While nearly all the money was recovered, the Washington state auditor's office recommended the Port strengthen its verification procedures and provide staff "adequate communication and training" on cybersecurity risks.
The two phishing incidents occurred in October and December 2021, resulting in $572,683 in public funds being transferred to fraudulent bank accounts over a series of eight payments.
In both incidents, the Port's Office of Equity, Diversity, and Inclusion forwarded phishing emails to the Port's accounts payable department or another employee for processing.
The Port was able to recover all but $50,000 of the lost funds, with $356,520 coming from the bank and $166,163 from crime insurance coverage.
The state auditor's office noted in its report that staff did not "consistently or adequately" follow preexisting procedures to protect electronic funds transfers and missed "key red flags" for phishing schemes, like misspellings in the email address and body, and the bank declining transfers due to closed accounts.
The Port said it hadn't had a cyber crime loss in the 15 months before the 2021 incidents and that involved staff attended a mandatory training afterward, according to the auditor's report. The training is now an "annual mandatory refresher," the Port said.
"Despite the robustness of controls in place, the human element can become a factor in any well-designed internal control environment," the Port said in the report.
Port spokesperson Peter McGraw said the Port quickly took steps to tighten its payment procedures to prevent future attempts of theft.
According to the report, the Port of Seattle sent a total of more than $1.6 billion to vendors in 2021 and 2022. Statewide, over $28 million in public funds has been lost since 2016 due to phishing, the report says.
©2023 The Seattle Times, Distributed by Tribune Content Agency, LLC.
