A con man stole $700,000 from a Florida city. Officials found out three weeks later
The City of Naples didn’t realize it had paid a conman $700,000 until three weeks later.
But Naples “financial reserves are strong” and will not be affected by the cyber attack, officials said in a press conference Tuesday afternoon.
The person, posing as a representative of Wright Construction Group, made a “change of bank account” request on June 24, said City Manager Charles Chapman.
A city employee then wired $700,000 to the fake bank account on July 11.
Three weeks later, on Aug. 1, the city realized it had fallen victim to a “targeted” spear-phishing scheme when the construction company made a payment inquiry, Chapman said.
The city then reported it.
In a spear-fishing attack, a hacker disguises an email to make it look like it’s from a trusted source. This type of “business email compromise” targets businesses and individuals performing wire transfer payments, according to the FBI.
Last year, victims in Florida lost $82,979,768 to this type of scam, the FBI said.
In Naples’ case, Wright Construction Group was owed the money for a renovation project the company was doing this summer to improve water utilities.
“It is important to note the process of any invoicing is a multi-layered process of checks and balances,” Chapman said. “The change of bank account procedure also has checks and balances but is a separate process from the invoice payment system.”
The employee who wired the money to the fake bank account was put on paid administrative leave as part of a human resource investigation, according to David Fralick, the city’s public information officer.
Chapman wants to assure residents no other data or information was compromised.
“We are cooperating fully with the FBI and local law enforcement to pursue the attacker. The city’s data system are safe and secure,” Chapman said. “This attack was not malware or ransomware. No data breach occurred. The city has and will continue to make improvements to our information technology system.”
The city has since paid the construction company using funds from its utility and storm water departments and is working with its banks and insurance companies to try and recover the money. The city’s capital projects were not affected by the scam and will continue as scheduled, Chapman said.
Naples is the newest city to fall victim to a cyber attack this summer.
The village of Key Biscayne confirmed to the Miami Herald it had been hit by a cyber attack on June 23, but officials would not say if a ransom was involved.
Lake City, about 60 miles west of Jacksonville, confirmed on June 10 that it had fallen victim to an attack that rendered official emails inaccessible. The city paid a ransom of $490,000 in Bitcoin.
On June 5, Riviera Beach, in central Palm Beach County, also confirmed it had paid a ransom worth about $600,000 in Bitcoin to recover city data.
One of the most recent high-profile cyber attack was in Baltimore. Hackers demanded a $76,000 ransom but the city refused to pay. It’s estimated the hack cost the city more than $18 million.
The confirmation also comes about two weeks after the U.S. Senate Select Committee on Intelligence released a heavily redacted 67-page report that appears to include new information about Russian hackers’ attempt to probe and target elections networks in Florida — including the FBI’s suspicion in 2018 that four county election systems had been hacked rather than two.
This story was originally published August 7, 2019 at 3:36 PM.
