Clickability tracking pixel

Social Engineering Scam Hits Washington County Government

Benton County was the target of a $740,000 scam in which thieves pretended to be a building contractor working with that government. The cybercriminals were based in India, officials reported.

by Kristin M. Kraemer, Tri-City Herald / February 10, 2020
Shutterstock

(TNS) — A fraudster who stole $740,000 from Benton County concocted an elaborate scheme with very detailed knowledge of a contractor working on county projects.

It’s a scam that keeps tripping up public agencies.

Ellensburg officials fell for it last year, sending $186,000 to a bogus account.

And a few years ago, Pacific Northwest National Laboratory in Richland fell victim to the same con for $530,000.

“Human beings are trusting and they want to believe the best in everybody and rely on everybody to do a good job, and that’s the thing that these hackers take advantage of,” Kathleen Cooper, spokeswoman for the Washington State Auditor’s Office, told the Tri-City Herald.

“We’re all vulnerable to it in our personal lives and at work too. Just raising people’s conscience of, ‘Don’t click on something that you don’t recognize,’ will go a really long way.”

In the Benton County case, the thief was traced to India. The person went so far as to create an online domain name using the Kennewick construction firm’s name — minus one letter, according to a document filed in U.S. District Court.

And the name on the fake email address was strikingly similar to the name of a real employee with the legitimate company.

The email claimed to be from an accountant with the construction firm.

Employees with the Benton County Auditor’s Office exchanged about 20 emails with the purported accountant over three weeks about a bill the county owed for several building projects.

The document filed recently in federal court reveals what led up to the electronic transfer of $740,000 in November from the county to an Atlanta-based bank.

Secret Service seized money

Just over $23,000 of that was withdrawn from the account in a series of small transactions before SunTrust Bank identified it as a fraudulent account and froze it, the court document shows.

The U.S. Secret Service is investigating the crime.

The $717,200 still left in the account was seized by the Secret Service on Jan. 6.

Benton County went public with the news Thursday that it had been the victim of a “social engineering phishing scam.”

As a result of the investigation, the county now is reviewing its “internal policies and procedures to minimize the risk of a similar incident occurring in the future,” the county news release said.

Benton County Auditor Brenda Chilton could not be reached by the Herald about the incident.

The court filing is a “civil forfeiture of wire fraud proceeds” and is a necessary legal move to help Benton County recover the money that currently is in federal evidence.

“We are continuing to work with federal authorities to have the seized funds returned to us as quickly as possible,” said the county news release.

Claimed to be firm accountant

Benton County has long done business with Banlin Construction for both building construction and road maintenance, including a major upgrade inside the jail in Kennewick.

Also, the firm was just awarded a $13.6 million contract to build a new county administration office building near the Justice Center in Kennewick.

The scam started Oct. 28 with the first email to the auditor’s office. County employees did not notice that the “i” had been dropped from the word “construction” in the alleged Banlin Construction accountant’s email address.

Emails went back and forth between the fraudster and the county office until Nov. 15, when the payment was made.

“It appears the fraudulent email account was intended to mislead Benton County into believing that the fraudulent emails were in fact from Banlin Construction and that the fraudulent individual ... was a legitimate employee of Banlin Construction,” according to the court document.

The federal filing was done by Special Agent Nicholas Provoncha in the Secret Service’s Spokane office and Assistant U.S. Attorney Brian M. Donovan.

Servers, registry in India

Agents were able to determine that emails sent on three dates in October came from IP addresses associated with servers in India, and the public domain registration information for the misspelled “Banlin Constructon” also was done in India.

“The emails from the fraudulent account directed the Benton County Auditor’s Office to change the banking deposit information for Banlin Construction,” the court document stated. “The emails further requested that Benton County expedite their updating of the new, fraudulent banking information and the payment as soon as possible.”

On Nov. 15, county employees transferred the money from Key Bank to the SunTrust Bank account.

It was authorized by the county based on transfer directions received in the emails. The money was for legitimate invoice bills from Banlin Construction for ongoing projects.

After the transfer was completed, the auditor’s office sent a follow-up email to confirm receipt. The person behind the fraudulent email never responded, the document states.

