Fresno lost over £460,000 to a phishing scam in 2020, a loss that might have been prevented if Finance Department employees had followed city policy, according to a Fresno County grand jury report issued last week.
A Fresno Bee investigation report from March 2022 revealed an information leak. It revealed that the City of Fresno had been the victim of a £300,000 scam. However, days later, Mayor Jerry Dyer disclosed that the stolen amount was £460,302.75.
According to the grand jury report:
Policies designed specifically to guard against this kind of fraud were not followed which made it possible for two large payments, made over the course of several months, to be sent to a false bank account.
In 2020, a scam was covertly detected at City Hall. The public first learned about it in early 2022, when a Fresno Bee reporter confirmed the illegal payments. Mayor Jerry Dyer declined to comment at the time, citing the need to protect an FBI investigation.
Only a few months after taking office as mayor of Fresno, Dyer became aware of the hoax. During his first week in office, he reported the event to the Fresno City Council. He confirmed the loss of money and stated that internal investigations had ruled out an inside job.
A few months later, the city dismissed its controller, although officials disputed reports that the scam was the cause. In charge of ensuring financial integrity, directing spending policies, and handling bill payment, the municipal controller leads the finance department.
How did the City of Fresno fall for a £460,000 invoice scam?
According to the reports, the scammers had defrauded multiple cities and were part of a global criminal group. They posed as the construction company and sent the city enormous fake invoices, taking advantage of the construction of the new southeast district police station in Fresno.
The construction of the new police station began in April 2019. The original contractors had explicitly asked to be paid by physical cheque. Scammers approached the city’s finance department by email in January 2020. They posed as the contractors’ accounting specialists and demanded a change to the monthly payment arrangements.
First, scammers pretended to be an authorized vendor who was already doing business with the City of Fresno. Usually, this vendor asks for payments in the form of paper checks. An important red flag, though, was that the scammers requested these checks be turned into electronic payments.
Employees told the grand jury that this kind of request was not very common. Typically, the city verified contractor payments using a form known as an “automated clearing house”.
Nevertheless, in the two incidents that led to the £460,000 scam, this process was not followed. If the clearing house form had been used correctly, it would have caught the fraudsters’ usage of many bank accounts from various locations.
Furthermore, staff members in the finance department were expected to request a second approval before making any significant payments, although they occasionally neglected to do so.
The report states that, to verify a vendor’s validity, the city has put in place a rule requiring calls to the number on file. Citing advances in artificial intelligence and increasingly clever criminals, the grand jury highlighted the rising cybersecurity risk and suggested steps to protect city funds.
In addition to adopting Department of Defense policies, the grand jury suggested the city:
- Require the director to double-check certain payments.
- Hire a firm to test the city’s system for phishing attacks.
- Implement more double-checking procedures.
The grand jury set deadlines for some recommendations until the end of 2024 and others for the following year. Mayor Jerry Dyer claimed that many of the grand jury’s recommendations had already been implemented. He also said that the city had recruited a new controller and was providing regular training.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, as demonstrated by our free Domain Spoofing Test, which currently gets past around 50% of users' security systems.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.