Montana Ag department details ‘man-in-the-middle’ phishing scam
Montana Department of Agriculture Director Christy Clark, with department attorney Cort Jensen sitting in the background to left during a legislative audit hearing on Oct. 5, 2022 (Photo screenshot from Montana Public Affairs Network).
There were no desperate pleas from African princes.
There were no email messages from banks or Amazon that needed a credit card number.
A phishing scam that took more than $344,000 from the State of Montana Department of Agriculture relied on something more sophisticated, a “man-in-the-middle” scheme. By the time the department was able to identify the problem, the money was likely overseas – somewhere.
The good news was that another large payment for a similar amount had already been flagged by a bank as suspicious.
During a meeting of the Legislative Audit Committee last week, lawmakers heard how the phishing or phone-email scam worked and learned that the state’s cyberinsurance policy had paid the claim, leaving both the department and a grant recipient, U.S. Dry Pea and Lentil Council, whole.
The phishing scam had been identified, along with another thwarted phony attempt for gift cards, as part of a routine financial compliance audit. Both Montana Department of Agriculture Director Christy Clark and chief legal counsel for the department, Cort Jensen, said that policies and procedures have been updated.
The email scheme worked when hackers obtained email from both the lentil council and state ag staff. Jensen described the way the hackers monitored the email, taking information and setting up false email accounts. Then, having learned of several grants that were routine, the hackers told department staff members that before the payments could be processed, they would have to obtain new bank account information because the Dry Pea and Lentil Council had recently switched banks, something that turned out to be false.
The Department of Agriculture staff entered the new bank account information after the hackers, posing as employees of the council, supplied the new banking instructions. The hackers requested two payments, both for usual amounts that they had gleaned from other email communications.
The state’s bank flagged the first payment as suspicious and stopped it. However, Jensen said when the fraudsters asked for the second payment and the department complied, the transaction of more than $344,000 went through, and officials were not able to stop the payment in time.
Jensen told lawmakers that the fraudsters waited – for weeks – until the payment time was appropriate and requested the exact dollar amount, something likely gleaned from intercepting previous emails.
According to Jensen, the Department of Justice case file is still open, but unlikely to be solved because the money went out of the country.
“I don’t have a lot of hope there’ll be a resolution,” Jensen said.
Changes to state policy
Not only the Montana Department of Agriculture, but the entire state updated its practices after the successful phishing attack.
Clark told the lawmakers that any time an organization wants to update its banking information, that can only be done on the phone, and through a person who is already known to the department’s employees.
“Two people have to know each other prior to the accounts being changed,” Clark said.
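The control Clark describes, a bank-account change accepted only after a phone call to a person already known to the department, together with the kind of hold the state’s bank placed on the first payment, can be encoded as a payment-workflow check. The following is an added illustration written for this article, not the Department of Agriculture’s system or any state software; the vendor record, contact names, phone numbers, email addresses and amounts are constructed sample data.

```python
"""Vendor bank-account change control with mandatory out-of-band verification.

Added example, not the Montana Department of Agriculture's own code.
All vendor, contact and message data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NEW_ACCOUNT_HOLD_DAYS = 30  # hold payments to a recently changed account (assumed policy value)


@dataclass
class Vendor:
    name: str
    email_domain: str               # domain the vendor is known to mail from
    bank_account: str               # account of record
    known_contacts: dict[str, str]  # contact already known to staff -> phone number on file
    account_changed_on: Optional[date] = None


@dataclass
class ChangeRequest:
    vendor: str
    sender_email: str
    new_account: str
    received_on: date


@dataclass
class Callback:
    """Record of the phone verification the policy requires."""
    contact_name: str
    number_dialled: str   # must come from the file, never from the requesting email
    confirmed: bool


def sender_domain_matches(vendor: Vendor, sender_email: str) -> bool:
    """Cheap first check: does the request even come from the vendor's domain?
    A match proves nothing on its own (the article's attackers had real mailboxes),
    so the phone callback below is required regardless of the result."""
    domain = sender_email.rsplit("@", 1)[-1].lower()
    return domain == vendor.email_domain.lower()


def apply_account_change(vendor: Vendor, req: ChangeRequest,
                         callback: Optional[Callback]) -> tuple[bool, str]:
    """Update the account of record only after a verified callback to a known contact."""
    if req.vendor != vendor.name:
        return False, "request names a different vendor"
    if not sender_domain_matches(vendor, req.sender_email):
        return False, f"sender domain does not match vendor record ({req.sender_email})"
    if callback is None:
        return False, "no phone callback recorded; policy requires one"
    on_file = vendor.known_contacts.get(callback.contact_name)
    if on_file is None:
        return False, f"{callback.contact_name} is not a contact known to staff"
    if callback.number_dialled != on_file:
        return False, "callback used a number that is not on file"
    if not callback.confirmed:
        return False, "known contact did not confirm the change"
    vendor.bank_account = req.new_account
    vendor.account_changed_on = req.received_on
    return True, "account updated after verified callback"


def review_payment(vendor: Vendor, account: str, today: date) -> list[str]:
    """Flags a payment release should raise before money leaves; empty means clear."""
    flags = []
    if account != vendor.bank_account:
        flags.append("beneficiary account differs from account of record")
    if vendor.account_changed_on is not None and \
            today - vendor.account_changed_on <= timedelta(days=NEW_ACCOUNT_HOLD_DAYS):
        flags.append("account changed recently: hold for manual review")
    return flags


def run_demo() -> dict:
    """Walks the constructed scenario and returns each decision for inspection."""
    vendor = Vendor("Example Council", "example.org", "ACCT-OLD-001",
                    {"Pat Example": "406-555-0100"})
    results = {}
    # 1. Lookalike sender domain, no callback: rejected at the first check.
    spoofed = ChangeRequest("Example Council", "pat@example-org.com", "ACCT-NEW-999", date(2022, 9, 1))
    results["spoofed"] = apply_account_change(vendor, spoofed, None)
    # 2. Real domain (compromised mailbox) but callback to a number supplied in the email.
    real = ChangeRequest("Example Council", "pat@example.org", "ACCT-NEW-999", date(2022, 9, 1))
    results["wrong_number"] = apply_account_change(vendor, real, Callback("Pat Example", "406-555-0199", True))
    results["after_rejects"] = vendor.bank_account
    # 3. Callback to the number on file, contact confirms: change is applied.
    results["verified"] = apply_account_change(vendor, real, Callback("Pat Example", "406-555-0100", True))
    # 4. A payment nine days later still sits in the post-change hold window.
    results["hold_flags"] = review_payment(vendor, "ACCT-NEW-999", date(2022, 9, 10))
    results["old_account_flags"] = review_payment(vendor, "ACCT-OLD-001", date(2022, 9, 10))
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The important design point is that the phone number is looked up from the department's own file keyed by a contact staff already know, never taken from the email that asked for the change; a compromised or spoofed mailbox can supply any number it likes. The hold on payments shortly after an account change mirrors what the bank did with the first transfer and gives staff a window to catch a second request.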
Other state policies worked as designed: for example, investigators seized the computer, which was in the Billings office, in order to make sure that the Department of Agriculture employee was not involved in the scheme, and to make sure no other malicious software was on the machine.
“(The organizations) complain about the overhead we charge, but that’s part of what pays for the insurance,” Jensen said. “So that neither we nor the Dry Pea and Lentil Council was out the money.”
Clark also said the department has updated its training policies. For example, recently an employee texted her with questions about a gift card. Someone was posing via text as Clark and had made up a story about being stuck in a meeting and needing gift cards.
“This is a constant thing,” Clark said, noting that they realized it was a fraudulent request almost immediately.
State auditors had also faulted the department for not reporting several incidents to the legislative auditor.
“You can imagine the scramble we were in when we found out (about the phishing scam),” Clark said. “And no offense to Director (Angus) Maciver (the Montana Legislative Auditor), but contacting legislative services was not at the top of our list. It was really about calling the authorities and stopping those bank transfers.”
Clark told the committee that one of the most challenging parts of the scam is getting employees to report possible fraud incidents quickly.
“Our employees don’t want people to think they messed up or made a mistake so they’re reluctant to report those,” Clark said.
She said part of the challenge is to continually keep up to date with the different ways scammers figure out how to get around obstacles.
“I don’t enjoy being made an example, but I think it would be helpful if more people will be cognizant of how extraordinarily good fraudsters are and how vulnerable we are,” Clark said. “Just to get into my email is hard. I can’t imagine how hard it was for them. They’re very sophisticated and good. We need to point out and we need to be cognizant of these risks.”
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.