Mitcham, Charles Sturt and Port Adelaide Enfield councils admit being caught in payroll email scam
At least three Adelaide councils — Mitcham, Charles Sturt and Port Adelaide Enfield — lost tens of thousands of dollars after being caught in an email “phishing” scam. Here’s how they were duped.
Three Adelaide councils have been fleeced of ratepayer money as part of an elaborate email scam relating to staff pay.
Mitcham, Charles Sturt and Port Adelaide Enfield councils have admitted handing over a combined $20,400 with one council losing more than $13,000 to interstate criminals earlier this year.
It is known at least four other councils were subject to the same email in a cybercrime known as phishing.
The Advertiser has confirmed councils received emails from someone posing as staff members claiming their bank details had changed and asking for them to be altered in the payroll system.
The councils then obliged the requests and changed the account into which the staff member’s pay was deposited to that of the scammer.
A transcript of the email obtained by The Advertiser shows it to be a simple instruction:
“Good Day,
I’d like to change my EFT dd info, can it be effective for the current pay date? My old account is closed and I changed to a new financial institution.
Thanks”
The email was then signed with the name of a current council staff member.
A northern council told The Advertiser it had received several of the emails but hadn’t acted on them.
They took particular note that the emails were from staff members who were currently on leave and holidaying overseas.
Port Adelaide Enfield was defrauded of $2974 before the error was discovered and reported to SA Police.
Port Adelaide Enfield Mayor Claire Boan — also the chairwoman of the council’s audit committee — said the council had conducted anti-phishing training across all its staff since the scam was discovered.
“The staff member (responsible) feels terrible,” Mrs Boan said.
“It was so realistic that you couldn’t imagine it wasn’t even the case. It was really a bit of bad luck.”
Mitcham, which handed over $13,423.26, said it had informed elected members and its audit committee about the scam although the first four councillors approached by The Advertiser said they had no knowledge of the fraud.
Cr Lindy Taeuber said she was aware, having been informed by an email “a few weeks ago”.
Mitcham chief executive Matt Pears said the money had been recovered through insurance.
The council has also been the subject of a second scam involving credit card details of an executive staff member.
The Advertiser understands six unauthorised transactions on the credit card were used to purchase accommodation on the east coast of NSW.
An audit statement said: “All transactions were identified immediately, and a disputed transactions form was prepared with the provider. A new card was reissued within two days and all money was refunded.”
The total amount defrauded has not been revealed.
Charles Sturt Council also lost $4000.
All the councils recovered the money either through insurance or their banks.
The three councils said they had strengthened their business processes and internal controls since the incidents.
Police confirmed they had investigated the scams after they were reported through the Australian Cybercrime Online Reporting Network.
They were set to be forwarded to Victorian Police for further investigation.
Police also said businesses had been targeted with similar scams.
A Local Government Association spokesman said the council lobby group was unaware of any of its members being hit by the scam and refused to comment on the matter.
Local Government Minister Stephan Knoll and the Australian Cyber Security Centre were contacted for comment.