Brunswick County loses $4 million in email phishing scheme
Secret Service, US Department of Justice working to recover stolen funds
BRUNSWICK COUNTY, N.C. (WECT) - It’s the same kind of scam that WECT routinely warns viewers about. But this time, the target was a local government agency, and the fraudsters took millions of dollars from Brunswick County before someone realized the county was being scammed.
The US Government is working to recover some of the $4,026,180.07 stolen from Brunswick County between October 16, 2020 and November 25, 2020. The County never announced the theft publicly, but WECT discovered court filings from February 22, 2022 that detail how the scheme unfolded.
Assistant United States Attorney Matthew Fesak filed a “forfeiture in rem” complaint, attempting to seize funds recovered from four different bank accounts federal investigators say the fraudsters used to siphon money from the Brunswick County Government. Special Agent Mack Yates of the United States Secret Service (USSS) has been assigned to the case, and filed a declaration describing how criminal fraudsters got the money.
“On Friday, December 4, 2020, the USSS Wilmington North Carolina Resident Office (RO) was advised by Detective Clarissa Reece of the Brunswick County Sheriff’s Office that the County had been affected by a BEC [Business Email Compromise] and had suffered a total estimated loss of $4,026,180.07,” the narrative of what happened begins.
“On approximately April 14, 2020, a fraudster targeted the Accounting Department of the Brunswick County Government. A member of the County’s Accounting Department received a fraudulent spoofed email from ‘Thomas Howell,’ who is a known employee of the TA Loving Company, a legitimate contractor who provides services to the County. The fraudulent, spoofed email address used by the fraudster inserted an extra hyphen to the email domain name; otherwise, the address appeared identical to Mr. Howell’s real email address,” the declaration continues.
The fraudulent email contained a request to update the bank account and routing information for TA Loving Company. It contained “identical fonts, margins, and diction as legitimate email correspondence between TA Loving Company and the County.”
A county accounting employee who received the initial email was suspicious, and quickly contacted the CFO of the TA Loving company, who confirmed the email was not legitimate. However, the fraud attempt was not reported to law enforcement. Court documents do not say if other county employees were warned of the scheme, but on September 23, 2020, a second fraud attempt was made. The guise was similar, with the email coming from an alleged employee at TA Loving.
The second time, the fraudsters were successful.
“The email was not identified as fraudulent by the County, and County personnel subsequently updated TA Loving Company’s deposit records to reflect the requested account information. Over the course of the following months, the County automatically deposited payments for legitimate contracts into [a PNC bank account], the fraudster’s illegitimate account...,” court documents read.
The first payment was for $155,555.25 on October 16, 2020, followed by a $391,269.61 payment on October 30. In November, the payments were for significantly more money: $1,521,268.40 on November 6, and another $1,958,086.81 on November 25.
The scheme began to fall apart when TA Loving Company reached out to Brunswick County on November 25, requesting to be paid for overdue invoices. They informed county personnel they had not changed their bank account information, and the September 23 request for the county to change their wiring information was not made by them.
Once criminal investigators began looking into the matter, they discovered the bank account the fraudsters had instructed county employees to wire the money to was actually owned by a Pennsylvania limited liability corporation, “Dixie Delish Kitchen LLC.” The account was opened in August 2020, and was dormant until it received the payments from Brunswick County. Upon being alerted to the fraudulent activity associated with the account, PNC bank froze the funds. But at that point, much of the money was gone.
Special Agent Yates obtained a warrant for the balance of the account, and PNC provided him with a cashier’s check for $2.2 million of the money. Further investigation revealed the remaining funds had been transferred to nine other entities, “all of which appeared to hold illegitimate shell accounts” according to Yates. The money eventually made its way to three separate accounts at Bank of America. Because the funds were connected to a wire-fraud scheme and possible money laundering, Yates was able to get those funds frozen, too, and obtained cashier’s checks for $211,337.97 from one account, $138,831.07 from a second account, and $219,373.39 from a third account.
The remaining $1,226,021 has been unrecoverable to date.
The US government is now attempting to take over the recovered funds through asset forfeiture. Brunswick County received $250,000 in insurance money following this loss, and said it hopes to recover most of the remaining money through forfeiture proceedings.
“This situation did not hinder the County’s project with T.A. Loving, nor impair its ability to meet all of its financial obligations. Brunswick County turned the matter over to law enforcement immediately upon discovery. The County also took appropriate action regarding personnel involved in the matter. T.A. Loving has received full compensation for all work completed to date. No initiatives or positions have been nor will be eliminated or affected due to this [financial loss],” Brunswick County Spokeswoman Meagan Kascsak told WECT.
“We understand that the theft of $4 million through a phishing attempt is concerning; that’s why we have taken additional steps to protect the organization from future risks. Brunswick County has a strong financial condition and was able to cover the difference through the fund balance without any impacts to services or our overall financial stability. It was important that Brunswick County follow the recommendations of law enforcement concerning this matter as immediate public disclosure could have helped the responsible parties avoid capture and find ways to harm other organizations more discreetly through phishing,” Kascsak added in response to concerns that this is the first the public is hearing about this.
To prevent this from happening again, Brunswick County acquired third-party vendor management software that initiates and manages all invitations for vendors and verifies names, tax information, addresses, bank account ownership, etc.
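The spoofed address described in the declaration differed from the vendor's real one only by an extra hyphen in the domain. The added example below (not from the article, the court filing or the county's systems) shows a check a mail filter or accounts-payable workflow could run on sender domains; the vendor name, domains and function names are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed vendor master list: vendor name -> domain on file (placeholders).
KNOWN_VENDOR_DOMAINS = {"Example Builders": "example-builders.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Drop hyphens so added, removed or moved hyphens compare equal."""
    return domain.replace("-", "")

def classify_sender(from_header, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, vendor) for the domain in a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # An exact match on any vendor wins before lookalike checks run.
    for vendor, real in known.items():
        if domain == real:
            return ("known", vendor)
    for vendor, real in known.items():
        if skeleton(domain) == skeleton(real):
            return ("lookalike-hyphen", vendor)
        if edit_distance(domain, real) <= max_distance:
            return ("lookalike-near", vendor)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample headers, not taken from the case.
    for hdr in ["AP Contact <pay@example-builders.com>",
                "AP Contact <pay@example--builders.com>",
                "AP Contact <pay@examp1e-builders.com>"]:
        print(hdr, "->", classify_sender(hdr))
```

A "known" verdict only says the domain matches the one on file; a request to change bank details still warrants the call-back to the vendor that stopped the first attempt.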
Research from the USSS and the FBI indicates that Business Email Compromise cases totaled over $32 billion in losses in 2019 alone. Experts believe the number is greatly underreported for fear of public image and legal action.
Copyright 2022 WECT. All rights reserved.