Texas police and the FBI have launched an investigation into an email phishing scam in which $2.3 million was stolen from Manor Independent School District, the district announced Friday.
The scam marks one of the most costly recorded attacks of its type against a K-12 school district. It trumps an incident in 2018 against Crowley ISD near Dallas, Texas, that resulted in the loss of nearly $2 million, while a scam hitting Scott County Schools last April cost that district $3.7 million.
There were three fraudulent transactions made as part of the scam, Manor Police Department Det. Anne Lopez told CNN. Though no other information was provided, the initial description is consistent with a type of scam using phishing emails known as a “business email compromise,” in which a fraudulent actor fools someone with access to an organization’s finances to route payments to a new account under the guise of paying for services under an existing and legitimate contract.
Manor ISD, which is located just outside of Austin, Texas, and serves about 10,000 students, said Friday the investigation remained ongoing, but authorities are following several “strong leads” in the case. District officials could not be reached for comment on Monday.
“Manor ISD appreciates the Manor Police Department working together to communicate this to our community,” the district said in a Facebook post Friday.
Both phishing emails and business email compromise attacks are on the rise. There were about 20 publicly disclosed phishing attacks against K-12 education agencies in 2018, according to the K-12 Cybersecurity Research Center. Business email compromise attacks, according to the data security company Mimecast, can easily slip past email security protections and increased by 269 percent across all sectors in 2018.
This story was corrected after publication to indicate that this was not the most costly business email compromise affecting a school district.