California City Loses $600K in Wire Transfer Phishing Scheme

DESCRIPTION

At a news conference in March 2022, Jerry Dyer, the mayor of Fresno, California, confirmed that the city had been the victim of a phishing scam in 2020. The phishing attack involved two invoices from a city contractor for construction work relating to one of the Fresno police stations. The first invoice was sent in January 2020, with the follow-up sent two months later. The invoices looked identical to invoices the contractor had actually sent previously, except for one detail: the bank account number had been modified. The city responded to each invoice with a wire transfer payment; together the payments totaled $613,737. Although the fraud was committed two years ago, the attack was never publicized. Only after a recent public records request by a local newspaper did the mayor call a press conference to confirm the attack and explain why it had been kept secret. The Fresno City Council first learned of the incident in 2021, when the mayor’s office requested additional funds to cover the shortfall. It is believed that a city council member shared an email pertaining to the incident with the local paper.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

The attack was discovered in April of 2020 only because the contractor threatened to abandon the project and walk off the site due to lack of payment. The incident was immediately reported to the Fresno Police Department. The case was eventually handed over to the FBI in November of 2020. The FBI requested that the mayor at the time keep the incident concealed to aid the investigation. Incoming mayor Dyer was first briefed about the phishing attack just prior to taking office at the start of 2021. The FBI believes that the city of Fresno was just one of several cities that fell victim to similar attacks, possibly from the same criminals. In 2019, the city of Ocala, Florida directed $742,000 to a fake bank account after receiving a construction invoice. About the same time, the city of Naples, Florida lost $700,000 in a similar attack. Just last year, the Erie County government in Pennsylvania was fooled by a phony construction invoice for $108,000.

CONTAINMENT (If IoCs are identified)

The mayor’s office announced that the city has taken steps to prevent similar incidents from occurring again. A new policy requires that the city confirm all large invoices by phone. While the city did have an insurance policy covering this type of loss, it has not yet opted to file a claim for the attack. Later in 2020, the city paid the contractor the money owed.

PREVENTION

According to the FBI, $221 million was lost to wire transfer fraud in 2019. Fortunately, there are basic steps you can take to prevent such attacks.

  • Create a policy that requires that all invoices exceeding a certain dollar amount are authenticated by a phone call. The invoicing party should be contacted using a number used previously if possible. Phone numbers for new vendors should be retrieved using an Internet search. Never blindly call the phone number listed on an invoice.
  • Wire transfer requests made by internal personnel should also be confirmed by a phone call. Some companies require a secret password or confirmation phrase to be exchanged when authenticating the party making the request.
  • Establish a policy that requires a call-back verification process when setting up new payment instructions or payment modification requests from existing vendors.
  • Develop a dual control process for the payment of large invoices that requires the participation of at least two employees.
  • Implement an email security solution that utilizes malware filtering, blacklists, sandboxing, and advanced learning tools to identify and eradicate suspicious emails, attachments, or embedded links.
  • Conduct regular cybersecurity training programs that emphasize the need for your employees to remain vigilant. The training should educate them and give them the basic skills to improve their cyber hygiene by identifying suspicious or inconsistent emails or activity. Such training classes can be simple online courses that require only ten minutes or so and build upon each other.
  • Review your insurance policies to confirm that incidents such as wire fraud are covered and understand what the details are.

Ensure your Incident Response Readiness in the event of attack. Review your security and risk profile.

 
