Rock Island County, Ill., Loses $115K Via Phishing Email

A phishing email posing as a message from a legitimate contractor tricked the auditor's office in Rock Island County, Illinois, into wiring $97K to a bank account. The scammers also landed an additional payment of $18K.

(TNS) — It took only one email from scammers to get the Rock Island County auditor's office to wire $97,000 to a fraudulent bank account.

Six weeks later, an additional payment of $18,000 was wired, bilking the county out of some $106,103 before the account was frozen with $9,000 still in it.

Emails obtained through a Freedom of Information Act request by the Dispatch/Argus and Quad-City Times show how easy it was for criminals to steal money from the county by simply asking for the funds to be wired.

Someone alleging to be a legitimate contractor with whom the county does business duped the auditor's office into wiring the money to a "new bank account" June 1. The theft of funds by wire fraud was caught by the county's financial institution, which notified officials. The Rock Island County Sheriff's Department began investigating the theft July 28.

On the morning of June 1, someone impersonating the "controller" of a Rock Island contractor on the county's P25 radio project emailed Deputy Auditor Amanda Van Daele. Portions of the emails identifying the legitimate company that was used as bait were redacted.

"Good morning Amanda, hope you are doing well," the email read. "This is to inform you that (redacted) Construction, Inc. have recently made some company financial changes and moved all of its banking to a new bank. Please see attached and kindly update our new ACH information in your system immediately to ensure timely payment of current and future invoices in your possession. Let me know if you need anything else."

The scammers attached an electronic funds transfer form available on the county's website. Also attached was a letter from the vice president of commercial banking at Citizens Bank in Macomb, Ill., verifying the account and routing numbers of the bank account into which the money was to be transferred.

Van Daele replied 14 minutes later.

"Your information has been updated in our system and will be reflected in the June payment," she wrote.

The following day on June 2, the scammers emailed Van Daele again, saying there was an error in the account number and to please use the new one being provided. Van Daele replied that the information had been updated.

On June 11, the scammers emailed Van Daele again and asked if there were any invoices "currently being processed or authorized for payment for (redacted) Construction at this time?" Van Daele replied 45 minutes later that $97,042 would be paid June 18.

The scammers replied, "Thank you for the update. Have a great weekend."

On June 14, the scammers contacted Van Daele again, asking for their banking information to be updated a third time and provided a letter from the vice president of commercial banking for Wells Fargo Bank. Van Daele replied, "the information has been updated."

After the payment of $97,042 was sent, the scammers emailed Van Daele July 13, asking if there were any more invoices that would be processed for payment. Van Daele replied that $18,061 would be processed on July 23.

In the scam's fallout, County Board Chairman Richard "Quijas" Brunk sent an email Aug. 13 to Rock Island County Auditor April Palmer and copied County Administrator Jim Snider, State's Attorney Dora Villarreal and Sheriff Gerry Bustos, requesting that Van Daele be placed on administrative leave.

Brunk then sent the series of emails between Van Daele and the scammers to county board members before the Aug. 17 board meeting. Brunk also laid out the timeline of the bank fraud, noting several "red flags," suggesting Van Daele should have followed up with a phone call.

County board members voted 22-1 in a vote of no confidence for Palmer, asking for her resignation and the termination of Van Daele. Bob Westpfahl cast the opposing vote. A forensic audit of the auditor's office also was approved.

But Palmer is an elected official and cannot be terminated, and the county board has no authority over Van Daele since she reports to Palmer.

"Things are remaining the same at this time," Palmer said Thursday. "There will be more information to come."

Palmer confirmed that Van Daele was placed on administrative leave "for six business days until I was informed I could bring her back. I was taking direction and doing everything I was asked, and I continue to do so."

Kurt Davis, information systems director for Rock Island County, said the county was the victim of an attempted wire fraud in August 2020, but county offices stopped it. He said the recent wire fraud was not a failure of any cyber protection.

"This was a cybersecurity issue only in the fact this was an email the county received," Davis said. "We have in place spam filtering that provides protection against spam, malicious email and protection against viruses within emails; virus and phishing protection on the workstations; and protection against ransomware."

Palmer sent Davis an email Aug. 19 seeking to understand the situation.

"I was led to believe email scams are a part of cybersecurity," Palmer wrote. "So you are confirming that nothing would have flagged 'the email as spam or a security risk.' If you would not have caught it as trained (information technology) personnel, then how could I or my staff be responsible for not catching it? Your staff member did not catch it either before changing the vendor in (the database)."

John Johnson, president of the Docent Institute, a nonprofit that offers education on cybersecurity and other technology, said employers needed to educate their employees on best practices.

"When anything comes of high value and it doesn't feel right, you need to call that office and ask to speak to that person," Johnson said. "People will email and call and pretend to be someone else. I think the awareness of what a phishing email looks like and validation what their email looks like is necessary."

"Just pick up the phone and give them a call," he said. "When the risk is higher and there is a high financial cost, you need to verify it."

©2021 Quad City Times, Distributed by Tribune Content Agency, LLC.