A King County employee's mistake, coupled with systemic security issues, led to the county paying scammers more than $220,000 that should have been paid to a county vendor that provides services for people with intellectual and developmental disabilities.
“This was not the fault of any individual employee,” King County Director of Finance and Business Operations Ken Guy said. “I want to make that clear. We did not have sufficient controls in place to prevent this type of scheme from happening.”
The phishing email, sent in July of last year, appears to be from Jeanne at WISE, Washington Initiative for Supported Employment. The vendor trains people with developmental or intellectual disabilities to work at county nonprofits.
The email, riddled with punctuation and capitalization mistakes, asked for the county to change the organization's bank routing number.
“Why wasn't that email flagged?” reporter Linzi Sheldon asked.
“I think this is a situation where if you quickly look at that email, and then the fax that came in later—I don’t know if you saw the fax, but it looks like it was on the county’s form,” Guy said. “It looked like a legitimate request.”
Emails show the King County employee sent the scammers the form after receiving the initial email. The county then sent payments last summer and fall before the real Jeanne at WISE emailed about the organization not getting paid. Sheldon asked Executive Director Cesilee Coulson if the delay in payments affected them.
“We weren't negatively affected by it,” Coulson said.
“So you were able to sort of cover… the missing payments for a small period of time until King County paid?” Sheldon asked.
“Yes,” Coulson said. “We couldn't have gone out a lot longer. It was like, ‘Hey, [where are our payments?],' which was unusual.”
Coulson said WISE’s relationship with King County goes back about 30 years. She said that once King County identified that the payments had been rerouted, it immediately paid WISE.
The FBI opened an investigation, but it could not track down the suspects who took off with thousands of taxpayer dollars.
Guy said on Tuesday the insurance company wrote a check.
“We have a total of $195,000,” he said. “The total loss was $220,000. So that difference between the two is $25,000 and that's our insurance deductible.”
“So what do you say to taxpayers who look at that and say, ‘That's still $25,000?’” Sheldon asked.
“Any loss of public funds, we take very seriously,” Guy said. “We're sorry this happened.”
That means changes at the county, including fraud training employees are going through right now. The county is also investing in new technology to detect phishing scams and launched new external email alerts in May.
King County is also requiring employees to make a phone call when they’re handling electronic banking authorizations.
“They have to call back a vendor at a number that they're familiar with to make sure this is a legitimate request,” Guy said.
KIRO 7 shared the news of the scam with taxpayers.
“I feel terrible about it—I think that we shouldn’t have to pay it,” Eddie Snead said.
Alicia Evans, who works at a local company as a CFO, said she’s gotten phishing emails in the past and has learned to scrutinize them. She said her company has software designed to detect them.
“It looks like it's coming from the CEO of our company, saying, ‘Hey, can you pay this vendor now?” she said.
Evans called the $25,000 in taxpayer money lost an unfortunate mistake.
“It'd be nice for that to go to homeless or one of the other crises that we're experiencing in the city,” she said. “But I guess that's the way government works.”
Phishing scams are growing. The FBI said losses have quadrupled from 2015 to 2019 to an estimated $1.6 billion. The FBI recommends victims notify them immediately if they think they’ve been scammed, because the chances of getting their money back drop drastically after the first 72 hours.
Here's a link on how to recognize and avoid phishing scams.
More news from KIRO 7
© 2020 Cox Media Group