Nearly $2 million in taxpayer funding lost in phishing scam targeting Nebraska school district

A Nebraska school district is working to recover $1.8 million lost in a sophisticated phishing scam, Gray’s KSNB news station reports.

“We are committed to keeping our community informed and to taking every possible step to safeguard public funds,” Broken Bow Public Schools wrote in a statement. “Broken Bow Public Schools takes full responsibility for the fact that these safeguards were not in place, as well as full responsibility for this unfortunate circumstance.”

The district sent the funding to a fraudulent account after receiving an email containing “false payment instructions that appeared to come from a trusted vendor,” KSNB explains.

It was related to the district’s ongoing construction project and involved an Automated Clearing House (ACH) transfer sending money between banks electronically. 

Nearly $700,000 of the taxpayer money has been recovered through legal channels and insurance claims, the district said. The Federal Bureau of Investigation, Nebraska State Patrol and U.S. Secret Service have also joined the district in ongoing recovery efforts. 

Although the district declined to comment on specific leads or arrests, it said no tax increases will take place to cover the loss. 

Broken Bow Public Schools said Monday the district experienced a cybersecurity event involving a fraudulent Automated Clearing House (ACH) transfer relating to their ongoing construction project. An ACH is a system used to transfer money electronically between banks. 

More than 800 central Nebraskan students from preschool through 12th grade are enrolled in the district, which has its next board meeting July 21. 

Cybercriminals view school-sensitive information as ‘prime target’ 

As previously reported by The Lion, education has become the most targeted sector for cybercrime – outpacing government, healthcare and telecommunications. 

“The trove of sensitive information stored on an educational institution’s servers makes it a prime target for cybercriminals,” concluded a recent report from cybersecurity group KnowBe4. “While they may not be the most lucrative victims, there are several factors that make intrusion and extortion for ransom easier than organizations or institutions that are financially stronger and better-equipped sectors.” 

Intellectual property, health records and home addresses are just a few of the categories of sensitive information stored by public schools and universities. 

“The most concrete, effective step that an educational institution can take to secure vital and sensitive data,” said KnowBe4’s CEO Stu Sjouwerman, “is to ensure that all individuals who access IT systems are equipped with the proper tools, education and awareness to protect against cyber threats and reduce human risk.”