Cybercriminals managed to divert $2.5 million in a business email compromise (BEC) scam targeting Cabarrus County, North Carolina. Of that amount, $1.7 million has not been recovered.
The attack started at the end of November 2018, when employees of Cabarrus County Schools and Cabarrus County Government received emails pretending to be from Roanoke, Virginia-based Branch and Associates, Inc., the general contractor for construction of West Cabarrus High, a new school for the Cabarrus County Schools District.
Posing as representatives of Branch and Associates, the conspirators sent a series of emails requesting an update of bank account information. The attackers provided new banking information, seemingly valid documentation and signed approvals.
Next, the conspirators simply waited for Cabarrus County to make the next vendor payment, which amounted to $2,504,601. As soon as the funds arrived in their account, the scammers started diverting them through multiple accounts.
The scam was discovered on January 8, when Branch and Associates sent a courtesy notification of a missed payment. SunTrust, the bank from which the funds were transferred, and Bank of America, the bank to which funds were transferred, were notified.
While $776,518.40 of the funds remained in traceable accounts and was recovered, $1,728,082.60 of the total remains missing.
Authorities were also notified of the scam, and the investigation into the incident continues. Cabarrus County says that construction of the new high school has not been impacted.
Both the number and sophistication of socially engineered BEC scams have increased over the past several years, reports published by the FBI’s Internet Crime Complaint Center (IC3) earlier in 2019 show.
Losses associated with BEC scams in the U.S. reached $1.3 billion last year alone, and the number of received complaints also went up, the FBI revealed. Between October 2013 and May 2018, this type of fraud caused potential losses of more than $12 billion globally.
Earlier this year, Agari detailed a new type of BEC fraud, where scammers attempt to divert funds by adding fictional accounts to company payrolls. This allows attackers to siphon off smaller, but continuous, amounts of money.
The fight against BEC has intensified as well, with authorities worldwide joining forces to dismantle large networks of scammers.