LECLAIRE — The Scott County city of LeClaire is working to recover $102,000 from scammers who posed as three city vendors.
In total, $222,373 in city funds were directed to three fraudulent accounts through “cleverly disguised and modified emails that resembled legitimate emails from legitimate vendors,” interim City Administrator Ed Choate wrote in an email to the Quad-City Times.
The scam occurred over a four-month period from November 2020 to February of this year.
LeClaire has recovered about $120,618 by freezing the accounts, Choate said.
Choate said the city is continuing to work with the FBI, the city's bank and its insurance carrier to recover, or reach a settlement for, the remaining amount of about $102,000.
In two of the three situations, Choate said, the city discovered the cyberattack because the actual vendors contacted the city to alert officials they hadn’t received payment.
In the third case, the city clerk discovered the fraud and contacted the vendor.
The cyberattack is similar to one that happened in Rock Island County in Illinois, where a scammer pretending to be a legitimate contractor asked county officials to wire $115,000 to a new bank account.
Choate wrote that the city, the FBI, and the city’s local financial institution fraud team “immediately engaged a cybersecurity firm to conduct a ‘deep-dive’ forensic analysis and incident response investigation on the city’s entire I.T. system and to ensure the servers and emails were no longer compromised.”
The city installed multifactor authentication and other security software applications to prevent email compromises in the future, Choate said.
Documents and training for electronic payments were implemented with help from the city’s financial institution and the Iowa Department of Management.
“This was simply human error involving a situation where most people, who being preoccupied with busy daily schedules and activities, would have executed the very same way,” Choate wrote in an email. “It was determined that no formal, personnel disciplinary actions were warranted or administered.”
Choate was city administrator for 42 years before announcing his intention to retire at the end of 2021, staying on for the transition.
The new city administrator, Chris Ball, started in February but parted ways after a six-month evaluation. Choate was reinstated temporarily while the search for a new city administrator is underway.
John Johnson, founder and president of the Docent Institute, a Bettendorf-based nonprofit that focuses on cybersecurity education, said a simple step of taking the time to make a call or send an email to someone you trust before completing high-dollar transfers is a low-cost way to prevent scamming.
And, he says, not all email spoofs are easily distinguishable from legitimate requests.
“Not everything looks like the Nigerian prince scam,” Johnson said. “If you check your spam folder, 90 percent of it is obvious, but sometimes they do just enough research, they have a logo, and they look legitimate.”