Boulder County officials said they were tricked into sending a check worth around a quarter of a million dollars to fraudsters.
Following a cyberattack experienced by a Boulder County vendor, the county mistakenly sent a $238,000 check to a fraudulent account, according to a press release issued by the county on Friday. The county said hackers used information obtained from the vendor to create a spearfishing email to the county that appeared to be from the vendor, resulting in the check being sent to the fraudulent account.
“Although the county has safeguards in place to prevent these types of frauds from occurring, and we successfully thwart attacks by fraudsters several times a year, we did not catch this one in time to prevent the check from being cashed,” County Administrator Jana Petersen said in a release. “Fraudsters continue to get more and more creative in their approaches, and we continue to enhance our safeguards to make sure to minimize the risk to taxpayer dollars.”
Boulder County Public Information Officer Gloria Handyside said she could not share details about the type of vendor the hackers were pretending to be due to the active investigation.
The county said insurance proceeds are expected to cover most of the loss after the appropriate investigations take place. The Boulder County Sheriff’s Office will be investigating this crime and working with federal law enforcement during the investigation.
“We take great pride in our work and in the controls we have in place to detect and prevent fraud,” Petersen said. “It’s so frustrating that this happened, and we will learn from the experience and continuously work to review and enhance our controls.”
The release added that the incident is under investigation and that law enforcement will release any future information in due course.
Handyside said the county typically sees five or six significant fraud attempts per year. Staff are trained on financial controls and how to spot fraud before given access to the financial system, and all county staff with system access must complete cyber security training annually, she added.
“Our primary financial control is separation of duties, where one staff member creates a vendor account and it is reviewed and approved by another staff member,” Handyside said. “Similarly, to make a payment, one staff member enters the transaction, and it is reviewed and approved by another staff member in the department and again by centralized accounting staff.”
