The scam is known as a “Spear Phishing” attack. It is a targeted e-mail scam which thrives on familiarity and uses information publicly available on a website to extract protected information or money from an entity.
The funds have not yet been recovered, although an investigation into the crime is ongoing. The event also triggered an investigation into financial controls for the county by the Utah State Auditor.
On June 15, 2016, San Juan County Treasurer Glenis Pearson received an email message, apparently from Commissioner Phil Lyman, asking Pearson to wire funds to a consultant who had helped the county.
The message appeared to be from Lyman’s email account and Pearson responded to the email with several questions, which were answered to her satisfaction.
The County Treasurer went ahead and wired $48,620 to a bank account in East Orange, NJ.
Pearson said that her initial suspicions became more pronounced when she continued to receive e-mails from the address asking her to send funds to a foreign bank.
Pearson said she notified authorities within an hour of wiring the funds, but it was too late and the funds were gone.
Pearson states that the investigation is active, ongoing, and the outcome is unknown at this time.
“I hope that they can find and return the money,” said Pearson.
The Utah Counties Insurance Company (UCIP) will cover the loss under its cyber liability coverage. There is a $25,000 deductible on the UCIP policy.
Pearson said she is hopeful that if the insurance coverage is needed, UCIP will waive the deductible expense.
San Juan County is not the only entity to be scammed. Also in June, the Emery County Treasurer wired nearly $40,000 to a bank in Florida.
The Utah State Auditor report outlined policies that need to be followed in the disbursement of public funds. The report focused on the Emery County incident, not on San Juan County.
Officials state that financial controls are in place for San Juan County, but were not closely followed. This is due, in part, to the fact that a key employee in the clerk’s office was on vacation during the incident.
“We use wire transfers very occasionally,” said Pearson. “While checks from San Juan County require two signatures, a wire transfer can be made directly.”
While the e-mail was from Commissioner Lyman’s e-mail address, after discovering the scam, Pearson noticed that her responses were sent to another e-mail address.
In retrospect, there are a number of steps that could have been taken to avoid the scam, including making a telephone call directly to Commissioner Lyman rather than responding to the email. However, the scam, which thrives on familiarity, worked to perfection for the cyberthief.
“Believe me, I understand the anger,” said Pearson. “I’ve had many sleepless nights over this.”