FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft

The government of Lexington, Kentucky is working with the FBI and Secret Service to investigate $4 million in federal rent assistance and housing funds allegedly stolen by cybercriminals. 

In a statement to The Record, Mayor Linda Gorton said the city is already taking internal steps to examine how cybercriminals managed to circumvent the city’s internal wire transfer processes to steal the funds. 

“The government is a victim of a crime at a time when it is partnering with agencies across the community to provide critical financial assistance,” Gorton said. “Cybercrime is a growing problem around the world. We must be sure government employees are well trained to detect it.”

City officials added that they currently do not believe any government employees were involved in the theft but Gorton noted that “this is an active investigation and facts continue to emerge.”

Switched accounts

Over the weekend, the city went public with the revelation that on Thursday, investigators discovered that a “sophisticated” criminal operation managed to intercept emails between the city and a local community council that needed the funds.

It was only then that city officials realized they had not been communicating with the Community Action Council but instead had been emailing with cybercriminals who provided their own bank account and made off with the money. 

The city ended up sending three wire transfers with about $4 million to the cybercriminal bank accounts. 

The leader of the Lexington Police Department’s Financial Crimes Unit, Sgt. Brad Williams, said these kinds of thefts — commonly known as business email compromise — have become incredibly common and happen “all the time to businesses, universities, non-profits, governments.” 

“No one is immune,” he said. 

Lexington Commissioner of Finance Erin Hensley said her office worked late into the evening on August 25 to freeze the accounts involved. 

City officials are now trying to recover the funds and have suspended all wire transfers to the Community Action Council until the investigation is finished. They are also working with the council to help ensure it is funded. 

A city spokesperson told The Record that investigators still do not know which group may have been behind the attack or when the emails were switched. 

In May, the FBI said more than $43 billion has been lost through business email compromise and email account compromise scams since 2016 across 241,206 incidents.

BEC scams are popular attacks where hackers compromise legitimate business or personal email accounts through social engineering or computer intrusion before conducting unauthorized transfers of funds.

The FBI noted that there are now variations of the scam involving the theft of employees’ personally identifiable information, Wage and Tax Statement (W-2) forms or even cryptocurrency wallets

Andy Gill, senior security consultant at LARES Consulting, said the numbers in the report are likely the low end of the actual figures given that a large number of incidents go unreported. 

BEC attacks are often conducted by a threat actor phishing their initial target to gain access to email inboxes, Gill said, noting that from there, they will typically search inboxes for high-value threads, such as discussions with suppliers or discussions with others within the company, to initiate further attacks either against employees or external parties.

State and local governments have long faced similar attacks. In 2019, the town of Erie, Colo. was scammed out of $1 million for a bridge project after a fraudster submitted a change of payment request through an online form, according to the Denver Post. 

In May, Portland, Oregon had $1.4 million in city funds stolen through a fraudulent transaction and just last week, Pennsylvania officials managed to recover $10.3 million of the total $13 million stolen from a local community school district.