Port of Seattle paid fraudsters more than $570,000 due to lax security, audit finds
The port fell for phishing schemes on two occasions in 2021, the Washington State Auditor's Office found, due to weak controls including staff not following protocol.
In October, 2021 the Port of Seattle Diversity, Equity & Inclusion department fell victim to what auditor's office spokesperson called a "classic phishing scheme": cyber-fraudsters posing as a legitimate contact seeking to have upcoming payments sent to a different bank account.
The department forwarded the phony email to the accounts payable department, which also took the bait, and paid the fraudsters $184,676 in three payments.
Two months later, the DEI department received a second phishing email, which it also forwarded on for processing, and the port made five more payments totaling $388,007 to a second fraudulent bank account.
After the port realized the fraud, it was able to recover most of the money, minus a $50,000 insurance deductible.
The auditor’s office found that port employees failed to follow standard protocols to prevent fraud, which State Auditor Pat McCarthy said is a cautionary tale for other state and local governments.
“I think it’s good lessons learned not only for the Port of Seattle, but for many other governments who have a plethora of resources. It can happen to them, and it can happen to a very small irrigation district, as well," McCarthy said.
Port officials told the auditor’s office they’ve added layers of financial oversight for improved security, and require staff to take phishing-detection training.
"We quickly took steps to tighten our payment procedures to stop the fraudsters and protect against future attempted thefts of this kind, said Port of Seattle spokesperson Peter McGraw in an emailed statement to KUOW.
McGraw added that the port has been transparent about the fraud since it was revealed, and has discussed the incidents in public meetings.
The auditor’s office says that since 2016, government agencies across the state have reported losing more than $28 million through cyber fraud.