By Staff
December 16th, 2020
BURLINGTON, ON
The city has recovered $322,641.67 of a $503,026.66 fraudulent vendor payment made in May 2019.
The recovery of monies comes as a result of a Superior Court of Justice action commenced by the City, and a claim made by the City to its insurer pursuant to its Cyber Crime Policy.
In May 2019, the City discovered it was a victim of fraud, due to a single transaction made to a falsified bank account. This was a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16, 2019.
Upon learning of the fraudulent payment, the City took immediate steps. The unauthorized payment was reported to the City’s financial institution and the Halton Regional Police, and the City put additional internal controls in place to prevent this type of fraud from occurring in the future. Criminal investigations are also underway by the appropriate authorities.
A full review of the City’s current processes has taken place. The City’s IT system was not compromised during this incident; no personal information was stolen or shared.
To maintain the integrity of ongoing investigations, the City will not be commenting further at this time.
The Mayor said this morning: “I know the public will welcome news that we’ve been reimbursed for a substantial amount of the funds stolen via fraud. The quick action of staff and the police has contributed to the recovery of these funds. I thank them for their efforts.
“There are additional avenues we are exploring to secure the remaining balance. We’ve also significantly increased our internal controls to ensure this never happens again.”
Tim Commisso, City Manager tells us that: “The City is committed to being open, accountable and transparent about the city’s finances. Thank you to staff and law enforcement who have worked diligently to help recover these funds. The City has thoroughly reviewed the underlying cause of this event and implemented enhanced internal controls to mitigate against any recurrence of this type of fraud.”
Also not clear is how many frauds are we talking about just the one or all that have gone on. Don’;t forget the Halton Region (our councillors are opart of that group too) failed to disclose to the public before the last election how much taxpayers were out on an employee fraud and have not yet disclosed how much if any was recovered. The Spectator covered this last December duirng the Christmas break. Council knew before the election but kept quiet as they did not want us to know how easy it was to take their eye loff our money!
Both the Halton Region and the City of Burlington frauds were single frauds.
The Halton frauds was a multi event fraud committed over an extended period of time by an employee of the Region in collaboration with a small group of individuals at a supplier against the Region.
The City of Burlington was defraud by outsiders who via the internet and through the use of email masqueraded as one of the City’s suppliers.
Neither the Region’s councilors nor the City’s councilors “took their eyes off the money”. That is an unwarranted criticism.
Certainly there is room for improvement in internal controls at both the Rigion and the City, but that is hardly within the scope of the councilors direct responsibility.
How much money has the City spent in staff time and third party costs to recover this? I want to see justice done, but I don’t want the City to spend lots of time and money to get a ‘good news’ story.
One last point. If the City did not have the correct insurance in place at the time of the loss, very public questions should be asked of both those at the City charged with managing its insurance affairs and of its insurance broker/risk advisor.
What action has the city taken regarding training of staff and the revison of procedures to prevent this and other fraudulent schemes in the future?
I would hope the risk management protocol that is now a mandated requirement of all insurance companies that underwrite crime/fraud insurance policies has been implemented at the City. It is very simple and easy to implement protocol. Insurance companies require an “in person” authentication of any instruction where a request to change previously accepted deposit instructions is being requested. The individual/organization receiving the change of banking information instructions is required to make direct contact (in person physically or by phone) with a pre-agreed contact at the requesting organization so as to gain a direct and verbal confirmation of the requested change. It’s a very simple but very effective risk management protocol. This protocol should also be used for internal change of banking instructions. Fraudsters are great at electronically impersonating internal email traffic from those in a position authority, such as a CFO, a director, or maybe even a City Manager.
Good news! However, taxpayers are still in a hole for the difference, a large sum of $ 180,385.- !! Also not clear is, how much was spent to recover the said amount? Quite the story!
One must hope the outstanding balance is recoverable under one or more insurance policies purchased by the City.