IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cyber Fraud Prompts Butte Schools to Change Vendor Policy

Butte School District will no longer pay vendors by direct deposit but by check only, after a cyber thief stole $1.1 million by using detailed information to pose as a vendor in an email requesting payment.

fraud
(TNS) — After a "highly sophisticated social engineering attack" swindled Butte School District out of $1.1 million dollars in May 2022, the district is taking steps to prevent it from happening again.

"We are diligently working to continuously improve cybersecurity protocols on an ongoing basis," Butte School District superintendent Judy Jonart said.

She reiterated in an interview with the Standard that the attack on the school district was "extremely sophisticated," and that she was told as much by both FBI and Homeland Security agents and third-party investigators from the district's insurance company.

The most important measure the school district has taken, according to Jonart, is a change in policy to no longer pay vendors by direct deposit, but by check only.

The school district received an email in 2022 that appeared to be from its main contractor, Langlas & Associates Inc., requesting direct deposit rather than check payment for construction work done on East Middle School, Jonart said.

Thinking the request was legitimate, the district complied.

The email actually came from a cyber thief using detailed information illegally obtained from an unknown source, Jonart said. When school officials learned of the theft, the FBI, along with Homeland Security were notified.

Jonart said it's still not clear how the thief accessed the information used to pull off the fraud, as a forensic investigator found the school district's accounts weren't subject to unauthorized access that would've led to the fraudulent wire transfer.

Jonart said transaction approval requests always go through the district's financial department. Its transaction processes, she said, get an internal audit every year and the department has always been told it has "proper internal controls in place." She said the district will be meeting with its auditor to review the processes and see how and if they can be improved.

When asked if anyone faced disciplinary action as a result of the cyber theft, Jonart said she wasn't at liberty to discuss personnel matters.

The FBI categorizes what happened to Butte School District as Business Email Compromise, which it defines as "one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business— both personal and professional."

According to the FBI, the Internet Crime Complaint Center received complaints with claimed losses exceeding $2.4 billion in 2021.

Although it can seem unthinkable when it happens so close to home, Butte School District is not the first in the country to lose money to the tune of millions of dollars to BEC.

In January 2020, news outlets reported that Manor Independent School District in Texas lost $2.3 million in three separate email transactions made in November 2019 that were part of a BEC scam.

In April 2019, Scott County Schools in Kentucky lost $3.7 million dollars when it thought it was paying a vendor via email for services rendered. The funds were recovered shortly thereafter.

In August 2019, Portland Public Schools almost lost $2.9 million to a BEC scam when a scammer posed as a contractor who'd worked with the district. Luckily, the school district discovered the fraud and was able to stop the payment before it hit the fraudulent account.

In August 2022, Virginia Commonwealth University was scammed out of almost $470,000 in a BEC attack. A citizen of the United Kingdom was later extradited and pleaded guilty to the crime.

Following negotiations, Butte School District agreed on an $837,500 settlement with Langlas to get local subcontractors and vendors paid while Homeland Security and the FBI continued their investigation. This was about $262,000 less than originally agreed upon.

Langlas was paid from interest payments from metals mine funds, insurance proceeds, along with the school district's legal allocation.

Jonart said the use of the money from these resources will have "no direct effect on any citizen taxpayer or student programs."

Langlas will share in any money recovered if the district recovers a sum larger than the amount paid by the district to Langlas.

Going forward, all new and current employees will also be required to complete fraud training and get re-certified in the courses annually.

Jonart said the modules cover a variety of topics, including training about ransomware, how to identify phishing, safe computer use, internet privacy and how to prepare and respond to any kind of cyber attack.

She said the trainings will be continuously updated and that a committee comprised of Jonart, the district's IT director, IT manager, HR director and director of finance is working to identify which modules of training will be assigned to each position.

"The district safety committee will be presented with this as well," Jonart said.

The school has also implemented a couple of free programs to check the district's network security.

"We have to pay attention to cyber security as much as we pay attention to physical security," Jonart said.

One program is through the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency, to identify any ongoing problems in the school's cyber infrastructure and correct them.

"And that's a good thing to continuously look at," Jonart said. "It will identify any kind of vulnerability. We've done it a couple of times in the past and it didn't find anything."

The other is a free service through the district's insurance.

Another thing the school district did is add multi-factor authentication to its accounts, which is one thing the FBI website recommends people do to protect themselves from BEC attacks. Multi-factor identification means that someone must use two identification methods to access an account.

The FBI also suggests:

  • Being careful what you share online or on social media, such as pet names, schools you attended, links to family members, and your birthday.

  • Not clicking on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.

  • Carefully examining the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.

  • Being careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.

  • Verifying payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.

The FBI also recommends being "especially wary if the requestor is pressing you to act quickly."

©2023 The Montana Standard (Butte, Mont.). Distributed by Tribune Content Agency, LLC.