Wire Fraud Bad Guys, not Hackers, Stole $2.3 Million from Wisconsin Republicans in an Epic Wire Fraud Case

As reported by the AP, the “Wisconsin Republican Party says hackers stole $2.3m” two weeks before the 2020 election. That is an enormous amount of money. Try to imagine the energy and urgency of working on and in those campaigns. The pace was frenetic, the dollars spent immense, and armies of vendors and consultants were looking not only to aid their Republican or Democratic clients, but also to get paid.

That environment, driven by high stakes, deadlines and dollars, is clearly ripe for exploitation, as proven by the massive dollar loss for Republicans and the number of cyber attacks aimed at Democrats (800 according to the AP).

Upon a close examination of the available facts, however, blaming a hacker is an oversimplification. A notorious hacker might seem impossible to stop, making losses seem more unfair, inevitable or even excusable. This, however, was wire fraud, pure and simple, perpetrated by a criminal, and it is a scam that has been on the books since 1872. The fraudster may have used technology in a nefarious way, but ultimately relied on social engineering, a twenty-first century term for techniques con men have been using for hundreds of years.

Was the theft of $2.3m a hack? 

No. In fact, the Republican Party willingly sent the money to the fraudster.  

Republican Party Chairman Andrew Hitt said the hackers manipulated invoices from four vendors who were being paid for direct mail for Trump’s reelection efforts as well as for pro-Trump material such as hats to be handed out to supporters. Invoices and other documents were altered so when the party paid them, the money went to the hackers instead of the vendors, Hitt said.

The Republicans were delivered fake invoices and dutifully paid them. This was an exercise in forgery and an exploitation of human nature and weak organizational processes. In similar cases we have seen the criminals use the high-stress environment and the time pressure around the request to lean on those paying the bills. Staffers, time and time again, relate how they were afraid to cause a problem due to the urgency of the request. They ultimately didn’t want to “hold up” funds, slow down business, or get in trouble.

Was the theft IT’s fault?  Was it accounting’s fault?

Neither. In the vast majority of cases, it is leadership’s fault for not having both appropriate IT and accounting processes and tools in place.  Blame is generally pushed down and shared across groups, but we often see finance pointing a finger at IT, and vice-versa.  At the end of the day the mistake was found not by someone examining code, but by someone noticing a bad invoice, likely during a bank reconciliation or account review. 

It was discovered after someone noticed that an invoice was generated that should not have been, he said.

Believe it or not, this is a simple problem with a simple solution.

Should my IT team have done something more?

Hitt said it appears the attack began as a phishing attempt and no data appears to have been stolen, said party spokesman Alec Zimmerman.

Having a robust technology platform in place certainly helps. Secure networks, anti-virus software and two-factor verification are all important. However, in most cases, the criminal will be looking to use technology as a cover to convince someone to willingly, if unwittingly, release funds to the wrong account.

Awareness training and testing are modestly effective against common hacks, business email compromise, and fake invoices. However, fraud prevention based on training requires that your team never make a mistake. Unfortunately the criminals, especially the sophisticated ones, are expert at manipulation and deceit in order to cause a lapse in judgement.

What can I do to protect myself and my business from wire fraud? 

Implement best practices in IT and financial controls to protect yourself. Specifically:

  1. Create a documented policy and procedure, including requirements for verification calls to validated numbers.
  2. Make certain your organization is aware of, and trained on, these procedures (especially including senior executives).
  3. Ensure the wire team members have well-delineated responsibilities and clear communication for all wire transfers.

If you have been a victim of wire fraud or would like to learn more about how the Conduit platform can dramatically lower your risk, please contact us.