SEATTLE — A Washington state audit found that the Port of Seattle lost more than $500,000 in public funds to multiple phishing scams in 2021.
The Port reported two phishing incidents to the Washington State Auditor's Office. The audit found that the two incidents resulted in eight payments of public funds, totaling $572,683, to fraudulent bank accounts.
The Port was able to recover $522,683 through direct recovery and crime insurance.
"We found that although the Port had procedures in place to protect electronic funds transfer (EFT) payments from loss, staff did not consistently or adequately follow them," the Auditor's Office wrote. "Further, the training the Port provided to employees was ineffective, as staff missed key red flags common to phishing schemes, such as misspellings in the email body and email address, as well as the bank declining EFTs due to closed accounts."
"Despite the robustness of controls in place, the human element can become a factor in any well-designed internal control environment," the Port of Seattle wrote in response to the audit.
Port staff involved in the 2021 fraud attended mandatory training on cyberfraud and fictitious emails, provided by the Port's information security department in 2022 in response to the incident. This training is now an annual mandatory refresher.
According to the Auditor's Office, since 2016, Washington’s government has reported more than $28 million of lost public funds as a result of cyberfraud.
According to the Federal Trade Commission, here are some indicators of a possible phishing scam:
- The email has a generic greeting.
- The email says your account is on hold because of a billing problem.
- The email invites you to click on a link to update your payment details.
- There are spelling or grammar errors in the email.
- The email includes coupons for something free.
- The email says you need to confirm personal or financial information.
If you suspect a phishing scam, report it to the FTC by emailing ReportFraud.ftc.gov.