Floyd County School District scammed out of nearly $200,000 in taxpayer funds

A phishing scam has cost taxpayers in Floyd County hundreds of thousands of dollars. Floyd County School Board officials said the district was the victim of a cyberattack that’s now under investigation by local and state law enforcement agencies.

School officials inadvertently wired almost $200,000 to what they thought was a contractor they’d worked with previously and now they’re working with their insurance to try and recover the money.

"Phishing attacks are probably one of the most common forms of cybersecurity attack. Usually, it’s an email that comes in that’s asking you for information," cybersecurity expert Kyle Koza said.

Koza said scammers use those emails to pose as legitimate contacts with the hopes of stealing personal information or money.

"The majority of it is for money. They’re trying to steal money from you. In this case it was a lot of money," Koza said.

An incident report from the Floyd County Police Department lists the Floyd County School District as one of the latest victims. The email they received came in the form of a fake invoice for $194,672.76.

"Paying false invoices is relatively infrequent in my experience, but it does happen," Koza stated.

According to that police report, school officials wired the money in response to an invoice they thought was from a legitimate business called Ben Hill Roofing. The company had completed work on Armuchee High School.

District officials paid the phony invoice on April 29. They made the discovery it was fraudulent a little over a month later. That was when the real Ben Hill Roofing sent its invoice on June 7.

"What probably happened was they got an invoice they didn’t realize was from a spoofed email or an email that looked similar to the vendor that they’re working with and then they went ahead and paid the invoice not knowing that it was falsified," Koza explained.

A spokesperson for the Floyd County Board of Education released a statement that reads in-part:

"We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds. Because of the cybersecurity measures FCS has put in place over the past few years, school system officials believe this is an isolated incident."

The official offense listed in the police report is theft by taking. The Floyd County Police Department said the investigation into the incident is ongoing. Koza said one of the best way to avoid falling prey to a phishing scam is double-checking to see if it is someone who has had prior communications. If so, is it a different email address than before?

Floyd CountyNewsCrime and Public SafetyData Breaches