The authority was targeted in June by scammers who posed as a vendor awaiting payment for work as part of the agency’s $25 million project to expand its Indian Creek water treatment plant near Connellsville.
“This was a painful lesson as an organization and we’re thankful we were able to secure a significant amount of the funds,” said MAWC business manager Brian Hohman.
Officials earlier this year said the theft involved a significant amount of money. The authority operates with a $117 million budget to serve more than 123,000 water customers in five counties and nearly 32,000 sewer customers.
Details of the scam were initially kept private as federal authorities investigated the scheme but at Wednesday’s public board meeting, officials disclosed how the money was stolen and the steps the authority has taken to prevent future thefts.
Hohman said the scammers made contact with an authority employee through a phishing scheme that allowed them to monitor internal emails. Using that information, the scammers posed as vendor and sent financial staff bogus billing information as to where funds should be paid.
“They saw our internal discussions about an invoice and created a false email that impersonated the vendor,” Hohman said.
Authority officials said the fake email used the same format as the legitimate contractor, which was undergoing a ownership transition. One letter in the company’s name was changed along with new account numbers where the money was to be paid, Hohman said.
The authority’s New York bank investigated the theft and was able to track the money to about 10 other financial institutions and was able to recover most of the funds, nearly $729,000. Insurance will repay the remaining $97,000 that has yet to be located.
FBI spokesman Bradford Arick did not respond to a request for comment about the investigation.
FAKE VENDORS
Cyber crimes have become a growing concern in recent years, according to Leia Kupris Shilobod, owner of Compliancy IT in Greensburg.
“This is a very common way malicious actors get their payday. If an organization doesn’t have good written controls, this is more likely to happen. Even with these it could happen anyway,” Shilobod said.
She said public organizations and businesses need to be diligent about cyber security training and enforce standard operating procedures to help guard against online incursions and to be alert for potential scams.
Scott Davis, president and chief executive officer with the Cyber Security Association of Pennsylvania, a Harrisburg-based nonprofit, said scams involving fraudsters who pose as vendors is on the rise. About 42% of all businesses were targeted during the first half of 2023 with scams related to bogus vendors. Similar incidents have increased by another 70% this year, he said.
“Every email address is at risk for social engineering attacks, which are the foundation of a (business email compromise or vendor email compromise). With the advent of AI, we see these attacks not only growing in scale but in sophistication as the emails look better, have fewer red flags, and when done in mass are successful,” Davis said.
Shilobod said it is rare for organizations to recover stolen money from online scams.
MAWC officials said cyber security efforts have intensified since the theft. Hohman said the authority this summer signed off on a $70,000 contract with a local firm to improve security efforts and train staff to recognize and prevent potential threats.
“Lesson learned and we will be better as an organization because of it,” Hohman said.
(c)2024 Tribune-Review (Greensburg, Pa.) Visit Tribune-Review (Greensburg, Pa.) at www.triblive.com Distributed by Tribune Content Agency, LLC.
