GAINESVILLE, Fla. – Thieves stole $107,625 from the University of Central Florida in Orlando by hacking into a vendor's computers, tricking officials into transmitting money to a different bank account then swamping the school’s email system so it didn’t notice warnings about the fraud, according to a newly released audit.
By the time the university noticed 12 days later that it had been victimized, nearly all the money had vanished. There were no reports of arrests in the case.
A newly released report from Florida’s auditor general spelled out details of the sophisticated theft, which happened in May. Even after the fraud, the auditor said the university was still transmitting payments to vendor bank accounts before they could be verified.
“The university cannot demonstrate that appropriate measures have been taken to reduce the risk of fraud and errors associated with vendor payments,” the auditor general’s report said. The office serves as Florida’s independent auditor under the Legislature.
The university said after the theft that it put new procedures in place to verify when a vendor owes money to ask the school to update its address or bank account. The state auditor looked at 15 such cases and said it found no more examples of thieves trying to trick the school, but it said the university was still sending payments before the new billing information was being verified.
In a response to the new audit, UCF’s president, Alexander Cartwright, said the school agreed with the auditor’s conclusions. He said it “has implemented enhanced procedures to ensure that changes to vendor banking and address information are rigorously documented, authorized and reviewed prior to processing.”
Cartwright also said the university was manually verifying changes and considering hiring an outside firm to verify vendors’ banking and address information. Employees in the finance office went through updated training to detect fraud in late October, he said.
The new audit did not identify the university vendor. It said the school was able to recover $2,394. That left more than $105,000 still missing. The total amount stolen represents a year's in-state tuition for about 17 students at UCF. The university's annual operating budget is about $2 billion.
After the theft, in September, the university said it completed its own, full-blown investigative report that included a detailed timeline about the case. The school said after one week that it could not immediately find the investigative report and has declined so far to turn over a copy under Florida’s public records law.
The university’s media relations office did not respond to phone messages left with four employees who work there.
Here’s how the scheme unfolded over 12 days, according to the state audit:
On May 10, the university’s finance department received an email from a vendor to cancel an $84,625 payment and send the check to a new bank account instead.
University employees did not realize the vendor’s email had been compromised. The transaction was entered into the university IT system and was submitted for approval by the assistant controller on May 15.
On May 16, the university approved the request and sent the original payment plus a $23,000 check to the vendor’s new bank account. The same day, the university's email system was victimized by a spam-bomb digital attack designed to overwhelm inboxes.
On May 17, the university asked the vendor to confirm it had asked UCF to update its bank account information. The vendor replied about one hour later by email warning that the change was unauthorized, but the spam bomb meant that university officials didn’t see the warning until three days later.
On May 20, the university’s finance department asked the bank to send the money back.
On May 22, the bank denied the request because the fraudulent account had insufficient funds.
By then, the money was gone.
The University of Central Florida is the largest public university in Florida by enrollment, with more than 68,000 undergraduate and graduate students. Its main campus is 13 miles east of downtown Orlando. ___
This story was produced by Fresh Take Florida, a news service of the University of Florida College of Journalism and Communications. The reporter can be reached at k.johnsen@ufl.edu. You can donate to support our students here.
Copyright 2024 WUFT 89.1
