Crimes like the cyber fraud that struck Scott County Schools for $3.7 million last week, are part of a growing trend of crimes using the internet to target businesses and government agencies, said Scott Hall, executive director of the Georgetown/Scott County Revenue Commission. Hall also assists the FBI as a member of InfraGard, a public-private partnership which focuses specifically on such attacks.
“It is called businesses email compromise where somebody spoofs a company’s email from say a chief financial officer and sends it to clients and asks for money to be wired to an account,” Hall said. “It is more sophisticated and made to look like a legitimate invoice from a vendor, but it is a fake. The FBI says they see it frequently, and I can see how it would happen.”
The FBI focuses on 16 critical infrastructure sectors most likely to be subject to physical or cyber terrorist attacks including: chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation systems, commercial facilities, critical manufacturing, defense industrial base, energy sector, food and agriculture, waste and waste water.
While money was the target in the Scott County Schools’ cyber fraud, critical data is just as often the target of cyber thieves, often called hackers.
On April 24, Scott County Schools received fraudulent counterfeit documents from a vendor’s email address, according to a school system press release. The email portrayed itself as working for a vendor and had the school system’s electronic transfer paperwork filled out and attached, asking for an invoice to be paid to its account.
The investigation into the $3.7 million theft is ongoing, said Superintendent Dr. Kevin Hub. The school district does pay several vendors with electronic transfers and has been doing so for several years, Hub said. School board policy states “the board authorizes the District and schools to accept electronic receipts and make electronic payments in accordance with Accounting Procedures for Kentucky School Activity Funds and applicable laws and regulations.”
The theft of school system funds has alerted other local government officials to such dangers, and increased their diligence.
“We always start with what is the risk and that usually depends on what information you have and keep,” said Andrew Hartley, Georgetown’s chief administrative officer. “The city is considered a low risk because we keep a lot of information, such as account payables information, in the clouds. Nobody is fool-proof, but we don’t store data with Social Security numbers, we’ve beefed up firewalls and we back up the systems several times a day.”
There is a process in place to ensure checks are going to the right people, said Stacey Clark, Georgetown’s finance director.
“Vendor payments are done by paper check, although there are a few done by automated transfers like utilities and payroll,” she said. “Checks are required to have two signatures. And we have a system with Central Bank where we upload batches of checks with the amount and number and they double check what we send them with what clears.
But we prefer a paper check environment.”
City council members get a record of the checks that were paid out, and that serves as another set of eyes checking to see if anything looks out of the ordinary, said Mayor Tom Prather.
The city carries cyber insurance throughout the Kentucky League of Cities. Part of the coverage, called Data Breach and Privacy Liability, covers funds transfer or wire fraud, Clark said.
Like Georgetown, Scott County Government prefers the benefits of old-fashioned checks, said County Treasurer Michele Ray.
“The fiscal court is under Kentucky Revised Statutes (KRS) to not allow wire payments at all,” she said. “So there are no electronic payments out of the accounts, period. Invoices have to be approved by members of the fiscal court, except for utilities like water and sewer. Once approved, checks are run and they have to have two signatures — me and Judge Covington.
“Everyone says it is so old school, but it has benefits and we can’t waiver from it because of the KRS.”
Like Georgetown and the school system, the county has cyber insurance as part of its county insurance policy through the Kentucky Association of Counties, said Stacy Hamilton, Scott County executive secretary and fiscal court clerk. The policy is $1 million per claim and was implemented in July of 2015, she said.
The Revenue Commission, which collects tax revenues for the city, county and school system, recently had a risk assessment, checking physical protection, such as doors and alarms, and cyber protections, Hall said.
The Revenue Commission pays its bills by paper check, requiring two signatures, and asks to receive paper invoices.
“The risk was very low because we are a smaller organization and we don’t deal with the numbers of, say the school system does,” he said. “We are looking at a cyber risk insurance policy as well.”
Involvement with InfraGard helps him stay on top of current scams and types of fraud and he relays that information to other local entities, Hall said. He is the deputy sector chief for government facilities with the FBI’s local InfraGard.
“I get information from the FBI to keep up with these kinds of attacks, so it is very helpful to know ahead what could happen.”
Steve McClain can be reached at firstname.lastname@example.org.