Federal officials say the SunTrust Bank account is in the name of Kelly A. Simpson, and neither SunTrust nor Simpson are associated with Banlin.

The Secret Service was notified Dec. 6 by Benton County officials and the Benton County Sheriff’s Office.

Federal investigators spoke Dec. 16 with an investigator for SunTrust Bank, which only has branches along the East Coast.

The bank investigator confirmed the fraudulent activity, but only caught it after the cyber criminal withdrew about 3 percent of the deposit.

Protect against cybersecurity threats

As soon as Benton County officials suspected a potential loss of public funds, they did what is required of them by state law and contacted the State Auditor’s Office in December, confirmed Cooper.

The state agency decided that since the Secret Service already is involved, it will wait for that investigation to be completed and use those reports in the next county audit. That will save public resources by not doubling up on the investigation.

The audit report that will address the theft from Benton County likely will not be issued until 2021 since counties are on an annual audit cycle.

The current issue falls under its review of internal policies and procedures, making sure the local government has checks and balances in place to catch any errors, said Cooper.

The State Auditor’s Office knows local governments are facing ever-evolving cybersecurity threats, and has been taking steps to help agencies protect themselves.

In recent years, the office added an evaluation of internal controls dealing with electronic funds transfers, or EFTs, as part of the regular audit risk assessment, she said.

Cooper said the state office recognizes local governments and public education institutions are facing a lot of challenges in the cybersecurity realm because it’s coming at them from everywhere.

On top of that, agencies have a lot of sensitive information that people must divulge in order to do business or go about their daily lives.

Washington state Auditor Pat McCarthy has made it an office priority and reorganized resources to focus on auditing local governments’ cybersecurity posture.

In 2019, the office completed cybersecurity audits on seven local governments and worked with nine more. The Legislature gave the office a boost for the 2019-21 biennium by recognizing the value of those performance audits and appropriating $2.8 million.

“There are more than 2,000 local governments in the state of Washington so our waiting list is quite long,” said Cooper. “But this is something that started in the office in 2014 and we had to sort of ramp up our own expertise.”

And finally, the office’s small Center for Government Innovation team created a #BeCyberSmart campaign to help government employees realize they all have a duty to help protect their systems and data, instead of leaving it up to the information technology department.

Tips from the Center for Government Innovation include: never install software or connect hardware without IT permission; use strong passwords; think before clicking on links or popup boxes; verify a stranger’s identity; and delete questionable emails, even from someone you may know.

“Local governments are facing more and more of these attacks and nobody is safe. If you have an email address and computer connected to the Internet, then hackers are looking for you,” said Cooper. “All of us have a role to play to make sure that the information that we receive is protected.”

Similar fraud schemes

The scam is not that different from one that hit the city of Ellensburg last August.

The city received an email from someone claiming to be the accountant for an existing vendor and requesting that the next payment for an ongoing construction project be made by electronic transfer.

The city had been sending the vendor paper checks, but the email requested that payments instead be made by electronic transfer to an account at a Wells Fargo Bank branch in Texas.

City staff unknowingly sent almost $186,000 to the fraudsters.

The Daily Record reported in October that the money was recovered, other than a bank handling fee, because the city discovered the cyber attack immediately and contacted Wells Fargo.

And in late 2016, the Department of Energy’s PNNL in Richland sent $530,000 to a bogus account after receiving an email that it needed to change electronic payment information for a local construction firm.

The payment was meant for Fowler General Construction of Richland, which had a contract to build a $9.8 million Collaboration Center on the PNNL campus in Richland.

PNNL did not check with its contractor before making the change.

Battelle, which holds the DOE contract to operate PNNL, covered $430,000 of the fraudulent payment. Investigators were able to recover the remaining $100,000 with help from the bank where the money was sent.

The investigation was led by the Department of Energy Office of Inspector General. The theft became widely known in the Tri-Cities after it was part of a whistleblower lawsuit.

©2020 Tri-City Herald (Kennewick, Wash.) Distributed by Tribune Content Agency, LLC.

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.

E.REPUBLIC Platforms & Programs