The cyber-hacking of an email of a contractor for Macomb County Public Works resulted in the county being scammed out of a $700,000 payment to a contractor for a project, although some money has been recovered.
“Unfortunately, the county was a victim of this elaborate scheme,” Brian Baker, deputy commissioner of county Public Works, told The Macomb Daily. “It was a series of misfortunate events.”
The incident, which took place in August 2022, was publicly revealed earlier this month during the county’s audit presentation by UHY Advisors in front of the county Board of Commissioners. UHY cited the incident as a “material weakness” in the county’s finances.
The revelation drew responses from a couple of commissioners, including Mai Xiong of Warren who asked that the board be further informed about the incident, steps to prevent it from happening again and the status of the investigation, which Baker said appears to be closed.
“It’s concerning … because we utilize technology and email so much that we really have to be diligent and cautious,” Xiong said.
UHY officials Michael Santicchia and Marlene Beach told commissioners, in response to an inquiry by Commissioner Joe Sabatini, they can provide a cyber-audit of the county. Santicchia said UHY is a “state preferred vendor.”
“We are seeing more companies and municipal organizations getting them done just because of everything that can happen,” Beach said.
Agents from the FBI and Secret Service, with assistance from Novi police, investigated and were able to recover $60,000 that was left in the bank account created by the hacker and his or her accomplice, officials said. Baker added officials have not heard from the agencies on whether there was an arrest. The county also has collected $100,000 from a claim to its insurance company and is seeking another $100,000 insurance payout, officials said.
The payment was part of public works’ $10-million project near Nine Mile and Beaconsfield roads to add capacity in the 8-½ Mile Drainage District to reduce combined sewer overflows into Lake St. Clair from the Chapaton Pump Station in St. Clair Shores, Baker said. The district includes about 92,000 users and takes in all of St. Clair Shores and most of Eastpointe.
The project is scheduled to be completed early next spring after which the county and the contractor, Novi-based Weiss Construction, will negotiate a payment to the county to settle the expected $440,000 net loss, Baker said.
The drainage district could be responsible for any amount not reimbursed, but Baker said he believes rate-payers will not be impacted.
Public works officials decided not to change contractors for the project because the second lowest bid was about $2 million more than the bid that was awarded, Baker said.
A copy of the initial report to the county Sheriff’s Office sought by The Macomb Daily through a state Freedom of Information Act request submitted to the county last week had not received a response as of Friday afternoon.
Baker said the loss resulted from the hacker entering Weiss’ email system via phishing of an employee. The company did not have two-factor authentication for its email and, according to a cyber expert, Professor Doug Witten of Wayne State University, the hacker could easily gain the victim’s identification and other computer information.
“You can pose as an inside person pretty easily … as long as you can get the ID from someone inside,” Witten said. “Once you get your foot in the door it’s easy to maneuver someplace else.”
The suspect posed as a Weiss employee in a multiple-email thread that included a public works employee. The hacker “cloned” other thread members so the public works employee believed others on the thread had also seen the wire-payment request, but in fact only the lone county employee saw it, Baker said.
The hacker who posed as the Weiss employee asked the county employee to wire the monthly payment to a bank account that had the company’s name in the title so it did not raise suspicions, Baker said.
It was the first time the company had requested a wire transfer, and the county public works employee made a mistake by failing to gain confirmation of the new method from Weiss, Baker said. The county employee called a Weiss employee and left a voicemail message but made the transfer without receiving a call back, he said.
The employee was “talked to,” Baker said, but he declined to say if he or she was the subject of disciplinary action.
The employee did not violate county policy because he or she had a second person review the invoice and approve the payment. Baker said a new policy has been established to gain confirmation of an invoice from a county vendor when a new payment method is proposed.
Finance Director Stephen Smigiel said at the meeting a change was made so that public works’ “wire requests flow through the Treasurer’s Office.”
“There’s been some controls put in place,” he said.
Witten said the incident demonstrates the vulnerability of companies and governmental units to phishing, in which an email sender attempts to get the receiver to click on a link.
“You can have all of the protections in the world but if one person lets someone in, that starts a whole cavalcade of activity,” he said.