Business email compromise (BEC) scams are siphoning millions from US local governments, and fraudsters are only getting smarter. Cybercriminals impersonate vendors, officials, and even government employees to divert taxpayer funds straight into their own pockets. If you think your city or county is immune, think again—these jaw-dropping cases prove otherwise.
Here’s how hackers tricked officials into handing over millions.
Arlington officials fell prey to a sophisticated cybercrime operation. Criminals compromised an official email account and sent convincingly real wire transfer instructions to city staff. Before anyone realized what had happened, the funds had been rerouted into fraudulent accounts. Officials are now working with law enforcement to tighten their security protocols.
Lexington’s finance team wired $4 million to a fraudster after receiving fake payment instructions. The scam only came to light when the intended recipient flagged the missing funds. While the city managed to recover part of the money, the breach exposed gaps in its verification process, leading to stricter protocols.
A fraudulent vendor payment scheme tricked Mississippi officials into wiring $2.7 million to criminals posing as a legitimate contractor. The scam exploited weak internal verification processes, prompting the county to ramp up employee training and security reviews.
Scammers manipulated email conversations to impersonate a trusted contractor, convincing officials in Peterborough to send $2.3 million meant for a school and bridge project to fraudulent accounts. Despite efforts to recover the funds, the money was never retrieved, leaving taxpayers to foot the bill. Read more on the fraudulent payment request.
Cabarrus County transferred $1.7 million to fraudsters posing as a known vendor. Attackers altered bank details in official invoices and sent them via compromised email accounts. By the time authorities realized what had happened, most of the money was gone.
City officials in Blaine mistakenly wired $1 million to BEC scammers who impersonated a vendor. The fraudsters gained access to email conversations, changed payment instructions, and convinced staff to process the transfer. The city later admitted it lacked cyber insurance to cover the loss.
Portland fell victim to a BEC attack that allowed scammers to redirect a city payment to their own account. Officials have not disclosed the exact amount lost, but the incident forced them to implement stricter authentication protocols to prevent future breaches.
Officials in Fort Lauderdale transferred funds to fraudsters after falling for a phishing email. The city ultimately recovered $1.2 million, but the attack exposed significant security vulnerabilities, leading to new phishing awareness training and fraud detection investments.
Cybercriminals targeted a Minnesota city’s sewage project, tricking officials into wiring $1 million to fraudulent accounts. The attack took advantage of weak internal controls, prompting a city-wide review of vendor verification procedures.
Eagle Mountain officials were caught in a cyber scam that drained $1 million from city accounts. Fraudsters leveraged sophisticated email impersonation techniques to alter financial transactions. The city is now collaborating with cybersecurity experts to prevent future incidents.
Nonprofits are prime BEC targets—see real attacks and what finance leaders must do to protect funds, data, and mission-critical operations.
Manufacturers are top targets for BEC scams. See 6 real cases that expose how attackers steal millions—and what finance teams must do to stay protected.
See how 5 real BEC scams stole millions from healthcare orgs—what finance leaders must know to stop attacks that target payments, data, and operations.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
