CONCORD – Social engineering and phishing scams are becoming more prevalent among companies and organizations.
The Cabarrus County Government disclosed Monday night that they are still missing more than $1.7 million after a social engineering scam diverted a $2.5 million vendor payment made by the county.
To protect its future assets, the county hired Oklahoma-based accounts payable consultant Debra Richardson to train staff, redesign its vendor processes and review vendor files.
She consults, trains, provides tips and gives directions to accounts payable teams on how to avoid sending out a fraudulent payment.
In Cabarrus County, Richardson said she is helping the government with authentication techniques, internal controls and best practices in vendor setup and maintenance to protect the county’s vendor master file from future fraud.
She has informational blogs and podcasts on her website at www.debrarrichardson.com.
“It’s become a very big issue. Business email compromise, which is a form of social engineering, is a billion-dollar industry,” Richardson told the Independent Tribune. “AP (accounts payable) is still a low-hanging fruit because it is still very operational and it is easier for phishers and fraudsters to get those emails by accounts payable if they don’t have training and processes implemented.”
Cabarrus County Manager Mike Downs said at Monday’s commissioners meeting that the county intended to send the money to Roanoke, Virginia-based Branch and Associates, Inc., which serves as the general contractor for the construction of West Cabarrus High School.
Downs added that an investigation revealed that conspirators posed as representatives of Branch and Associates and targeted employees of Cabarrus County Schools and the Cabarrus County Government in a series of emails that started on Nov. 27, 2018.
County officials said legitimate requests to update bank account information are routine, but in this case the request to change Branch and Associates’ vendor banking information was made by conspirators.
Conspirators provided county staff with new banking information, seemingly valid documentation and signed approvals.
Only $776,518.40 was recovered.
According to the FBI, social engineering is the act of psychologically manipulating people to take action to inadvertently provide access to protected information or assets. In this case, the conspirators used business email compromise (BEC). BEC targets businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out through social engineering and/or computer intrusion techniques to conduct unauthorized fund transfers.
The county then turned to Richardson for advice.
“I teach and train accounts payable teams that handle vendor setup and vendor maintenance,” Richardson said. “I train them on how to protect their whole database of vendors from fraud.”
Richardson said scammers aim for accounts payable employees because they can be easy targets.
She trains them in a three-step process – authentication, validation and management.
“You’ve got a team that is really an operational team, so they have quotas, they are moving fast,” Richardson said. “It’s hard to see, when you are moving quickly, those phishing emails and it’s easy to be taken in, which is why that authentication, validation and management process works because it implements authentication and internal controls and best practices so that if you have someone who missed something, it still will not result in a fraudulent payment.”
Cabarrus County’s new vendor authentication process is now in place and staff has participated in multiple group and individual trainings recommended by Richardson, according to county officials. External checks were also added to validate data received by the county.
“It is revitalizing or revamping their processes to adhere to the authentication, validation and management,” Richardson said. “Once I did that, I trained the team on how to implement and how to do that daily process of authenticating and validating and maintaining those vendors in the vendor master file.”
Anyone with information on the social engineering scam is asked to call the Cabarrus County Sheriff’s Office at 704-920-3000 or firstname.lastname@example.org.