Galveston Phishing Gone Bad
The City of Galveston fell victim to a sophisticated business email compromise (BEC) scam, similar to the commonly known phishing email scam, and lost $695,000 to a German fraudster and an accomplice. The overseas scammer used a dating website to manipulate Fawn Ann Sloan, an unemployed woman from Kentucky, into opening a bank account in her name to facilitate the fraud.
The scam targeted a transaction between Galveston and Longhorn International Trucks, from which the city was purchasing three trash trucks for nearly $1 million. The fraudster hacked into the vendor’s corporate email account and instructed city officials to send payments totaling $695,000 to Sloan’s account. Sloan then converted the funds to bitcoin and transferred them to the scammer in Germany.
As a result, the city officials involved received 10-day suspensions. Sloan faces up to 10 years in prison and must repay the stolen $695,000.
This incident highlights the growing risk of relying on email for vendor transactions and communications, a vulnerability that affects both businesses and individuals. Verifying that an email address is “legitimate” is no longer sufficient to prevent such fraud: in this case the fraudster had hacked into the vendor’s own corporate email account. Implementing two-factor authentication for personal and financial accounts is critical. For large or recurring transactions, a simple phone call to a verified contact provides an additional layer of security and can prevent significant financial losses.