In July 2018, the Washington D.C. government fell for an email scam that resulted in wire transfers totaling nearly $700,000 being sent to a scammer’s account.
The scammer impersonated a vendor used by the city and requested outstanding invoices for construction work be paid. The vendor had been contracted to work on a design and build project on a permanent supportive housing facility.
The emails requested the payment method be changed from check to bank transfer, and details of a Bank of America account was provided where the payments needed to be directed. Three separate payments were made totaling $690,912.75.
The account details supplied were for an account controlled by the scammer. By the time the scam was uncovered, the money had already been withdrawn from the account and could not be recovered. According to a Washington Post investigation, the scammer had impersonated the firm Winmar Construction.
The emails were sent from a domain that had been registered by the scammer that mimicked that of the construction firm. The domain was identical apart from two letters which had been transposed. The scammer then created an email address using that domain which was used to request payment of the invoices.
According to the Washington Post, prior to this scam the D.C. government was targeted with multiple phishing emails, although Mike Rupert, a spokesperson for the city’s chief technology officer, said those phishing attacks were not successful and were not related to the wire transfer scam.
These scams are commonplace. They often involve an email account compromise which allows the scammers to identify vendors and obtain details of outstanding payments. David Umansky, a spokesman for the city’s chief financial officer told the Washington Post that the attacker had gained the information necessary to pull off the scam from the vendor’s system and that D.C. officials failed to identify the fraudulent domain and email.
After discovering the fraudulent wire transfers, the D.C. government contacted law enforcement and steps have been taken to track the scammers. Additional security controls have now been implemented to prevent similar scams from succeeding in the future, including the requirement for additional verification to take place to confirm the authenticity of any request to change bank information or payment methods.
The U.S Treasury Department has now launched an investigation into the breach, as bank fraud is a federal offense. That investigation is ongoing.