July 29. Cabarrus County officials released details of a social engineering scam that diverted a $2,504,601 vendor payment made by the County. Of that total, $1,728,082.60 remains missing.

The County intended to send the money to Roanoke, Va.-based Branch and Associates Inc., which serves as general contractor for construction of West Cabarrus High, a new school for the Cabarrus County Schools District.

Construction on the new high school has not been impacted, and the scam remains under investigation by the Cabarrus County Sheriff’s Office and the Federal Bureau of Investigation, according to county officials.

Cabarrus County Commissioner Diane Honeycutt said it was a “very sophisticated” scam.

“We take this incident very seriously and appreciate that staff responded quickly to secure and protect assets—more than $776,000 was recovered. The County also hired a national expert to overhaul our vendor processes and staff has participated in multiple trainings. We have learned from this incident and will do everything we can to prevent this from happening again,” she said.

More than 20,000 business email compromises were reported to the FBI in 2018.

Conspirators posed as representatives of Branch and Associates and targeted employees of Cabarrus County Schools and Cabarrus County Government in a series of emails that began on Nov. 27, 2018.

Social engineering is the act of psychologically manipulating people to take action to inadvertently provide access to protected information or assets. In this case, the conspirators used business email compromise (BEC). BEC targets businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out through social engineering and/or computer intrusion techniques to conduct unauthorized fund transfers.

Legitimate requests to update bank account information are routine. In this case, the request to change Branch and Associates’ vendor banking information was made by conspirators. They provided County staff with new banking information, seemingly valid documentation and signed approvals. The conspirators then waited for the County to transfer the next vendor payment. After the funds were unknowingly deposited into the scammers’ account, they were diverted through multiple different accounts, the investigation revealed.

The County received a “courtesy notification” of a missed payment from Branch and Associates on January 8, 2019. County staff then confirmed that the electronic funds transfer (EFT) cleared in December, county officials said.

The County notified SunTrust, the bank from which the funds were transferred, and followed their recommended procedures. Branch and Associates notified Bank of America, the bank to which funds were transferred, which froze $776,518.40 of the $2,504,601 that remained in traceable accounts. Cabarrus also consulted with its insurance vendors, according to a press release.

The $776,518.40 in recovered funds were paid to Branch and Associates on March 20, 2019. The remaining balance of $1,728,082.60 was paid by the County to Branch and Associates on May 22, 2019. The Cabarrus County Board of Commissioners restored funding for the construction project with the approved transfer of $1,653,082.60 to the Capital Projects Fund on July 29, 2019. The funds for the transfer came from a portion of the County’s Assigned Fund Balance set aside for extraordinary circumstances. The County is eligible to receive any future funds recovered though the investigation.

A growing problem

In recent years, the FBI has seen a steep increase in the amount and sophistication of socially engineered business email account compromise (EAC) scams. The FBI’s 2018 Internet Crime Report indicates the agency received 20,373 BEC/Email Account Compromise complaints with adjusted losses of over $1.2 billion last year.

Cabarrus County hired Oklahoma-based accounts payable (AP) consultant Debra Richardson to redesign its vendor processes and review vendor files. Richardson is one of the nation’s leading experts in reviewing and strengthening vendor setup and maintenance authentication techniques, internal controls and best practices to reduce the potential for fraud.

What’s next

Cabarrus County’s new vendor authentication process is now in place and staff has participated in multiple group and individual trainings recommended by Richardson. External checks were also added to validate data received by the County.

Anyone with information can contact the Cabarrus County Sheriff’s Office at 704-920-3000 or [email protected].

Timeline

January 16, 2018

· Cabarrus County sets up an electronic funds transfer account for Branch and Associates, general contractor for the West Cabarrus High School construction project.

November 27, 2018

· Cabarrus County Schools receives and responds to a socially engineered email from an imposter posing as a representative of Branch and Associates and requesting changes to the account.

· The conspirators continue to correspond with Cabarrus County by email. County employees follow processes, including requesting a signed updated EFT form and signed bank documentation in support of the change.

December 4, 2018

· The conspirators submit the completed form and documentation, posing as a contact at Branch and Associates.

December 21, 2018

· The County submits the $2,504,601 payment to Branch and Associates through EFT.

January 8, 2019

· Cabarrus County Schools receives an email and Cabarrus County receives a phone call from a valid representative of Branch and Associates inquiring about a missed payment.

· Cabarrus County contacts the Cabarrus County Sheriff’s Office, which launches an investigation into the business email compromise. The Sheriff’s Office notifies the FBI, which accepts the case.

· The County notifies SunTrust, the County’s bank, and follows their recommended protocols.

· The County works with its insurance broker, Gallagher, and files a claim with its insurance agency, AIG.

· The Cabarrus County Information Technology department initiates cybersecurity incident response and finds no breach in security.

· The County halts vendor payment setup for those who receive payment via EFT. Officials verify all vendors with any banking changes over the previous six months.

February 6, 2019

· Debra Richardson begins a three-month process, validating existing vendor data and redesigning the County’s vendor registration and maintenance processes.

February 12, 2019

· Bank of America recovers $754,652.05.

February 22, 2019

· Bank of America recovers additional funds of $3,934.78 and $17,931.57.

March 20, 2019

· The County sends $776,518.40 to Branch and Associates. The transaction is confirmed.

May 8, 2019

· Cabarrus County receives a $75,000 insurance claim payment.

May 22, 2019

· The County sends $1,728,082.60 to Branch and Associates. The transaction is confirmed.

July 29, 2019

· The Board of Commissioners approves the transfer of $1,653,082.60 from a portion of the Assigned Fund Balance set aside for extraordinary circumstances to the Capital Projects Fund.