SALT LAKE CITY — A "spear phishing" attack scratched San Juan County for $48,000 and Emery County for nearly $40,000 earlier this year, prompting a Utah auditor's office warning to public agencies across the state.
"I would say everyone is a target," Utah Auditor John Dougall said. "Smaller counties may be at a greater risk because of the lack of sophisticated controls and other folks that are experienced with these types of attacks."
In June, Emery County Treasurer Steven Barton received an email that appeared to be from Commission Chairman Keith Brady, saying a wire transfer needed to be sent, asking about the general fund balance and seeking a reply as soon as possible.
Seven emails between Barton and the scammer and 91 minutes later, the treasurer wired $38,700 to a fake consultant in Florida.
Barton fell victim to a scam known as "spear phishing," according to a state auditor's office report released Tuesday.
Scammers use information on a website, such as names, titles and other references, to draft an email that targets an entity for money. The email is specific enough to seem real, but it's also very general, Dougall said.
"They thrive on familiarity and a sense of urgency. There's just enough information to make you think that you're talking to the person that it's supposedly coming from," he said, adding that it makes the recipient less vigilant about verifying the request.
San Juan County lost $48,000 the same way just days after Emery County did. Scammers also targeted another county in Utah, but the auditor ignored the email, Dougall said.
The incidents prompted Dougall to send an alert to local governments warning them of the scam.
The treasurers in both Emery and San Juan counties realized the next day they had made a mistake and notified other county officials. Dougall said there were no attempts to cover up the transfers or alter financial records.
Emery County Sheriff Greg Funk notified the state auditor's office, leading to the report. Funk did not return a phone message Tuesday for comment.
Barton did not request documentation for the wire transfer until almost 24 hours after the money was sent. Barton believed the transfer request came from Brady and trusted that he would provide the documentation shortly after the transaction, according to the report.
Had the treasurer called the commissioner on the telephone or sought confirmation through the county auditor, the scam could have been avoided, according to Dougall.
The state auditor recommended that Emery County adopt policies over cash receipts and disbursements for all employees, including obtaining documentation and approval before any transaction, regardless of the apparent urgency.
In a written response to the report, Brady wrote that the county treasurer's office has written procedures but no written policies.
"We have adequately followed unwritten policies for at least the last 19 years and have never run into this type of problem," the commission chairman wrote. "We don't believe there are any controls you can put in place that would completely prevent this if the controls are not followed, which is what happened here."