E-mail phishing caused county to lose $566,000

E-mail phishing is how Sedgwick County government lost more than $500,000 to fraudulent activity, according to a document inadvertently made public this week.

The county received a Sept. 18 e-mail “that appeared to be from (a) vendor asking that billing information … be changed,” according to a property loss notice filed with Lexington Insurance Company in late October.

The new information was for “future ACH withdrawals.” That refers to the Automated Clearing House, the electronic network for financial transactions in the United States.

Sedgwick County, referred to in the document as the “insured,” then sent a payment of more than $500,000 after receiving notice to pay.

The county “then learned from (the) vendor that they had not received payment,” according to the notice.

The sequence of events described is known as phishing, when someone impersonates a reputable business to trick someone else into giving out personal information, such as passwords or bank account information.

“Legitimate businesses don’t ask you to send sensitive information through insecure channels,” the Federal Trade Commission advises.

In this case, the county sent an electronic payment of $566,088.90 to Wichita construction company Cornejo & Sons through the Automated Clearing House on Oct. 7. The payment was for a preventive road maintenance project on 53rd Street between Andale and Maize.

However, that payment never reached Cornejo & Sons.

The county discovered the loss on Oct. 25, when public works administrative assistant Julie Williams told accounts payable manager Cynthia Dodson that Cornejo & Sons had called, saying they never received the money.

Dodson is listed as the person who discovered the loss in a proof of loss document filed with Zurich North America, an insurance company the county has been working with on the insurance claim.

How info was released

The complete, unedited release of the Oct. 28 property loss notice was not on purpose, county legal staff members say.

On Dec. 7, The Eagle sent Sedgwick County a request under the Kansas Open Records Act. The newspaper asked for e-mails between the county and its insurance agent and insurance company related to the $566,088.90 loss. It also asked for claims filed and the county’s insurance policies.

The documents were received on Dec. 9.

Some information was redacted by Sedgwick County, citing an exemption under the Kansas Open Records Act for the ongoing investigation by the sheriff’s office and the FBI.

For instance, the property loss or damage description was redacted in the version of the notice originally received by The Eagle.

After a story ran in The Eagle, KWCH requested the same documents. However, the version of the documents KWCH received included the property loss description in its entirety, unredacted.

The county subsequently released a complete version of the document to The Eagle.

Assistant County Counselor Jon Von Achen said the information should have been redacted in the version sent to KWCH.

He said the open records exemption still applies to other documents requested by The Eagle, meaning the criminal investigation into the fraud is still ongoing.

This story was originally published December 15, 2016 at 3:04 PM with the headline "E-mail phishing caused county to lose $566,000."