Police recovered over $300,000 stolen by phishers from Spotsylvania County Public Schools in Spotsylvania County, Virginia.
On 15 August, Virginia State Police announced that it had reclaimed over half the amount of money stolen in a phishing attack against the Spotsylvania County Public Schools. The law enforcement agency subsequently handed over checks totaling $347,010.39 to the Spotsylvania County Government Treasurer’s Office. It went on to state that it would deliver additional checks to the Treasurer’s Office over the following weeks.
Earlier in the month, officials at Spotsylvania County Public Schools gave more than $600,000 to an email account controlled by attackers. For the purpose of this scam, bad actors masqueraded as the contractor who had just finished putting in a $1.2 million synthetic turf football field at Courtland High School. The school district generated this money through a County bond approved by voters.
Virginia State Police said that their investigation into this incident remains ongoing. As quoted in its Facebook update:
State police began the cyber investigation Aug. 1, 2019, and has been working with local and state law enforcement in other states in order to track down the fraudulent deposits made into accounts at multiple banks. State police are still pursuing the case and several individuals associated with the scam. No charges or arrests have been made at this stage of the ongoing investigation.
This attack comes on the heels of a series of other recent security incidents in the education sector. Back in July, for instance, Lancaster University revealed that a successful phishing attack had resulted in a data breach involving the information of its students and applicants. That was just a few days before Gadsden Independent School District (GISD) announced that it was working to recover from a malware infection on its network.
Educational organizations should use the Spotsylvania incident and other attacks to motivate change in their own security posture. One of the key ways they can do this is by educating their workforce about some of the most common types of phishing attacks in circulation today. This resource is a great place to start.