Web Scam Bilks State of Utah Out of $2.5M

KitB sends in a story in the Salt Lake Tribune that tells of a Web-based scam, resembling some used by Nigerian gangs, that snared the state of Utah. $2.5M was sent to a bank account in Texas before the bank raised a question and then froze $1.8M in the account. "Thieves apparently used a Nigerian-based scam to steal $2.5 million from the Utah treasury, covering their tracks by using intermediaries and a church address. A Salt Lake Tribune review of the names listed in a search warrant as receiving or transferring money [found] names of African origin or connections to that continent. Michael Kessler, ... a forensic accounting [investigator] in New York City, said the thieves appear to have used a simple scam that originated in Nigeria about five years ago. The Utah theft is the first time he's seen a government victimized. 'Their IT people should have known better,' Kessler said after reviewing a copy of the search warrant Thursday. 'It sounds like any kid could have done this.'"

How is that Nigerian?

[khasim]

This was a scam technique that originated in Nigeria.

Submitting fake invoices did NOT originate in Nigeria any more than the "419" (aka "The Spanish Prisoner") scam did.

These scams have been around for YEARS.

It's just sensationalism to mention Nigeria in the article.

Why are they blaming the IT department?

[DavidTC]

Unless they mean the insurance company's IT department, as a password sniffer apparently got past them.

What that story has to do with the 'change the account number for vendor and submit bogus invoices' story I don't know. At no point do they actually appear to explain the fraud.

Also, a 'Nigerian' scam traditionally refers to advance fee fraud, aka, 'I have X million here that you can get if you send me Y thousand.'. That does not appear to be what happened here.

There's a difference between being dumb and falling for that scam, and having someone break in and change the address your business (Or, in this case, government) are supposed to send money to.

Re:So why didn't God intervene?

[TheModelEskimo]

Really? You're modded +5 informative for a question that gets answered in the first week of any non-denominational, even atheist-leaning comparative religions course? You might start with Victor Frankl and continue from there. Or just GOTO 10 and troll again...I mean, religion-bashing seems to get you great mod points around here, and none of it (that I've ever seen) even approaches 200-level college material...

Re:Everyone

[oheso]

That doesn't sound at all like a Nigerian scam to me. It sounds like good, old-fashioned white collar fraud. The story is horrible. The Ohio insurance firm case apparently has nothing to do with the story. There's no explanation why the university's "IT people should have known better". What did the IT people have to do with it? I love the suggestion that people should immediately be suspicious of those with "names of African origin or connections to that continent". And let's see who we're looking for. A guy with a Minnesota driver's license. A truck driver -- but not a Minnesota license? Narrowing it down here ...

Re:Everyone

[oheso]

"The story is horribl[y written]." Just to make it clear ...

This is about purchase orders, not bank accounts

[Teancum]

It wasn't even changing the bank accounts. This was a situation where somebody got some purchase orders for a university department and the state paid what appeared to be legitimate purchase orders drawn on department funds. The "vendor number" is to speedily process and simplify the task of allocating funds to people who are providing services or products to the university.

Where this scam became a scam was with the process of submitting the purchase orders to the state, and submitting new bank account information for the vendor. Indeed, some of the purchases that were made may have even been legitimate, in terms of having a vendor like a computer supplier deliver a dozen or more computers to the department and then submitting the purchase order to the university accounting office. (I don't know what exactly was purchased here, but this seems to be something on the order of what was done.) The goods were delivered, payment was expected, and a check was cut and sent to what state records said was the legitimate vendor.

The "vendor number" wouldn't be the department's code number, although it is possible that the director's signature was forged and several purchase orders were sent through asking payment for items that have never even been delivered in the first place. The reporters on this incident certainly got the details screwed up in terms of typical purchase order procedures.

Having used Utah state purchase orders myself as a state employee, I can see how this would get missed for some time until the paperwork gets through. Accounting for all of this takes months and quite a bit of good faith is depended upon through out the whole process... although there are a number of points where purchase orders are questioned eventually and have to be reviewed. Smaller businesses would scream quickly if they didn't get their money right away, so it would have to be a larger vendor like Wal-Mart or Circuit City (again, I don't know the specifics here, but this is typical) where the accounting chain is much longer and wouldn't get caught right away.

What is the scary thing here is that this department had so much money to throw around that missing a couple millions dollars wouldn't be missed. It wasn't the "department's bank account number" as all state funds are deposited together in one place, including tax funds and research grants. This is about how money was disbursed once authorization from the project administrators/department chair has occurred and was intended to pay what appeared to be legitimate debts.

