Auditor of State Rob Sand was recently made aware of payments made by a City to scammers posing as vendors.
In January 2020, the Auditor issued an Alert regarding a similar scam that involved unknown parties attempting to fraudulently misdirect state and local governmental entities in Iowa into issuing payments by posing as vendors.
In the recent situation, a City in Iowa learned payments to three legitimate vendors had been sent to bank accounts established by scammers who contacted the City via email.
After discovering the misrouted payments and consulting with cyber security specialists, City officials learned a City email account had been compromised. They believe the scammers then monitored the email account for several months.
After identifying City vendors who received electronic payments from the City, the scammers sent emails to the City which appeared to be from legitimate vendors with updated bank account information. The fraudulent emails sent to the City contained logos, contact information, and formatting which were consistent with other communications received from the three vendors.
However, upon close examination, it was later determined the addresses of the fraudulent emails varied from the authentic vendors’ email addresses by moving a “dot” in the email addresses one place to the left or right.
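A dot moved one place is easy to miss by eye but simple to catch when a sender address is compared with the vendor addresses already on file. The Python example below is an added illustration, not part of the Auditor's alert; the vendor addresses are constructed and the function names are hypothetical.

```python
# Constructed vendor list (assumption): addresses on file before any change request.
KNOWN_VENDOR_ADDRESSES = [
    "j.smith@acmepaving.example",
    "ar@pay.midwestsupply.example",
    "billing@countyfuel.example",
]

def skeleton(address):
    """Lower-case the address and drop every dot, so dot placement no longer matters."""
    return address.strip().lower().replace(".", "")

def dot_positions(address):
    """Position of each dot, counted in non-dot characters that precede it."""
    positions, seen = [], 0
    for ch in address.strip().lower():
        if ch == ".":
            positions.append(seen)
        else:
            seen += 1
    return positions

def classify_sender(sender, known=KNOWN_VENDOR_ADDRESSES):
    """Return (verdict, vendor_address); verdict is known, dot-lookalike or unknown."""
    s = sender.strip().lower()
    # An exact match (ignoring case) is the address on file.
    for vendor in known:
        if s == vendor.lower():
            return ("known", vendor)
    # Same characters in the same order, but the dots sit elsewhere.
    for vendor in known:
        if skeleton(s) == skeleton(vendor):
            return ("dot-lookalike", vendor)
    return ("unknown", None)

def dots_moved(sender, vendor):
    """Largest number of places any dot moved; None if the dot counts differ."""
    a, b = dot_positions(sender), dot_positions(vendor)
    if len(a) != len(b):
        return None
    return max((abs(x - y) for x, y in zip(a, b)), default=0)
```

A `dot-lookalike` verdict on a message asking to change bank details is a cue to call the vendor using contact information already held.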
“I strongly advise representatives of all governmental entities to call any vendors to independently confirm instructions received electronically of revised bank routing information,” said Sand. “Do not respond to the email. Instead, use previously held contact information to ensure the appropriate party is reached.”
Auditor Sand also recommends governmental entities consider implementing a notification of electronic payment to an established vendor email address. The notification should ask vendors to promptly confirm the receipt of funds and immediately contact the governmental entity or business if the electronic payment was not properly deposited into the vendor’s account.
In addition, governmental entities should require vendors to provide existing bank account information when requesting an update of their bank routing information as a safeguard.