
Kentucky School District Recovers $3.7M from Phishing Incident

A school district in Kentucky has recovered the $3.7 million stolen by a hacker in a cyber wire fraud scam last week. The wire fraud was related to a phishing incident at the school, according to officials involved in the case.

“Scott County Schools is pleased to announce the full and complete recovery of all funds feared lost last week due to wire fraud,” Superintendent Kevin Hub said in a statement on Tuesday, April 30, the Lexington (KY) Herald Leader reported. “The full amount of $3,704,338.76 has been returned to Scott County Schools. With the recovery of the money, we will not need to make an insurance claim.”

Phishing for Profit

School officials last week said the district had been tricked by an email from a hacker posing as a vendor claiming that payment on an invoice from two weeks earlier had not been made. Apparently, the bogus email activated an automated payment account that the hacker used to drain millions from the school district’s bank account. The hacker reportedly targeted the vendor with which the school district spends the most money annually. The hack did not extend to the district's financial data system or the student data management system, officials said.

Dr. Kevin Hub, Superintendent, Scott County Schools

“This is a process that we use currently in Scott County Schools,” Hub said at the time. “It’s a way that we pay our vendors. And it was in this specific case, a single case, that we can verify, and this fraudulent email and fraudulent documentation is what caused this crime to happen.”

Hub subsequently huddled with the Kentucky State Police and FBI agents in Lexington, but it was the Kentucky Bank that recovered the money for the school district. The hacker remains at large somewhere in the U.S., Hub said. “The money remained here domestically, that’s why our partners at Kentucky Bank were able to effectively return every nickel to us,” he reportedly said.

The school district has already conducted an internal investigation and determined that staff members followed the proper procedures. “Our internal investigation found no wrongdoing on any of our staff members, but yet we were a victim of this wire fraud,” Hub said.

School districts nationwide are subject to cyberattacks, and this isn’t the first time one has been duped by a wire fraud scheme. Last November, Galloway Township Public Schools, a New Jersey public school district, lost $200,000 in an incident involving fraudulent wire transfers. Since 2016, at least 350 cybersecurity incidents have been publicly documented by U.S. K-12 schools, according to the Parent Coalition for Student Privacy.

Amid such attacks, numerous MSSPs and MSPs have extended beyond anti-phishing technologies to also offer security awareness training services. The services typically include phishing tests and corrective measures to help employees spot and avoid phishing email links.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.