The City of Solvang fell victim to a phishing scam, leading to a $538,000 loss, some of which was covered by insurance.
Buried in Solvang’s annual audit report for the 2021-22 fiscal year was a brief, two-sentence mention about the phishing scam.
“The city was also a victim of a phishing attack which caused a net expenditure of $538,000. The city reported the incident to law enforcement authorities, and the city received $250,000 in insurance proceeds for the loss after June 30, 2022,” the annual audit report noted.
City officials reported the incident to the Santa Barbara County Sheriff’s Office, which serves as Solvang’s police department.
“I’m not sure how much information I can disclose without interfering with their investigation on that,” City Attorney Dave Fleishman said in response to questions from Noozhawk, adding that he believed the investigation remained open.
He declined to specify how the incident occurred, saying it may give away a key signature of the criminal’s behavior.
A routine financial report during the Feb. 27 meeting prompted a question from Councilwoman Elizabeth Orona, which led to a staff response that mentioned “fraud.”
An audience member asked about the fraud reference.
“That’s something that happened awhile back. It was brought up at a prior council meeting, but we are not going to address your question directly and give you an answer,” Mayor Mark Infanti said.
The phishing payments reportedly were made during the fiscal year running from July 1, 2021, to June 30, 2022.
It’s not clear whether it involved one errant payment or more.
Steps have been taken within City Hall to prevent a recurrence, the city attorney added.
“I can assure you that measures have been put in place,” Fleishman said. “I can’t tell you exactly what they are because I don’t want to give insight to what the city is doing because it might allow those with bad intentions to find a way around them.”
He declined to discuss whether the incident led to any disciplinary actions, adding that he couldn’t discuss personnel matters.
City employees caught the incident and alerted the auditor about the loss.
Unlike many small cities, Solvang has a relatively healthy financial status because of its popularity among tourists.
However, the Danish-themed city isn’t alone in getting scammed.
During the Jan. 23 presentation to the City Council, a member of Solvang’s auditing team noted a financial loss due to the phishing attack, “which is unfortunately getting more common these days.”
The City of Fresno lost $614,000 in 2020 after paying invoices that appeared to come from a city contractor but actually included a different bank account number for the city to send the payment, according to the Fresno Bee.
Likewise, a city in Ohio received an email late last year from a city vendor submitting a new bank account number with an invoice, according to USA Today. A city employee updated the information and paid $218,000, only for officials to learn later they had fallen prey to a phishing scam.
Some public agencies in other states have reported millions of dollars in losses to assorted phishing attacks and other cyber crimes.
The FBI’s Internet Cybercrime Complaint Center, or IC3, has seen an increase in reports with more than $40 million in losses for 2021 and a number likely to grow.
Fleishman said members of the public as well as businesses and government agencies must remain vigilant to guard against falling victim to phishing expeditions.
“They are becoming more and more common, and they are looking for any opportunity to make money where they can,” Fleishman added.