You may think that you’ll never fall for a phishing email. However, phishing schemes can be quite sophisticated.
It’s a routine day at the office. You receive an email from a vendor notifying you that their banking information has changed and needs to be updated.
Everything appears to be correct and in order, so you go ahead and update the bank account information.
Weeks later, with considerable embarrassment and almost $3 million gone, you realize you have been taken in by a phishing email scheme.
Unalaska, Alaska
Unalaska’s city government found themselves in just this spot. Between May 15, 2019, and July 9, 2019, they inadvertently paid legitimate invoices from an actual contractor to a fraudster.
According to City Manager Erin Reinders, “The city had paid out a total of $2,985,406.10 to a fraudulent bank account as a result of a phishing email scam in which the sender of an email represented themselves as a known vendor and requested a change in payment method.”
How was the phishing email scheme uncovered?
A vendor’s accounting department can help uncover this type of scheme quickly if it stays on top of overdue payments, requiring that clients pay their bills on time or work will cease.
The legitimate contractor would have notified Unalaska that they were overdue on their payments. They may have even informed them that work would cease if the invoices were not paid.
Unalaska would respond that they had been paid in full and sent them verification of the payments and the dates they were paid out.
The contractor then would have informed them that they never received the payments.
At that point, the two sides would have compared bank account details, revealing that the account number on file did not belong to the contractor and that the vendor record had been updated fraudulently.
“We recognized that we had been transferring funds that were in response to legitimate invoices from a known vendor into an account that was not the vendor’s account,” Reinders said.
Given the short duration of the fraud, it is probable that this is how the scheme was uncovered. However, the exact details of what happened are unknown and have not been disclosed by Unalaska publicly.
The FBI was immediately involved.
After the scheme was uncovered, Unalaska immediately brought in the FBI, the city’s attorney, and its insurance company. A quick response to the fraud is what allowed most of the money to be recovered.
On August 22, the city of Unalaska had $2,347,544.43 of the funds returned. The insurance company is expected to cover the remainder of the funds, according to Reinders.
According to FBI Special Agent Steve Forrest, “Unfortunately, these financial schemes are increasing in frequency and sophistication, and we encourage anyone who realizes they have been victimized to follow the example of Unalaska and contact the local FBI office as soon as possible. We have numerous tools at our disposal which, if we are notified promptly, can be utilized to identify the perpetrators and work to recover lost funds. In the case of Unalaska, we were able to recover funds and prevent any future loss, thanks to the timely and thorough response from the city administration. We are continuing to investigate this case in an effort to identify the perpetrators.”
How could this have occurred?
There was a breakdown of internal controls and processes. One of three things happened:
- Internal controls and proper procedures were in place but were not followed.
- Internal controls were overridden.
- Internal controls and proper procedures for updating vendor information were lacking altogether.
Prevention:
To reduce the chance of this occurring again, Unalaska needs to:
- Update its policies and procedures for changes to vendor accounts.
- Implement a vendor change form.
- Verify any bank account change with the vendor by phone.
  - Use the vendor phone number from the vendor file or from the vendor’s own website.
  - DO NOT call the vendor number provided in the email.
  - In a business email compromise, the request may come from a lookalike or spoofed address, or from the vendor’s real mailbox if the attacker has taken it over. Either way the phone number in the email cannot be trusted, so retrieve it from somewhere other than the message.
- Send an email to the vendor informing them that their information has been updated.
  - The email should NOT be a reply to the original request.
  - It should be a new email to the saved address from your contacts.
- Train staff on procedures and internal controls.
- Create a pop-up notification in the accounting software that prompts the employee to confirm they followed protocol before a bank account change is saved.
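The controls above can be enforced rather than merely prompted for. The following is an added example, not Unalaska’s software or anything the city has described: a gate that an accounts-payable system could run before a vendor bank-account change is saved. It checks that the request came from the address on file (flagging lookalike domains), that the callback went to the number on file and not to a number offered in the email, that the confirmation went out as a new message to the saved address, and that someone other than the person keying the change approved it. The vendor record, requests and verification details are constructed for the example.

```python
# Added example, not Unalaska's software: a gate an accounts-payable system
# could run before a vendor bank-account change is saved. All vendor data,
# requests and verification records below are constructed for illustration.
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email: str          # contact address held in the vendor master file
    phone: str          # phone number held in the vendor master file
    bank_account: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    from_email: str                  # address the request arrived from
    new_bank_account: str
    phone_in_message: Optional[str]  # callback number offered in the email, if any


@dataclass(frozen=True)
class Verification:
    requested_by: str                        # staff member keying the change
    approved_by: Tuple[str, ...]             # staff members who signed off
    callback_number: Optional[str]           # number actually dialled
    callback_confirmed: bool                 # vendor confirmed the change by phone
    confirmation_to: Optional[str]           # recipient of the confirmation email
    confirmation_in_reply_to: Optional[str]  # In-Reply-To header, set if it was a reply


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def _digits(phone: Optional[str]) -> str:
    """Keep only digits so '(907) 555-0100' and '907 555 0100' compare equal."""
    return "".join(ch for ch in (phone or "") if ch.isdigit())


def is_lookalike(candidate: str, genuine: str, threshold: float = 0.8) -> bool:
    """True when two domains differ but are similar enough to be confused."""
    if candidate == genuine:
        return False
    return SequenceMatcher(None, candidate, genuine).ratio() >= threshold


def evaluate_change(vendor: VendorRecord, req: ChangeRequest,
                    ver: Verification) -> List[str]:
    """Return the controls that failed; an empty list means the change may be saved."""
    findings: List[str] = []

    # Control 1: the request should come from the address in the vendor file.
    # A near-miss domain is the classic lookalike. An exact match can still be a
    # compromised mailbox, which is why the callback below is required regardless.
    sender, expected = _domain(req.from_email), _domain(vendor.email)
    if sender != expected:
        kind = "LOOKALIKE" if is_lookalike(sender, expected) else "UNKNOWN"
        findings.append(f"SENDER_DOMAIN_{kind}:{sender}")

    # Control 2: callback to the number on file, never to a number in the email.
    if not ver.callback_confirmed:
        findings.append("CALLBACK_MISSING")
    else:
        dialled = _digits(ver.callback_number)
        if dialled != _digits(vendor.phone):
            if req.phone_in_message and dialled == _digits(req.phone_in_message):
                findings.append("CALLBACK_TO_NUMBER_FROM_EMAIL")
            else:
                findings.append("CALLBACK_NUMBER_NOT_ON_FILE")

    # Control 3: the confirmation goes out as a new message to the saved address.
    if (ver.confirmation_to or "").lower() != vendor.email.lower():
        findings.append("CONFIRMATION_NOT_TO_ADDRESS_ON_FILE")
    if ver.confirmation_in_reply_to:
        findings.append("CONFIRMATION_WAS_REPLY")

    # Control 4: someone other than the person keying the change approves it.
    if not (set(ver.approved_by) - {ver.requested_by}):
        findings.append("NO_INDEPENDENT_APPROVER")

    return findings


# Constructed sample data (fictitious vendor, domains and numbers).
NORTHWIND = VendorRecord("Northwind Marine Services", "billing@northwindmarine.example",
                         "907 555 0100", "12345678")
# Fraudulent request: 'rn' in place of 'm' in the domain, attacker-supplied callback number.
FRAUD_REQUEST = ChangeRequest("Northwind Marine Services", "billing@northwindrnarine.example",
                              "99887766", "907 555 0199")
GENUINE_REQUEST = ChangeRequest("Northwind Marine Services", "billing@northwindmarine.example",
                                "22334455", None)
# What a careless clerk does: dials the number in the email, replies to it, self-approves.
CARELESS = Verification("ap.clerk", ("ap.clerk",), "907 555 0199", True,
                        "billing@northwindrnarine.example", "<req-1@northwindrnarine.example>")
# What the procedure requires: number on file, fresh email to the saved address, second approver.
DILIGENT = Verification("ap.clerk", ("ap.supervisor",), "(907) 555-0100", True,
                        "billing@northwindmarine.example", None)

if __name__ == "__main__":
    for label, req, ver in (("fraud/careless", FRAUD_REQUEST, CARELESS),
                            ("fraud/diligent", FRAUD_REQUEST, DILIGENT),
                            ("genuine/diligent", GENUINE_REQUEST, DILIGENT)):
        print(label, evaluate_change(NORTHWIND, req, ver) or "OK")
```

Run against the constructed fraudulent request, the careless verification fails every control, while the diligent verification still blocks the change on the lookalike domain alone; the genuine request with the diligent verification passes. In a real deployment the callback in the fraud case would fail too, since the actual vendor would report that it never asked for a change.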
Note: Not all facts in this case were made public. The author has taken the liberty of speculating on how the fraud may have been uncovered.