Chester, Pa., Lost $400K to Phishing Scheme Over Summer

The incident, which was just recently revealed to the public, saw Chester Councilman William Morgan allegedly send an estimated $400,000 to an unknown scammer during a phishing incident in June.

(TNS) — City Receiver Michael T. Doweary is pressing Chester City Council for answers on what he deemed an "extremely troubling" incident in which Councilman William Morgan allegedly sent an estimated $400,000 to an unknown scammer during a "phishing" incident in June.

Doweary sent Mayor Thaddeus Kirkland and council members a memo Monday seeking additional information on the June 8 transfer, which was first revealed in an Oct. 21 press release from the city.

Doweary said he was not made aware of the transfer until the morning the release went out.

He wants to know who else knew, when they knew, and why he was kept in the dark for so long.

Gone phishing

The Oct. 21 release indicated someone with the city — later determined to be Morgan — received an email June 8 from a hacker posing as an insurance broker regarding a monthly insurance invoice.

Morgan, the city's director of accounts and finance, was engaged in email conversations at the same time with the actual insurance broker concerning the same invoice, according to the release, and the hacker was using information that was "almost identical" to the emails received from the broker.

"Due to the email chains occurring at the same time with almost identical information, a payment was issued," according to the release. "A wire payment was initiated in June to the posing insurance broker for the employees' workers compensation insurance."

The release stated that the incident was discovered during an internal review of monthly invoices, but did not provide a date for that review.

The release also said the Chester Police Department was notified along with Chester's Information Technology consultant, the insurance broker, and Santander Bank and Chase Bank — the sending and receiving banks, respectively — but there was likewise no timeline provided.

Police Commissioner Steven Gretsky said Oct. 21 that he had been made aware of the payment a few weeks prior, roughly two months after it happened, and that it was being investigated. James Nolan, chief of the Delaware County District Attorney's Office Criminal Investigation Division, said at that time that he was unaware of the incident.

Checking all the boxes

"From our end, the memo kind of speaks for itself about what we've been made aware of and the questions that the receiver has," said Doweary Chief of Staff Vijay Kapoor. "They really boil down to, No. 1, given the city's extreme financial condition, why were we not informed about a $400,000 payment until three months after city officials discovered it. And the other real main question we have ... is why was the District Attorney's office — who specializes in these matters, who was helping the Chester Upland School District in a cybercase — not contacted until last week, which is more than three and a half months after city officers were contacted about this?"

Morgan said Tuesday that he discovered the fraud about a month after the transfer had taken place. He immediately filed a police report, and contacted the two banks involved, the IT company and the broker.

Morgan said he did not go straight to the receiver about the incident because he wanted to be able to present all pertinent information about exactly how the transfer took place, what steps were taken to investigate it and whether the city could get the money back.

He said he heard from Santander Bank about three weeks to a month ago that it likely could not recoup the money.

"It was really just an internal investigation," said Morgan. "Once we knew that we wouldn't be able to recoup the funds, I wanted to notify all of council."

Doweary says in the memo that he met with Kirkland and Morgan on Oct. 26, during which Morgan reported that he had filed a police report after learning what happened and that the report had been forwarded to the Federal Trade Commission.

Doweary indicated he received a copy of that police report, dated July 12 and taken by Officer David McClain, who is assigned at City Hall.

Morgan said he remembered filing the report and notifying the other players at about the same time, so likely on or around that same date.

"I know all representatives that should have been contacted were contacted to say, 'Hey, this has happened, do what you need to do as far as going through your processes and procedures,' " Morgan said. "I followed my chain on my end as far as notifying everybody I needed to notify."

Morgan said he has no say in how police procedures are carried out, so whether CID or another agency was contacted is out of his hands. But he did file the initial police report when he learned of the fraudulent transfer.

Gretsky said Tuesday that Morgan's report had been given to the patrol division, as per normal procedure, and that Detective Capt. Matthew Goldschmidt had been investigating.

Gretsky said he reached out to Nolan personally to assist last week after learning of the amount of money involved. Nolan confirmed he did get the case last week and assigned it to a detective on Oct. 27, but had no other information because that investigation has only just begun.

Goldschmidt will continue to assist, said Gretsky.

Other attempts

"I appreciate the work that Councilman Morgan has put into his efforts in catching this before it got real, real bad," said Kirkland. "I'm quite sure that Councilman Morgan was trying his best to find out if, in fact, this was really happening to the city. He wanted to make sure before he informed everyone else that this was real and not some kind of fake situation."

Kirkland said Chester is currently investigating whether the transfer is covered by insurance. City Solicitor Ken Schuster did not return a call for comment.

There had been other attempts to breach the system, Kirkland said, but he could not recall if they happened before or after the June transfer. All other attempts had been intercepted before they could do any harm, he said.

Morgan said at least two other phishing attempts were caught in September and TechGuides Inc., the city's IT provider, was directed to block those email addresses and make sure there hadn't been any breaches in the system.

A person answering phones at TechGuides on Tuesday said the company would have to get permission to discuss Chester's current security situation. TechGuides didn't respond further.

Morgan said IT security for Chester has been moved to the front burner as a result of this incident and the city hopes to spend American Rescue Plan Act funds to work on that infrastructure.

Kirkland also said the city is working with Chief Operating Officer Leonard Lightner to upgrade its technology security and hopefully ensure no other attempts get through.

Every dollar matters

Kapoor noted the receiver indicated in September that Chester is facing a potential deficit of $46.5 million next year, and that projection had not changed as of October.

"Every dollar matters over here," he said. "A $400,000 impact is big on the city. Given the city's financial condition, every year we try to manage that, at a minimum, the city doesn't run out of money and then a $400,000 hit is very big for the city's cash flow. This is a material hit to the city and it's something we need to know about so we can make some adjustments."

Doweary's memo notes that a Commonwealth Court judge in March ordered Morgan and his team to share "any future correspondence or information they receive relating to the city's finances with (the) receiver and the Interim CFO," Chenora Burkett.

"Clearly, a non-budgeted approximately $400,000 payment is information relating to the city finances," the memo said.

Kirkland said that whether the information was provided in a time that suits the receiver or not, he has now been briefed and the matter is in the hands of the proper officials to investigate.

He added that even when county council knew right away that it had been the victim of a hacking scheme last year, it still eventually ended up having to pay a $500,000 ransom to get key systems back in place.

"You're darned if you do and you're darned if you don't," he said. "From the receiver's perspective, it would have been great if we could have informed them earlier. However, earlier, later, $400,000 was transferred and it was caught, and no more money has been transferred. In hindsight, should something have been said earlier? Possibly so, but it still would be $400,000 gone."

Kirkland acknowledged that alerting the receiver or other authorities earlier may have made a difference, however. Treasury Secretary Stacy Garrity said at a press conference in August that her office was able to begin clawing back $10.3 million for the Chester Upland School District that was almost lost in a similar scheme only because her employees began investigating on a Friday rather than waiting until the following Monday.

"It may have," Kirkland said. "We don't know. It may have given them that ability. That's a question that should be posed to them. ...The hope now is that this opens our eyes a little better, as well as other groups or agencies or municipalities, to keep our eyes open a little wider looking for these types of criminal activities."

© 2022 Daily Times, Primos, Pa. Distributed by Tribune Content Agency, LLC.