Cybercrooks managed to transfer over three million dollars out of the bank accounts of the Duanesburg Central School District over the course of three days in December. The bank managed to recover $2,5 million of the stolen funds, but $500,000 are still missing.
Duanesburg is a town in Schenectady County, New York, with a population of under 6,000. The Duanesburg Central School District serves around 1,000 students and has an annual budget of under $15 million.
District officials learned of the fraudulent transfers when a NBT Bank employee called them on Dec. 22 to confirm several pending overseas transfers totaling $759,000. After stopping the unauthorized transactions, the bank also notified the district that an additional $1,190,400 was transferred out of its accounts on the previous day and another $1,862,400 on December 18.
The district contacted the FBI and the New York State Police, who immediately opened an investigation into the incident. Meanwhile, the bank got in touch with overseas financial institutions and was able to recover $2.5 million of the illegally transferred money.
"Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds," the district officials wrote in a letter to parents and community members.
The circumstances that led to the compromise of the bank account are yet to be determined, but chances are that it started with a malware infection, like in many similar cases reported last year. However, there are certain aspects of this incident that suggest the fraudsters are not very skilled in such hits.
For starters, the money was transferred in high amounts. In previous cases, the attackers kept transfers under $10,000 to avoid automated systems flagging them. Furthermore, the money was transferred directly to overseas accounts, which made it possible for the bank to recall it. Skilled fraudsters transfer the stolen money to the accounts of local individuals known as "money mules," who then withdraw and wire it outside of the country. Wire transfers cannot be reversed.
As a precaution, the district closed all of its accounts and opened new ones with restrictions for online access. It is not clear what these restrictions are, but the FBI and the American Bankers Association recently recommended that online banking be made from dedicated computers. We encourage performing such tasks from computers that run alternative operating systems and not Windows.