The city of Ottawa’s financial staff have been criticized by its auditor general for failing to follow its money transfer rules after the municipality’s treasurer was tricked into wiring over $100,000 in what is known as a business email compromise scam.
“Had the city’s policy and procedures been followed, the fraudulent payment request would have been documented on a Payment Without Reference Form and gone through either Accounts Payable or the Financial Services Unit,” said the report presented to city council on Monday. “In our opinion, it is unlikely that the payment would have been made had either of these groups processed the request.”
The scam was a classic: On Friday, July 6, 2018 city treasurer Marian Simulik received what she thought was an email from city manager Steve Kanellakos, asking her to transfer US$97,797.20. to the bank account of a U.S.-based firm for a purchase the city allegedly had made.
“I want you to take care of this for me personally,” said the message, “I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30 per cent of their total, Which will be $97,797.20. An announcement is currently being drafted and will be announced next week, once the deal has been executed, for now I don’t want to go into any more details. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?
Unknown to Simulik, that email was a spoof of Kanellakos’ real email address.
Like many fraudulent messages of this kind, there was an element of urgency to it. And, the action was asked for on a Friday, which also adds to the urgency.
The treasurer searched the Internet for the U.S. firm, which she discovered was a web page design company. She assumed the payment was for work to improve the city’s web site. She also checked if the payment could be sent that day, and replied by emial to the “city manager.” In return, the “city manager” sent details for the bank transfer, and the money was sent.
Simulik sent a confirmation email to the real city manager. He intended to follow-up, but didn’t.
Five days later the treasurer got another email apparently from the city manager asking for another US$154,238, the balance of the transaction. Because Simulik was at a council meeting sitting Kanellakos, she asked him about the message. Kanellakos told her he had not authorized any wire transfer.
The person who got the money transferred it to a bank account that was being watched by the U.S. Secret Service, which later seized US$88,000. So the city may be able to get some of its money back.
On investigating, auditor general Ken Hughes found no one on city staff had done anything fraudulent, but did discover policies and procedures weren’t followed. He also found a number of other problems:
–former and current city managers said they have never directly requested that either a payment be processed by Accounts Payable or a wire transfer by the city’s Treasury Branch;
–wire transfer payments can be processed without a general ledger account to allocate the payment to or even an entry in the financial system;
–there are no formal written city authorization limits (approval rules) with respect to wire transfer payments;
— wire transfer summary reports are not prepared nor reviewed by senior management;
–in theory, a staffer couldn’t create and approve a wire transfer below $25 million under the city’s banking system. However, during the investigation this was tested and found it could be done. “This represented a very dangerous control weakness,” the auditor concluded;
–the City doesn’t have a mandatory fraud awareness training program for staff.
As a result of the investigation the city is changing a number of its procedures, including setting up a way to distinguish email coming from outside the municipal system and inside. An email coming from outside the system pretending to be from an employee would be a tip-off the message is suspicious. At the RSA Conference earlier this year a speaker said one way to do this is by colour-coding email (for example, messages in red come from outside).
The city is also working on toughening wire transfer and other procurement procedures. The ability of any one employee to both create and approve a wire transfer in the financial institution’s system has been removed except for those with administrative rights.
The city is also creating a fraud awareness training program which will start in the second quarter.