June 16, 2024

Cabarrus County situated in North Carolina fell prey last December to an elaborate email scam that ended up rerouting $2.5 million in funds that were meant for the construction of a new high school, reported county officials recently. The county has successfully recovered $776,518, leaving a massive sum of over $1.7 million untraceable.

While no suspects have been identified, this incident has placed Cabarrus County among recent victims of public sector targeted by business email exchange scams, one of the most prevalent and economically damaging types of online fraud. Such scams involve impersonating a trusted party and targeting a specific individual or entity, deceived almost $1.3 billion from victims just last year, as observed by the FBI’s 2018 Internet Fraud Report.

The Scam

Cabarrus County was ensnared in November when cyber fraudsters presented themselves as Branch and Associates, a company based in Roanoke, Virginia appointed as the main contractor for a new high school construction project. The fraudsters requested Cabarrus County Schools to alter information on the electronic funds transfer account set up for payment to the contractors, as reported by the county government. County officials fell for the trick and followed their normal procedures including the updating of EFT forms and bank paperwork. After returning the signed paperwork on December 4, the county transferred $2.5 million to a Bank of America account held by the scammers.

Aftermath of the Scam

The fraud was detected on January 8, when the actual Branch and Associates made an enquiry about their unreceipted payment amounting to $2.5 million. The county sheriff’s office was immediately summoned by the school authorities, which led to the FBI stepping in. The county also alerted its bank, SunTrust, and lodged an insurance claim.

Bank of America was successful in locating and retrieving $776,518 of the stolen amount, which the county then forwarded to Branch and Associates the following month. Cabarrus County was forced to dip into its reserve or “rainy-day” fund to cover the deficit constructuon costs, using $1,653,083 to refill the county’s Capital Projects Fund. On May 22, a sum of $1,728,083 was paid to the contractor while an insurance payout of $75,000 covered the rest of the balance.

The investigation into the BEC scam is ongoing by both county and federal officials. Cabarrus County did disclose that they have employed a consultant to overhaul their vendor verification systems.

Growing Threat

According to IT security firm Mimecast, cyber-attacks and online crimes via email targeted at government bodies have been on a rise. As per the company’s recent State of Email Security report, attempted frauds impersonating vendors and business partners saw a rise of 39 percent against public sector entities. Moreover, 56.1 percent of government groups witnessed a surge in attempted phishing attacks showcasing malicious links or attachments meant to compromise IT systems. Unfortunately, only a mere 23.7 percent of government organizations use DMARC, an email security protocol designed to prevent criminal activities like impersonation and phishing.

In respect of the ongoing investigation, no further comments will be made by the county officials. Despite the BEC attack disruption, the construction of the new high school remains unhindered and is expected to be operational for the 2020-21 school year.

Authored by Benjamin Freed

The former managing editor of StateScoop and EdScoop, Benjamin Freed has extensively documented cybersecurity concerns in state and local governments across the country. His expansive coverage includes articles on ransomware attacks, election security, and the methods the federal government uses to assist states and cities in information security.