City Government Phishing Victim

Hilliard, Ohio, a suburb of Columbus, suffered an email phishing attack in December that cost the city over $218,000 and the jobs of two city employees. In early December, the city accounting department received emails pretending to be a third-party vendor of the city. The emails convinced an account assistant to change the bank account routing numbers associated with the vendor. A few days later, the city paid a bill they thought was going to the third-party vendor but instead went to the criminal.

“Our investigations have shown the loss of funds was a result of human error in not following established protocol,” City Manager Michelle Crandall said in a statement. “This scam did not involve any breach of the city’s network, systems, or data.”

The city manager said verification protocols were in place to change third-party banking information, but they were not followed. The financial director contacted the police about the incident but waited 35 days to disclose the mistake to the city.

“Unfortunately, phishing is a rapidly growing problem, and government agencies are common targets,” Crandall said. “In 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.”

Convincing a financial department to change bank routing information is a common phishing tactic. It’s possible the third-party vendor suffered a Business Email Compromise (BEC), and the financial department thought they were corresponding with a trusted email contact. In other cases, criminals may use an email address that resembles the one they are spoofing but sits on a different domain, or the employee’s name may be misspelled. In all cases, employee education is the first step in preventing attacks. Financial and HR departments are most often targeted and should be first on the list for security awareness training. In this case, the city manager said protocols were in place, but they could be bypassed. Software tools can prevent this kind of human error by requiring approval before bank routing information can be changed.
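The kind of software gate described above, as an added example that is not code from the article or the city: a bank-change request is held unless the sender domain matches the vendor record, a callback to the number on file is logged, and a second employee approves. The vendor record, field names, example domains and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed vendor master record: the email domain on file for each vendor.
VENDOR_DOMAINS = {"V-1001": "acme-paving.example"}

@dataclass
class BankChangeRequest:
    vendor_id: str
    sender_email: str
    requested_by: str                   # employee who entered the change
    approved_by: Optional[str] = None   # second employee who signed off
    callback_verified: bool = False     # vendor phoned on the number already on file

def sender_domain_status(vendor_id: str, sender_email: str) -> str:
    """Return 'match', 'lookalike' or 'unknown' for the sender's domain."""
    on_file = VENDOR_DOMAINS[vendor_id].lower()
    domain = sender_email.rsplit("@", 1)[-1].strip().lower()
    if domain == on_file:
        return "match"
    # A near-identical domain is the similar-address spoof the article describes.
    if SequenceMatcher(None, domain, on_file).ratio() >= 0.8:  # assumed threshold
        return "lookalike"
    return "unknown"

def review(req: BankChangeRequest) -> List[str]:
    """Return the reasons the change must be held; an empty list means release."""
    holds = []
    status = sender_domain_status(req.vendor_id, req.sender_email)
    if status != "match":
        holds.append(f"sender domain is {status}")
    # A matching domain proves nothing if the vendor's own mailbox is compromised
    # (BEC), so the callback and second approver are required in every case.
    if not req.callback_verified:
        holds.append("no callback to phone number on file")
    if not req.approved_by or req.approved_by == req.requested_by:
        holds.append("no independent second approver")
    return holds

if __name__ == "__main__":
    # Constructed request: lookalike domain ("l" in place of "i"), no verification.
    spoofed = BankChangeRequest("V-1001", "ar@acme-pavlng.example", "assistant1")
    for reason in review(spoofed):
        print("HOLD:", reason)
```

Because the callback and second approval are checked even when the domain matches, the gate still holds a request sent from a vendor's genuinely compromised mailbox.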


Posted by Charles Wright