The University of Utah does have billions of dollars floating around from various research grants and project of various types, so even though the amount of money here seems staggering, it is a drop in the bucket compared to how much money flows through that campus. It isn't even the first inappropriate allocation of funds, although this one should have had flags come up quite some time earlier from a whole bunch of different sources.... not the least of which was the project lead who should have been reviewing invoices charged to his project (where this design department comes into play) and questioning things that seemed out of place. The state won't allocate money if the project has insufficient funds on the charge code.

Poorly Written Post.

[Jane Q. Public]

The only "Nigerian" connection seems to be the name "Ongaga". Not compelling to me.

I wonder, though, if the choice of a bank in Texas was deliberate, and if they were using a third party as a shill of some kind. When I was in Texas, years ago, I noticed some of the "different" laws Texas has in regard to banking. I don't know if they are still the same, but at the time, ANY bank error in favor of a customer legally became the property of the customer, without question.

Re:Safeguards

[hazem]

If you do more than 100,000 a year with a bank you should automatically have a clause that states all assets transferred to Nigeria (or any country you don't regularly do business with for that matter) should be frozen

You mean foreign countries like New Jersey and Texas? The story says the money was being sent to a bank in Texas (which was the entity that raised a flag on this) and checks were going to some nonexistent guy in New Jersey.

But you're on the right track that there should be some "human checking" if the banking details of a state's approved list are changed. I have no idea why the IT people are being blamed. This was the error of some clerk in the accounting department, or worse, by the management of that department who didn't have a validation process for changes in banking information for vendors who are paid over a certain amount.

Re:This is about purchase orders, not bank account

[Herkum01]

The whole reason for all of these procedures was because they do not trust their employees with money. Instead they put their trust in a system which is basically a Purchase Order number. Once someone knows the system they can keep the money coming like an ATM.

I am surprised that this does not happen more often because all it takes for someone to get money is the belief that the system will take care of it. A few months later when the mistake has been identified it is too late.

Re:IT People's Fault?

[Teancum]

Verification of the direct deposit stuff is to confirm that the account is valid and has a proper routing numbers. That is not a control in terms of verifying that the purchases were legitimate or that the correct person is receiving the money. They could ask the bank where the money is being deposited for verification of the name on the account, but how hard is that?

The only control on this is to have somebody review each invoice and confirm that the good or service was actually provided. Some accountant sitting in the basement of the administration building of a university campus does not have the ability to make this declaration. All they can do is to verify there is money in the charge code and that the vendor is one on the list of "approved vendors" for the school. It is up to the department chair/research project leader to decide if the allocation is appropriate.

What is sad here is that the trigger that something may have been wrong here came from an out-of-state bank wondering why so much money was going into their bank from a government on an account that was apparently rather new. It is appropriate to question the department controls on this.

Otherwise, this is just a typical bank fraud case, and not even all that big of a bank fraud situation either. Hardly even newsworthy.

Re:This is about purchase orders, not bank account

[__aasqbs9791]

I wish I had mod points for you. When people trust a system implicitly it is at least as bad as trusting a person implicitly. At least with a person they may have the character to not screw you. A systems has the morals of whoever is using it, and that changes with every user, legitimate or otherwise.

Re:This is about purchase orders, not bank account

[urbanriot]

If this was a purchasing issue, why does the article quote the interviewee as suggesting, "Their IT people should have known better,"

Re:This is about purchase orders, not bank account

[Anonymous Coward]

"The whole reason for all of these procedures was because they do not trust their employees with money."

Anyone wanting to have accountability in government won't trust people with cash either. It's just too easy to forget to enter a payment in the system, and then you have 'hundreds of thousands of dollars unaccounted for' such as with the complaints about Halliburton.

The bottom line is: any system can leak, and large systems naturally develop cracks through which exploits can occur. Constant maintenance, accounting, and double-checks are one defense, which in this case worked (according to the summary, where 1.8M of the 2.5M was stopped cold). So we're talking better than 2/3 of the fraud was successfully caught on the double-check, and a total loss of 700 thousand out of a yearly budget of many millions or a few billion.

Not perfect, but not a loss of all 2.5 million (and I hope they are looking into ways to retrieve some of that money, as this appears to have happened recently).

Re:This is about purchase orders, not bank account

[X0563511]

Oh wow, a classic crime, but they use a COMPUTER!

Quick, fire up the spin-machine!

Re:Good day

[noidentity]

Yes but even the Slashdot posting script won't fall for all-caps scams.