Officials Work to Recover Lost Funds
Nueces County is battling nearly $2 million in losses after a costly email phishing scam struck the courthouse. Confirmed during a Sept. 8 news conference, the attack has county leaders scrambling to recover funds while reinforcing safeguards against future threats.
How the Scam Unfolded
According to Interim Auditor Constance Sanchez, the scheme began when a fraudulent email tricked county staff into misdirecting payments. In total, officials identified five incidents, three of which led to financial losses.
- The first involved $56,850, and officials successfully recovered it.
- The second transferred $999,214.12, and officials expect to retrieve the amount with Frost Bank’s assistance.
- The third, a staggering $937,777.10, remains under investigation.
Sanchez explained that while the bank believes the third transaction may also be recoverable, the process could take up to 120 days.
Immediate Security Measures
County leaders wasted no time implementing safeguards. Officials suspended all wire transfers to halt additional fraudulent attempts, and they will now issue most payments using paper checks until the investigation concludes. Payroll remains the only exception.
Sanchez told reporters, “We ran a check last week and will continue issuing paper checks until the investigation concludes.” County officials contacted vendors and suppliers who requested payment method changes during the past year, and they stopped another fraudulent transaction before the county lost funds.
New Policies to Strengthen Oversight
Moving forward, Nueces County will enforce stricter verification procedures. Any vendor or supplier requesting a payment change must now authenticate the request in person.
Sanchez emphasized that the auditor’s office updated procedures and trained staff to recognize red flags. “Going forward, any future changes in payment type method by any vendor or supplier will require in-person contact for authentication,” she said.
How the Attack Worked
The scam used a technique known as business email compromise (BEC). Fraudsters impersonated legitimate vendors to reroute county funds into fraudulent accounts. At least one employee unknowingly clicked on a fraudulent email, enabling the attackers to redirect payments.
Though employees undergo annual cybersecurity training, Sanchez admitted there had been no written policy outlining disciplinary action in such cases. Officials have now corrected that gap.
Timeline of Events
The first known incident occurred in July, but officials only pieced together the scope of the fraud in recent weeks. Since then, Nueces County has been battling the $2M in losses through recovery efforts with law enforcement and the county’s banking partners. Sheriff J.C. Hooper confirmed that employees must complete yearly cybersecurity training, underscoring the importance of vigilance in preventing similar attacks.
Reporting Fraud
Officials urged residents to remain alert and report suspicious activity. Suspected fraud can be reported directly to federal authorities by calling 1-800-CALL-FBI (1-800-225-5324).
What Comes Next
Although officials expect to recover significant funds, county leaders remain cautious. The process could take months, and the full financial impact will not be clear until the investigation concludes. In the meantime, Nueces County is reshaping its approach to electronic transactions to prevent history from repeating itself.
The incident highlights the vulnerabilities of digital communication and the need for strict security measures in public offices that handle taxpayer money.
