CHICAGO (CBS) — The City of Chicago’s Department of Aviation thought it was paying an approved vendor more than $1 million for services earlier this year.
But your tax dollars didn’t reach them. The money almost went to what appeared to be a phishing scam that police are now investigating as a business email compromise.
While the city recovered the money, the incident almost cost taxpayers seven figures and raises red flags about the integrity of Chicago’s cyber-security system.
According to a police report recently obtained by The 2 Investigators, the Department of Aviation received an email Jan. 24 from what appeared to be a city-approved vendor, Skyline Management.
The company has been paid more than a quarter of a billion dollars ($284,628,921.17) for custodial services at Midway International Airport and O’Hare International Airport since 2008, city documents show.
The email requested that Skyline’s account payable information be changed from US Bank to Wells Fargo Bank.
The request was referred to the city comptroller’s office to make the change, which is routine procedure, according to the report. The change was made, and less than a month later, the city paid the updated account $1,150,759.82 for services.
But in a call to the Department of Aviation weeks later, Skyline Management stated they had not received a payment for their services. That’s when the discovery was made: Skyline never requested an account change.
The report said the city later recovered the money after Wells Fargo put a hold on the account.
Where was the breakdown?
Paul Petefish, information security expert and CEO of Evolve Security, works with companies to find vulnerabilities in their security systems to prevent hacks.
“Everybody has vulnerabilities,” Petefish said.
He said the email received by the city’s Department of Aviation is “the oldest trick in the book.”
“It’s certainly easier than robbing a bank,” Petefish said of phishing scams.
“I’m just going to try to get someone into giving me something, versus trying to steal it through another way,” said Petefish, speaking from the perspective of the e-mailer. “So I’m going to send you an e-mail and say, ‘Hey, I’m with Bank of America, we’re making an update to our system. I’m going to need to check your password – will you provide me with your password?’ ”
This could also be an account number, he said, as was the case in Chicago.
“There was a breakdown somewhere,” Petefish said. “You have to get two people to sign off to make that change.”
The police report does not indicate who actually approved the account change.
Police interviewed a Skyline employee who, according to the report, said his AOL account may have been hacked at the time in question.
How common are phishing scams?
Since 2013, more than $12 billion has been lost worldwide to business e-mail compromises, according to the FBI.
A total of $3 billion of that was lost in the United States, with more than 40,000 victims nationwide.
Chicago isn’t the only government entity whose system was compromised.
In 2016, Sedgwick County, Kansas, lost $566,088 in a similar phishing scam. As a result, the county added two auditors to its staff and required phone calls to confirm payment changes.
Two years later, the county was able to recoup money lost through an insurance claim, with the exception of a $100,000 deductible.
Petefish said in many cases, by the time the fraud has been detected, the money is gone.
In Chicago’s case, Wells Fargo placed a “hold for verification” on both accounts due to the “large and unusual wire transfer” and other inconsistencies with the transaction. Ultimately, the city was credited the full amount.
Securing the system
After CBS 2 sent questions to a Department of Aviation spokesperson, our request for information was deferred to the Department of Finance for comment.
A spokesperson said the cause of the incident was the hacking of a Skyline employee’s email account and that moving forward, employees will confirm account changes with a phone call. You can read the full statement below:
“We’re pleased to have worked with the Chicago Police Department to recover the money that was illegally misdirected to another account. Although the situation was caused by the hacking of an external vendor’s email account, out of an abundance of caution, the Department of Finance will now follow up with a phone call if and when contractors request bank account changes via email to ensure this doesn’t happen again.”