Six months after it was defrauded of $719,000 in a conventional phishing scheme, district officials had little to disclose in an update to the school board today, though about $20,000 was recovered and a board member suggested that a lawsuit may be ahead, presumably in hopes of recovering more. The money was due the construction company building the Matanzas High School addition. The district had to make up the amount.
So it’s not clear why Flagler County Schools’ Chief Financial Officer Patty Wormeck went through the motions of what she called an “update” to the board. Wormeck’s vague presentation was little more than a reminder to the board that the district was still working things through. (See: “Flagler School District Loses ‘Significant Amount of Money’ in Apparent Phishing Scheme Involving Vendor.”)
When a board member asked for more substantive information, another board member stopped her, and Superintendent LaShakia Moore suggested that those conversations take place between individual board members and the administration, behind closed doors.
“The district does continue to work through this process to try to recover as many funds as we can. And we are working in through our local sheriff’s office, the Secret Service, the bank and our risk management team.”
In fact, and though Wormeck did not disclose that, either, investigators recovered about $20,000 in the earliest goings of the investigation when the money was being spread around various accounts before it was wired abroad. With time passing, investigators knew that they had little hope of recovering more. Sheriff Rick Staly had said early on that hopes of recovering any substantial sums were slim to none. (See: “With $719,000 Almost Certainly Lost to Fraud, School District Turns to Insurance in Hopes for Recovery.”)
The most that Wormeck said of substance was that “there was no breach on our end. So the data and the network is safe.” She did not elaborate. But if the statement was intended either to indemnify the district or to give the impression that nothing at its end had gone wrong, that was not necessarily the case even if there was no breach as Wormeck described it.
The district sent the money to the construction company building the Matanzas High School addition. FlaglerLive has learned that it appears spyware may have infiltrated an email network, enabling the fraudsters to fool recipients into thinking they were the construction company. It’s not an uncommon phishing technique: numerous local governments have been defrauded that way. The fraudsters then claim the “company” again needs banking information, and the trusting recipients comply, in essence wiring money to a fraudulent account.
“Our financial processes in the finance world have been updated quite substantially to ensure that this does not happen again,” Wormeck said. “This is a very, very lengthy process that takes time to work through. There are many different factors involved in it.”
Board member Cheryl Massaro asked for a few details. “If I were a vendor and I just billed you for a million dollars,” she asked Wormeck, “talk to me about the process before this situation took place, and the revisions that have been made since so it never happens again.” But Board member Colleen Conklin didn’t want Wormeck to answer–not that she would have–saying it would give a how-to to the next fraudster. “I would hate for us to get into the details of all of this publicly. Especially if we’re going to end up in litigation in the future.”
But it was Conklin who revealed more than Wormeck had disclosed, or that the district may have been willing to let out of the bag: short of recovering the money, the district may be suing for it if in fact the breach was enabled outside of its own systems, though it would then have to also show why the “processes” Wormeck says have now been put in place weren’t in place before the fraud. That’s especially the case since phishing is nothing new, and the scheme used in this case was nothing original, and seemingly quite preventable.
“The purpose really is for us to say, this isn’t gone away. We’re not ignoring it,” Moore said. “We’re not sweeping it under the rug. But it is a process that’s going to take time. And right now, unfortunately or fortunately, however you look at it, it really is that you have to trust that we’re working the different processes that we need to work in order to ensure that our system, our servers, all of those things are safe. And when we can publicly disclose everything that’s happened, we will.”
“That’s something that we should all be aware of,” Massaro said. “Why did it happen the first time, and what have we done to make sure it never happens again.”
Board member Sally Hunt wondered to what extent the board itself should get involved in setting policy. David Delaney, the acting board attorney, answered in general terms, cautioning the board that technology is changing rapidly, “so it will be difficult to write a policy to anticipate all of those changes.”
“But you’ve got some smart cookies over here and I think we collectively could think of a lot of different things,” Hunt said.
Joe D says
I think Board member HUNT should let the professional “SMART COOKIES” do their investigation and maintain communication with the police bureaus who deal with this on a daily basis… that is “IF” there is any chance the taxpayers might see ANY of their money returned.
Double Click says
Ya’know, can’t just absolve the district’s IT dept of any responsibility. Yeah as a user you have some responsibility to not just arbitrarily click on anything that comes your way, but it is IT’s responsibility to make certain the emails and links don’t make it to you in the first place. There is plenty of software and firewalls to do that with. The major players such as Microsoft, Google, Cisco, etc. take care of that for you. Technologically, that link with masqueraded addresses should have never made it through. Then, going out should have never happened. So IT dropped the ball here. Either they were strangled by a lack of funding, or they were simply not very good at their job. In the private sector, the man on top gets walking papers. Sucks, but that’s the trade off for the title and subsequent pay.
Clearly Clueless says
Tell me you have no idea what you’re talking about without telling me you have no idea what you’re talking about. Phishing can be extremely sophisticated these days and if you had any idea you’d know it’s so popular because outside of obvious click bait phishing emails there is only so much IT can control in these situations outside of end user training. Anyone can create an email account in good standing and use it to social engineer a user within a company. Firewalls and the major players just don’t automatically safeguard you from sophisticated phishing attempts.
If anything, as this article states it sounds more like a procedural issue on the financial side since it was stated how new processes have been put in place after the fraud took place.
Double Click says
Three decades of experience at all levels IT, two degrees and countless certifications, owner of several mm tech companies. Yeah, I know what I’m talking about. These little podunk towns and counties with their lack of funding both capital and personnel wise are prime targets for these less than sophisticated attacks. Toss in local yeeha’s such as “Clearly Clueless” protecting and even enabling these inadequacies and this is what you get. Pay now or pay later. Government is notorious for choosing the latter.
Clearly Clueless says
All that experience, all those degrees and certs and you don’t have a basic understanding of social engineering and cybersecurity.
Probably too late but hopefully you can get a refund.
All these assumptions over something we have no details about is crazy. To what end? Make yourself look good on an online anonymous comment section and to put down the district employees who are here to serve and educate our children?
Bethechange says
Spot on Double Click, imo.
Ld says
Checks and balances appear missing.
Idk why says
Huh. Holding closed door meetings as an elected official. Dig your grave
Lizzo says
@ Flagler live
You should definitely look into some of the things that have happened on the campus of FLAGLER PALM COAST-
Campus investigations- teachers put on leave
Kids being arrested????
Money for nothin, and the chicks for free says
Cheryl, better question – ask Wormeck how the finance dept figures out who’s on FLMA before they send payments to people who are not even coming into work!! For MONTHS. Pay with no work! Go ask! It’s real! Wormeck’s a total utter unorganized disgrace!!!