The Washington State Auditor’s Office has found that weak controls led to the Port of Seattle falling victim to phishing scams.
Since 2016, Washington’s governments have reported more than $28 million of lost public funds as a result of cyber-fraud, most commonly in the form of phishing, spearfishing, or business email compromise schemes. In these schemes, an external threat actor contacts the government, appearing to be a known source—an employee, upper-level manager, vendor or other business associate. Government staff are convinced to redirect valid payments to the external threat actor, or to purchase gift cards and provide them with the card numbers.
The Port of Seattle reported two phishing incidents to the Washington State Auditor’s Office. These incidents resulted in eight payments of public funds, totaling $572,683, to fraudulent bank accounts.
First, in October 2021, the Port’s Office of Equity, Diversity, and Inclusion received a phishing email and forwarded it to the Accounts Payable Department for processing. As a result, the Port made two payments totaling $135,679 to a fraudulent bank account. A third payment totaling $48,997 was returned by the bank because the fraudulent bank account was closed.
In December 2021, the Port’s Office of Equity, Diversity, and Inclusion received a second phishing email and forwarded it to other Port employees. Ultimately, the Port made five payments totaling $388,007 to a fraudulent bank account.
The State Auditor reviewed the Port’s policy and operating processes over electronic funds transfer (EFT). It found that although the Port had procedures in place to protect EFT payments from loss, staff did not consistently or adequately follow them. Further, the audit found that the training the Port provided to employees was ineffective, as staff missed key red flags common to phishing schemes, such as misspellings in the email body and email address, as well as the bank declining EFTs due to closed accounts.
After the Port became aware of these losses, the Internal Audit Department audited the events and related weaknesses, and provided recommendations to management.
Ultimately, the State Auditor found that while the Port had established protocols, there was not adequate management oversight to ensure staff followed the required procedures and this contributed to the loss of public funds. The Port was able to recover $522,683 via banks and its insurance provider.
The State Auditor recommends that the Port of Seattle strengthen its controls to ensure staff follow verification procedures to protect EFT transactions from internal and external threats, and provide adequate communication and training to staff on cybersecurity risks and EFT verification requirements.
In response, the Port said that policy, procedural and systems controls were in place at the time of the incidents and that they had proven to be effective over the many years prior with no occurrence of a cybercrime loss. The Port added that there has not been any control failures or loss over the recent 15 months to-date since the incidents in 2021.
Citing the human element as a factor in both incidents, the Port said that staff from the departments involved in the 2021 incidents attended mandatory cyber-fraud fictitious email training provided by the Port’s Information Security department in 2022. This training is now an annual mandatory refresher. In addition, oversight and controls were stepped up following the incidents.
Read the full report at the Washington State Auditor’s Office
