The city of Fresno, California, fell victim to a phishing scam in 2020, resulting in a loss exceeding $600,000, which could have been prevented if employees in the Finance Department had adhered to city policies, according to a report released by a Fresno County grand jury on Thursday.
According to the report, construction on a new police substation in southeast Fresno commenced in April 2019. The contractor initially requested payment in the form of physical checks.
In January 2020, the Fresno Finance Department received an email from the scammer, who the city mistakenly believed to be an employee of the construction company, requesting payments via automated clearing house transfer instead. Over the next few weeks, the department authorized two electronic payments to the scammer totaling $613,737.
The city uncovered the scam when the construction company threatened to cease work due to non-payment, the San Joaquin Valley Sun reported.
Subsequent investigations determined that those behind the scam were part of an international organized crime syndicate.
“The perpetrators never submitted fraudulent invoices,” stated the report. “It appears they simply searched the internet for large construction contracts awarded by local governments. Using real data obtained from City Council agendas and minutes, they identified this particular contract, utilized publicly available information, and carried out a successful phishing scheme on unsuspecting city employees.”
The report highlighted that city staff failed to notice numerous red flags indicating fraud. The fraudulent email addresses ended in “.us,” whereas the contractor’s email addresses ended in “.com,” and the scammers provided multiple bank account numbers located in different states.
“This, too, did not prompt city staff to recognize the fraud,” the report noted.
The grand jury determined that Finance Department employees had not followed protocols that could have prevented the fraud. Staff did not authenticate the automated clearing house form to confirm that it was actually from the vendor of record.
Additionally, they did not have another staff member review the transfer, a mandatory step for all large disbursements.
The grand jury reported that the electronic payment procedure was “largely unwritten at the time of the incident.”
“Training for managing these significant money transfers was conducted verbally, and it seems that not all Finance Department employees were adequately trained,” the report stated.
“Without strict adherence to and enforcement of new and existing internal controls,” it warned, “there is a high likelihood of similar losses occurring in the future.”
