The city of LeClaire is still working to recover $102,000 from scammers who posed as three vendors the city works with.
In total, $222,373 in LeClaire city funds were directed to three fraudulent accounts through “cleverly disguised and modified emails that resembled legitimate emails from legitimate vendors,” interim City Administrator Ed Choate wrote in an email to the Quad-City Times.
The scam occurred over a four-month period from November 2020 to February of this year.
LeClaire has recovered about $120,618, Choate said, by freezing the accounts. Choate said the city is continuing to work with the FBI, the city's bank, and its insurance carrier to recover, or reach a settlement for, the remaining amount of about $102,000.
In two of the three situations, Choate said, the city discovered the cyber attack because the actual vendors contacted the city to alert officials that they hadn’t received payment. In the third case, the city clerk discovered the fraud and contacted the vendor.
The cyber attack is similar to one that happened in Rock Island County, in which a scammer pretending to be a legitimate contractor asked county officials to wire money, amounting to $115,000, to a new bank account.
Choate wrote that the city, the FBI, and the city’s local financial institution fraud team “immediately engaged a cyber security firm to conduct a ‘deep-dive’ forensic analysis and incident response investigation on the city’s entire I.T. system and to ensure the servers and emails were no longer compromised.”
The city installed multi-factor authentication and other security software applications, Choate said, to prevent email compromises in the future. Documents and training for ACH transactions, an automatic payment system, were also implemented by the city with help from its financial institution and the Iowa Department of Management.
“This was simply human error involving a situation where most people, who being preoccupied with busy daily schedules and activities, would have executed the very same way,” Choate wrote in an email. “It was determined that no formal, personnel disciplinary actions were warranted or administered.”
Choate was city administrator for 42 years before announcing his intention to retire at the end of 2021, staying on for the transition. The new city administrator, Chris Ball, started in February but parted ways after a six-month evaluation. Choate was reinstated temporarily while the search for a new city administrator gets underway.
John Johnson, founder and president of the Docent Institute, a Bettendorf-based nonprofit that focuses on cybersecurity education, said a simple step of taking the time to make a call or send an email to someone you trust before completing high-dollar transfers is a low-cost way to prevent scamming.
And, he says, not all email spoofs are easily distinguishable from legitimate requests.
“Not everything looks like the Nigerian prince scam,” Johnson said. “…If you check your spam folder, 90% of it is obvious, but sometimes they do just enough research, they have a logo, and they look legitimate.”