The Alamance-Burlington School System was the victim on an online fraud earlier this fall that initially cost the school system more than $302,000 in capital funding through a phishing scam.
While there has been no public mention or discussion of the scam, The Alamance News learned of the fraud as a result of documents provided to the newspaper electronically by the school system in response to a public records request for information about intra-board communications with each other and to and from the school’s superintendent.
Phishing is an online scam that usually targets consumers by sending emails – which appear to be from legitimate sources such as banks, mortgage companies, or utility providers – but, in reality, are imposters seeking to intercept payments and/or capture sensitive information such as bank account routing numbers, according to the Federal Trade Commission.
In the school system’s case, the fraudsters posed as one of the school system’s longtime contractors, Central Builders of Mebane, and intercepted $302,463 in capital funding.
Superintendent Dr. Dain Butler said Tuesday in an interview with The Alamance News that ABSS has since recouped its losses.
Asked why there has been no public mention of the fraud that at least temporarily drained $302,463 from the school system’s coffers – and given heightened scrutiny of capital funding for ABSS – the superintendent seemed to agree that there needs to be a public conversation about what safeguards have been adopted to deter future fraud.
“As soon as I was informed of it, I informed my board,” Butler told the newspaper Tuesday. “As far as taking it to the board meeting, I think it should be clear it happened to us. We can do that, but again, [the money’s] been accounted for.”
While the initial loss of $302,463 represents about 10 percent of the $3.3 million the school system receives each year in county “Pay/Go” capital funding, school board chairman Sandy Ellington-Graves said she wasn’t sure whether the intercepted funds had come from county capital revenue for ABSS.
“It is my understanding that we’ve been reimbursed,” Ellington-Graves said Tuesday in a phone interview with The Alamance News. “I think it was recovered quickly, and additional safeguards have been put in place to ensure it doesn’t happen again. The board was properly notified, and it was quickly recovered.”
The school board’s chairman recalled in the interview the payment, which had been intended to go to Central Builders, was to cover a portion of a more than $1 million contract approved earlier this year for construction of a new track and stormwater improvements at Cummings High School.
ABSS officials inadvertently learned of the phishing scam and subsequent $302,463 loss on September 19 of this year, based on a portion of thousands of pages of emails that the school system furnished last week in response to a public records request from The Alamance News.
ABSS chief finance officer Kim McVey notified the school system’s administration of the fraudulent payment – believed to have been made via a direct deposit to Central Builders – in a September 20 email, which was among the documents that the school system furnished last week.
“My Accounts Payable staff received an email on August 28, 2023 to add direct deposit to Central Builders,” McVey wrote in her September 20 email. “Central Builders had previously been paid by check. The information looked legit, so she added the checking account information and we paid them on September 8, 2023 a total amount of $302,463.98. This is the only payment we have made to them as Direct Deposit.
“Central Builders reached out to accounts payable yesterday, wondering if we had any invoices to pay them and this is when this was discovered,” the CFO explained in her email.
McVey also reported to her superiors at Central Office that she immediately called American National Bank to begin the claims process in order to recoup the funds. “They will be sending documentation for me to sign this morning to move forward on their end,” she wrote. “There is no guarantee the money is still sitting in that fictitious account.
McVey elaborated in her email that she had contacted the school system’s insurer to determine whether ABSS had any type of coverage for this type of fraud and was waiting to hear back about the next steps for the claims process.
“I will also be seeking additional guidance on steps we can take to be even more proactive in verifying this kind of information,” McVey wrote. “We are supposed to be following up with the vendor by phone (different number from the one in email) to seek verification of the information we received.”
Uptick in cyberattacks on N.C. government agencies
Local government agencies in North Carolina have increasingly become targets for fraud in recent years.
Late last month, the city of Hendersonville, in western North Carolina, announced a data breach that city officials believe was limited to employee data, including Social Security numbers. Hendersonville’s city manager said in a November 29 statement that it did not appear customer data had been captured in the cyberattack.
Closer to home, Alamance Community College officials announced earlier this year that student data had been exposed during the MOVEit cyberattack in May, which had actually targeted the National Student Clearinghouse reporting and research system, along with more than six dozen other government entities, organizations, and companies across the globe.
In April of this year, the North Carolina Housing Finance Agency reported to the State Bureau of Investigation that the agency had been the victim of $2.7 million in theft through money transferred to a fraudulent account, multiple news outlets reported at the time.
Alamance County’s Register of Deeds office confirmed in early January that its website had been offline for several weeks due to a December 2022 cyberattack on Cott Systems, a data and records management provider that hosts the county’s website, as well as those for Register of Deeds’ offices in numerous other N.C. counties.
Mebane city officials revealed in January 2020 that the city’s network had blocked 4.3 million attempted intrusions by robots, malware, and other cybersecurity threats during the fourth quarter of the previous year.
In August, the chief risk officer for the N.C. Department of Information technology (NCDIT) said that N.C. public school systems are becoming an increasingly attractive target for cybercriminals, following nine cyberattacks on educational systems this year, multiple news outlets reported at the time.
The documents that ABSS furnished last week were in response to the second of two public records requests that The Alamance News filed with the school system in September and October.
The first request, filed September 11, sought communications and other documents related to the discovery of mold, sent to and from school board members and other ABSS officials from June 10 through the date of the request.
ABSS has not yet fulfilled the first public records request or a second public records request that the newspaper filed on October 20.
The second public records request was for all communications – including emails and text messages – to and from the then-six sitting school board members and the superintendent between September 11 and October 20. So far, ABSS has furnished emails from school board members Ryan Bowden, Chuck Marsh, and Dr. Charles Parker.