Disney’s government fell victim to an email phishing scheme that ended up costing about $94,000, documents show.
An employee at Reedy Creek Improvement District believed she was receiving emails from a legitimate landscaping vendor and paid out nearly $722,000. Reedy Creek recovered all of the money except for about $94,000, according to an Orange County Sheriff’s Office incident report.
The sheriff’s office, which is working with the U.S. Secret Service, is still investigating the theft that occurred in February.
Reedy Creek Improvement District — which includes mostly Disney-owned land — acts like a county government and handles services such as building codes, road construction and fire rescue. Reedy Creek’s administrator was not immediately available for comment.
In February, a Reedy Creek finance employee received an email thread from a co-worker that included messages appearing to be from a landscaping vendor, BrightView Landscapes, the sheriff’s report said. However, it was not the co-worker who was responding. Her email had been hacked.
The email instructed that BrightView’s future payments be sent to the company’s new account with Capital One Bank.
“The document that was attached to email appeared to be legitimate as it also contained the proper BrightView Landscaping logo,” the sheriff’s report said, adding BrightView’s correspondence was also from a person who interacted regularly with RCID.
The finance employee emailed her co-worker back to confirm that the co-worker had verified the new account by phone, and the co-worker wrote back that she had, the report said.
“Believing the transaction to be legitimate, the account change was made and two payments were ultimately sent to the Capital One account,” according to the sheriff’s report.
The finance employee received another email from the same co-worker, informing her that BrightView had made a mistake and now wanted to be paid in a Bank of America account instead.
A few days later, a SunTrust representative called the finance employee to verify the payments. The SunTrust employee said her bank was contacted by Capital One because the name on RCID’s payments did not match the name on the Capital One account.
That’s when the Reedy Creek finance employee became suspicious, the sheriff’s report said.
The finance employee realized her co-worker knew nothing about the emails or the account changes. An investigation later revealed somebody unknown had deleted more than 200 emails from the co-worker’s account and then forwarded them to a Gmail account.
The finance employee also contacted BrightView, which said the company had not requested a new account to be used.
The sheriff’s office was contacted Feb. 27, and the Capital One account was frozen. By then only about $722,000 was left in it.
RCID got that money back in an electronic transfer in late March, although the government “has suffered a permanent loss of $93,658,” the report said.