Industry News

$1.7 million still missing after North Carolina county hit by business email compromise scam

Money intended for the construction of a brand new high school was instead placed in a bank account controlled by scammers by officials of a North Carolina county.

Cabarrus County in North Carolina, home to NASCAR races at the Charlotte speedway, was duped into believing it was paying a contractor when it moved US $2.5 million into the pockets of online criminals.

According to a notice published on the Cabarrus County government’s website, problems began in November 2018 when Cabarrus County Schools received an email claiming to come from Virginia-based Branch and Associates, which was working on the construction of West Cabarrus High, a new school for the district.

The email claimed that Branch and Associates had changed their bank account details, and requested that future payments on the school construction project were sent to the new account.

To its credit, Cabarrus County says that its staff followed the correct processes – requesting that forms and documentation (including an electronic funds transfer (EFT) form signed by the bank) were submitted to make the change.

One week later, Cabarrus County received the documentation from the criminals, and saw nothing to raise any concerns.

Then, on December 21 2018, Cabarrus County electronically transferred $2,504,601 into what they believed was Branch and Associates’ bank account. What an early Christmas present that must have been for the scammers.

It wasn’t until January 8 2019, when anyone realised that something was wrong. A genuine representative of Branch and Associates contacted Cabarrus County enquiring about a missing payment.

Soon afterwards, the bank and law enforcement were informed, as were the county’s insurers, and an investigation determined that Cabarrus County’s computer systems had not been hacked or compromised, but instead a socially engineered business email compromise scam had been successfully pulled off using a bogus email address.

In response Cabarrus County halted all future payments via electronic transfer until account details could be verified. This process, alongside a redesign of the county’s vendor system, took three months.

And although some of the funds were recovered by the Bank of America, some $1.7 million remains missing.

In the video below you can watch the county’s board of commissioners approve the transfer of $1,653,082,60 from its emergency fund to allow work to continue on the school’s construction without further disruption.

Sadly for Cabarraus County, their insurance policy has only covered $75,000 of the loss.

Business email compromise scammers have been stealing large amounts of money from organisations engaged in construction projects in recent years, by posing as companies providing services. Earlier this year, for instance, a church in Brunswick, Ohio, was duped into wiring $1.75 million into an account controlled by criminals.

All organisations need to learn to be exceptionally cautious whenever one of their suppliers says that their bank account details are changing – it may be another scammer trying to make a quick and easy fortune.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.