Phishing-scam training has become a commonplace requirement in many workplaces these days. But not everyone is adhering to its lessons.
When emails from a fake paving company landed in the inbox of an accounting assistant working for a small Ohio city last month, the assistant was hooked.
The author pretended to be an existing vendor and persuaded the finance worker in the Columbus suburb of Hilliard, Ohio, to change bank-routing information for the vendor.
A day later, the city paid that account $218,992.06. Taking such actions is part of the standard work of an accounting assistant, but there is a verification protocol that was not followed.
City Manager Michelle Crandall said in a written statement that the city is committed to finding the perpetrator.
“We also are performing a thorough review of our finance department’s accounts payable protocols, including determining why a required protocol that could have prevented this scam from being successful was not followed.”
The city’s human resources department also is investigating with the assistance of legal counsel.
“Our investigations have shown the loss of funds was a result of human error in not following established protocol,” Crandall said. “This scam did not involve any breach of the city’s network, systems, or data.”
Phishing rapidly growing problem
On Feb. 6, Crandall placed the finance employee and Finance Director David Delande on paid administrative leave. Delande, who had more than five years in the post, was fired Monday, in part because he waited 35 days to inform his superiors about the incident. The assistant has resigned.
Crandall said it is important that the city be as transparent with the community as possible while ensuring the ongoing police investigation is not negatively impacted.
The city also has filed an insurance claim to recoup the taxpayer funds.
“We carry insurance on this kind of thing,” said David Ball, city spokesman. “We haven’t heard back on what will be covered.”
“Unfortunately, phishing is a rapidly growing problem, and government agencies are common targets,” Crandall said. “In 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.”