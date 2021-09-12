Over the last few weeks, we've learned of two costly email scams that have conned local governments in the Quad-Cities out of hundreds of thousands of dollars.
In Rock Island County, a scammer posing as a vendor lured the unsuspecting auditor's office into wiring $115,000 in taxpayer money to phony accounts. And in LeClaire, a similar email scam relieved the small city of about $222,000 over a four-month period between November 2020 and February of this year. (About half has been recovered.)
Nobody should be happy when thieves are able to con public money out of local governments, no matter their methods. The public has a right to expect that the stewards of taxpayer funds take great care to guard the money we send to them.
At the same time, these email scamers are becoming ever more clever. As John Johnson, founder and president of the Docent Institute, a Bettendorf-based nonprofit that focuses on cybersecurity education, said, "not everything looks like a Nigerian prince scam."
In other words, these types of scams aren't always easily spotted. Nonetheless, it's something that anybody charged with safeguarding funds should be alert to. We're quite sure that none of our local governments wants to be the third to appear in the news this year for falling for this kind of swindle.
These scams also are becoming more frequent, too. The FBI has warned that these types of Business Email Compromise, or BEC, scams are increasingly targeting governments.
The agency said individual losses have ranged from $10,000 to $4 million. And with the pandemic prompting a shift of a significant part of the workforce to remote work, the risks have only grown greater.
If the incidents in Rock Island County and LeClaire haven't already, they ought to alert other local governments to review the procedures and training they have in place to protect against such scams. And local elected leaders, who have the ultimate responsibility for the wise use and safeguarding of these public funds, ought to be quizzing their administrative staffs about what they have in place to prevent this.
This, of course, isn't just a problem in the public sector. Private individuals and entities also are victims. The FBI's Internet Crime Complaint Center said in its most recent report it got nearly 800,000 complaints in 2020, a 69% increase over the year before.
The agency said that Americans were scammed out of $4.2 billion in online scams, up from $1.5 billion just five years ago. The Business Email Compromise was the biggest category, with adjusted losses last year of $1.8 billion, an increase from the year before. (Adjusted losses include funds recovered by law enforcement or banks.)
It's remarkable how the examples cited by the FBI are so similar to what happened here.
In one example, a county government got taken last fall when it received an email with new payment instructions from a legitimate vendor email address (sound familiar?). After failing to get a $1.6 million payment, the vendor contacted the county, which then referred the vendor to the email address. It turns out, the vendor's email address had been compromised and the payment instructions were fraudulent.
In 2019, the FBI said, a small city government got a spoofed email purporting to be from a known contractor requesting a change in payment method.The city complied, but later was contacted by the legitimate contractor saying they had not requested the change. The adjusted loss: $3 million.
Government and private experts say that additional training can help, alerting workers how to spot these types of scams and teaching them how to respond. The FBI even has a video about business email scams. The FBI also has a laundry list of commonsense tips, such as skepticism about unexplained urgency regarding payments; last minute changes and unsolicited requests to verify information.
Then, there is this commonsense advice: that employees verify all payment changes and transactions in person or via a known telephone number.
Of course, this kind of advice seems obvious once a scam has been perpetrated. And it's easier to practice this type of diligence in an office that hasn't been devastated by budget cuts.
In LeClaire, we're told, steps already have been taken to put in place additional safeguards, such as multi-factor authentication and other security software applications. Rock Island County also has been investigating the circumstances of the theft there.
Again, we hope other local governments are paying attention — and that they aren't the next to fall for these scams.
