Believing it was working with a trusted contractor to change banking information, Cabarrus County, N.C., paid scammers $2.5 million. The incident highlights yet another way cyberthieves are targeting government.
Officials in Cabarrus County, N.C., recently lost $1.7 million in funds to a social engineering scam, in yet another example of online malfeasance.
Online scam artists posing as representatives from a general contractor were able to convince officials to pay them over $2.5 million — some of which was ultimately recovered, according to the county's website.
Social engineering, the act of manipulating someone into a specific action through online deception, is on the rise, according to the FBI, which reportedly received some 20,373 complaints in 2018 alone. Those complaints amount to $1.2 billion in overall losses.
According to Norton, social engineering attempts typically take one of several forms, including phishing, impersonation and various types of baiting. The scams will typically occur through email.
In the case of Cabarrus County, the imposters first contacted officials in November of last year, pretending to be representatives with Branch and Associates, a Virginia-based contractor responsible for assisting with the construction of a new local high school.
The criminals subsequently convinced officials of a need for a change in bank account information, providing "new banking information, seemingly valid documentation and signed approvals" that aided in the ruse.
When the next vendor deposit was made into the new bank account, the funds were subsequently diverted through a series of other accounts. Officials first became aware of the scam several weeks later after the real vendor contacted them inquiring about a missed payment.
"Construction on the new high school has not been impacted, and the scam remains under investigation by the Cabarrus County Sheriff’s Office and the Federal Bureau of Investigation," the county said, in a recent press release.
County officials were able to retain some funds lost in the incident, with its bank recovering some $750,000 and the county's insurance carrier supplying $75,000. To cover the remaining losses to the project, officials were recently authorized to redirect money from the assigned funds balance that is set aside for extraordinary circumstances.
"The county was not hacked. It was not a cybersecurity [incident]. This is a case of a spoofed identity in which somebody posed as a vendor, provided seemingly valid documentation and signed approvals," said County Manager Mike Downs at a recent meeting of the county's Board of Commissioners describing the incident.
Moving forward, Downs said that the county is working to bolster its security against such intrusions. This has included the hiring of an outside consultant to redesign its accounts payable processes in connection with vendors.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.