Flagler County Sheriff Rick Staly this afternoon confirmed that the amount of money the Flagler County school district lost in a wire-transfer phishing scheme is $719,583, but that “it’s close to 100 percent long gone.”
The district made the payment on Sept. 22. Its fraudulent nature was not detected until Tuesday morning–11 days later, an eternity of comfort for phishing scams to evade controls and make it out of the country.
The school district and its contractor building the $22.6 million expansion at Matanzas High School, for which this was to be a payment, in effect were caught in the sort of Nigerian-Prince phishing scheme innumerable Americans fall prey to by carelessly or inadvertently clicking on the wrong email or making hazardous downloads from the web.
With little hope of recovering the money, the district is exploring different avenues of making up some or all of the money through its insurance carrier or other means. Kristy Gavin, the school board’s attorney, said the district’s bank, its insurer–the North East Florida Education Consortium–and the vendor’s carrier may play a role in the possible recovery, though none of that is certain as policies are being examined to see what is covered by whom. “There’s a lot of moving parts of funding recovery,” Gavin said.
But the Matanzas expansion will not be delayed, Gavin said today, and payments will continue to be made. The project is continuing, with HA Contracting Corp. of Miami-Dade as the general contractor.
The $719,583 payment was for work already accomplished. Design costs aside, the project’s construction phase is to cost $18.75 million, with a 10 percent (or $1.875 million) as contingency, which now could potentially cover some of the lost money.
The Sheriff’s Office released a significantly redacted incident report that fills two-thirds of a single page
It is still not clear who was responsible for making the transaction to a bogus recipient, which was done through what’s called an electronic wire transfer (EFT) through the Automated Clearing House (ACH).
FlaglerLive has learned that the fraudsters somehow managed to spoof impersonate the vendor’s email, but it’s not clear if this was at the vendor’s end or at the district’s end, though from the wording of the incident report, it appears to be at the district’s end. What is clearer is that somehow, somewhere, inadvertance, lax procedures or a combination of the two enabled a relatively common scheme to target an unusually large sum.
The district’s finance department issued the payment on Sept. 22. On Oct. 2–Monday–the contractor contacted the district and told staffers they had not received “After some communications between Flagler County School personnel and [the contractor] it was determined the Flagler County School District was a victim of fraud and law enforcement was contacted,” the sheriff’s incident report states.
On Tuesday, a very brief, terse statement from the district was issued late in the day to say that the Sheriff’s Office and the FBI were involved. In fact, the sheriff is leading the investigation. Sheriff Rick Staly said today that while there was some contact with federal agencies, they are only on standby if the Sheriff’s Office needs help.
“There’s a ton of work that has to be done,” the sheriff said today after a press conference outside the Sheriff’s Operations Center in mid-afternoon. Other than the more precise sum of the money lost, the press conference summarized what FlaglerLive reported on Tuesday evening.
The sheriff said that while at this point the criminal investigation is taking nothing off the table, there was “no indication” of criminal intent on the district’s side, but he stressed that “it’s unlikely the money will be recovered.” Gavin today again confirmed what a spokesperson had said yesterday: no district personnel has been relieved of duty in any way as a result of the fraud. Internal financial procedures, which have have had their issues well before this incident, are again being examined for.
In late September, Fort Lauderdale lost $1.2 million in a similar scheme as the city was financing a $144 million construction project, a new police station built by Moss Construction. “It wasn’t just an email, like, ‘Hey, this is Moss Construction. Send me $1.2 million,’ It was followed up with full documentation, multiple paperwork,” Fort Lauderdale Mayor Dean Trantalis told a CNN affiliate in the city, which may hint at the method used in Flagler’s case. George Mayo, a resident addressing the Flagler County Commission at its Monday morning meeting, more than a day before the school district’s revelation, alerted the commissioners of the scheme.
The Flagler County School Board met for a three-hour workshop on Tuesday. It did not discuss (and was not yet aware of) the fraud, its focus again more on firing Gavin–one of a small handful of remaining top staffers with deep institutional history of the district–than on finding some stability in a district wracked by a series of upheavals. The three board members who want Gavin fired–Will Furry, Sally Hunt, Christy Chong, the majority that fired the previous superintendent–have not disclosed why they want Gavin fired beyond vague grievances about trust, but somehow seem in agreement that she must and will be.
Even before the board learned of the fraud after the meeting, Superintendent LaShakia Moore, who participated in the three-hour meeting (as Gavin was investigating the fraud elsewhere in the building) was aware that she already had the second major crisis on her hands, on her short watch, just weeks after the controversy of Bunnell Elementary’s segregated assemblies that drew national attention. Moore has yet to sign the contract making her the permanent superintendent. There are no indications that she is eying that closing window as an escape hatch.
