Cyber Incident Victim: Southern Oregon University
Date: Jun 2017
Location: United States of America
Summary
Southern Oregon University fell victim to a business email compromise scam in which an attacker impersonated a legitimate vendor, using an email domain nearly identical to the vendor's, and submitted fraudulent bank account details for payment processing. The university's accounting office redirected a $1.9 million payment to the criminal-controlled account, following what appeared to be routine banking information updates from a trusted construction contractor. This incident occurred amid a broader pattern of similar attacks targeting universities and corporations, with losses often proving irreversible once funds were transferred. The FBI had previously documented extensive financial impacts from such schemes across multiple sectors.
Description
In June 2017, Southern Oregon University (SOU) lost $1.9 million to a business email compromise (BEC) scam initiated through a single fraudulent email. An attacker impersonated a construction vendor with which the university maintained an established business relationship, spoofing the legitimate company's email domain by using a nearly identical address—such as substituting "abc-builders.com" for the authentic "abcbuilders.com." The email, sent to SOU's accounting office, instructed the university to update banking details for future vendor payments. Following standard payment procedures, the university processed its next scheduled payment to the fraudulent account controlled by the scammer. By the time SOU identified the deception, the funds had been irreversibly transferred and could not be recovered. The attack mirrored a widespread pattern observed by law enforcement, wherein criminals target organizations’ accounts payable departments by exploiting trusted vendor relationships through domain spoofing and social engineering.

SOU spokesman Joe Mosley publicly confirmed the incident, noting the FBI had briefed the university about 78 similar attacks targeting educational institutions and other organizations. The university emphasized it was not an isolated target, citing corporate victims like Leoni and Ubiquiti Networks, which suffered multimillion-dollar losses through identical scams. The FBI’s 2016 report on BEC schemes indicated cumulative losses exceeding $3 billion across affected corporations prior to the SOU incident. No specific internal containment actions or detection timelines by SOU were disclosed, though the acknowledgment aligned with federal warnings about the escalating prevalence of email-based financial fraud targeting institutional payment systems. The financial impact to the university remained confined to the unrecovered $1.9 million transfer, with no additional operational disruptions or compromised systems reported.
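
The lookalike-domain substitution described above ("abc-builders.com" for "abcbuilders.com") can be flagged at the mail gateway or in accounts-payable tooling by comparing each sender domain against the list of known vendor domains. The following is an added example, not part of the original incident record; the vendor list, the digit-folding table, the distance threshold and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist; "abcbuilders.com" is the illustrative domain from the text.
KNOWN_VENDOR_DOMAINS = {"abcbuilders.com", "example-supply.com"}
# Assumed (not exhaustive) digit-for-letter substitutions folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Comparison form: lowercase, hyphens removed, look-alike digits folded."""
    return domain.lower().replace("-", "").translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(from_header, max_distance=2):
    """Return (verdict, vendor): known, lookalike, unknown or unparseable."""
    # parseaddr takes the real address, not an address typed into the display name.
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        close = edit_distance(domain, vendor) <= max_distance
        if close or skeleton(domain) == skeleton(vendor):
            return ("lookalike", vendor)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for header in ("ABC Builders <billing@abcbuilders.com>",
                   "ABC Builders <billing@abc-builders.com>",
                   '"billing@abcbuilders.com" <ap@abcbui1ders.com>',
                   "Other Co <ar@other-contractor.example>"):
        print(header, "->", classify(header))
```

The distance threshold of 2 is an assumption and will over-flag very short domains; tune it against the real vendor list before relying on the verdicts.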
