Cyber security expert says phishing scam “very targeted”
ABC-7 is looking into phishing scams after the city was duped out of millions of dollars.
During a news conference Wednesday afternoon, city officials revealed a person or group pretending to be a vendor scammed the city out of about $3 million for the streetcar project by using a phishing scam.
Dr. Mark Sutter, the city’s chief financial officer, said the first payment to the phony vendor was for about $300,000 and a second payment was for about $2.9 million.
Professor Luc Longpre with UTEP’s Computer Science program has been teaching courses on cyber security for more than 20 years now. He says phishing scams can be hard to detect, as they’ve gotten more sophisticated over the years. Phishing is when criminals pose as a legitimate person, business or agency to commit fraud. In this case, the fake vendor used email contracts to scam the city.
Professor Langpore says it depends on how the city’s network is set up, but whenever there is any type of scam, there’s a possibility another one can happen.
“As soon as you have some amount of money is some account, and you have a process to be able to spend that money somewhere and somebody cracked your system, then they’ll take advantage of that process and take the money, it depends on how much money was in the account,” Professor Longpre said.
During Wednesday’s news conference, Sutter said the city has recovered about half of that money: nearly $1.6 million from the $2.9 million, and $292,000 from the $300,000 payment.
Despite recuperating some of the money, the city is now taking extra precautions moving forward in paying its vendors, by mailing paper checks until further notice.
The city sent a notice to its Accounts Receivable Department notifying them of the change stating “the city has temporarily suspended the issuance of payments via ACH.” ACH is an electronic network for large payments and financial transactions, the same system that allowed for the diversion in the scam.
Dr. Sutter tells Abc-7 the city is now in the process of making sure all ACH files are fine, and haven’t found anything else within their system to be compromised. He says the city will continue to use paper checks until they’ve gotten further into the investigation.
“With a paper check, we’re mailing that to an address that’s on file that was created when the vendor first got their contracts, so we know we’ve got a good address. And the creation of the paper check itself, is an added security environment because we know that someone has to cash that check, somebody has to endorse it, so there’s a whole paper trail that’s created that’s a little bit easier for law enforcement to follow if we needed to do that,” Dr. Sutter said.
Dr. Sutter tells Abc-7 they don’t think their systems were compromised at all, but wouldn’t elaborate on what they believe was the cause. He adds changing their system isn’t necessary because the system wasn’t hacked.
“It’s not like we’re discovering something that we oh we need to change something, the systems are governed by how the software is setup, the divisions on duty, so all of those controls are in place and this is one of those rare circumstances where a scammer was able to succeed,” Dr. Sutter said.
Professor Longpre says phishing scams of this magnitude are calculated. Longpre says whoever is responsible for the city scam had the intention to exploit the city and found a way to get in and the city didn’t have enough control to detect the intrusion.
“It could be anyone, we don’t have a profile of who is doing this, it could be local people, it could be foreign people. And it could be local people that do it from a foreign site and they go to some other country where the laws on this are weaker so that if they are found, the less liable bad consequences. It’s like unorganized crime,” Longpre said.
Longpre adds it’s extremely important for entities and businesses to develop a written security policy for employees to follow to avoid future threats, something Dr. Sutter tells Abc-7 city employees do already follow.
The scam is still under investigation.