The City of Hilliard is actively investigating a December e-mail phishing incident that resulted in the theft of nearly $219,000.
โThrough the Cityโs internal and criminal investigations, we are learning exactly what happened and when, and we are committed to finding the criminals who launched this phishing scam,โ City Manager Michelle Crandall said. โWe also are performing a thorough review of our Finance Departmentโs accounts payable protocols, including determining why a required protocol that could have prevented this scam from being successful was not followed.โ
The City of Hilliard Division of Police is performing an ongoing criminal investigation to locate the individual(s) who committed the crime. The Cityโs Human Resource Department also is in the process of completing a thorough internal investigation with the assistance of legal counsel.
โOur investigations have shown the loss of funds was a result of human error in not following established protocol,โ Crandall said. โThis scam did not involve any breach of the Cityโs network, systems, or data.โ
Crandall placed an Accounting Assistant and the Director of Finance on paid administrative leave Feb. 6, pending the Cityโs investigation. The Accounting Assistant remains on administrative leave. On Feb. 13, the Finance Directorโs employment with the City was terminated.
Crandall said it is important that the City be as transparent with the community as possible while ensuring the ongoing police investigation is not negatively impacted.
In a phishing attack, an outside entity sends emails or other messages pretending to be from a known, reputable person or organization. These emails use various tactics to try to convince the recipient to provide private information or โ in this case โ to change bank account routing numbers.
โUnfortunately, phishing is a rapidly growing problem, and government agencies are common targets,โ Crandall said. โIn 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.โ
On Dec. 8 and 19, an accounting assistant in the Cityโs Finance Department received emails from an individual pretending to be from an existing vendor, Strawser Paving Company. The Dec. 19 email convinced that City staff member to change the bank account routing information the City had for the company. On Dec. 20, a payment was issued to that account for $218,992.06. While taking such actions is part of the standard work of an accounting assistant, in this instance a verification protocol the City has in place was not followed.
Between Dec. 28 and Jan. 5, Finance Department staff discovered the City had fallen prey to the phishing scam. On Jan. 6, the City of Hilliard Division of Police was contacted by the Finance Director and a detective was assigned to begin an investigation.
On Jan. 31, the Finance Director informed the City Manager of the incident โ 35 days after the Finance Director became aware this felony crime had occurred against the City.
On Feb. 1, a claim was filed with the Cityโs insurance broker to recoup the missing funds. On that date, the Cityโs Director of Human Resources also began the internal investigation.
This incident remains the subject of an ongoing police investigation.