TR says
IMO, It’s an inside job with the person connected to the bank account. Just my guess.
David Gardner says
It sounds like there are a lack of good internal controls to prevent this situation. This would include good IT controls. If that is not possible, invoices received via email should be rejected outright.
Jay Tomm says
IT has nothing to do with this. The problem here is staff not doing their job. If this was vetted properly & the controls were in place for different people to verify funding requests this would not have happened. This is a finance dept & user error problem. IT can only do so much.
David Gardner says
I agree if IT can”t identify fraud emails, then email shouldn’t be used as a vendor invoicing vehicle. I worked for a company in Boston where AP demanded vendor invoices be mailed. All emails were rejected.
Purveyor of Truth says
It is alarming that a school district financial official with the responsibility of managing millions of taxpayer dollars would fall victim to this common scam.
The finance world is generally well aware of these wire transfer scams. If you’ve ever wired money in the process of closing on a home purchase, you probably received the warning about these types of scams in the wire transfer instructions.
melly c says
The outlet reporting this story is making it sound like it was a common wire transfer scam. Clearly, there’s more to it than that, judging from the input from the Ft Lauderdale folks noted in the article.
Victim blaming is so tiresome, please stop it!
Jake says
I loathe the fire them all crowd but heads should roll.
There should be cyber security training (knowb4 for example) as required for every employee.
I have to do it not just for my employer , but redundantly for clients for which I work.
The lack of institutional control here is inexcusable.
To be fair I do not know there is not training in place but it is reasonable to surmise that if there was sufficient control and training, they would have stated so.
SOMEITGUY says
As a Sr manager in IT over systems and security, it’s time to clean house. There is a total breakdown of security and user education. This falls on IT and policies in place.
An ACTUAL IT Guy says
Oh really Mr Sr Manager in IT? Tell all us dumb monkeys exactly where IT broke down here? In a government entity no less that is notorious for pathetically underpaying IT talent and subsequently getting what they’re paying for, but I digress. No this is human process error, and/or internal human fraud involvement. All the AI and ML in the world can’t always fix stupid. Either process controls aren’t in place that keeps a single human from self authorizing and processing nearly a three quarter million dollar payment, OR there is someone internally participating in the fraud. IT did not, without human interaction, enter payment details and click the send button. This is 100% human error and/or fraud. If the person that clicked send was following internal protocol and process, then their boss and boss’s boss needs to go. If not, then they need to be fired and prosecuted. I don’t see anywhere where IT did anything wrong, utilizing the tools in place designed to deliver or not deliver phishing messages.
AnotherActualITManager says
You are exactly correct. Couldn’t have worded it better, myself. I am an I.T. Manager, with 30 years in Information Technology, in the government sector. I have seen these Invoice Scams carried out over a FAX. How is the I.T. guy supposed to know that an Accounting Clerk pulled an ACH change form off of a fax machine and initiated a change and hit the button to release nearly a million dollars in payments? Where were the accounting controls? On a transfer that big, at least two or three accounting personnel should have reviewed the transfer. I train my employees to pick up the phone and call the vendor that is submitting the ACH change form and ask them if it is legitimate. Don’t call the number on the Invoice. Call the actual contractor that provided the service. Heck, call the number on the RFP bid, or whatever. Also, many times, the email is sent to an individual in the county, such as a Utilities Director and the Utilities Director forwards the fraudulent request to their contacts in the Finance Department and says “get this paid for me”. People accuse I.T. of spying on them all day long and freak out over MDM controls on their portable devices, then they complain that we quarantine too many of their emails and take to long to review and release the emails from quarantine. God forbid we ask them to sit through Security Awareness training twice in a year. But, when something goes wrong, WE SHOULD HAVE KNOWN.
JimboXYZ says
Not too long ago (August 2023) Palm Coast wanted to do forensic audits. I would think these projects, considering the magnitude of the transfers for progress payments would be handled similarly to a real estate purchase ? Escrow accounts for the progress payments to be deposited & ultimately distributed to the contractor(s) ?
Bazinga says
Despite the expected MAGA booger eating bullshit that “Jimbo[..]” likes to sling around, this is perhaps the most since he’s ever made to date. Must be going on over 8 hours of sobriety. Good for you.
JimboXYZ says
Not that we don’t have our own share of domestic frauds, but an open border & the “Nigerian Scams” are now crossing the borders, like Fentanyl. The human race continues to disappoint. Transactions of this magnitude needs to be handled at the Director’s level, it’s what they get paid the big bucks for, what else do they have to do ? That’s still no ironclad guarantee that there won’t be a problem, but it does greatly reduce the likelihood f it. Then you have names to fire.
