Cabarrus County Government Targeted in Social Engineering Scam
Jul 30, 2019 03:49PM
● By Kristy Huddle
Cabarrus County officials released details of a social engineering scam that diverted a $2,504,601 vendor payment made by the County. Of that total, $1,728,082.60 remains missing.
The County intended to send the money to Roanoke, Virginia-based Branch and Associates, Inc., which serves as general contractor for construction of West Cabarrus High, a new school for the Cabarrus County Schools District.
Construction on the new high school has not been impacted, and the scam remains under investigation by the Cabarrus County Sheriff’s Office and the Federal Bureau of Investigation.
The investigation revealed that conspirators posed as representatives of Branch and Associates and targeted employees of Cabarrus County Schools and Cabarrus County Government in a series of emails that began on November 27, 2018.
Legitimate requests to update bank account information are routine. In this case, the request to change Branch and Associates’ vendor banking information was made by conspirators. They provided County staff with new banking information, seemingly valid documentation and signed approvals. The conspirators then waited for the County to transfer the next vendor payment. After the funds were unknowingly deposited into the scammers’ account, they were diverted through multiple different accounts, the investigation revealed.
The County received a courtesy notification of a missed payment from Branch and Associates on January 8, 2019. County staff then confirmed that the electronic funds transfer (EFT) cleared in December.
The County notified SunTrust, the bank from which the funds were transferred, and followed their recommended procedures. Branch and Associates notified Bank of America, the bank to which funds were transferred, which froze $776,518.40 of the $2,504,601 that remained in traceable accounts. Cabarrus County also consulted with its insurance vendors.
The $776,518.40 in recovered funds were paid to Branch and Associates on March 20, 2019. The remaining balance of $1,728,082.60 was paid by the County to Branch and Associates on May 22, 2019. The Cabarrus County Board of Commissioners restored funding for the construction project with the approved transfer of $1,653,082.60 to the Capital Projects Fund on July 29, 2019. The funds for the transfer came from a portion of the County’s Assigned Fund Balance set aside for extraordinary circumstances. The County is eligible to receive any future funds recovered though the investigation.
A rising issue
In recent years, the FBI has seen a steep increase in the amount and sophistication of socially engineered business email account compromise (EAC) scams. The FBI’s 2018 Internet Crime Report indicates the agency received 20,373 BEC/Email Account Compromise complaints with adjusted losses of over $1.2 billion last year.
Cabarrus County hired Oklahoma-based accounts payable (AP) consultant Debra Richardson to redesign its vendor processes and review vendor files. Richardson is one of the nation’s leading experts in reviewing and strengthening vendor setup and maintenance authentication techniques, internal controls and best practices to reduce the potential for fraud.
Cabarrus County’s new vendor authentication process is now in place and staff has participated in multiple group and individual trainings recommended by Richardson. External checks were also added to validate data received by the County.
No further information is available at this time due to the ongoing investigation.
Anyone with information can contact the Cabarrus County Sheriff’s Office at 704-920-3000 or firstname.lastname@example.org.
About social engineering and business email compromise (BEC)
According to the Federal Bureau of Investigation (FBI), social engineering is the act of psychologically manipulating people to take action to inadvertently provide access to protected information or assets. In this case, the conspirators used business email compromise (BEC). BEC targets businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out through social engineering and/or computer intrusion techniques to conduct unauthorized fund transfers.
January 16, 2018
· Cabarrus County sets up an electronic funds transfer account for Branch and Associates, general contractor for the West Cabarrus High School construction project.
November 27, 2018
· Cabarrus County Schools receives and responds to a socially engineered email from an imposter posing as a representative of Branch and Associates and requesting changes to the account.
· The conspirators continue to correspond with Cabarrus County by email. County employees follow processes, including requesting a signed updated EFT form and signed bank documentation in support of the change.
December 4, 2018
· The conspirators submit the completed form and documentation, posing as a contact at Branch and Associates.
December 21, 2018
· The County submits the $2,504,601 payment to Branch and Associates through EFT.
January 8, 2019
· Cabarrus County Schools receives an email and Cabarrus County receives a phone call from a valid representative of Branch and Associates inquiring about a missed payment.
· Cabarrus County contacts the Cabarrus County Sheriff’s Office, which launches an investigation into the business email compromise. The Sheriff’s Office notifies the FBI, which accepts the case.
· The County notifies SunTrust, the County’s bank, and follows their recommended protocols.
· The County works with its insurance broker, Gallagher, and files a claim with its insurance agency, AIG.
· The Cabarrus County Information Technology department initiates cybersecurity incident response and finds no breach in security.
· The County halts vendor payment setup for those who receive payment via EFT. Officials verify all vendors with any banking changes over the previous six months.
February 6, 2019
· Debra Richardson begins a three-month process, validating existing vendor data and redesigning the County’s vendor registration and maintenance processes.
February 12, 2019
· Bank of America recovers $754,652.05.
February 22, 2019
· Bank of America recovers additional funds of $3,934.78 and $17,931.57.
March 20, 2019
· The County sends $776,518.40 to Branch and Associates. The transaction is confirmed.
May 8, 2019
· Cabarrus County receives a $75,000 insurance claim payment.
May 22, 2019
· The County sends $1,728,082.60 to Branch and Associates. The transaction is confirmed.
July 29, 2019
· The Board of Commissioners approves the transfer of $1,653,082.60 from a portion of the Assigned Fund Balance set aside for extraordinary circumstances to the Capital Projects Fund.
· The investigation continues.