$4M in city’s federal housing funds stolen through email scam
Local and federal law enforcement are investigating a scam in Lexington, Kentucky, which allegedly saw criminals send bogus wire transfer information to city staff.
An investigation is underway in Lexington, Kentucky, after criminals stole around $4 million in federal housing funds from the city through an email scam.
City officials said a “sophisticated criminal operation” stole the money by inserting themselves into communications between the city and the nonprofit Community Action Council. City employees received an email they thought was from the CAC providing new bank information, but it was from the criminals.
Lexington sent three wire transfers of around $4 million in federal rent assistance and transitional housing funds to the scammers. The city believes that there was no criminal involvement from either its staff or employees of the local CAC, but it noted the investigation by the Lexington Police Financial Crimes Unit and local FBI and Secret Service offices is ongoing and facts could change.
Mayor Linda Gorton ordered an investigation of the city’s wire transfer processes through its Division of Internal Audit, and while wire transfers to CAC have been suspended until the investigation is complete, the city is working to recover the funds it lost.
“The government is a victim of a crime at a time when it is partnering with agencies across the community to provide critical financial assistance,” Gorton said in a statement. “Cybercrime is a growing problem around the world. We must be sure government employees are well trained to detect it.”
This attack came months after an FBI announcement that more than $43 billion has been lost between June 2016 and December 2021 through the compromising of business and other email accounts, which targets those who perform transfer-of-funds requests. The FBI noted at the time that the scam is not always associated with the transfer of funds, with scammers asking for employees’ personal information, tax forms and other documents.
And these kinds of attacks are a long-standing problem for state, local and tribal governments, according to FBI data published last year. The FBI said these types of scams have “significantly impaired operational capabilities and imposed considerable resource strain” on governments. The scams have included phishing attacks and the spoofing of contractors’ and vendors’ email addresses, the FBI said.
In response, the FBI called on IT administrators to consider a number of steps including conducting internal phishing awareness campaigns, requiring multifactor authentication and encouraging a “skeptical cyber posture” among employees.