A cybercrook impersonating an MWH employee in emails tricked the city of Portland, Ore. last March into sending them a $6.7 million filtration plant project payment.
The money could have been out of reach. But a payment platform entangled the crook and alerted bankers to possible fraud; they in turn prompted quick action from Portland financial managers, averting a stinging loss.
The frustrated crook even took to making numerous telephone calls trying to check on the status of the payment.
When criminals impersonate someone involved in the payment chain, they often start by breaching email security via phishing deceptions. Cyber criminals have found construction projects tempting targets and try to induce an owner or general contractor to send payments to a new account number. Once a diverted payment is made, there is only a short window of time when the money can be clawed back.
The Portland payment fraud played out during a five-month interruption in construction while city officials fended off a legal challenge to the project’s environmental permit.
In this case, an employee working for a joint venture of MWH Constructors Inc. and Kiewit Corp. was convincingly impersonated. The joint venture is building the huge $2.1 billion Bull Run filtration plant.
Here’s how the matter unfolded, according to the affidavit of Michael Porter, the city’s staff senior deputy attorney, and other legal documents.
In February the city implemented an SAP Ariba vendor management system and all its contractors were required to use it. Later that month, an emailer representing himself as John Lisman, an MWH senior proposal manager, contacted Portland’s accounts payable department to request a change in bank account information.
The request email came with all needed bank account information, including an account confirmation letter from Truist bank. The city staff sent a security challenge to the address on file for the joint venture, and when it was unanswered, the city made no changes to the account.
A Password Reset Link Request
The criminal, still portraying himself as Lisman, contacted a city staff member in an email, repeating the request for the account to be changed. The city again informed him that he would have to make the change in the SAP Ariba system. The next day the person posing as Lisman emailed again, saying something had gone wrong, and asked the city to send the password reset confirmation link again, to what appeared to be the same email address.
But the confirmation link didn’t go to the real John Lisman.
What the city sent allowed the imposter to change the vendor profile information inside the SAP Ariba system, including adding a new Chase bank account for payments.
Two weeks later, on March 21, the city transferred $6.7 million to the account provided by the fraudster, with a settlement date of March 25.
On March 24, the imposter, emailing as Lisman, emailed the payment system that the bank information for the prime contractor was incorrect and provided a new account number.
“Based on the City and law enforcement’s investigation,” Porter stated, “I believe [the person portraying Lisman] may have become aware that Chase Acct. ending in #5138 was being investigated for its use in connection with other transactions and attempted to substitute another account to reroute the transfer” to an account that was not on the radar of the Federal Bureau of Investigation.
That last-minute attempt to change the account number apparently set off a digital alarm. On March 25, Chase contacted Wells Fargo, the city’s bank, saying there was a potential fraud associated with the fund transfer.
With that, Portland’s treasurer and deputy controller rushed to take steps through which the money could be recovered.
Treasurer Brigid O’Callaghan asked staff of the controller’s office, including Cynthia Dominguez, the city’s deputy controller, to check on the discrepancy in account information detected by the SAP Ariba system and Chase Bank.
“We have a very short opportunity to cancel this transaction if this information is not correct,” O’Callaghan wrote in an email at 2:03 p.m. that day. A short while later she sent another email saying that “once the funds are remitted, then it could be very difficult to retrieve them.”
“Please go ahead and reject/block payment for now,” Dominguez replied at 3:22 p.m.
An investigation followed, and with assistance from the FBI, Wells Fargo and Chase, the city learned that the Chase account with the funds belonged to a law firm in New York City.
But the cybercrook couldn’t get the money just yet.
Starting on April 2nd, the criminal posing as Lisman made 10 phone calls to Portland’s accounts payable department to check on the payment status.
By April 4th, the city’s Water Bureau staff confirmed that the John Lisman employed by MWH was being impersonated.
Believing the law firm was involved in the deception, and trying to be sure the funds could not be withdrawn or used, Portland officials sued the legal practice in New York state court (and deposited numerous emails showing what occurred in the court record). But the Portland legal department soon learned that the law firm had itself been the target of the cybercriminal and was not involved in the attempted fraud or the account set up in its name.
On April 23, the city reported that the funds were in the hands of U.S. Marshals and that the lawsuit against the New York law firm had been dropped.
Portland Mayor Keith Wilson said in a statement that the fast action of local and federal law enforcement stopped the fraudulent transfer “before it landed in the wrong hands.”
“We’ll continue to collaborate with law enforcement and other partners on the recovery effort and any subsequent prosecution and will take these steps with full accountability.”
No arrests have been made in connection with the Portland payment fraud so far.
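The three signals in this timeline (a reset link sent to an address that was not the one on file, a bank change shortly before a large payment, and a second change before settlement) can be turned into a payment-hold check. The sketch below is an added example, not code from the city, SAP Ariba or either bank; the year, email addresses, exact early-March dates and the 30-day hold window are constructed assumptions.

```python
from datetime import date, timedelta

HOLD_WINDOW = timedelta(days=30)  # assumed policy value, not from the article


def hold_reasons(events, on_file_email, pay_day, settle_day):
    """Return the reasons a vendor payment should be held for manual review."""
    reasons = []
    for ev in sorted(events, key=lambda e: e["day"]):
        if ev["type"] == "reset_link":
            # Exact match only: an address that merely looks the same is not on file.
            if ev["sent_to"].lower() != on_file_email.lower():
                reasons.append(f"{ev['day']}: reset link sent to address not on file")
        elif ev["type"] == "bank_change":
            if pay_day < ev["day"] <= settle_day:
                reasons.append(
                    f"{ev['day']}: bank details changed between payment and settlement")
            elif (timedelta(0) <= pay_day - ev["day"] <= HOLD_WINDOW
                  and not ev.get("callback_verified")):
                reasons.append(
                    f"{ev['day']}: unverified bank change within "
                    f"{HOLD_WINDOW.days} days of payment")
    return reasons


# Constructed events following the article's timeline; the year, the early-March
# dates and both addresses are placeholders, not values from the court record.
ON_FILE = "contact@jv.example"
EVENTS = [
    {"day": date(2025, 3, 6), "type": "reset_link",
     "sent_to": "contact@jv-example.test"},
    {"day": date(2025, 3, 7), "type": "bank_change", "callback_verified": False},
    {"day": date(2025, 3, 24), "type": "bank_change", "callback_verified": False},
]

if __name__ == "__main__":
    for reason in hold_reasons(EVENTS, ON_FILE, date(2025, 3, 21), date(2025, 3, 25)):
        print("HOLD:", reason)
```

A bank change confirmed by a call-back to the contact already on file passes the check; anything else holds the payment until someone verifies it.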