On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.
The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.
“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.
On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.
The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.
The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.
Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.
There’s a lot going on here, and a lot of room for process improvement. The county can provide training to employees to better recognize phishing attempts, and send out test emails to ensure that the training took hold. Extra checks and verifications, like pre-screening vendors and maintaining a list of approved vendors, can be put into place before any payments are made. Staff can also keep on top of threat intelligence, so they know what new scams are going around, and ensure that the email system and the proxy servers recognize junk mail and malicious websites. Cybersecurity is a process, and it contains multiple layers. The fact that the county almost got scammed is in itself not a great shame – it does happen, to many organizations – but only if the opportunity to learn and improve from it is fully embraced.
This is a process issue. The County, or any entity of any size, should have verification checks in place for bank account changes, where an independent verifier contacts the vendor using previously known contact information to confirm that the bank account has changed.
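As an added illustration of the pre-payment checks mentioned in the post and the bank account change verification described in the comment above (example code, not anything from the post or from Harris County), here is a Python sketch of an accounts-payable workflow in which a vendor's bank account change cannot take effect, and no payment can go to the new account, until someone other than the requesting clerk has confirmed it by calling the number already on file. The vendor record, account identifiers and phone numbers are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    bank_account: str   # account of record captured at onboarding
    phone_on_file: str  # contact captured at onboarding, never taken from an incoming request

@dataclass
class BankChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str   # AP clerk who received the email
    verified_by: str = ""

def record_callback(req, verifier, number_dialled):
    # An independent verifier confirms the change out of band using the contact info on file,
    # not a phone number or email address supplied in the change request itself.
    if verifier == req.requested_by:
        raise PermissionError("verifier must be someone other than the requester")
    if number_dialled != req.vendor.phone_on_file:
        raise ValueError("callback must use the contact info already on file")
    req.verified_by = verifier

def apply_change(req):
    # Only a request with a recorded independent callback changes the account of record.
    if not req.verified_by:
        raise PermissionError("bank account change has not been verified")
    req.vendor.bank_account = req.new_account

def pay(vendor, amount, account):
    # Payments go only to the account of record, never to an account quoted in a request.
    if account != vendor.bank_account:
        raise ValueError("destination is not the vendor's account of record")
    return {"payee": vendor.name, "account": account, "amount": amount}

def _attempt(label, action):
    try:
        action()
        return (label, "allowed")
    except (PermissionError, ValueError):
        return (label, "blocked")

def simulate():
    # Constructed walk-through of the scenario; returns which steps were blocked or allowed.
    dw = Vendor("D&W Contractors", "ACCT-OLD", "555-0100")  # constructed sample data
    req = BankChangeRequest(dw, "ACCT-NEW", "clerk")
    return [
        _attempt("pay to new account before verification", lambda: pay(dw, 888000, "ACCT-NEW")),
        _attempt("callback to number given in the email", lambda: record_callback(req, "verifier", "555-0199")),
        _attempt("callback placed by the requester", lambda: record_callback(req, "clerk", "555-0100")),
        _attempt("apply change before any callback", lambda: apply_change(req)),
        _attempt("independent callback to number on file", lambda: record_callback(req, "verifier", "555-0100")),
        _attempt("apply verified change", lambda: apply_change(req)),
        _attempt("pay to account of record", lambda: pay(dw, 888000, "ACCT-NEW")),
    ]
```

Calling `simulate()` shows the first four steps blocked and the last three allowed: the $888,000 can only leave once the callback has been placed to the number on file by someone other than the clerk who handled the email.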
I would hope that the County, City of Houston, etc., also have appropriate firewalls, email scanning, and such in place, and block all web based email sites like Hotmail, Gmail, etc.
Ross 100% on this being a process issue – the scammers could have snail-mailed them an invoice.
But do you mean that Harris County and City of Houston should block all incoming email from gmail and hotmail? As in you can’t petition your government via email? No.
Ross is spot on, also agree with Jules.
I meant that employee access to non-official email systems like Gmail, Yahoo, Hotmail, etc. should be blocked. There’s no reason to allow access to personal accounts from government computers.
As a Federal Employee, I can tell you I (already) cannot access my Yahoo or Gmail account while on my govt computer.
I can’t do my other job with my government email. I can’t do my other job with gmail. Just how is a city employee supposed to get any real work done?