Tenino loses $280,309 to phishing email scam, state says


The town hall of Tenino in 2012.

Olympic archive photo

The city of Tenino was the victim of a fraudulent scheme that cost it $280,309 in public funds, according to the Washington State Auditor’s Office.

Former Clerk Treasurer John Millard initiated 20 automated clearing house payments from the city’s bank account to multiple out-of-state bank accounts from March 19 to May 4, 2020, according to a report. A series of phishing emails prompted the payouts, most of which he failed to gain city council approval for.

The email was sent to several Washington State public employees who were members of the Washington Municipal Clerks Association. The very day it was sent, the association notified the members that it was illegitimate.

“While other recipients either deleted or ignored the email, contacted the association to confirm it was a phishing attempt, or contacted their IT departments, the Tenino Clerk-Treasurer did not,” the report said.

Millard, who served in the US military until 2016, had previously received cybercrime training, the report said.

On May 5, 2020, the report states that a Texas-based bank told Millard that someone came to withdraw funds from an account that had received an ACH payment and then attempted to close the account.

Millard told the bank to contact the trade association, according to the report, but the association’s president said she was unaware of any such payments.

That same day, he notified the Tenino mayor, state auditor’s office, and Tenino police about the loss of funds, claiming he had been tricked by a scam. Millard resigned in December 2020 and left the state, according to the report.

The Washington State Patrol investigated the scam but could not determine whether Millard personally benefited from the scheme. The case has since been turned over to the Federal Bureau of Investigation.

In total, Millard issued $336,968 in improper ACH payments, according to the report, but $56,659 in payments were returned to the city.

Security Weaknesses

The state auditor’s office identified two key weaknesses that allowed the fraud to occur.

As clerk-treasurer, Millard had access to all city bank accounts and could make wire transfers without any monitoring or oversight.

Millard also performed bank statement reconciliations himself without additional review by anyone else.

In a response to the report, the City of Tenino said it had addressed its weaknesses by securing its ACH transaction process and wire transfer process with dual control. This means that one person can initiate either process, but a second person must approve the process.

“The City of Tenino has taken extreme measures to improve internal controls and monitoring of disbursements and banking transactions to prevent future fraudulent activity,” the city says.

Additionally, the city says it contracted Right! Systems Inc., a Lacey-based IT company, to help secure its network. Among the measures added, the company implemented multi-factor authentication and email filtering for the city.

“The City of Tenino will continue to be diligent in improving and strengthening internal controls and oversight of funds with all available resources to prevent fraudulent activity in the future,” the city said.

The city has an operating budget of just over $1 million and has only 13 employees, according to the report.

In a press release, State Auditor Pat McCarthy said governments need to secure their electronic payment methods to avoid being scammed like Tenino was.

“The loss of the city of Tenino should serve as a lesson to all governments in Washington: No matter the size of your operations, strong internal controls can reduce the risk of losing public funds,” McCarthy said.

Findings of the investigation

Millard informed Tenino City Council of a trade association request for funds at a meeting on April 14, 2020, according to the meeting report and minutes.

He asked the board for approval to “write out some checks” to help the organization pay for expenses related to the postponement of its annual conference, according to the report.

The association, Millard explained, needed the funds because its treasurer was out of office due to COVID-19, hampering his ability to write his own checks. He also claimed the city would be reimbursed for expenses in about two weeks.

By this time, Millard had already initiated trades totaling $45,090 for almost a month. Additionally, the report notes that the phishing emails did not contain the level of detail Millard shared with the council.

Unfortunately, the board unanimously approved $23,000 for this purpose at the meeting, according to archived minutes.

This action drew suspicion from Tenino resident Shaun Brown and former Tenino mayors D. Jean Pettit and Mike Brown. They wrote a joint letter to the editor which was published in the Chronicle on December 24, 2020.

In the letter, the former mayors asked how a $23,000 “loan” reached $270,488 in the city’s 2020 budget. After speaking with Millard and submitting public records requests, they expressed concern about the lack of documentation regarding these expenses.

“Expense approval actions taken by board members at the April 2020 meeting did not include direction for the development of a contract with WMCA,” the letter states. “Expenditure of public funds must have a documented reason and justification for the expenditure.”

Millard told investigators he did not recognize the email address where the phishing email came from, according to the report. He also never contacted the association directly to confirm the claim. Even so, he said he had convinced himself that he was communicating with the real president of the association.

He admitted to initiating payments without council approval, according to the report, and said he never received invoices or vouchers for the payments.

After obtaining a search warrant, the report said investigators determined that the account that sent the phishing email was from Nigeria.

Investigators say the emails Millard received contained several “red flags” that someone with cybersecurity training should have noticed. There were spelling and grammatical errors, according to the report, and the sender’s email address was not associated with the association.

Additionally, the report states that the sender claimed to be a former president of the association rather than the current one. The use of multiple out-of-state bank accounts should also have been questioned.

Comments are closed.