Federal law enforcement has arrested a Georgia man and charged him with having perpetrated an e-mail spoofing scheme that cost a county 566,000 USD.
The United States Attorney's Office in the District of Kansas announced one charge of wire fraud against George S. James, 48, of Brookhaven, Georgia following a criminal investigation into an e-mail spoofing scheme involving Sedgwick County.
On 23 September 2016, the county received an email from what looked like the CEO of Cornejo & Sons, LLC. Cornejo is a Kansas-based construction company that had completed some work on a road project for Sedgwick County, so county officials were expecting to hear from them. The email came with a form that requested the county make an electronic payment to a Wells Fargo Bank in Georgia.
Sedgwick County processed the payment on 7 October 2016. But it soon learned Cornejo never received the funds. Instead James had fraudulently received the money through an account for "Rapid Repairs and Consultants" he owned at the Georgia Bank.
A statement released by the Department of Justice provides more information about this scheme:
"The criminal complaint alleges the scheme involved providing false information over the Internet to the county’s Automated Clearing House. The fraudulent email caused the county to change the information it kept on file for the Cornejo company’s financial institution and bank account. The email request was sent from firstname.lastname@example.org to AP_invoices@sedgwick.org."
Cornejo's actual domain is cornejocorp.com, not cornejocorp.net.
Sedgwick County soon after filed a complaint with police, who launched an investigation into the incident. Officials followed the electronic trail to James, who now faces 20 years in prison and a maximum fine of 25,000 USD if convicted.
Had it inquired about the new payment details directly with Cornejo via phone, county officials would have realized someone was scamming them. With this in mind, it's important for entities like Sedgwick County to create security policies that protect them against payment fraud. They should then make sure they educate their employees about these policies via the help of a third-party policy management software.
Does this type of solution sound of interest to you?