Cyber Incident Victim: St. Johns County
Date: Jul 2023
Location: United States of America
Summary
St. Johns County lost $1.1 million to scammers using a business email compromise scheme, impersonating a legitimate construction company to redirect electronic payments. After the fraud was detected, approximately $600,000 was recovered through bank reversal, with efforts ongoing to retrieve the remaining funds. The incident involved fraudulent requests to switch payment methods, leading to two unauthorized transfers before the legitimate vendor reported non-payment. Joint investigations by local and federal authorities are underway, while the county is enhancing internal controls, reviewing processes, and exploring insurance options to mitigate future risks.
Description
In July 2023, St. Johns County staff engaged with an entity they believed represented a legitimate construction company based in Loxahatchee. The communication originated from an unusual email address (@dbehdd.co), which lacked the standard ".com" domain typical for established businesses. The fraudulent actor, impersonating the real company, informed the county via email that they would no longer accept check payments, citing issues with unclear or bounced checks from clients. Instead, the scammer requested digital transfers to streamline financial processing. Complying with this request, the county electronically transferred $551,000 to the fraudulent account. In September 2023, a second payment totaling $612,000 was sent to the same bogus entity before the scheme was uncovered. The real company, using a ".com" email address, notified the county that it had not received any contract payments, prompting a utility manager to identify the fraud in a September 27 email.

The St. Johns County Sheriff’s Office and the U.S. Secret Service initiated a joint investigation, though no further details were released due to the active status of the case. By early October, the county successfully reversed the $612,000 transaction through bank intervention, recovering a portion of the stolen funds. Clerk of Court Brandon Patty reported the total loss at $1.1 million, with approximately $500,000 still unrecovered as of early October. Patty confirmed the attack method as business email compromise (BEC), where attackers infiltrate email communications to alter banking details during payment processes. The county implemented secondary financial controls, initiated an internal process review, and planned third-party verification of payment requests to prevent future incidents. Insurance claims were filed to recover remaining losses, with Patty emphasizing ongoing efforts to safeguard taxpayer funds while pursuing full restitution.
