Cyber Incident Victim: Cabarrus County

In July 2019, Cabarrus County, North Carolina, fell victim to a business email compromise (BEC) scam that resulted in the loss of $1.7 million. Attackers impersonated representatives of Branch and Associates, the legitimate contractor constructing a new high school for the county, via phishing emails. These emails falsely notified county staff that the contractor’s bank account information had changed and provided fraudulent documentation appearing to validate the request. County personnel processed the banking information update without additional verification. The scammers deliberately delayed further action until the county’s next scheduled vendor payment of $2,504,601 was transmitted to the compromised account on or before July 29, 2019. The theft went undetected for nearly three weeks until Branch and Associates contacted the county regarding an overdue payment, prompting internal investigation.

Financial institutions recovered $776,518.40 of the stolen funds after the county alerted SunTrust (the originating bank) and Branch and Associates notified Bank of America (the receiving bank), which froze traceable remaining amounts. The county’s insurance policy covered only $75,000 of the loss, forcing officials to reallocate $1,653,082.60 from reserves designated for extraordinary circumstances to fulfill contractual obligations. Cabarrus County publicly disclosed the incident, cooperated with an FBI investigation, and consulted insurance providers. The attackers exploited publicly available information about government contracts and contractor relationships, a tactic also observed in a contemporaneous $800,000 BEC scam against Griffin, Georgia’s municipal water treatment system. According to Financial Crimes Enforcement Network data referenced in the incident’s aftermath, monthly BEC-related suspicious activity reports had nearly tripled between 2016 and 2018, underscoring the prevalence of such schemes targeting public entities.