$1.7 million still missing after North Carolina county hit by business email compromise scam

Money intended for the construction of a brand new high school was instead placed in a bank account controlled by scammers by officials of a North Carolina county.

Cabarrus County in North Carolina, home to NASCAR races at the Charlotte speedway, was duped into believing it was paying a contractor when it moved US $2.5 million into the pockets of online criminals.

According to a notice published on the Cabarrus County government’s website, problems began in November 2018 when Cabarrus County Schools received an email claiming to come from Virginia-based Branch and Associates, which was working on the construction of West Cabarrus High, a new school for the district.

The email claimed that Branch and Associates had changed their bank account details, and requested that future payments on the school construction project were sent to the new account.

To its credit, Cabarrus County says that its staff followed the correct processes – requesting that forms and documentation (including an electronic funds transfer (EFT) form signed by the bank) were submitted to make the change.

One week later, Cabarrus County received the documentation from the criminals, and saw nothing to raise any concerns.

Then, on December 21 2018, Cabarrus County electronically transferred $2,504,601 into what they believed was Branch and Associates’ bank account. What an early Christmas present that must have been for the scammers.

It wasn’t until January 8 2019, when anyone realised that something was wrong. A genuine representative of Branch and Associates contacted Cabarrus County enquiring about a missing payment.

Soon afterwards, the bank and law enforcement were informed, as were the county’s insurers, and an investigation determined that Cabarrus County’s computer systems had not been hacked or compromised, but instead a socially engineered business email compromise scam had been successfully pulled off using a bogus email address.

In response Cabarrus County halted all future payments via electronic transfer until account details could be verified. This process, alongside a redesign of the county’s vendor system, took three months.

And although some of the funds were recovered by the Bank of America, some $1.7 million remains missing.

In the video below you can watch the county’s board of commissioners approve the transfer of $1,653,082,60 from its emergency fund to allow work to continue on the school’s construction without further disruption.

Sadly for Cabarraus County, their insurance policy has only covered $75,000 of the loss.

Business email compromise scammers have been stealing large amounts of money from organisations engaged in construction projects in recent years, by posing as companies providing services. Earlier this year, for instance, a church in Brunswick, Ohio, was duped into wiring $1.75 million into an account controlled by criminals.

All organisations need to learn to be exceptionally cautious whenever one of their suppliers says that their bank account details are changing – it may be another scammer trying to make a quick and easy fortune.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: