Mitnick In The News
City victim of fraudulent scheme
Aug 5, 2016 - Enid News, by Emily Summars
City of Enid recently fell victim to a fraudulent scheme, resulting in the possible loss of thousands of dollars, City Manager Jerald Gilbert said.
The city was a victim of a social engineering fraudulent scheme, Gilbert said. He said someone impersonated a city of Enid supervisor, sending an email to an actual city of Enid employee, asking them to wire transfer a payment to a vendor.
"The employee that made the wire transfer thought this was coming from her supervisor to do this," he said. "But, it wasn't her supervisor. The email was spoofed or whatever the term is for where it looks like it's coming from your supervisor. The supervisor wasn't here to confirm. The domain name was off by one letter, but that wasn't easy to see."
The employee wired a payment of $36,850.
Gilbert said as soon as officials determined the payment was not legitimate, the city reported the incident to the police and Security National Bank.
"Security National Bank was able to put a hold on that account — the account is in Florida where the wire payment went to," Gilbert said. "That money — whatever money is in that account — it's frozen."
Enid Police Department Sgt. Justin Hodges said the investigation is ongoing. He said EPD has been working with the Federal Bureau of Investigation and Palm Beach County Sheriff's Office in Florida.
Hodges said incidents like what happened with the city are becoming more common, stating several Enid businesses have been victims of similar attacks.
Social engineering is becoming more popular against business, according to officials at the security awareness firm KnowBe4, LLC. One of the most popular techniques includes an email that has been designed to appear like it is from a credible organization or source, like a bank or within the company, said Kevin Mitnick, of KnowBe4. Other social engineering attacks include browser pop-up ads, phishing emails and telephone calls.
Gilbert said the city had internal controls in place on verification of payments, and the city is reviewing its internal controls.
"We are reviewing our best measures that need to be addressed and improved upon," Gilbert said. "Education is the most important thing in trying to defeat these fraudulent social engineering scams, which is what this is called. We're certainly looking at all those measures and anything we could do to try to improve and prevent something like this from happening."
Gilbert said the incident will be reported to the city's auditors, who also will review the city's internal controls.
"We think we've taken appropriate steps to try and ensure even if this type of scam happens again, there will be measures in place that would prevent it from happening," he said, not detailing specific measures. "The bottom line is we want to have positive confirmation that what we are doing is legitimate city business. The city employee thought she was doing legitimate city business at the direction of her supervisor and it turned out that was not the case."
Regarding the $36,850, Gilbert said the funds have not been recovered at this time. EPD, SNB and other involved parties are working to recover as much of the money as possible, he said. Gilbert said he does not expect the missing funds to impact the city's budget immediately or in the long-term. He said the possible impact depends on how much money is recovered.
Regarding the employee, Gilbert said it is an personnel issue and appropriate action has been taken.