Aerial view looking into the city center urban core of downtown Lexington, Kentucky.
CNN  — 

About $4 million in federal funding intended for housing assistance in Kentucky was stolen after someone directed that money to a private bank account, officials of the City of Lexington said.

Lexington officials discovered the theft late last week when the intended recipient of the funds, the nonprofit Community Action Council, reported not receiving the money, according to a news release from the city. Lexington officials have asked local police to investigate the incident.

“Police believe a person or persons outside government directed an electronic funds transfer into a private account,” the city said. “Initial information shows no criminal involvement of City or Community Action Council employees.”

It’s the latest example of a popular fraud scheme known as business email compromise (BEC) that, FBI data says, costs Americans much more than any other type of online crime. The bureau received nearly 20,000 BEC complaints last year with estimated losses of $2.4 billion. The second most costly digital crime type, investment scams, tallied about $1.5 billion in estimated losses.

BEC scammers have defrauded everyone from elderly Americans living off pensions to young professionals who are house hunting. The US Secret Service, which investigates financial crime, has looked to work more closely with US companies to intercept fraudulent transfers before they are made.

BEC attacks have historically impersonated employees at a targeted organization. But cybercriminals are increasingly posing as third parties to intercept funds, as they apparently did in the Lexington case, said Crane Hassold, a former behavioral analyst at the FBI.

“These types of attacks can be especially impactful to state and local governments that may do business with dozens, if not hundreds, or different vendors,” Hassold, who is now director of threat intelligence at cybersecurity firm Abnormal Security, told CNN.

Many of those vendors are likely smaller companies, he added, that “aren’t able to dedicate resources to defending against the initial compromise that leads to attacks like this.”