Cabarrus County, North Carolina, was the victim last December of an email scheme that diverted $2.5 million meant for the construction of a new high school, county officials said this week. Though the county has recovered $776,518, more than $1.7 million remains unaccounted for.
While no suspects have been named, the incident made Cabarrus County the latest public-sector victim of business email compromise, which is one of the most common and lucrative forms of online crime. Such scams, which occur when scammers target a specific individual or organization while impersonating another party that the victim is conducting transactions with, snagged nearly $1.3 billion last year, according to the FBI’s 2018 Internet Crime Report.
Cabarrus County was ensnared last November when online scammers posed as Branch and Associates, a firm based in Roanoke, Virginia, hired as the general contractor for a new high school. The scammers emailed Cabarrus County Schools with a request to alter details on the electronic funds transfer account the county had set up to pay its contractor, according to a county government report. Unaware of the ruse, county officials followed their standard processes for such a request, including an updated EFT form and bank documentation. The scammers returned the signed forms as requested on Dec. 4, and the county wired a $2.5 million payment a few weeks later to an account at Bank of America.
The county discovered something was amiss on Jan. 8, when the actual Branch and Associates called about a missing payment for $2.5 million. Cabarrus County school officials notified the county sheriff’s office, which in turn brought in the FBI to investigate. The county also notified its bank, SunTrust, and filed an insurance claim.
Bank of America was able to find and return $776,518 of the stolen funds, which the county sent to Branch and Associates the following month. But Cabarrus officials had to dip into their rainy-day fund to pay the balance owed for school construction, using $1,653,083 to replenish the county’s Capital Projects Fund, which on May 22 paid the contractor $1,728,083, while a $75,000 insurance payout covered the difference.
County and federal officials are still investigating the source of the BEC scheme, and Cabarrus County said it hired a consultant to redesign its vendor authentication processes.
Cyberattacks and online crimes that use email to target government organizations are on the rise, according to IT security firm Mimecast. According to the company’s recent State of Email Security report, 39 percent of public-sector entities saw an increase in attempts to fraudulently impersonate vendors and business partners, while 56.1 percent of government organizations have seen an increase in attempted phishing attacks that use malicious links or attachments designed to compromise computer systems.
Additionally, Mimecast found that just 23.7 percent of government organizations employ DMARC, an email security protocol designed to filter out criminal activity like impersonation and phishing attempts.
County officials said they will not comment further on the scam. Construction on the new high school, which is scheduled to open in time for the 2020-21 academic year, was not interrupted by the BEC attack.