeBeat.
— Email Ashland freelance writer Julie Akins at email@example.com and follow her on Twitter at twitter.com/@julieakins.
— Siskiyou Editor Hannah Jones contributed to this report.