How fraudsters stole a $1.3 million check from the town of Cary
AI-generated summary reviewed by our newsroom.
- Bank flagged $1.3M Cary check for payee mismatch; staff approved payment anyway.
- Fraudsters altered SAK Construction check to a different company name.
- Investigators notified FBI about the fraud; police recovered the money
READ MORE
Cary under scrutiny
The town of Cary has been in the spotlight since late November, when Town Manager Sean Stegall was put on administrative leave without any explanation from the town. Stegall resigned Dec. 13, 2025, amid reports of questionable spending. Here is ongoing coverage from The News & Observer.
Expand All
Fraudsters stole $1.3 million from the town of Cary this spring by altering a check meant for a town contractor. The money was recovered after a police investigation, records show.
Questions about the check were raised after former Cary Town Manager Sean Stegall was placed on paid leave in late November over allegations of “over-the-top” spending, a lack of transparency with the full Cary Town Council, and creating “an unhealthy work environment,” Cary Mayor Harold Weinbrecht said during an emergency meeting Dec. 15.
Stegall resigned two days before that emergency meeting, receiving a severance of $194,832.
The News & Observer received a tip about the check and submitted a public records request to the town Dec. 12. The town responded at 6 p.m. Dec. 23. Here’s what the documents show.
Bank flagged check; it was approved anyway
On April 11, an accountant on the town’s staff reported there was a check pending approval through Wells Fargo’s positive pay program.
Positive pay is a fraud prevention measure used by banks to compare checks they receive to a record of the checks issued by the payer.
“Positive pay is the single best fraud prevention tool available,” according to best practices from the Government Finance Officers Association. “If a government’s bank offers a positive pay service and the government chooses not to utilize it, then the government (not the bank) will be liable for fraudulent transactions.”
The Government Finance Officers Association represents public finance officials throughout the United States, and outlines best practices those officials should follow.
“It’s a high amount, and I wanted to reach out to get confirmation on decisioning,” the accountant wrote in an email. “The reason says payee mismatch, so I wasn’t sure if you guys need to pay this or return/cancel this check.”
Documents show the check was meant for SAK Construction, LLC, a pipeline rehabilitation contractor, in the amount of $1,326,095.50. But the name had been changed to ONE STOP #3, LLC.
The accountant noted that a decision was due in four and a half hours or the check would be returned.
“That one is good to let pay!” wrote an accounts payable specialist in the town’s finance department.
A month later, on May 5, an accountant with SAK reached out to the town inquiring about their payment.
Then, according to public records, there was a flurry of emails between staff members and with representatives of the vendor trying to determine the location of the check.
One official asked why a paper check was issued instead of an electronic check.
Another responded that SAK was set up to only receive physical checks through Oracle Financials, a software application used by the town.
The conversations continued into the next day, including in employee group chats, with staff members notifying the bank of possible fraud.
The accounts payable specialist who had verified the check said she didn’t catch that the email asking about it didn’t contain a picture of the check showing that it named the wrong company, and the accountant may not have known to look at the check image.
The staff discussed why the company wasn’t being paid using Automated Clearing House, or ACH, which is the main way organizations transfer funds online.
A supervisor confirmed that the company’s banking information, which would have allowed for such an online transfer, was in Naviline, the town’s previous financial software.
“I can already see that they updated basic info in Naviline in AUGUST, right before moving to Oracle, but the banking was already in there,” the supervisor said. “The banking is in Nav, but not Oracle. Don’t know why.”
The use of checks should either be eliminated or minimized, according to the Government Finance Officers Association’s best practices.
“Fewer and fewer payments by governments are being made by check as more electronic options have been made available, but check payments still exist and have unique control and fraud prevention requirements,” according to those best practices.
In an affidavit to Wells Fargo dated May 6, Cary Finance Director Kimberly Branch wrote the “proper information was submitted via the secured portal. The check appears to have been altered to reflect a different payee.” The affidavit also states that the check file and data were sent electronically to Wells Fargo “via secure server to be printed and mailed by Wells Fargo.”
That’s in line with a Government Finance Officers Association suggestion that governments “may also want to consider outsourcing the check writing function to a bank or other third-party provider” as a best practice when handling physical checks.
The public documents released by the town included a folder called “From PD,” which include a Cary Police Department incident report, showing the incident was reported on May 13, and an unattributed statement.
“An investigation revealed that an unknown individual had unlawfully obtained the town’s accounting information and produced a counterfeit vendor’s check using the town’s account numbers. The fraudulent activity originated from Jacksonville, Florida.,” according to the statement. “Local law enforcement officials in Jacksonville, Florida, were notified of the situation, in addition to the FBI, as Cary Police Department investigators worked through the investigation, and the money was recovered.”
A reimbursement notice, dated May 20, was included in the documents, showing the town recovered all but $10. It didn’t provide a reason for the $10 difference.
Emails sent in August and September show that the town required all finance department employees to attend one of two mandatory trainings organized by Wells Fargo about cybersecurity and best practices to protect against fraud.
The N&O has called and emailed Interim Town Manager Russ Overton and Branch, the town’s finance director, with questions related to the check and the town’s finances, in general, but they have not responded. Weinbrecht, Mayor Pro Tem Lori Bush and Councilmember Carissa Kohn-Johnson did not return phone calls with questions about the check.
Questions emailed to Weinbrecht also went unanswered but were uploaded to the town’s public records portal.
This story was originally published December 24, 2025 at 1:11 PM with the headline "How fraudsters stole a $1.3 million check from the town of Cary."