My two cents says
I feel bad for the person who pushed the send button on the payment. I mean, they are human just as you and I and anyone could unfortunately fall for one of these scams – that’s why these scams are out there. However – that person was likely operating under rules and procedures they did not create or set: there was NOT sufficient training, procedures, and preventative measures in place when playing with such large sums of money – that are so easily subject to fraud. The whole process just seemed very cavalier and asking for this outcome if you asked me, and the County needed to have done better financially.
With that said, recovery of money “through its insurance carrier or other means”… the ‘through other means’ concerns me. We all know insurance will find a way to cover from 10% – 0%. I don’t think ‘through other means’ is suggesting t-shirt sales and candy bar sales at the GSB to make up the difference..
This is a very, very unfortunate situation for everyone. Let’s just please learn from this, and move on.
Thomas Hutson says
There is an application offered by banks called Positive Pay which would help prevent this type of fraud.
Just a thought says
Thank you My two cents. This poor person will probably lose their job for something for which they weren’t trained. You are the only voice of reason among all these “experts.”
Randy Bentwick says
The good news is they will not be able to afford books now so the children are safe from the gays.
Unbelievable says
I just want to know, HOW IN TF did this go ‘undetected’ for 11 DAYS?!
Me says
Why wasn’t this detected SOONER? Sounds very suspicious to me.
Wow says
This happened to the town of Peterborough NH not too long ago. Same exact thing. They lost 2 million.
Not sure if they ever recovered any but the feds got involved.
https://www.govtech.com/security/new-hampshire-town-scammed-out-of-2-3m-by-cyber-criminals?_amp=true
Nephew Of Uncle Sam says
LaShakia Moore might want to think real hard before signing her contract for I would almost guarantee the gang of 3 dysfunctional Board members will try to use this against her and anyone else they so please.
dave says
Small town, BIG PROBLEMS. One would hope some federal investigation (FBI handles wire fraud) takes place for this as it no doubt crossed state lines for these transactions. This is just to big for our local Sheriffs Dept.
Skibum says
This is exactly how some of the most common fraud scams work people!!! Despite warning after warning from fraud experts to consumers and businesses alike, fraudsters continue to rake in billions of dollars simply because of laziness or carelessness when these situations arise. Whether you are paying bills from your personal bank checking account or credit card, or are responsible for submitting invoice payments from a business or government account, DO YOUR DUE DILLIGENCE and remain wary of phishing scams like this one that sends you an email saying the pay to address or account # has changed. DON’T just go ahead and assume it is legit and change the information. How much time does it take to pick up the phone and call using the contact number(s) you already have, NOT what the suspicious email or text sends you. Speak to someone in person and ask if their pay to address or account info has been changed recently. In almost every case, the answer will be NO! They need to know that fraudsters are attempting to have their payment sent to a fraudulent account so they can put out a warning notice to others. Once the money has been sent or transferred wirelessly or online, most likely it is gone forever because so many of these fraudulent phishing scams occur from locations outside the U.S. It pays to be wary and suspicious, as the school district has now become the latest scam victim to learn this valuable lesson.
Land of no turn signals says says
A fool, in this case FOOLS and his money are soon parted.No biggie it’s only tax payer money they can just increase tax’s to make up the loss.
Idiots says
I work for St Johns County and every month every employee is required to perform online Phishing techniques which are constantly being updated and we are educated on what to watch for
But they were to consumed with firing their own attorney to even realize what was happening
Local says
Calm down people! It’s tax dollars. Now they can get more next year. Win win for the local government.
Do they provide a class at the local colleges on phishing . Sounds like a way to make a lot of money fast with no repercussions.
James says
$715,000… That’s a whole lotta chicken McNuggets.
Just think. This could all have been prevented if they paid their vendors/contractors in McDonald’s gift cards.
Just my opinion.
Butt nugget guy says
It is a GOOD thing this is just your opinion… Are you really suggesting FCSB buys tens of millions of dollars of nuggets…..to pay contractors with nuggest??? OMG.. LMAO… lets get to buying the butt nuggets…
James says
McDonald’s gift cards… for McNuggets, Big Mac’s, Quarter Pounders, Cheese Burgers… whatever.
Could throw in some Chick-fil-A cards as well.
Or perhaps (in this case) even some for Home Depot.
Hey, whatever works.
endless dark money says
If you havent noticed phishing and identity theft schemes have increased significantly in complexity over the past few years. You rarely hear about someone actually being prosecuted for these crimes. I know many of you think its all Bidens fault but there is a large gap actually over a million identity theft instances just in 2022. also since most these are national or international schemes the govt cant decide whos supposed to do what. Maybe allowing companies to sell your info to the highest bidder wasnt the best option.