Fresno City Hall photo by Breanna Hardy

After an investigation involving interviews, examination of city records and assessments of financial reporting, the Fresno County Civil Grand Jury released a report Thursday revealing that the City of Fresno could have avoided losing more than $600,000 in an online phishing scheme dating back to 2020.

In 2020, the City of Fresno sent $613,737 to a false bank account. The perpetrator posed as an “accounting specialist” for a construction company that was contracted for the construction of a new police substation and requested a change to the installment payment methods.

Rather than physical checks, the perpetrator stated that the construction company requested payments via an automated clearing house fund transfer.

According to the report, the finance department fell for the scheme, believing the emails to have originated from the construction company, and proceeded to authorize two payments – a Jan. 30, 2020 payment of $324,473 and a March payment of $289,264.

The city, upon learning about the fraud, made unsuccessful attempts to recover the payments and conducted an internal investigation to determine that all city employees had followed legal practices.

Following a criminal investigation by the Fresno Police Department, the FBI became involved when it came to light the perpetrators originated from out of state. The perpetrators, belonging to an organized crime ring, defrauded other municipal governments across the country in a similar manner by scouring the internet for large construction contracts being handed down by local governments.

Using data constructed from city council agendas and minutes, the perpetrators were able to successfully identify the contracts connected to the construction of the police substation and were therefore able to carry out the scheme.

What could the City have done?

The report released today also addressed the City of Fresno’s Finance Department practices, some of which could have prevented the theft.

The investigation found that some policies were not formally written and were instead communicated to employees verbally and through undocumented training processes.

It found that had the city followed its policies properly, the theft would not have taken place.

For example, policy states that new bank accounts are required to be authenticated prior to submission of funds, including a “prenote” to confirm that the new bank routing and account numbers match.

It also requires all “large disbursements” to be reviewed by multiple staff members at the close of the business day.

According to the report, the department failed to adhere to both policies, with the initial bank account verification failing. Normally, this would initiate a second attempt to verify the bank information, but a second attempt was never carried out. The report also added that the perpetrators utilized multiple bank account numbers in different states – something that did not arouse suspicion among city employees.

Additionally, the routine end-of-day check was not executed. This discovery would have stopped both payments from being sent.

Could it happen again?

The Grand Jury report states that without strict observation and enforcement of new and existing policies, the chances of similar losses in the future remain high.

“Despite multiple ACH/EFT forms, multiple bank account numbers in different states, and different email address domain endings, conspicuous red flags within the Finance Department were apparently not noticed,” Thursday’s report reads. “Ultimately, an increase in vigilance and a recognition that the City of Fresno is engaged in an ongoing cybersecurity arms race with sophisticated criminals will be key to their success.”

The report also warns that the future use of AI and voice recognition software may continue to increase the likelihood of future attempts becoming successful.

The Grand Jury also concluded that many of the mistakes that transpired in 2020 took place because city employees work in complex systems with countless rules and procedures; the Jury encourages the City to develop methods to prevent errors and reduction strategies to prevent future losses.

Overall, the report outlined four key findings:

• The finance department failed to identify the fraudulent manner in which the alleged payments were requested.
•  
• Finance department policies, if followed correctly, would have likely prevented the loss.
•  
• City officials, upon discovery of the fraud, immediately acted to investigate the loss and ensure fraud of this nature would not occur again.
•  
• The finance department is now appearing to follow policy and exhibits sound business practices.

 

Dyer issued a statement regarding the Grand Jury’s report, confirming that recommendations from the findings have already been implemented at the City.

“While I appreciate that human error occurs, the City continues doing everything in our power to ensure we are not victimized in the future,” Dyer wrote. “New systems and ongoing training have been implemented, as well as a new Controller/Finance Director being hired in 2022.”

Dyer added that the City has also upgraded its financial software, placing special attention to controls put in place to avoid future theft.

The City of Fresno has 45 days from the release of the report to issue a formal response to the Grand Jury’s findings.