Time is money: $400K lost in phishing scam not reported to leadership until months later
Imagine that someone in A/P got fooled by a bogus invoice in a phishing email and paid hundreds of thousands of dollars to a cybercrook, but you didn’t find out about it until long after the fact.
That’s what happened to the city government of Chester, Pennsylvania. A hacker posing as an insurance broker emailed the director of accounts and finance regarding a monthly workers’ compensation insurance invoice.
The scammer somehow knew the finance manager had an email conversation going with a real insurance broker and learned enough about a legitimate invoice to start a separate email chain containing “almost identical information” and a convincing but fraudulent invoice, according to a report in the Delaware County Daily Times newspaper.
As a result, an estimated $400,000 was transferred to the imposter.
The city first became aware of the fraud during an internal review of monthly invoices. However, some top officials didn’t learn about the financial loss until three months after it happened, according to the news report.
The bank for Chester, PA, reportedly told the finance official that the money is unlikely to be recouped, and it’s unknown whether the loss will be covered by insurance.
What’s your phishing mitigation strategy?
While we’re sure you run a tight ship, missteps can happen. So if a phishing fraudster should strike, what’s your organization’s response plan, besides notifying your bank and the police right away and filing a report with the FBI Internet Crime Complaint Center?
This incident is a reminder of how important it is to have a cyberattack disaster recovery plan and conduct periodic cybersecurity training so your entire workforce will be alert for fraud.
The City of Chester claims that its third-party IT provider successfully fended off other phishing attempts this year, yet this one slipped through. To keep phishing attacks from happening to you, this may be a good time for a cybersecurity audit with your IT team that answers the following questions:
- Is it time to make investments in more up-to-date cyberattack prevention and detection technology?
- What security precautions do your software vendors currently have in place to deter phishing attempts and similar threats?
- Is it time to get cybersecurity insurance?