“We have vendors that we make electronic payments to, and basically, those payments were compromised through electronic wire transfers,” said Rob Perry, the city’s chief administrative officer. “We’re working with the Albuquerque Police Department and FBI cybercrimes unit to conduct a preliminary investigation into this matter.”
The fraudulent transfers were made in mid-March, and the city discovered that it had fallen victim to the scam about a week and a half ago, Perry said. He said the APD, the FBI and the city’s inspector general were notified promptly, and the Office of the State Auditor was notified Thursday.
Perry said he is looking into whether the $420,000 loss will be covered by insurance. Although the city is self-insured, he said, it does have third-party cybercrime coverage that may cover the loss.
No other vendor payments appear to have been compromised.
“We’ve conducted (an) extensive search of other potential vulnerabilities in payments, and we haven’t discovered anything that indicates it goes any further than this particular fraud,” Perry said.
He said he couldn’t go into specifics about how the fraud was perpetrated, but the Office of the State Auditor said in a news release that the city had complied with a fraudulent request to change vendor payment information that diverted the public funds to the scammer.
“Unfortunately, the city of Albuquerque was hit by a scam that cost it over $400,000 in taxpayer dollars,” state Auditor Tim Keller said in the release. “This is now the second entity in New Mexico that we are aware of that was tricked into diverting money to imposters posing as legitimate businesses.”
An almost identical scam resulted in the loss of more than $200,000 in construction funds for a project at San Antonio Elementary School in Socorro, the Auditor’s Office said in its release.
That incident prompted Keller to issue an alert earlier this week, urging government employees to use best practices his office has previously outlined to prevent this type of fraud.
Those best practices include verifying the legitimacy of any request to change payment or banking information before processing the change. The Auditor’s Office recommends that vendors be contacted directly through a phone number or contact person obtained through a known source, such as their public website. The agency said government employees shouldn’t use phone numbers included in emails requesting the change to verify the legitimacy of the request.
Perry said an investigation is underway into whether city policies and procedures were followed in this matter.
“There’s nothing thus far in the investigation to indicate that there was any wrongdoing by city employees,” Perry said. “We’ve put heightened security measures in place regarding all electronic payments.”
Asked whether he’s confident that the new measures will prevent this type of thing from happening again, he said, “I’d like to say I’m confident, but I live in a world where hackers are able to get into CIA computers, all the national banks, and a lot of other governments.
“It just seems to me that when we talk about computer crime and cyberfraud, we’re constantly evaluating our security procedures and protocols, and they’re always challenged, and there’s always attempts to compromise them.”
Albuquerque and the Socorro school district aren’t the only government agencies to fall victim to scammers.
In May, San Miguel County in northern New Mexico was bilked out of $38,000. A county employee fell for a fraudulent email purporting to be from the county manager directing her to transfer those funds to an outside account.
©2017 the Albuquerque Journal (Albuquerque, N.M.) Distributed by Tribune Content Agency, LLC.