Cybercrimes causing state agencies to lose millions of dollars, I-Team finds

RALEIGH, N.C. (WTVD) -- The ABC11 I-Team first uncovered $2.7 million missing from a state agency tasked with increasing affordable housing options in North Carolina. Now the I-Team discovered this isn't the only instance of stolen tax dollars.

The North Carolina Finance Housing Agency (NCHFA) reported $2.7 million worth of theft to the North Carolina State Bureau of Investigation (SBI) in April, according to records obtained by the ABC11 I-Team.

The agency filed a report of "fraud / false pretense or swindle" with the Raleigh Police Department the same week. The police report obtained by the I-Team further describes the incident as "money via wire transfer to a fraudulent account."

This isn't the only incident of theft reported to the SBI.

Since 2016, 30 other public agencies have collectively reported more than $2 million worth of theft directly related to funds.

Digging further the I-Team found nearly half ($958,000) was related to cybersecurity or electronic-related incidents.

Many of these incidents targeted state universities.

In 2020, Appalachian State University reported $58,000 stolen related to electronic fraud. The university told the I-Team that "six fraudulent student registrations requested a refund to their accounts, which were traced to bank accounts outside of the United States. We were able to recover $30,414."

The same year, UNC-Chapel Hill was the victim of "fraud related to wire/computer," according to a UNC police report. The police report shows initially $1.1 million was affected but police were able to recover $970,000.

In 2018, a phishing email at UNC Pembroke led to the theft of $4,000.

"In this case, one employee did not change their password and their email was compromised, resulting in a change in their direct deposit details and the loss of their paycheck," a university spokesperson explained.

Since the incident, the university updated its procedures around changes in direct deposit to decrease future incidents.

It's not just education systems, the North Carolina Indigent Defense Services was contacted by a person pretending to be an existing vendor. The offender set up a new account with the agency and was able to steal an estimated $11,000, according to SBI data.

NCDHSS initially lost $86,000 in 2019 to electronic fraud. A spokesperson for the agency said the funds were issued to an "unlawful beneficiary." Two months later the money was able to be recovered.

SBI data shows that close to a fourth of the money stolen since 2016 has been recovered.

The I-Team found other incidents of theft that did not involve cybercrimes including fraudulent invoices and checks and a contracted employee stealing cash from a drawer, and checks stolen in the mail.

Torry Crass is the state's chief risk officer and works with the N.C. Department of Information Technology. His team usually works alongside law enforcement when state agencies report theft related to cybersecurity.

He said that despite these cases, he believes taxpayers' dollars are safe.

"I would say yes. And the reason is, is because those are very isolated incidents that do come up and there are protections in place," he explained.

Crass said those protections include security to protect against attacks and phishing awareness training.

"Of course, we need to do more. Obviously, there's always going to be a risk," Crass admitted.

North Carolina does have a statewide security policy to help manage and mitigate cyber risks and contracts with companies to regularly assess agencies' security risks.

He said members at NCDIT are constantly working with law enforcement to stay knowledgeable about current cyber risks.

"We're always looking at ways to improve and whether or not the technology and tools and processes that we have in place are the right ones to address the threats that we're seeing and where maybe there is a gap where we're open and trying to change those things to stay ahead of this as much as possible," Crass said.

Many of the institutions reported sending money to fraudulent accounts. Crass admitted this type of theft can be more difficult to recognize and prevent.

"The attackers can go out there, start up a website and impersonate an organization. We work with law enforcement. When we find those things, we report those in, so that way they can take action to try and take those sites offline where possible," he explained.

Crass said the top cyber threat that state agencies continue to face is ransomware attacks.

"It is something that we're watching regularly to try and make sure that we have good controls in place, that we're doing things that can help reduce the risk that someone's going to be impacted there," Crass said.

Crass offered a few tips for state agencies, other businesses, and even individuals to ward against any financial loss through cyber security breaches.

He said awareness training remains vital, report any attack immediately, and if you do get a request from a business asking to send money, research the business and even call it to verify the request.