Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.
Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cyber security Review
Government Technology | By Mihir Zaveri
On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.
The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.
“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.
On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.
The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.
The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.
Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.
“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”
The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.
Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.
Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.
Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.
“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”
Shark said local governments are particularly vulnerable after disasters.
Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.
“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”
He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.
An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.
Rosen said he had never investigated such an incident before.
“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”
The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.
Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.
“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”
He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.
Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.
Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.
Some say the changes so far do not go far enough.
Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.
On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm Briggs and Veselka to “review the county’s payment processes and controls” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.
Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.
“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”