The first sign wasn’t a cyber security red alert. It was a normal phone call.
It came in on a Wednesday afternoon, the kind of afternoon where everything felt slightly behind schedule, and no one could remember the last time they ate lunch at a normal time.
Janelle in Accounts Payable picked up the call expecting the usual: a vendor asking when a check would go out, a department needing a purchase order number, someone confused about a line item.
Instead, she heard the project manager for the courthouse renovation. Friendly voice, familiar name.
“Hey,” he said. “Just checking on that draw payment. We’re not seeing it.”
Janelle pulled up the record, already half answering. “It went out in this week’s batch,” she said. “It’s posted as released. Amount was… four point four million.”
Saying it out loud made it feel heavier. Not impossible, counties move money, but heavy.
There was a pause, not long, just long enough to change the temperature in the room.
“That isn’t right,” the project manager said. “We didn’t get anything, and… we did not change our bank account.”
Janelle blinked at her screen. “We received the bank change form,” she said quickly, because the words came automatically. “It came from your office.”
“No,” he said, firmer now. “That’s not us.”
Her hand tightened around the mouse. Her eyes went back to the email thread that had started earlier in the week. It looked perfect. Same project name. Same signatures. Same phrasing she’d seen a hundred times. Even the little politeness markers, “Appreciate you,” “Sorry for the hassle,” felt familiar.
Marie, her supervisor, stepped into the doorway at the exact moment Janelle’s face shifted from mild confusion to something else. Marie didn’t need the details. She could see it.
Janelle covered the phone and whispered, “He says the contractor didn’t change banking. The money went to a different account.”
Marie didn’t shout. She didn’t panic. She did the thing leaders do when their brains are racing faster than their voices.
“Hang up politely,” she said. “Tell him we’re investigating. Then call Evan.”
Evan, the county’s full-time IT person, arrived with his laptop and the kind of weary focus that comes from being the only one who gets called when something breaks. He didn’t argue. He didn’t ask why he wasn’t invited earlier. He asked two questions, immediately and in plain language:
- “When did the bank change request come in?”
- “Was it verified by phone using a number you already had?”
No one answered the second question right away. The silence answered it.
Marie said, “It looked legitimate. It was in the thread. It referenced the right project.”
Evan nodded once, like he’d seen the same movie too many times. “Okay,” he said. “Let’s treat this like fraud until proven otherwise.”
That’s how the county’s response began: not with certainty, but with the awful knowledge that if they were wrong, they’d be embarrassed—and if they were right, they might be ruined.
The Immediate Cyber Security Scramble
The next hour was a blur of phone calls, most of them starting with the same sentence:
“We need to stop a payment.”
The bank put Marie on hold. When the banker came back, the tone was polite, professional, and cautious, like someone who didn’t want to promise anything.
“Do you know if it was an ACH or a wire?” the banker asked.
Marie didn’t. She had never needed to care before. The county’s payment system was a tool, not a battlefield.
They dug through the details. Transaction numbers. Dates. Approval logs. The bank asked for documentation.
Marie pushed, “Can you reverse it?”
There was another pause, and then the banker said the words people use when they’re trying to soften a blow:
“We can attempt a recall. But if the funds have already moved, recovery becomes difficult.”
Difficult. Marie heard “unlikely.”
By the time they got to the recall process, the county had already lost more than money. They’d lost time. They’d lost the one thing fraud cases need most: early detection.
Janelle sat frozen at her desk, staring at the email thread like it might change if she stared hard enough. It didn’t.
Somewhere else in the building, the sheriff’s office was dealing with calls, reports, and jail operations. The clerk’s office was dealing with citizens. The county attorney was dealing with deadlines.
And now all of them were being pulled into the gravity of a mistake made in a quiet office with a perfectly normal email.
The Internal Cyber Security Chain Reaction
Leadership got looped in that same afternoon.
The finance director first. Then the Judge-Executive. Then the county attorney. Then the sheriff. Then department heads who didn’t normally get involved in accounts payable.
The meeting didn’t feel like a meeting. It felt like a collision.
“How could this happen?” someone asked.
The question wasn’t cruel. It was desperate. People wanted the comfort of a clean answer: one bad actor, one dumb mistake, one technical glitch.
But the truth didn’t offer comfort.
Evan put the email thread on a screen. “This doesn’t look like a technical hack,” he said. “This looks like someone impersonating a vendor and blending into your normal process.”
Someone else asked the question that always comes next: “But we have IT.”
Evan’s voice stayed calm. “IT keeps systems running. Cyber security is about preventing criminals from using our normal work against us.”
The Judge-Executive stared at the amount written on the notepad in front of him: $4,400,000.
It didn’t feel real yet. It felt like a number from someone else’s story.
Then the contractor called again, and this time the voice on the speakerphone sounded less friendly and more afraid.
“We have payroll on our end,” the contractor said. “We have subcontractors waiting. We’re not trying to be difficult, but we need to know what’s happening.”
The county attorney said what had to be said: “We’re treating this as a crime. We need to document everything.”
That led to a new list of cyber security tasks, all urgent, all happening at once:
- Freeze vendor banking changes
- Pull every email related to the project
- Identify who approved what and when
- Contact the bank’s fraud department
- Contact law enforcement (state and federal)
- Review insurance coverage
- Preserve logs and records
- Prepare for public scrutiny
- Keep the county running while doing all of the above
It was like trying to repair an engine while driving down the highway.
Law Enforcement and the Cold Cyber Security Reality
By the next morning, an FBI agent was on a call. His tone wasn’t shocked. That was the scariest part. He sounded like this was Tuesday.
“This is a common fraud pattern,” he said. “Social engineering. Vendor impersonation. The criminals don’t need to hack the county’s network if they can hack the county’s trust.”
He asked a few questions that hit like punches:
- “Did you verify the bank change using a known number?”
- “Do you have a written process for bank changes?”
- “Do you require two-person verification for high-dollar payments?”
- “Do you use out-of-band confirmation for payment changes?”
The county had answers, but they were not the answers you wanted.
They had policies on paper. They had habits in practice. The habits were faster than the policies.
The FBI agent said something that made Marie feel sick:
“In most cases, the money moves quickly through multiple accounts. The faster we act, the better. But I want to be realistic with you.”
He didn’t have to finish the thought. Everyone heard it anyway.
The Second Cyber Security Shock
The second shock came later, after the initial scramble.
Evan noticed something unsettling. The vendor emails weren’t just good—they were threaded. The criminals had managed to insert themselves into an ongoing conversation in a way that felt seamless.
He didn’t say “breach” right away. He said, “We need to assume someone saw internal email traffic.”
That changed the whole atmosphere.
Because losing money is a cyber security crisis. But realizing someone may have been watching internal communications turns a crisis into a threat.
Now the county had to consider:
- Are there other payments at risk?
- Are there other departments being targeted?
- Are passwords compromised?
- Are criminals still inside email accounts?
Evan started forcing resets. Locking down access. Checking sign-ins. Trying to do it carefully so he didn’t break county operations while securing them.
Everyone wanted certainty. Evan couldn’t give it.
He could only give the truth: “We need to treat this as ongoing until we prove otherwise.”
That Friday, Lindon County still had to operate the jail. Still had to answer 911 calls. Still had to keep court filings moving.
But inside, the county’s sense of normal was gone.
Not because the computers stopped working.
Because the county realized a stranger could look exactly like business as usual.
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.
