Lexington officials discovered the theft late last week when the intended recipient of the funds, the nonprofit Community Action Council, reported not receiving the money, according to a news release from the city. Lexington officials have asked local police to investigate the incident.
“Police believe a person or persons outside government directed an electronic funds transfer into a private account,” the city said. “Initial information shows no criminal involvement of City or Community Action Council employees.”
BEC attacks have historically impersonated employees at a targeted organization. But cybercriminals are increasingly posing as third parties to intercept funds, as they apparently did in the Lexington case, said Crane Hassold, a former behavioral analyst at the FBI.
“These types of attacks can be especially impactful to state and local governments that may do business with dozens, if not hundreds, of different vendors,” Hassold, who is now director of threat intelligence at cybersecurity firm Abnormal Security, told CNN.
Many of those vendors are likely smaller companies, he added, that “aren’t able to dedicate resources to defending against the initial compromise that leads to attacks like this.”