Downeast Energy of Brunswick says damage contained after losing $150K to phishing scam
BRUNSWICK — An official at Downeast Energy & Building Supply said Wednesday that an Internet scam that robbed the company of $150,000 seems to have left its customers unscathed.
The so-called "phishing" scheme hit Downeast Energy last week, when scammers gained access to the company bank account that accepts direct electronic payments from Downeast's fuel customers. Although Downeast said the breach also exposed the names and account numbers of hundreds of customers, company spokesman John Peters said Wednesday that customers have not reported any suspicious activity in their bank accounts.
Peters said the company had called nearly all of the customers affected by the breach.
"So far the news we're hearing from our customers is very gratifying," he said. "... Our customers' individual banks have layered security and protocols that would prevent anyone from accessing their funds."
The scam was uncovered when a Downeast employee received what seemed to be, but wasn't, an e-mail from KeyBank. A link in the e-mail took the employee to a Web site nearly identical to the real bank site. There the employee entered Downeast's login and account information, which allowed the scammers behind the phony site to withdraw $150,000 from the company's bank account.
Peters said the company contained the breach quickly after seeing the withdrawal. It then notified by mail and phone the customers whose account numbers were exposed.
"By the end of (Wednesday) we'll have spoken to every customer who was affected," he said.
Peters said Downeast spends thousands of dollars on Internet security, and said the lapse was the result of human error. He said the only difference between the fake Web site and the real KeyBank site appeared to be the Web address, or URL.
"I've seen the (fake) e-mail and the Web site," he said. "For all the world, I couldn't tell the difference. The e-mail and Web site looked exactly the same."
In the future, he said, the company will add layers of security to certain transactions while considering limiting how many employees have access to Downeast's bank log-in information.
Peters said the company believes the scammers, apparently from eastern Europe, were looking for a "quick hit." He added that the $150,000 loss wouldn't have a big financial impact on the company or its employees.
"Fortunately, we're well-capitalized," he said.