There are lessons to be learned for businesses, individuals and agencies in the astonishing email scam pulled on Southern Oregon University. The internet or any form of digital communication is a dangerous place to be conducting business, whether you're paying your personal credit card or sending a payment for — gulp — $1.9 million to someone you thought was your contractor.
SOU was the victim of a scam that's already been given a formal name by the FBI: Business Email Compromise. Essentially it works by the perpetrators sending a bogus invoice, with a new bank account, and then sitting back and hoping their target does not have adequate safeguards in place. SOU clearly did not.
The "spoofing" email scheme snagged a payment of $1.9 million that was intended to cover ongoing construction work on the university's McNeal Pavilion complex. A significant, but undisclosed, amount of that money remains in the scammers' bank account, which has since been frozen, so the university is not out the entire amount. A university spokesman said it was not yet clear if the school's insurance policy covers fraud.
That's clearly not the only policy SOU needs to be worried about, as whatever safeguards it had in place were not sufficient. We would also say the university's claims of transparency need some attending to, as it sat on the news for the better part of six weeks and released the information only when rumors began to swirl.
University President Linda Schott, who joined the university about 10 months ago, was "unavailable" to discuss the issue Thursday, even when a reporter made himself available until 8 p.m. that evening. Apparently the university doesn't provide its president with a cell phone.
Regardless, we are sure Schott was busy offering assurances to the school's Board of Trustees and to the sitting Legislature, which is considering higher ed funding, that the university would do a better job of ensuring that funding goes to the intended purposes.
While SOU no doubt can tighten its security, the frightening thing is that this could happen to any of us, in business or in our personal lives. The FBI says this scam alone has racked up more than $5 billion in "exposed dollar" losses worldwide, with more than 40,000 incidents reported.
Of particular concern is the note from the FBI that the scammers have been setting their sights on small- and medium-size businesses. A university can recover from a substantial loss; a small business could go under, taking valuable jobs with it.
Short of holing up in a cave, there are no absolute guarantees you won't be scammed. Electronic communications and online business dealings have become as familiar to us as licking a stamp once was. But, clearly, common sense has to be part of the marching orders for anyone, business or individual. For starters, confirm any bank or mailing addresses changes through a separate, secure method — in person or by phone if possible. Don't hit "respond" to requests for payment or electronic invoices, type in the address that you know to be correct.
You can check out more about the Business Email Compromise scam online from the FBI at www.ic3.gov/media/2017/170504.aspx. Individuals can check on ways to protect themselves online at an Oregon Department of Justice website, www.doj.state.or.us/consumer/pages/scam_alert.aspx.
The money you save may just be your own.