PENDER COUNTY — Pender County officials admitted Monday a “perceived legitimacy” of fraudulent emails led staff to bypass security protocols, resulting in a $667,131 loss going undetected for weeks, despite a direct warning from the intended vendor.
Last month it was revealed, the county government was scammed out of six figures, now under investigation by the FBI and SBI. During a Jan. 5 presentation to the county commissioners, county staff provided a timeline of the security failure.
READ MORE: Pender County pays $650K in vendor scam, questions left unanswered
The security breach began in late September when an outside party successfully impersonated the county’s raw water vendor, the Lower Cape Fear Water and Sewer Authority. According to County Manager Colby Sawyer, who started his new role with Pender at the first of December, said the county received a $581,975 invoice from the legitimate vendor in mid-September. On Sept. 29, a fraudster impersonating the LCFWSA emailed the county requesting a change to the banking information.
County staff made the change on Oct. 1 and sent the payment to the fraudulent account the following day.
The loss went undetected for two months, even after the real LCFWSA emailed the county on Nov. 17 to inquire about the missing funds. Sawyer admitted the November email went unaddressed by county staff.
“I’m going to own it here as staff, that message was either not seen or it wasn’t responded to,” Sawyer stated. “We don’t know if it was seen or it wasn’t. There was no read receipt sent back, so we don’t know that that message was ever seen.”
Unaware of the error, the county continued to send smaller, monthly water payments to the scammers through early December. These recurring charges for raw water purchases included a $28,261 payment sent on Nov. 13 and a final $29,761 payment sent on Dec. 4.
The fraud was only realized by county staff on Dec. 12 when LCFWSA officials emailed again regarding the unpaid invoices. That evening staff filed an IC3 report, which is the FBI’s process for reporting cybercrime and digital fraud.
“A lot of balls started rolling at the same time,” Sawyer said. “Our IT team put their cyber security protocols into place, we started making phone calls to the SBI and the FBI to get the IC3 reports filed. Essentially, we threw the book at it to make sure we were secure on our end.”
Finance director Meg Blue revealed the county had a protocol in place to verify vendor bank account changes, though the policy was not followed in this instance. The county’s policy required staff to verify any bank account changes by checking with the specific department that works with the vendor, and by calling a verified phone number from the vendor’s official website to talk to a real person in their accounting office. To prove they were talking to the right person, staff were instructed to ask the vendor to confirm recent invoice numbers and payment dates.
“In this particular instance, again, we trusted the communication because of the perceived legitimacy, and that phone call was not made,” Blue told commissioners.
She asserted “no tax dollars” were involved because the money was drawn from the county’s enterprise fund — revenue generated through utility billing — rather than general property taxes.
Eager to prevent a similar incident in the future, Commissioner Brent Springer asked about the age of the county’s financial software and whether it needed to be updated. IT director Marcel Miranda confirmed the county has since updated its accounting software, Munis — which the county has used since 1999 — to include a “multi-stage approval workflow.” Any future changes to a vendor’s banking information will now require three levels of approval and trigger warnings when a vendor’s information is edited in the system.
“If you change one letter in a business’s name,” Sawyer said, “it generates about nine notifications that Meg has to approve, and then I have to approve.”
Sawyer noted the county has been “heavily engaged” with bank officials, insurance, and legal counsel to trace the funds. The county also brought in a “cyber strike team” from the North Carolina Local Government Information Systems Administration to verify network security and placed all relevant documents into a digital hold to preserve evidence for federal and state investigators. Additionally, staff have undergone “enhanced phishing training” to better identify impersonation attempts in the future.
Beyond the existing FBI and SBI investigations, county officials have invited the North Carolina State Auditor’s Office to conduct a full review of its books and cybersecurity protocols at no cost to the county. The state will perform a comprehensive financial audit of the county’s records while its cybersecurity team conducts a deep-dive into Pender’s network security to identify any vulnerabilities.
Have tips or suggestions for Charlie Fossen? Email charlie@localdailymedia.com
At Port City Daily, we aim to keep locals informed on top-of-mind news facing the tri-county region. To support our work and help us reach more people in 2026, please, consider helping one of two ways: Subscribe here or make a one-time contribution here.
We appreciate your ongoing support.
