Cabarrus County officials said a social engineering scam diverted a $2,504,601 vendor payment made by the county.
Still, $1,728,082.60 remains missing.
Officials said the county intended to send the money to Roanoke, Virginia-based Branch and Associates, Inc., which serves as the general contractor for construction on West Cabarrus High School, a new school for the Cabarrus County School District.
County officials said construction on the new high school has not been affected, and the scam remains under investigation by the Cabarrus County Sheriff’s Office and the Federal Bureau of Investigation.
According to county officials, the investigation revealed that conspirators posed as representatives of Branch and Associates and targeted employees of Cabarrus County Schools and Cabarrus County Government in a series of emails that began on November 27, 2018.
Legitimate requests to update bank account information are routine, but county officials said that in this case, the request to change Branch and Associates’ vendor banking information was made by conspirators.
They provided county staff with new banking information, seemingly valid documentation and signed approvals, officials said.
“The county was not hacked. It was not cyber security,” Cabarrus County Manager Mike Downs said. “This is a case of a spoofed identity in which someone posed as a vendor and provided seemingly valid identification and signed approvals.”
County officials said the conspirators then waited for the county to transfer the next vendor payment. After the funds were unknowingly deposited into the scammers’ account, they were diverted through multiple different accounts, the investigation revealed.
The county received a courtesy notification of a missed payment from Branch and Associates on January 8, 2019. County staff then confirmed that the electronic funds transfer (EFT) cleared in December.
The county notified SunTrust, the bank from which the funds were transferred, and followed their recommended procedures, and officials said Branch and Associates notified Bank of America, the bank to which funds were transferred, which froze $776,518.40 of the $2,504,601 that remained in traceable accounts. Cabarrus County also consulted with its insurance vendors.
The $776,518.40 in recovered funds were paid to Branch and Associates on March 20, according to county officials.
The remaining balance of $1,728,082.60 was paid by the County to Branch and Associates on May 22.
The Cabarrus County Board of Commissioners restored funding for the construction project with the approved transfer of $1,653,082.60 to the Capital Projects Fund on July 29. The funds for the transfer came from a portion of the county’s Assigned Fund Balance set aside for extraordinary circumstances. The County is eligible to receive any future funds recovered though the investigation.
“It is important for our community to know that our finance staff is an incredible team of dedicated and trustworthy employees who were victimized by a scam,” Downs said. “They were accountable for their actions, responded with urgency and played a critical role in assisting law enforcement in establishing our new processes.”
A Rising Issue
According to county officials, in recent years, the FBI has seen a steep increase in the amount and sophistication of socially engineered business email account compromise (EAC) scams. The FBI’s 2018 Internet Crime Report indicates the agency received 20,373 BEC/Email Account Compromise complaints with adjusted losses of over $1.2 billion last year.
Cabarrus County hired Oklahoma-based accounts payable consultant Debra Richardson to redesign its vendor processes and review vendor files. Richardson is one of the nation’s leading experts in reviewing and strengthening vendor setup and maintenance authentication techniques, internal controls and best practices to reduce the potential for fraud.
Cabarrus County’s new vendor authentication process is now in place and staff has participated in multiple group and individual trainings recommended by Richardson. External checks were also added to validate data received by the county.
“We are now at the point in the investigation where we can share the information on the processes taken to secure and defend our resources,” Downs said. “In response to this situation, the county contacted authorities immediately, who opened an investigation, followed recommendations and protocols of our financial institutions, hired a top account receivable consultant to demonstrate extensive knowledge about the topic and understanding of the effective business practices.”
Anyone with information can contact the Cabarrus County Sheriff’s Office at 704-920-3000 or email@example.com.
About Social Engineering And Business Email Compromise (BEC)
According to the Federal Bureau of Investigation (FBI), social engineering is the act of psychologically manipulating people to take action to inadvertently provide access to protected information or assets. In this case, the conspirators used business email compromise (BEC). BEC targets businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out through social engineering and/or computer intrusion techniques to conduct unauthorized fund transfers.
“Cabarrus County and our employees understand the importance that it is our duty to protect the assets of our county,” Downs said. “We do not take this responsibility lightly. We have invested in a total overhaul of our AP processes which limits our vulnerability. It also sets our finance department up for success in the future.”
January 16, 2018
- Cabarrus County sets up an electronic funds transfer account for Branch and Associates, general contractor for the West Cabarrus High School construction project.
November 27, 2018
- Cabarrus County Schools receives and responds to a socially engineered email from an imposter posing as a representative of Branch and Associates and requesting changes to the account.
- The conspirators continue to correspond with Cabarrus County by email. County employees follow processes, including requesting a signed updated EFT form and signed bank documentation in support of the change.
December 4, 2018
- The conspirators submit the completed form and documentation, posing as a contact at Branch and Associates.
December 21, 2018
- The county submits the $2,504,601 payment to Branch and Associates through EFT.
January 8, 2019
- Cabarrus County Schools receives an email and Cabarrus County receives a phone call from a valid representative of Branch and Associates inquiring about a missed payment.
- Cabarrus County contacts the Cabarrus County Sheriff’s Office, which launches an investigation into the business email compromise. The Sheriff’s Office notifies the FBI, which accepts the case.
- The county notifies SunTrust, the County’s bank, and follows their recommended protocols.
- The county works with its insurance broker, Gallagher, and files a claim with its insurance agency, AIG.
- The Cabarrus County Information Technology department initiates cybersecurity incident response and finds no breach in security.
- The county halts vendor payment setup for those who receive payment via EFT. Officials verify all vendors with any banking changes over the previous six months.
February 6, 2019
- Debra Richardson begins a three-month process, validating existing vendor data and redesigning the County’s vendor registration and maintenance processes.
February 12, 2019
- Bank of America recovers $754,652.05.
February 22, 2019
- Bank of America recovers additional funds of $3,934.78 and $17,931.57.
March 20, 2019
- The county sends $776,518.40 to Branch and Associates. The transaction is confirmed.
May 8, 2019
- Cabarrus County receives a $75,000 insurance claim payment.
May 22, 2019
- The county sends $1,728,082.60 to Branch and Associates. The transaction is confirmed.
July 29, 2019
- The Board of Commissioners approves the transfer of $1,653,082.60 from a portion of the Assigned Fund Balance set aside for extraordinary circumstances to the Capital Projects Fund.
- The investigation continues.