GRIFFIN, Ga. -- A metro Atlanta city of about 22,000 recently learned they were scammed out of $800,000.
The city manager of Griffin said he was shocked to learn of the scheme. Now we're learning how it all went down.
A city employee thought they got an email from a vendor the water department works with. But it turns out it was a cybercriminal who spoofed their email address was able to steal several hundred thousand dollars.
"We can patch operating systems all day long, but it's a lot harder to patch the human in us," cybersecurity expert Patrick Kelley said.
Kelley isn't surprised the city of Griffin got scammed.
"It happens every week," he said.
What is uncommon is how much money the crooks got. The scheme went through the city's water department. An email came through that looked legitimate from their vendor - P F Moon & Co. The email said they needed to change the banking information for the account, so the city employee sent it over.
"We get that these changes need to take place, but an email just isn't good enough," Kelley said.
Case in point, it only took Kelley five minutes to find a fake login for the city's vendor online.
"A quick search, it took me about 10 minutes to find 5 sets of usable credentials for employees of P F Moon," he said. "It took me 3 minutes to find credentials for City of Griffin."
Kelley said he was easily able to find the terms of the contract online. It's all public record.
In a statement, the Griffin city manager said:
"The City has the highest degree of firewall protection and constantly trains employees on the latest methods that hackers use, however the criminals seem to always be one step ahead. This unfortunate incident resulted in a large sum of money being misappropriated to a fraudulent account, however, a thorough criminal investigation has ensued and we are confident the funds will be restored. Let this be a warning to all businesses and citizens to be extremely diligent with on-line financial transactions."
"I'm happy to hear they're doing security awareness training," Kelley said. "It's not that common for governments to do that, so atta boy to them. I just think they need to go a little further when it comes to these large scale transactions."
The city manager said they turned the case over to the FBI and they're confident they'll get their money back.
Kelley, though, thinks they'll only be able to recoup some of it.
For anyone who believes they've gotten a phishing email or text message, government officials advise reporting it so that they can investigate.
Phishing emails can be sent to the Federal Trade Commission at spam@uce.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. Fishing text messages should be sent to 7726 (SPAM).
Next, they urge anyone who receives a phishing attempt to report it to the FTC at FTC.gov/complaint.
MORE NEWS