Scammers pretending to be Brandt Construction emailed a city of Rock Island accountant to update automatic payment information. After the fraudsters returned a form, the accountant called their company contact to confirm, following the city's usual practices, only to discover it was fake. Scammers, that time, weren't paid.
In Bettendorf, the city’s human resources director fielded an emailed request asking to change City Administrator Decker Ploehn's direct deposit information. When the director, Kathleen Richlen, walked a paper form to Ploehn, he greeted her with surprise. He hadn’t requested a change. Again, the scammers were foiled.
In Rock Island County, scammers impersonating a construction company sent a June 1 email asking the county to update its banking information. The attached documentation looked convincing — a change-account document available on the county’s website and a letter from the vice president of commercial banking at Citizens Bank in Macomb, Ill., verifying account and routing numbers. The county changed the information, and 18 days later wired $97,042 to the fraudulent account. A month later, another $18,061 was sent before the scam was discovered.
Cyberattacks and scam attempts are an increasingly frequent and expensive hazard government organizations must contend with, and they can bilk local governments out of hundreds of thousands of taxpayer dollars.
Most common are the examples above, called social engineering fraud, where scammers target employees, intentionally misleading them into sending money or diverting a payment based on false information in communications such as an email, phone call, fax, or mailing.
According to the FBI’s most recent data, between 2016 and 2019, business email compromises, which target legitimate transfers of funds through email caused more than $26 billion in exposed dollar loss across the globe. Between 2018 and 2019, reports of business email compromises doubled.
In the Quad-Cities, at least three local governments paid out more than $100,000 to scammers. In all three cases, the criminals emailed local government officials pretending to be legitimate vendors the cities worked with.
Rock Island County paid $115,000. LeClaire wired more than $222,000 in a similar case. Moline paid roughly $420,000.
In all cases, the local governments had insurance to cover the losses. LeClaire was responsible for a $5,000 insurance claim, and recovered more than $120,000 wired to a fraudulent bank account, according to a spreadsheet prepared by the LeClaire City Clerk Tracy Northcutt. Moline will be responsible for $10,000 or $20,000 based on how the liability insurance claims work out, according to City Administrator Bob Vitas. Rock Island County's stolen funds will be covered by an insurance liability fund.
Scams are more sophisticated, but strategies can combat cyber criminals
“Municipalities are more and more of a target for cyber criminals,” said Nick Machovec, who works with municipal and business clients on cyber-related insurance for Molyneaux, an insurance agency in Eastern Iowa and Western Illinois.
That could be because public agencies operate on tight budgets, are understaffed, or may not have enough funds to mount costly defenses to system breaches, Machovec said.
Since January 2020, the Iowa Auditor’s Office has issued four advisories to governmental entities alerting them to potential illegal activity. Three urged municipalities to be wary of fake emails. In January 2020, the Auditor's Office warned "several entities" had experienced attempts at cyber attacks, and described situations similar to the Quad-Cities scams. In Iowa, government entities are required to notify the Auditor's Office of fraud, misuse of public monies, and scams.
In more sophisticated social engineering fraud, an email account is compromised months before payment requests are made, allowing the scammers to monitor emails, and time payment requests so financial officers don’t question it, and include company logos and language that doesn’t arouse suspicion.
Although three similar scams happened in the Quad-Cities, Machovec says that isn’t unusual. When public entities get scammed, there tends to be more publicity because it’s public money. Rock Island County held a press conference as soon as it learned about the scam, LeClaire included an item on an agenda relating to cyber theft insurance funds, and Moline officials responded to some questions from reporters.
Private businesses on the other hand, usually keep it quiet.
“It happens to our customers all the time. You just don't hear about it,” Machovec said.
But after news of the cyber attacks was published, several government officials at area municipalities said they reevaluated their internal policies, and added verification to change payment requests involving vendors and employees' direct deposits.
The Quad-City Times/Dispatch-Argus surveyed nine area government entities. Eldridge city officials did not respond. East Moline said in June, it received a fraudulent email requesting a change in direct deposit for an employee, and the city paid about $4,500 fraudulently, which didn't meet the city's insurance deductible.
In one case of a construction company, the CEO, CFO, and controller were emailing for weeks about a payment for a project. The company’s policy requires a signature from the CFO to wire payments. The controller asked the CFO, who had no idea about email string. The email addresses of the CEO and CFO had been compromised.
