The city of Fresno could have caught a phishing scam that lost the city more than $600,000 if city employees were following the safeguards set in place, according to a Fresno County Civil Grand Jury report released last week.
The city fell for the $613,737 hustle in 2020, but the mistakes did not come to light until The Fresno Bee broke the story of the phishing scam in 2022. City officials did not disclose the loss until The Bee asked about it, citing an effort to protect an FBI investigation, according to city leaders.
Months later the city fired its city controller, but leaders would not say whether the scam was the reason for his termination. The city controller heads up the Finance Department and oversees the city’s financial integrity, guides spending policies and pays the bills, among other business-related responsibilities.
Despite security practices and policies in place at the time, “conspicuous red flags within the Finance Department were apparently not noticed,” according to the grand jury.
The city’s Finance Department has since improved its practices, the report said. But leaders should still beef up security, including adopting practices citywide by the end of year that are used by the U.S. Department of Defense.
The grand jury found that some of the finance department’s policies were understood to be in place through training, but were not in the written policy. Even so, if the unwritten rules had been followed, the scam would have been caught, the jury report said.
The swindle started when the scammers presented themselves as a legitimate vendor that was already doing business with the city. That particular legitimate vendor had asked for payments to be provided with a paper check, the report says.
The scammers asked for those paper checks to be made into electronic payments, which should have been a red flag, the report said. Employees told the grand jury that kind of request is uncommon.
The city typically used an “automated clearing house” form to authenticate payments to contractors, but did not in the two cases that led to the $600,000 scam, the report says. The scammers used multiple bank account numbers connected to different states, which the clearing house form would have caught if used properly.
Finance department employees were also supposed to seek a second approval from another employee for large payments, but did not in the scam cases, according to the report.
The city has since adopted a policy of contacting vendors by phone with a number already on file to confirm the legitimacy, the report says.
The grand jury also made recommendations for protecting the city’s finances, noting that the growing prevalence of artificial intelligence and sophistication of criminals could make cybersecurity a greater issue in coming years.
Along with adopting Department of Defense policies, the grand jury recommended the city adopt policies that require the director to double-check certain payments, hire a firm to test the city’s system for phishing attacks, and add more double-checks, among other new policies. The grand jury put some deadlines on its recommendations for the end of 2024, and others into next year.
Mayor Jerry Dyer said many of the recommendations of the grand jury have already been met. He noted the city hired a new city controller and has implemented ongoing training. The city has also upgraded its software, he said.
©2024 The Fresno Bee, Distributed by Tribune Content Agency, LLC.
