Phishing scam hooks Fresno for $600K

Fresno County Grand Jury investigation finds warning signs were missed in 2020 ruse that scammed the city for over $600,000

Darren Fraser
Published June 11, 2024 • 11:00 am

FRESNO COUNTY – In its latest report, the Fresno County Grand Jury published the results of its investigation into a 2020 phishing scam that swindled the city of Fresno out of more than $600,000.

In December 2018, the Fresno City Council approved a contract for the construction of a police substation in southeast Fresno. Klassen Corporation of Bakersfield was awarded the contract in the amount of $6,405,000. The project broke ground in April 2019.

The building contractor asked to be paid in installments via check. According to the report, in January 2020, the city’s finance department received an email from someone claiming to be an account specialist for the company. This individual requested that payment be made electronically by Automated Clearing House (ACH), which is a routine and familiar practice. The process resulted in the establishment of a new bank account to receive funds.

The finance department emailed an ACH form to the individual, who completed and returned it via email. Again, according to the report, nothing about the request raised concerns from finance department staff.

On Jan. 30, 2020, the department authorized an electronic fund transfer (EFT) in the amount of $374,473. On March 5, 2020, the department authorized a second EFT in the amount of $289,264. The two requests, totaling $613,737, were transferred to the new account.

Everything appeared aboveboard. It wasn’t.

RED FLAGS

A phishing scam is the practice of sending fraudulent communications that appear to come from a legitimate and reputable source, which is usually done through email and text messaging. According to the Grand Jury report, the scam against the city could have been prevented had the finance department followed its own internal control policies and practices. These are both written and unwritten.

When a vendor requests payment via EFT or a new account is created to receive funds, the first step the department is supposed to take is to verify that the entity submitting the ACH form is the actual vendor. Next, the department sends a zero-dollar pre-notification – prenote – to the account to verify all information matches what the city has on file in its financial system.

According to the report, “a successful prenote would confirm that the new bank routing and account numbers match.”

Lastly, at the close of each business day, department staff is supposed to review all large disbursements. This procedure ensures the first two procedures have been followed. There is no paper trail confirming these three procedures were followed.

The report notes the above procedure was largely unwritten in 2020. And while EFT is the preferred method for paying vendors, if a vendor does not request EFT, they are paid by check. As noted, the substation contractor originally requested to be paid by check.

Training for these procedures was done verbally; not all finance department employees were properly trained.

These were not the only red flags. The individual claiming to be an account specialist with the company submitted multiple ACH and EFT forms. These referenced different bank accounts in different states. The individual also submitted different email addresses with various domain endings. None of these activities gave department employees pause.

A MUNDANE OPERATION

The city contacted the Fresno Police Department. The FBI joined the investigation, which revealed the bad actors were part of an international crime ring. Fresno was just one of many cities scammed.

Multiple accounts and the profusion of domain names aside, the Grand Jury noted that the scammers relied on publicly available information to pull off their frauds. They did not submit fraudulent invoices. They searched the internet for large construction contracts up for discussion in municipalities. According to the report, they examined city council information – agendas, minutes – to find out what they could about contracts. From there, they implemented their phishing operation. The report makes no mention of hacking or cyberattacks.

RECOMMENDATIONS

The report concludes with 11 recommendations.

By Dec. 31, 2024, the Fresno City Council should:

  • Adopt a citywide policy similar to the U.S. Department of Defense’s policy to identify indicators of fraud;
  • Ensure only data provided by the vendor in approved contracts is used in financial transactions;
  • Any changes to a vendor’s bank account must be verified and reviewed by multiple financial department staff;
  • Adopt a citywide policy regarding changes to ACH payments. This policy would place a cap on dollar amounts and utilize accepted accounting controls;
  • The city’s director of finance must approve all changes to methods of payment, such as moving from a physical check to EFT; and
  • Only the director of finance is authorized to bypass the prenote procedure.

By March 1, 2025, the council should:

  • Develop a single, authoritative repository of finance department written policies to which all department employees must adhere;
  • When possible, prevent the finance department from relying on verbal policies;
  • Contract with an outside firm to conduct phishing tests that identify vulnerabilities in the city’s data systems; and
  • Instruct the city manager to furnish a written report to the council that addresses all of the recommendations listed in the Nov. 16, 2023 report regarding internal controls as they relate to accounts payable and financial disbursements. The report was written by the Clovis-based accounting firm of Price Paige & Company.

Lastly, by June 30, 2025, the Council should ensure that all city finance managers and supervisors complete yearly training on reducing and preventing human error.