“There are businesses every day that are getting nailed by this scam,” said Dan Molyneaux, CEO of Molyneaux. “There are different levels of sophistication and control and awareness. But it's just a matter of if you're the unlucky one.”
Paul Rouse, president and owner of Rouse Consulting Group, said there are some cost-effective steps for protecting your company from cyber attacks. There’s no way to make anyone 100% secure, Rouse said the goal is to adopt as many practices as reasonable to make the client a more difficult target to attack.
“I give the analogy of the bear in the woods,” Rouse said. “If you and I are walking through the woods, I don't have to be faster than the bear. I just have to be faster than you. And it's kind of a funny analogy to it, but you want to make yourself as hard of a target as possible so that they just move on to somebody easier. They're looking for easy money in a lot of ways.”
- Calling a separate, trusted phone number to verify payment information when there’s a request for a change in accounts or for significant money transfers.
- Checking in person when making internal transfers like direct deposit changes.
- Implementing Multi-Factor Authentication, which requires two pieces of information to log into an account. It's often a password and a second, independent log-in approval sent to your phone. Research from Microsoft and Google suggests that Multi-Factor Authentication can prevent nearly all account breaches. The CEO of Colonial Pipeline, which experienced a ransomware cyberattack in May, told a Senate Committee the company was breached because of a no-longer-in-use V.P.N., a technology that organizations use to allow employees to access networks from home, didn't require Multi-Factor Authentication.
- Continuous training for employees. One example Rouse recommended was sending tests of fraudulent links that mirror a scam to train employees to be skeptical of unknown links, and especially for allegedly urgrent requests from the sender.
Rouse, said cyberattacks and scams were becoming increasingly more sophisticated and easier to undertake.
"Really in the last decade, the focus has, I don't want to say shifted, it's included everybody, whether it's the individual at home, a small organization, up to the big guys, and the skill required to launch many of these attacks has come down," Rouse said.
With more people working from home and relying on email and digital communication to complete work, Machovec and Molyneaux said that absolutely lessens the ease of in-person verification, and makes it easier for cyber criminals to take advantage of emailed communications.
Ransomware a threat globally
Ransomware attacks, where criminals lock users out of data and demand paid ransom, get more media attention. One happened to the City of Baltimore in 2019, and the city elected not to pay the roughly $80,000 ransom. Officials estimated the cost of lost or delayed revenue and costs of restoring systems to be $18.2 million according to the Baltimore Sun.
A survey of 1,200 companies hit by ransomware attacks in 2020 and 2021 found 53 of those were municipalities, the No. 9 industry with most ransomware attacks, according to research by NordLocker, a file encryption software company.
“There's almost this trend of where they (clients) feel like it couldn't happen to them,” Machovec said. “And that's feedback that I get from pretty much every municipality that I work with. But I say, ‘You know, I think the City of Baltimore would probably have said the same thing to me had I gone through the process with them…These are large, large cities, and if they can get breached, so you can you.”
Rise in cyber insurance prices
With more frequent and more expensive cyberattacks in recent years, cost of cyber insurance has increased sharply for businesses and public-sector organizations, according to a report from the Government Accountability Office to Congress this year. Premiums increased 10-30% from the third to the fourth quarter of 2020.
More businesses and organizations are electing to get cyber insurance according to the report, but insurers’ appetite and capacity for underwriting cyber risk has declined, especially in higher-risk industries such as education, health care, and public-sector industries. According to the report, that’s because of increasing losses from cyberattacks, the threat of future attacks, and the overall conditions of the market.
Machovec said of his company’s clients who renewed cyber insurance in 2021’s first quarter, the premium price rose 27% on average. That’s driven by the company’s 79% increase in cyber-related claims, Machovec said.
Many local government officials at the three entities that experienced fraud emphasized little taxpayer money would be lost because insurance would cover it.
But Molyneaux said premiums are typically affected by losses, so taxpayers could be paying more in the future.
But in investigating a significant loss, Molyneaux said an insurance company will emphasize what they learn about the internal controls of the organization and what could make them a riskier client.
“In this environment, claims absolutely affect future premiums,” Molyneaux said. “But you could have a major breach from a very sophisticated criminal where you did everything right, and the insurance company impact might be less than a minor breach, where the insurance company comes in and says, ‘Oh, gosh, yeah, we would have never written you if we knew that you were doing this or not doing this.’”