County transfers $220K to criminals through email scam, recovers $195K
King County accidentally transferred $220,000 to cyber-criminals through an email scam last year.
Ken Guy, director of Finance and Business Operations, said that the email scam happened when a criminal hacked the email account of King County’s vendors, the Washington Initiative for Supported Employment — an organization that helps adults with disabilities to find employment — and then masqueraded as an employee of that vendor.
Acting as “Jeanne at WISE,” the hacker sent a short email to the county saying that it needed to update its information on file, and asking for the county’s bank routing number. The email had the WISE logo in the signature, but was also filled with grammatical errors.
“On the surface, very quickly glancing at it, it looks legitimate,” Guy said. “Now granted, when you go through the details of it, you see punctuation errors.”
The email was followed by a fax that “looked like it was legitimately from that vendor,” according to Guy.
The county frequently receives such email scams, and they have always been caught in the past, Guy said.
“It was not the fault of any individual county employee,” he stated. “This occurred because we didn’t have sufficient training and controls that were in place, and we’ve since put those into place.”
Now the county has implemented mandatory online training for all employees who work with bank transactions online. As a precaution, any employee receiving a request for banking information must call back the vendor at a previously-used number to ensure the sender’s legitimacy.
Additionally, new technology catches more phishing emails so that they do not even end up in employees’ inboxes in the first place.
“We take any loss of public funds seriously, and we’re sorry this happened,” Guy said.
He explained that through insurance and through other means of recovery, the county has recovered $195,000 of the $220,000 lost.
The FBI conducted an investigation but did not find who did it. The county does not believe a King County employee or vendor is the culprit.