Cyber Incident Victim: Scott County Schools

Date: Apr 2019

Location: United States of America

Summary

Scott County Schools fell victim to a $3.7 million online scam after receiving a fraudulent email impersonating a legitimate vendor, which diverted payment intended for services rendered. The district discovered the fraud when the actual vendor reported non-payment of an invoice, prompting an FBI investigation into the incident. This resulted in significant financial losses due to the successful deception.

Description

Scott County Schools publicly disclosed on April 24, 2019, that it had fallen victim to a fraudulent financial scheme resulting in a $3.7 million loss. The incident was discovered after an undisclosed vendor contacted the district regarding an unpaid invoice for services rendered approximately two weeks prior. Superintendent Dr. Kevin Hub confirmed the district initiated an internal review upon learning of the missing payment. This investigation revealed that the district had been deceived by a fraudulent email impersonating the legitimate vendor. The sophisticated email deception led district personnel to inadvertently divert payment to accounts controlled by malicious actors instead of the intended recipient. Scott County Schools promptly involved federal law enforcement upon confirming the fraud. The FBI assumed primary investigative responsibility for the case, though no suspect details or technical compromise vectors were disclosed publicly. District officials did not specify whether the fraudulent communication involved compromised email accounts or spoofed domains mimicking the vendor’s identity.

The financial impact totaled $3.7 million, representing one of the largest publicly reported business email compromise losses affecting a U.S. school district at that time. No evidence suggested student or employee data was compromised during the incident, as the attack exclusively targeted financial transactions. The district did not disclose whether any funds were recovered or if cybersecurity protocols were modified following the discovery. Superintendent Hub’s public announcement provided minimal operational details about the payment systems involved or the transaction approval workflow that allowed the fraud to occur. The FBI’s ongoing investigation prevented the district from releasing additional specifics about the forensic findings or international transaction trails. Scott County Schools’ disclosure marked a rare public acknowledgment of a substantial financial cybercrime against an educational institution, with the incident attracting regional media attention through WKYT’s initial reporting.
