Recent reports of another social engineering scam, this time at a North Carolina public school system, demonstrate why public entities and companies alike need to regularly review their cyber vulnerabilities and potential exposures and ensure that their cyber insurance is properly tailored to their specific risks.
Beginning in November 2018, the Cabarrus County school system received fraudulent wire transfer instructions that caused it to divert more than $2.5 million from a construction fund to a bank account controlled by the fraudsters. While the school system’s bank was able to return approximately $775,000 of the misdirected funds, the school system received only a $75,000 insurance payout to offset the remaining loss, forcing it to pay the remaining $1.6 million out of its emergency funds.
The scheme started when Cabarrus County Schools received an email purporting to be from a representative of Branch and Associates, a Roanoke, Virginia-based general contractor that the County had hired to manage construction of a new high school. The scammer communicated using a modified email account and succeeded in convincing County employees to modify the electronic funds transfer (EFT) account that had been set up to pay Branch for the construction project. After following the County’s standard procedures for updating financial information, including the return of a signed EFT change form and updated bank documents in support of the change, the County submitted a $2.5 million payment to the fraudsters using the new EFT information.
The County discovered that something was wrong less than a month later, when an actual representative of Branch called County officials to inquire about a missing progress payment. After realizing that the missing payment may have been sent to the wrong party, the County contacted local authorities, who began an investigation and enlisted help from the FBI. The County notified its bank and submitted a claim with its insurer, AIG. The bank was able to recover approximately $775,000 of the County’s money, but the County only recovered $75,000 in additional funds through AIG. Due to the shortfall, the County was forced to get approval from its board of commissioners to replenish the project’s capital funds account using $1.6 million from an emergency fund set aside for “extraordinary circumstances.”
The Cabarrus County scam is one of many in a long list of unfortunate incidents where cybersecurity safeguards and available insurance fell short. It is unclear from the public reports what kind of insurance policy ultimately responded to the County’s claim or why the insurance payout was limited to $75,000, which was insufficient to cover the remaining shortfall in the capital funds account. The County has reported that it has since implemented new vendor authentication protocols and trained its staff in multiple group and individual sessions under the guidance of an accounts payable consultant. Despite best efforts to prevent scams from happening, however, this recent example involving large, uninsured losses highlights the importance of regularly evaluating cyber exposures and reviewing insurance programs to mitigate the risk of cyber losses and maximize insurance recoveries.
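The incident above turned on a vendor bank-account change that passed the County’s paperwork checks (a signed EFT change form plus supporting bank documents) while the request itself came from a modified email account. The following is an added example, not code from the original post or from Cabarrus County Schools, of how a payments team might model a "vendor authentication protocol" for such changes: the sender domain is compared against the domain recorded at onboarding, lookalike domains are flagged, and approval additionally requires an out-of-band callback to the phone number already on file, never to a number supplied in the request. All vendor names, domains, phone numbers and account identifiers are constructed sample values, and the callback is simulated by a function the caller passes in.

```python
"""Toy vendor bank-change verification control (added example; hypothetical procedure).

Assumption: the vendor master file records, at onboarding, the vendor's email
domain and a callback phone number. A change to bank details is approved only
when the request comes from that domain, the usual paperwork is present, AND a
callback to the stored number confirms the specific new account.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str     # domain recorded at onboarding
    callback_phone: str   # number recorded at onboarding; the only number ever called
    bank_account: str


@dataclass
class ChangeRequest:
    vendor_name: str
    sender_email: str
    new_bank_account: str
    phone_in_request: str        # contact number supplied inside the email itself
    signed_form_returned: bool   # paperwork that the fraudulent request also satisfied
    bank_docs_attached: bool


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Extract the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_status(actual: str, expected: str) -> str:
    """Classify the sender domain as 'match', 'lookalike' or 'mismatch'."""
    if actual == expected:
        return "match"
    if edit_distance(actual, expected) <= 2 or expected.split(".")[0] in actual:
        return "lookalike"
    return "mismatch"


def evaluate_change(req: ChangeRequest,
                    master: Dict[str, VendorRecord],
                    callback: Callable[[str, str], bool]) -> Decision:
    """Decide whether a bank-detail change may be applied.

    `callback(phone, account)` simulates phoning the number on file and asking
    whether the vendor really requested `account`; it is the out-of-band check
    that paperwork alone cannot replace.
    """
    vendor = master.get(req.vendor_name)
    if vendor is None:
        return Decision(False, ["vendor not on file"])

    reasons: List[str] = []
    status = domain_status(sender_domain(req.sender_email), vendor.email_domain)
    if status != "match":
        reasons.append(f"sender domain {status}: "
                       f"{sender_domain(req.sender_email)} vs {vendor.email_domain}")
    if not req.signed_form_returned:
        reasons.append("signed EFT change form missing")
    if not req.bank_docs_attached:
        reasons.append("supporting bank documentation missing")
    if req.phone_in_request != vendor.callback_phone:
        reasons.append("request supplies a contact number different from the one on file; ignored")

    # Out-of-band verification: always the stored number, never the one in the request.
    confirmed = callback(vendor.callback_phone, req.new_bank_account)
    if not confirmed:
        reasons.append("callback to number on file did not confirm the new account")

    approved = (status == "match" and req.signed_form_returned
                and req.bank_docs_attached and confirmed)
    return Decision(approved, reasons)


# Constructed sample vendor master file (not real data).
MASTER: Dict[str, VendorRecord] = {
    "Example Contractor": VendorRecord("Example Contractor", "vendor-example.com",
                                       "+1-555-0100", "ACCT-ON-FILE-001"),
}


def demo() -> Tuple[Decision, Decision]:
    """Run a constructed fraudulent request and a legitimate one through the control."""
    fraudulent = ChangeRequest("Example Contractor", "ap@vendor-examp1e.com",
                               "ACCT-FRAUD-999", "+1-555-0199", True, True)
    legitimate = ChangeRequest("Example Contractor", "ap@vendor-example.com",
                               "ACCT-NEW-002", "+1-555-0100", True, True)

    def simulated_callback(phone: str, account: str) -> bool:
        # The real vendor, reached on the stored number, recognises only the account it asked for.
        return phone == "+1-555-0100" and account == "ACCT-NEW-002"

    return (evaluate_change(fraudulent, MASTER, simulated_callback),
            evaluate_change(legitimate, MASTER, simulated_callback))


if __name__ == "__main__":
    for label, decision in zip(("fraudulent", "legitimate"), demo()):
        print(label, "approved" if decision.approved else "held", decision.reasons)
```

The design point is that the fraudulent request carries complete paperwork, just as in the County’s case, and is still held: the lookalike domain alone would route it to manual review, and the callback to the number on file fails regardless of what the email says.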