The Municipal Authority of Westmoreland County has successfully recovered over $826,000 that was stolen in a vendor impersonator scheme that targeted the water and sewer utility. This incident, which occurred in June, involved scammers posing as a vendor seeking payment for work related to the agency’s $25 million project to expand the Indian Creek water treatment plant near Connellsville.
Brian Hohman, the MAWC business manager, acknowledged that this incident was a painful learning experience for the organization, but expressed gratitude that a significant portion of the stolen funds has been reclaimed. The authority, which operates with a $117 million budget, serves more than 123,000 water customers across five counties and nearly 32,000 sewer customers.
Initially, details of the scam were kept confidential as federal authorities launched an investigation into the matter. However, during a public board meeting, officials revealed how the money was stolen and outlined the steps taken to prevent such incidents in the future. Hohman explained that the scammers initiated contact with an authority employee through a phishing scheme, enabling them to monitor internal emails. Subsequently, the scammers impersonated a vendor and sent fraudulent billing information to the financial staff for payment.
The fraudulent email mimicked the format used by the legitimate contractor, who was in the process of undergoing an ownership transition. By altering a single letter in the company’s name and providing new account numbers for the funds to be paid, the scammers were able to deceive the authority’s staff. Thankfully, the authority’s New York bank intervened and traced the stolen funds to approximately 10 other financial institutions, recovering the majority of the money, totaling nearly $729,000. The remaining $97,000 is expected to be reimbursed through insurance.
In response to this incident, the importance of cyber security measures has been underscored. Leia Kupris Shilobod, the owner of Compliancy IT in Greensburg, emphasized the need for organizations to implement robust controls and conduct regular cyber security training to safeguard against such attacks. Scott Davis, president and CEO of the Cyber Security Association of Pennsylvania, warned about the escalating trend of scams involving fraudulent vendor impersonation, with a significant increase in such incidents reported in recent years.
Despite the rarity of recovering stolen funds from online scams, the Municipal Authority of Westmoreland County has intensified its cyber security efforts following this incident. Hohman disclosed that the authority has invested in a $70,000 contract with a local firm to enhance security measures and provide staff training to detect and prevent potential threats.
As the authority strives to learn from this ordeal and strengthen its defenses against cyber threats, Hohman affirmed that they are committed to emerging stronger from this experience. The vigilance and proactive measures taken by the organization serve as a testament to their dedication to safeguarding the interests of their customers and the integrity of their operations.