What do Sedgwick County government, the city government of El Paso and the Community College System of New Hampshire have in common?
All three lost hundreds of thousands of dollars to fraud this fall. In each case, someone posed as an existing vendor contracted for construction work. The scammers used e-mail to contact the government. And all three cases were made public within a week of each other.
The similarities end there. The scams affected three vastly different entities. They released information to the public about the incidents at different paces. And, unlike Sedgwick County, the other two organizations have announced they have recovered much of the lost money.
But there’s a common thread of online fraudsters taking aim at entities that do public contracting, where information about contracts and contractors can be easier to find – and exploit.
Auditor offices in several states warned local government officials last summer about scammers.
“Phishing scam e-mails are diverse, have varying strategies and unique objectives, and try to appear like legitimate requests so that unsuspecting individuals will click on links, provide private information or send the fraudster money,” according to a fraud prevention alert from the Arizona auditor general’s office.
New Hampshire colleges
The Community College System of New Hampshire includes seven community colleges in the Granite State.
In August, the FBI issued an alert about online scammers using fraudulent e-mails to target colleges in the Boston area. The scammers portrayed themselves as existing vendors that were construction companies.
Spokeswoman Shannon Reid said the system was initially contacted via e-mail by a fraudulent entity in early October.
“We were contacted by an entity representing to be an existing vendor, to whom we make regular progress payments on an ongoing project,” an Oct. 31 statement by the colleges read. “The vendor’s practice had been to be paid by a hard copy check.
“The communication was a request to transition to electronic funds transfer via the Automated Clearing House (ACH),” the statement continued. “The request was accompanied by what appeared to be proper, complete and authentic documentation. We processed the ACH information and paid the vendor.”
The total loss was $130,000. The system did not publish a statement until after the weekend.
“We needed to get enough information to put out a statement about it,” Reid said.
The Oct. 31 statement discussed the initial contact, the ACH misdirection and an effort to review the system’s procedures. Reid said the community college system wanted to be as transparent as possible as a public entity.
“We made a conscious decision to be very up front about this,” Reid said. “To the extent that this is happening in the region, we wanted to make sure that other entities were aware of it and therefore could be on guard against this specific approach.”
The New Hampshire State Police and the FBI were brought into the investigation.
The system announced on Nov. 22 that it had recovered nearly the full amount – $124,000 of the $130,000 – by working with its bank.
“That was the positive end to that story,” Reid said. “We’re grateful that the process worked out the way it did.”
City of El Paso, Texas
The city government of El Paso, Texas, announced on Nov. 2 that it had changed its vendor payment process and was issuing paper checks to its vendors.
The changes stemmed from “a phishing scam that involved fraudulent e-mail contacts,” according to a city news release.
In early October, staff members discovered the city had potentially lost around $312,000 to a phishing scam. After reporting it to law enforcement, the city started an internal investigation.
In mid-October, officials discovered an additional misdirection of funds that totaled about $2.9 million.
City officials called a news conference to address the scam after The El Paso Times published a story about someone posing as a vendor to obtain payment from the city.
“The city did not immediately inform the public about the phishing scam at the request of law enforcement to allow for an appropriate investigation and to increase the possibility of recovering the funds,” according to the city’s Nov. 2 news release.
On Nov. 29, the city released some redacted e-mails at the request of the mayor and city council to “enlighten the community about the events related to the misdirection of approximately $3.2 million,” according to another city news release.
The first misdirected payment happened on Sept. 28. The $2.9 million in state funds was supposed to pay for a project managed by the Camino Real Regional Mobility Authority, an independent entity created by the city to handle transportation projects.
The payment was meant for the city’s downtown streetcar project, according to the El Paso Times.
The second misdirected payment happened on Oct. 4 and was $312,000 for city projects.
About $1.9 million of the $3.2 million had been recovered by the end of November.
Sedgwick County, Kansas
Open records requests filed by The Eagle in the past month and a half have revealed parts of the timeline in Sedgwick County’s fraud case.
The county received a Sept. 18 e-mail that appeared to be from a vendor asking that billing information be changed for future ACH withdrawals.
Then the county sent an electronic payment of $566,088.90 through the Automated Clearing House on Oct. 7, with Wichita construction company Cornejo & Sons the intended recipient. The payment was for a preventive road maintenance project on 53rd Street between Andale and Maize.
A county spokeswoman confirmed that payment never reached Cornejo & Sons. County staff discovered the transaction was fraudulent on Oct. 25.
Sedgwick County announced on Oct. 26 that a fraud incident of about $566,000 had occurred, on Oct. 27 that the FBI would join the investigation and on Oct. 28 that the government’s finance department was affected by the fraud.
There has not been a statement or official update since. County Manager Michael Scholes said in early December he didn’t want to release information that would jeopardize the investigation.
Sheriff’s Lt. Lin Dehning said there were no updates to share on the case, including whether any of the county’s funds had been recovered.
“It is still an active investigation,” he added.
‘Arising from the public contracting process’
Reid said Sedgwick County’s incident sounded similar in timing and method to her organization’s incident.
“The similarity here with the county is it’s a public contracting environment,” she said. “There’s a fair amount of information available (online).”
In a public contracting environment, governments like cities and counties ask the private sector to provide goods or services. Businesses respond to those requests with bids or proposals. Governments then approve spending money to contract for the work to be completed.
After two counties in Utah were victims of e-mail phishing scams, the Utah State Auditor’s Office issued a warning about scammers attacking local governments.
“This targeted e-mail scam thrives on familiarity, using information publicly available on an entity’s website – such as names, titles or other references,” according to the June 29 alert. “This familiarity often makes the recipient of the e-mail less vigilant in verifying the requests. The scam also thrives on urgency, indicating that the payment must be made immediately.”
The Oct. 31 statement from the Community College System of New Hampshire said it fell victim to fraud “by use of the internet.”
“This appears to be an emerging strategy made possible because of vulnerabilities arising from the public contracting process, where there is publicly available information about contracts, allowing criminal actors to falsely and convincingly represent who they are,” according to the statement.
“Escalation of criminal strategies must be met with increased education and vigilance.”