
Yavapai County announced Monday, Feb. 2, that it had fallen victim to a business email compromise scam but has recovered nearly 98% of the $868,982.14 in stolen funds, likely from the county’s Public Works Department, that were redirected into a fraudulent bank account.
“The investigation began after cybercriminals successfully infiltrated the email system of a trusted third-party vendor currently contracted with the county,” according to Yavapai County. “Posing as the vendor, the attackers were able to redirect a scheduled payment via direct deposit into a fraudulent bank account.”
This is an active investigation, so Yavapai County Board of Supervisors Communications Manager David McAtee said he could not comment about any potential charges, nor provide details on the timeline of how taxpayers’ money ended up in the wrong account.
“We have a contract with a company that does road paving, and they filed a request for payment, and in that request, asked for us to change the account number that the payment went to,” McAtee said.
The county processed the payment change request, transferring $868,982.14 to what appeared to be the vendor’s new account.
Business email compromise scams are designed to exploit routine vendor payment processes by impersonating official partners.
“It triggered a warning by the bank, so that was immediately frozen, and then [YCSO] got involved,” McAtee said. “Our sheriff’s detectives started investigating, and found out that the owner of this account could not provide the information that they stated they could in the application for the account’s creation. So the bank froze their assets and then transferred us back the remaining amount that was left in the account.”
“In response to the incident, Yavapai County is currently: Conducting internal and third-party forensic evaluations of all digital systems, implementing enhanced verification protocols for all financial transfers, strengthening ‘dual-authentication’ requirements for vendor communication,” according to the press release.
As of Tuesday, Feb. 3, $18,787.69 has not been recovered, McAtee said.
“I am incredibly impressed with … getting back 97.8% of this,” McAtee said. “I think that’s just unheard of these days. But we’ll have to wait and see if the remaining is returned.”
“Business Email Compromise is a sophisticated scam targeting both businesses and individuals performing a transfer of funds,” the FBI’s Internet Crime Complaint Center stated. “The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques resulting in an unauthorized transfer of funds.”
Nationwide, IC3 received 21,442 business email compromise complaints, resulting in nearly $2.8 billion in losses, according to its 2024 annual report.



















