Last week, Voorheesville School District (Albany County, NY) disclosed that cyber criminals executed an unauthorized $1 million transfer from its capital fund. Roughly $750,000 has been recovered, and investigations are ongoing by the New York State Police, FBI, and U.S. Secret Service. The district is reviewing its procedures and expects to rely on cyber insurance if any portion of the loss is unrecoverable. (Source: Times Union)
If Your District Ever Suspects Wire or ACH Fraud
⚠️ Call the bank’s fraud/treasury desk immediately to request a recall or reversal, then contact the receiving bank.
⚠️ File a report with the FBI’s Internet Crime Complaint Center (IC3) and follow any required Suspicious Activity Report (SAR) guidance.
⚠️ Preserve all evidence — emails, approval trails, system logs — and isolate compromised accounts. CISA’s cyber-incident checklist offers step-by-step response guidance.
🔐 Controls Many Districts Still Miss (and Should Adopt)
Banking & Treasury Controls
- Require dual authorization on every EFT (one initiator, one approver), with out-of-band callbacks for new payees, banking changes, or large transfers. (FBI BEC guidance)
- Activate Positive Pay and ACH debit filters/blocks — standard practice recommended by the NYS Comptroller.
- Have someone outside the Business Office staff who initiate payments review online banking activity daily and document any alerts.
Purchasing & Vendor-Master Safeguards
- Require a vendor add/change form, W-9, and verified callback to a known phone number (not the one in an email request).
- Impose a 24-hour cooling period between any bank-account change and the next payment; a second reviewer must approve documentation.
- Limit non-PO or confirming PO purchases and present those exceptions to the Audit Committee monthly.
Technology & Access Controls
- Use multi-factor authentication across email, financial systems, and banking portals.
- Follow least-privilege access—separate staff who enter payables from those who release payments.
- Provide regular phishing-awareness training and monitor for business-email-compromise (BEC) attempts.
- Maintain routine patching and offline backups in accordance with CISA/MS-ISAC K-12 guidance.
Policy, Oversight & Insurance
- Adopt a written EFT/online-banking policy outlining roles, dual controls, callback steps, thresholds, and documentation requirements.
- Maintain a joint Finance/IT incident response plan—identify who contacts the bank, who files reports, and who communicates with the Board and community.
- Review your cyber insurance annually for coverage limits, social-engineering/BEC inclusion, and any required security controls.
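As an added illustration (not from the article or from Cerini & Associates), a small Python release gate that encodes the banking and vendor-master controls listed above: dual authorization, a documented callback to the phone number on file for new payees, recent bank changes and large transfers, the 24-hour cooling period after a bank-account change, and flagging non-PO purchases as audit exceptions. The $25,000 callback threshold and all class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

COOLING_PERIOD = timedelta(hours=24)  # the 24-hour rule after a vendor bank-account change
LARGE_TRANSFER = 25_000.0             # assumed callback threshold; set by district policy

@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str                             # verified at onboarding, never taken from an email
    account_changed_at: Optional[datetime] = None  # last vendor-master bank change, if any
    callback_verified: bool = False                # callback to phone_on_file documented after that change
    prior_payments: int = 0                        # 0 means this is a new payee

@dataclass
class Payment:
    vendor: Vendor
    amount: float
    initiator: str
    approver: str
    has_po: bool
    submitted_at: datetime

def blocking_issues(p: Payment) -> List[str]:
    """Controls that must all pass before an EFT is released; an empty list means OK to release."""
    issues = []
    if p.initiator == p.approver:
        issues.append("dual authorization: initiator and approver must be different people")
    v = p.vendor
    needs_callback = (v.prior_payments == 0
                      or v.account_changed_at is not None
                      or p.amount >= LARGE_TRANSFER)
    if needs_callback and not v.callback_verified:
        issues.append("out-of-band callback to the phone number on file not documented")
    if v.account_changed_at is not None and p.submitted_at - v.account_changed_at < COOLING_PERIOD:
        issues.append("bank-account change is inside the 24-hour cooling period")
    return issues

def audit_exceptions(p: Payment) -> List[str]:
    """Conditions that do not block release but belong on the monthly Audit Committee report."""
    return ["non-PO / confirming-PO purchase"] if not p.has_po else []
```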
🧾 Monthly Oversight Checklist for Boards & Business Offices
- Reconcile all bank accounts monthly; treat payroll and treasury accounts as high-risk and review them daily.
- Provide the Board/Audit Committee with a monthly EFT/ACH activity report showing volume, dollars, and exceptions (with callback documentation).
- Spot-check vendor-master changes and wire/ACH files for evidence of dual approval and verification.
- Review user-access and MFA status in both banking and ERP systems.
- Track phishing-training participation and conduct quarterly simulations, reporting aggregate results to the Audit Committee.
The Voorheesville incident is a sobering reminder that capital and reserve accounts are prime cyber-targets. The theft wasn’t about poor intent — it was about a gap in process that cyber criminals exploited.
Every district — large or small — should pause this week and ask:
“If this happened here, how quickly could we detect it — and could we stop it?”
Because the best control isn’t just technical.
It’s cultural.
It’s awareness, vigilance, and verification — every single time.
In today’s threat environment, “trust but verify” must be policy, not practice.
Erin, Director
Erin is a Director of Cerini & Associates, LLP and works primarily within the firm’s education department. She has a robust background spanning over 15 years in Internal Audit, SOX compliance and Claims Auditing. She has worked with school districts, villages, nonprofit organizations, telecommunications and higher education.