Thieves apparently used a Nigerian-based scam to steal $2.5 million from the Utah treasury, covering their tracks by using intermediaries and a church address.
Michael Kessler…said the thieves appear to have used a simple scam that originated in Nigeria about five years ago. The Utah theft is the first time he’s seen a government victimized.
“Their IT people should have known better,” Kessler said after reviewing a copy of the search warrant Thursday. “It sounds like any kid could have done this.”
The search warrant, made public this week in Salt Lake City’s 3rd District Court, said someone in August obtained a vendor number for the University of Utah’s design and construction department. They then forged the signature of the department’s director and submitted paperwork to the state of Utah changing the department’s bank account information.
Fraudsters logged onto a state Web site and submitted invoices to the state on behalf of the campus department. When the state paid the invoices, the money went to a Bank of America account in Texas.
The thieves reaped $2.5 million before the bank called the state to inquire why such large payments were going to the account.
Attempts to contact any of the people listed in the search warrant Thursday as receiving or transferring money were unsuccessful.
Tee hee.
Do we know anyone in Utah who may have done this?
Not like it is real money. That is a “m” and not a “b” or “t” following the two-point-five.
Get a decent AR/AP system! But most really large organizations don’t check a thing if its under a million or so..
really!
I read the full article but still don’t understand why the quote “Their IT people should have known better”. Of course they used a system probably owned by IT, but payments like this should have required finance approval. Don’t blame the system, blame the people approving the payment for not looking a little closer. Its a controllership problem not an IT issue.
There is nothing Nigerian about submitted phony invoices to AP. That is an old scam. Any comptroller worth his salt would have had a system in place to authenticate all invoices submitted. In my experience, invoices are only paid when there is a purchase order matched to it. PO’s have to match against budgets, vendor authorizations, etc.
Sounds like the state comptroller screwed up. Perhaps he/she is trying to avert blame by trying to make the IT dept take the fall.
5,
DITTO..
Automated system with NO HUMANS checking/watching.
Multiple/many invoices coming in, should have made whistles blow, and a double check and phone call.
4 DITTO
Heck, as broke as our states are the check will probably bounce! Now who’s the joke on?
#5, #6
You’re correct they should have caught it. The bank’s system eventually flagged it. Why didn’t theirs?
I have a feeling this being publicly known is just going to encourage more scammers, and the more creative type emulating what they did 🙁
#5, Ron is correct.
I had to sign every PO before the order and either I and/or a Supervisor signed the invoice. Accounting wouldn’t pay without both PO and invoice matching and signed.
Now that is probably standard in industry, a State might be different.
I have caught three or four scammers through the years submitting phony invoices straight to purchasing. I assume there are some companies without sufficient controls in place so the scams succeed.