City of Tenino loses $280,309 to phishing email scam, state Auditor’s Office says

Tony Overman/Olympian file photo

The city of Tenino fell victim to a fraudulent scheme that cost it $280,309 in public funds, according to the Washington State Auditor’s Office.

Former Clerk-Treasurer John Millard initiated 20 automated clearing house (ACH) payments from the city’s bank account to multiple out-of-state bank accounts between March 19 and May 4, 2020, per a report. A series of phishing emails prompted the payments, many of which he made without city council approval.

The email was sent to multiple public employees in Washington state who were members of the Washington Municipal Clerks Association. The same day it was sent, the association notified members that it was illegitimate.

“While other recipients either deleted or ignored the email, contacted the association to confirm it was a phishing attempt, or contacted their IT departments, Tenino’s Clerk-Treasurer did not,” the report says.

Millard, who served in the U.S. military until 2016, had previously received training in cybercrimes, according to the report.

On May 5, 2020, the report says a Texas-based bank told Millard someone came in to withdraw funds from an account that received an ACH payment and then tried to close the account.

Millard told the bank to contact the professional association, per the report, but the president of the association said she did not know about any such payments.

That same day, he informed the Tenino mayor, the state Auditor’s Office and Tenino police about the loss of funds, saying he had been deceived by a scam. Millard resigned in December 2020 and moved out of state, per the report.

Washington State Patrol investigated the scam but could not determine whether Millard personally benefited from the scheme. The case has since been turned over to the Federal Bureau of Investigation.

In all, Millard issued $336,968 in inappropriate ACH payments, per the report, but $56,659 in payments were returned to the city.

Security weaknesses

The state Auditor’s Office identified two key weaknesses that allowed the fraud to happen.

As Clerk-Treasurer, Millard had access to all the city’s bank accounts and could complete electronic transfers without any oversight or monitoring.

Millard also performed bank statement reconciliations on his own, without review by anyone else.

In its response to the report, the city of Tenino said it had addressed these weaknesses by placing its ACH and wire transfer processes under dual control: one person can initiate a transfer, but a second person must approve it before it is released.
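Both weaknesses the auditor names are segregation-of-duties failures: the same person could initiate and release a transfer, and the same person prepared the bank reconciliation that should have caught it. The following is an added illustration, not Tenino’s or the auditor’s code, of what the dual-control fix looks like when enforced in software: a disbursement ledger that refuses to release a payment unless a different, authorized person approves it, and a reconciliation step that requires an independent reviewer. Role names, account strings and the statement lines are constructed for the example.

```python
"""Dual control for outgoing ACH/wire payments plus an independently reviewed
bank reconciliation. Hypothetical example code; all users, accounts and
statement lines below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """Raised when a step would bypass a required internal control."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    payee_account: str
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False


@dataclass
class Disbursements:
    # Users allowed to initiate and to approve transfers (assumed role lists).
    initiators: Set[str]
    approvers: Set[str]
    payments: Dict[str, Payment] = field(default_factory=dict)

    def initiate(self, payment_id: str, amount: float, payee_account: str, user: str) -> Payment:
        if user not in self.initiators:
            raise ControlViolation(f"{user} is not authorized to initiate payments")
        if amount <= 0:
            raise ControlViolation("amount must be positive")
        payment = Payment(payment_id, amount, payee_account, initiated_by=user)
        self.payments[payment_id] = payment
        return payment

    def approve(self, payment_id: str, user: str) -> Payment:
        payment = self.payments[payment_id]
        if user not in self.approvers:
            raise ControlViolation(f"{user} is not authorized to approve payments")
        if user == payment.initiated_by:
            # The heart of dual control: the initiator can never be the approver,
            # even if that person also holds the approver role.
            raise ControlViolation("initiator cannot approve their own payment")
        payment.approved_by = user
        payment.released = True  # only an approved payment reaches the bank
        return payment


def reconcile(statement: List[dict], ledger: Disbursements, preparer: str, reviewer: str) -> List[str]:
    """Match each bank debit to a released payment; return the unmatched debits.

    The reviewer must be someone other than the preparer, which is the second
    control the auditor found missing.
    """
    if preparer == reviewer:
        raise ControlViolation("reconciliation reviewer must differ from preparer")
    # Multiset of (account, amount) pairs the ledger says were released.
    unmatched_ledger = [(p.payee_account, round(p.amount, 2))
                        for p in ledger.payments.values() if p.released]
    exceptions = []
    for line in statement:
        key = (line["account"], round(line["amount"], 2))
        if key in unmatched_ledger:
            unmatched_ledger.remove(key)
        else:
            exceptions.append(f"debit of {line['amount']:.2f} to {line['account']} has no approved payment")
    return exceptions


def demo() -> List[str]:
    """Run the workflow on constructed data and return the reconciliation exceptions."""
    ledger = Disbursements(initiators={"clerk"}, approvers={"clerk", "mayor"})
    ledger.initiate("P1", 23000.00, "ACCT-CONSTRUCTED-1", user="clerk")
    ledger.approve("P1", user="mayor")          # second person releases it
    # Constructed statement: one matching debit and one nobody approved.
    statement = [
        {"account": "ACCT-CONSTRUCTED-1", "amount": 23000.00},
        {"account": "ACCT-CONSTRUCTED-2", "amount": 18500.00},
    ]
    return reconcile(statement, ledger, preparer="clerk", reviewer="mayor")


if __name__ == "__main__":
    for line in demo():
        print("EXCEPTION:", line)
```

The useful property is that neither control depends on the honesty or alertness of one person: a transfer the initiator cannot justify never leaves the bank, and a debit that did leave shows up as an exception in front of someone else within the month rather than in a newspaper letter nine months later.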

“The City of Tenino has taken extreme measures to improve internal controls and monitoring over disbursements and banking to prevent future fraudulent activities,” the city says.

Additionally, the city says it contracted Right! Systems Inc., a Lacey-based IT company, to help it secure its network. Among the added measures, the company set up multi-factor authentication and email filtering for the city.

“The City of Tenino will continue to be diligent by improving and strengthening the internal controls and monitoring of funds through all available resources to prevent any fraudulent activities in the future,” the city says.

The city has an operating budget of just over $1 million and has just 13 employees, per the report.

In a news release, State Auditor Pat McCarthy said governments must secure their electronic payment methods to avoid being scammed like Tenino was.

“The City of Tenino’s loss should serve as a lesson for every government in Washington: No matter how small your operations are, strong internal controls can reduce the risk of losing public funds,” McCarthy said.

Investigation findings

Millard informed the Tenino City Council of a request for funds from the professional association during an April 14, 2020, meeting, according to the report and meeting minutes.

He asked the council for approval to “write a couple of checks” to help the organization pay expenses for its annual conference rescheduling, per the report.

The association, Millard reasoned, needed the funds because its treasurer was out of the office due to COVID-19, hindering its ability to write its own checks. He also claimed the city would be reimbursed for the expenses in about two weeks.

By this time, Millard had already been initiating transactions for nearly a month, totaling $45,090. Additionally, the report notes the phishing emails did not contain the level of detail Millard shared with the council.

Unfortunately, the council unanimously approved $23,000 for this purpose during the meeting, according to archived meeting minutes.

This action drew the suspicion of Tenino resident Shaun Brown and former Tenino mayors D. Jean Pettit and Mike Brown. They penned a joint letter to the editor that was published in the Chronicle on Dec. 24, 2020.

In the letter, the former mayors asked how a $23,000 “loan” ballooned to $270,488 in the city’s 2020 budget. After speaking with Millard and submitting public records requests, they expressed concern about a lack of documentation regarding this expenditure.

“Action to approve the expenditure taken by the council members during the April 2020 meeting did not include a directive for development of a contract with WMCA,” the letter says. “Expenditures of public funds must have a documented reason and justification for the expenditure.”

Millard told investigators he did not recognize the email address the phishing email came from, per the report. He also never contacted the association directly to confirm the request. Even so, he said he convinced himself he was communicating with the association’s real president.

He admitted to initiating payments without the council’s approval, per the report, and said he never received invoices or supporting documentation for the payments.

After obtaining a search warrant, investigators determined that the account that sent the phishing email originated in Nigeria, the report says.

Investigators contend the emails Millard received contained several “red flags” that someone with cybersecurity training should have noticed. There were spelling and grammatical errors, per the report, and the sender’s email address was not associated with the association.

Furthermore, the report says the sender claimed to be a former president of the association rather than the current one. The use of multiple out-of-state bank accounts should also have been questioned.
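The red flags the report lists (a sender address outside the association’s domain, a claimed role that does not match the current officer, several out-of-state beneficiary accounts, no invoice) are all things a finance office can check mechanically before a payment request ever reaches the initiator. The example below is added here and is not the report’s or the city’s code; it triages a payment request against those indicators and tells the clerk to verify by phone through a number already on file rather than by replying to the email. The association domain, officer address and request contents are constructed placeholders. The spelling-error indicator is deliberately left out, since a word list is not a reliable test.

```python
"""Triage of an emailed payment request against the indicators the auditor's
report describes. Hypothetical example; every domain, address and account
below is a constructed placeholder."""
import re
from dataclasses import dataclass
from typing import List

# Known-good facts the city would keep on file (constructed placeholders).
ASSOCIATION_DOMAINS = {"example-clerks-assoc.invalid"}
CURRENT_OFFICERS = {"president": "president@example-clerks-assoc.invalid"}
CITY_STATE = "WA"
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.IGNORECASE)


@dataclass
class PaymentRequest:
    sender: str                 # From: address as received
    claimed_role: str           # e.g. "president", "former president"
    body: str
    payee_accounts: List[dict]  # each {"bank_state": "TX", "account": "..."}
    has_invoice: bool


def triage(req: PaymentRequest) -> List[str]:
    """Return the list of red flags found; an empty list means none of these indicators fired."""
    flags = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in ASSOCIATION_DOMAINS:
        flags.append(f"sender domain '{sender_domain}' is not the association's")

    role = req.claimed_role.lower().strip()
    if role not in CURRENT_OFFICERS:
        # "former president" is not a role that can authorize anything today.
        flags.append(f"claimed role '{req.claimed_role}' is not a current officer")
    elif req.sender.lower() != CURRENT_OFFICERS[role]:
        flags.append(f"sender does not match the address on file for the {role}")

    states = {a["bank_state"] for a in req.payee_accounts}
    if states - {CITY_STATE}:
        flags.append(f"beneficiary bank(s) outside {CITY_STATE}: {sorted(states - {CITY_STATE})}")
    if len(req.payee_accounts) > 1:
        flags.append(f"{len(req.payee_accounts)} different beneficiary accounts for one payee")

    if not req.has_invoice:
        flags.append("no invoice or supporting documentation attached")
    if URGENCY_WORDS.search(req.body):
        flags.append("urgency language in request body")
    return flags


def decision(req: PaymentRequest) -> str:
    """Policy: any flag means no payment until confirmed out of band."""
    flags = triage(req)
    if not flags:
        return "proceed to dual-control initiation"
    return ("HOLD: confirm with the payee by calling the phone number already on file, "
            "not a number from the email; " + "; ".join(flags))


# Constructed request resembling the indicators described in the report.
SUSPICIOUS = PaymentRequest(
    sender="wmca.president2019@freemail.invalid",
    claimed_role="former president",
    body="Our treasurer is out with COVID, please send the conference deposit today.",
    payee_accounts=[{"bank_state": "TX", "account": "CONSTRUCTED-1"},
                    {"bank_state": "GA", "account": "CONSTRUCTED-2"}],
    has_invoice=False,
)

# Constructed request that matches the records on file.
CLEAN = PaymentRequest(
    sender="president@example-clerks-assoc.invalid",
    claimed_role="president",
    body="Attached is invoice 1042 for the annual dues.",
    payee_accounts=[{"bank_state": "WA", "account": "CONSTRUCTED-3"}],
    has_invoice=True,
)

if __name__ == "__main__":
    print(decision(SUSPICIOUS))
    print(decision(CLEAN))
```

None of these checks requires a security team; they are lookups against facts the office already holds, which is why they fit a 13-employee city. The check that matters most is the last step in `decision`: confirmation goes through a contact the city already had before the email arrived, which is exactly the step the report notes Millard never took.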
