The city fell for the $613,737 hustle in 2020, but the city's mistakes did not come to light until The Bee broke the story of the phishing scam in 2022.
City officials did not disclose the loss until The Bee asked about it, citing an effort to protect an FBI investigation, according to city leaders.
Months later the city fired its city controller, but leaders would not say if the scam was the reason for his termination. The city controller heads up the Finance Department and oversees the city’s financial integrity, guides spending policies and pays the bills, among other business-related responsibilities.
Despite security practices and policies in place at the time, “conspicuous red flags within the Finance Department were apparently not noticed,” according to the grand jury.
The city’s Finance Department has since improved its practices, the report said. But leaders should still beef up security, including adopting citywide, by the end of the year, practices that are used by the U.S. Department of Defense.
THE PHISHING SCAM AND CITY SAFEGUARDS
The grand jury found that some of the finance department’s policies were understood to be in place through training, but were not in the written policy. Even so, if the unwritten rules had been followed the scam would have been caught, the jury report said.
The swindle started when the scammers presented themselves as a legitimate vendor that was already doing business with the city. That particular legitimate vendor had asked for payments to be provided with a paper check, the report says.
The scammers asked for those paper checks to be made into electronic payments, which should have been a red flag, the report said. Employees told the grand jury that kind of request is uncommon.
The city typically used an “automated clearing house” form to authenticate payments to contractors, but did not in the two cases that led to the $600,000 scam, the report says. The scammers used multiple bank account numbers connected to different states, which the clearing house form would have caught if used properly.
Finance department employees were also supposed to seek a second approval from another employee for large payments, but did not in the scam cases, according to the report.
NEW POLICIES TO PREVENT SCAMS
The city has since adopted a policy of contacting vendors by phone with a number already on file to confirm the legitimacy, the report says.
The grand jury also made recommendations for protecting the city’s finances, noting that the growing prevalence of artificial intelligence and the sophistication of criminals could make cybersecurity a greater issue in coming years.
Along with adopting Department of Defense policies, the grand jury recommended the city adopt policies that require the director to double check certain payments, hire a firm to test the city’s system for phishing attacks and add more double checks, among other new policies.
The grand jury put some deadlines on its recommendations for the end of 2024, and others into next year.
Mayor Jerry Dyer issued a prepared statement on Thursday, which said many of the recommendations of the grand jury have already been met. He noted the city hired a new city controller and has implemented ongoing training.
The city has also upgraded its software, he said.
“I am appreciative of the (Fresno County) Civil Grand Jury’s time and attention on such a relevant issue in our city and our nation,” the statement said. “I am also pleased with the grand jury’s confidence that internally updated procedures appear appropriate for preventing this type of fraud from happening again. I would like to assure the public we will do everything we can to ensure human error is minimized in the future.”
©2024 The Fresno Bee, Distributed by Tribune Content Agency, LLC.