Judge Mark Henry of Galveston County called on the county’s auditor and purchasing agent to resign, blaming them for the theft by cyber scammer of more than $500,000 from the county earlier this year.
At a county commissioners meeting Monday, Henry said County Auditor Randall Rice and County Purchasing Agent Rufus Crowder should be held responsible for the June discovery of a wrongful electronic payment of $525,282.39 to a scammer posing as a county contractor.
While the stolen funds are a tiny fraction of Galveston County’s $149 million budget, similar cyber-attacks have raised the alarm in other Texas localities, including in Harris County, where $888,000 was nearly stolen by a person posing as an accountant with a Hurricane Harvey contractor. The city of El Paso was also robbed of $3 million in 2016 from a phony vendor.
Henry, in holding Rice and Crowder responsible for the scam, compared their lack of oversight to a person foregoing their tax payments. They basically have online malware scans and regular fraud management and security protocols but they were unprepared for human error. He noted that tax offenders typically suffer punishment, including the loss of their home.
The conclusion they had was that everything that had been done was done according to the constitution of the state of Texas and the appropriate procedures were followed that were existing at the time and since that time, we’ve added additional procedures and policies in place and we’re continuing to work to improve all of those things to further protect the county. A more laid-out fraud prevention plan and a new cyber-crime solution system is a favorable improvement.
The scammer created fake email addresses to pose as both a county employee and as a representative for Lucas Construction Company, and used a form obtained through the county’s website to request a change on the bank account information for the road contractor. The scammer requested that instead of paying with a paper check, the county should send funds to an account through an electronic transfer. Well, so much for the bank’s fraud prevention and detection plans.
The scammer used email addresses that were nearly identical to the real email addresses used by the county and the contractor. The report stated that the county purchasing department lacked the proper fraud management and validation processes to ensure that the new bank account was valid.
Security researchers also concluded that the county’s treasurer, auditor, purchasing agent, and information technology office had “coordinated the design of new processes” to identify potential technological issues that will help identify future problems as they occur rather than after an attack.