Auditor Sand updates advice to Iowans to be wary of fake emails, which appear to be from legitimate vendors

September 20th, 2021 by Ric Hanson

(Des Moines, Iowa) – Auditor of State Rob Sand’s office reports Sand was recently made aware of payments made by a City to scammers posing as vendors. Auditor Sand has determined it is in the public interest to issue this Alert to help prevent others from falling victim to email scams.

In January 2020, the Auditor issued an Alert regarding a similar scam that involved unknown parties attempting to fraudulently misdirect state and local governmental entities in Iowa into issuing payments by posing as vendors. A copy of the Alert can be found here. In the recent situation, a City in Iowa learned payments to three legitimate vendors had been sent to bank accounts established by scammers who contacted the City via email. After discovering the mis-routed payments and consulting with cyber security specialists, City officials learned a City email account had been compromised.

They believe the scammers then monitored the email account for several months. After identifying City vendors who received electronic payments from the City, the scammers sent emails to the City which appeared to be from legitimate vendors with updated bank account information. The fraudulent emails sent to the City contained logos, contact information, and formatting which were consistent with other communications received from the three vendors. However, upon close examination, it was later determined the addresses of the fraudulent emails varied from the authentic vendors’ email addresses by moving a “dot” in the email addresses one place to the left or right.
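A sender address that differs from a vendor's address on file only by where a dot sits, as described above, can be flagged mechanically before any bank-detail change is processed. The following is an added example, not part of the Auditor's Alert; the vendor list, addresses and function names are constructed for illustration.

```python
# Constructed vendor master list (assumption): address on file -> vendor name.
VENDORS_ON_FILE = {
    "billing@acme.supply.example": "Acme Supply",
    "ar@northfield.paving.example": "Northfield Paving",
}


def normalize(addr):
    return addr.strip().lower()


def skeleton(addr):
    """Address with every dot removed; dot-shifted lookalikes share it."""
    return normalize(addr).replace(".", "")


def dot_positions(addr):
    """For each dot, the count of non-dot characters that precede it."""
    positions, seen = [], 0
    for ch in normalize(addr):
        if ch == ".":
            positions.append(seen)
        else:
            seen += 1
    return positions


def classify_sender(sender, on_file=VENDORS_ON_FILE):
    """Return (verdict, address_on_file) for a sender address.

    Verdicts: 'on-file', 'dot-shift' (one dot moved one place),
    'dot-variant' (same characters, other dot differences), 'unknown'.
    """
    sender = normalize(sender)
    known = {normalize(a) for a in on_file}
    if sender in known:
        return ("on-file", sender)
    for real in sorted(known):
        if skeleton(real) != skeleton(sender):
            continue
        a, b = dot_positions(real), dot_positions(sender)
        moved = [abs(x - y) for x, y in zip(a, b) if x != y]
        if len(a) == len(b) and moved == [1]:
            return ("dot-shift", real)
        return ("dot-variant", real)
    return ("unknown", None)
```

A 'dot-shift' or 'dot-variant' verdict means the message imitates a vendor already on file and should be held for confirmation through previously held contact information.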

Sand says, “I strongly advise representatives of all governmental entities to call any vendors to independently confirm instructions received electronically of revised bank routing information; do not respond to the email. Instead, use previously held contact information to ensure the appropriate party is reached.” He also recommends governmental entities consider implementing a notification of electronic payment to an established vendor email address. The notification should ask vendors to promptly confirm the receipt of funds and immediately contact the governmental entity or business if the electronic payment was not properly deposited into the vendor’s account. In addition, governmental entities should require vendors to provide existing bank account information when requesting an update of their bank routing information as a safeguard.

Any governmental agency suspecting a scam is required by the Code of Iowa to contact the Auditor of State at info@aos.iowa.gov or 515-281-5834.