Iowa Auditor Rob Sand was recently made aware of payments made by a city to scammers posing as vendors. He is alerting Iowans to prevent others from falling victim to email scams.
An Iowan city learned payments to three legitimate vendors had been sent to bank accounts established by scammers who contacted the city via email. After discovering the misrouted payments and consulting with cyber security specialists, officials learned an email account had been compromised. They believe the scammers monitored the account for several months. After identifying vendors who received electronic payments from the city, the scammers sent emails which appeared to be from legitimate vendors with updated bank account information. The fraudulent emails sent to the city contained logos, contact information and formatting which were consistent with other communications received from the three vendors.
However, it was later determined the addresses of the fraudulent emails varied from the authentic vendors’ email addresses by moving a “dot” in the email addresses one place to the left or right.
“I strongly advise representatives of all governmental entities to call any vendors to independently confirm instructions received electronically of revised bank routing information,” Sand said. “Do not respond to the email. Instead, use previously held contact information to ensure the appropriate party is reached.”
He also recommends governmental entities consider implementing a notification of electronic payment to an established vendor email address. The notification should ask vendors to promptly confirm the receipt of funds and immediately contact the government or business if the payment was not properly deposited.
Also, Sand said governments should require vendors to provide existing bank account information when requesting an update of their bank routing information as a safeguard.
Any governmental agency suspecting a scam is required by the Code of Iowa to contact the Auditor of State at email@example.com or 515-281-5834.