The US Department of Treasury is currently investigating how the D.C. government managed to lose nearly $700,000 in an online phishing scam.
In July, scammers impersonated a city vendor and managed to trick the local government into paying for services. The fraud came to light after D.C. officials revealed the incident to The Washington Post.
David Umansky, a spokesperson for the office of D.C. chief financial officer Jeffrey S. DeWitt, has confirmed that no government systems were compromised during the fraud incident. He revealed, however, that the hacker responsible for the phishing attack created a fraudulent email address based on information from a city vendor.
The hacker, using the fraudulent email address, asked the city to begin processing vendor payments through electronic transfer instead of checks. The government of D.C., which failed to detect the suspicious email address, then paid a number of outstanding invoices to the new account the scammer specified.
Three payments that totaled $690,912.75 were wired to a Bank of America account in New York.
According to a letter obtained by The Washington Post, the vendor being impersonated was Winmar Construction. The payments made were supposed to be for a design-build contract for a permanent supportive housing facility.
The letter, sent by Winmar Construction vice-president Kelly Markland on August 01, 2018, informed DeWitt’s accounts payable supervisor that the email address of the company’s controller was “fraudulently mimicked.”
Markland added in his letter that Winmar had “taken additional steps via our IT department to track the offending party and have reported this incident to the FBI.”
Since the incident, D.C.’s processes for dealing with vendor payments has “been modified to require additional confirmation before changing bank information,” Umansky explained.