The City of Hilliard is actively investigating a December email phishing incident that resulted in the theft of nearly $219,000.
“Through the City’s internal and criminal investigations, we are learning exactly what happened and when, and we are committed to finding the criminals who launched this phishing scam,” City Manager Michelle Crandall said. “We also are performing a thorough review of our Finance Department’s accounts payable protocols, including determining why a required protocol that could have prevented this scam from being successful was not followed.”
The City of Hilliard Division of Police is performing an ongoing criminal investigation to locate the individual(s) who committed the crime. The City’s Human Resource Department also is in the process of completing a thorough internal investigation with the assistance of legal counsel.
“Our investigations have shown the loss of funds was a result of human error in not following established protocol,” Crandall said. “This scam did not involve any breach of the City’s network, systems, or data.”
Crandall placed an Accounting Assistant and the Director of Finance on paid administrative leave Feb. 6, pending the City’s investigation. The Accounting Assistant remains on administrative leave. On Feb. 13, the Finance Director’s employment with the City was terminated.
Crandall said it is important that the City be as transparent with the community as possible while ensuring the ongoing police investigation is not negatively impacted.
In a phishing attack, an outside entity sends emails or other messages pretending to be from a known, reputable person or organization. These emails use various tactics to try to convince the recipient to provide private information or – in this case – to change bank account routing numbers.
“Unfortunately, phishing is a rapidly growing problem, and government agencies are common targets,” Crandall said. “In 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.”
On Dec. 8 and 19, an accounting assistant in the City’s Finance Department received emails from an individual pretending to be from an existing vendor, Strawser Paving Company. The Dec. 19 email convinced that City staff member to change the bank account routing information the City had for the company. On Dec. 20, a payment was issued to that account for $218,992.06. While taking such actions is part of the standard work of an accounting assistant, in this instance a verification protocol the City has in place was not followed.
Between Dec. 28 and Jan. 5, Finance Department staff discovered the City had fallen prey to the phishing scam. On Jan. 6, the City of Hilliard Division of Police was contacted by the Finance Director, and a detective was assigned to begin an investigation.
On Jan. 31, the Finance Director informed the City Manager of the incident – 35 days after the Finance Director became aware this felony crime had occurred against the City.
On Feb. 1, a claim was filed with the City’s insurance broker to recoup the missing funds. On that date, the City’s Director of Human Resources also began the internal investigation.
This incident remains the subject of an ongoing police investigation.