
Nearly $1.1 million was lost from the city of Aurora’s bank accounts late last month because a city employee fell for a deceptive phone call, officials say.
After questions from The Beacon-News, Aurora released limited information about the incident earlier this week. Since then, city officials have confirmed additional details about what has been called a cyber attack.
The “social engineering fraud scheme” is currently being investigated by the city, law enforcement and outside cybersecurity experts, according to a statement Aurora sent The Beacon-News on Thursday.
Early findings of the investigation show that, on April 29, a city employee received a phone call from someone impersonating a bank representative, city officials said in the statement.
“The caller used deceptive tactics to appear legitimate, establish trust, and create a false sense of urgency, ultimately prompting the employee to disclose sensitive account information,” the statement said.
Aurora Mayor John Laesch called the incident a “very sophisticated cyber attack” when he spoke to The Beacon-News on Tuesday. When asked if disciplinary action had been brought against any employees because of what happened, he said that he couldn’t comment since the situation was still under investigation.
Despite the fraudulent transfer of nearly $1.1 million from city payroll bank accounts, city officials have said there is currently no evidence the city’s network or other data systems were compromised.
Aurora is still waiting to receive the results of its financial institution’s forensic audit to see whether any employee data stored on its systems might have been impacted, the city’s statement on Thursday said. City employees are expected to be notified if any of their information is found to have been affected.
There’s currently no evidence that any resident data was compromised, city officials confirmed.
When Aurora discovered the incident, it notified law enforcement and the city’s financial institution, activated response procedures and hired outside cybersecurity experts to help with the investigation, according to the city’s recent statement.
The city found out about the situation the day after it happened, Laesch has said, but information wasn’t released to the public because of the ongoing investigation.
The FBI has confirmed that it is aware of the incident but declined to say whether it is investigating due to U.S. Department of Justice policy.
The Aurora Police Department replied to questions from The Beacon-News earlier this week by confirming that “a reported incident” involving the city was under investigation, but a spokesperson said that more information was not available because of the “active and ongoing nature of the investigation.”
Similarly, city officials have repeatedly declined to provide more information because the investigation into the incident is still ongoing. In its most recent statement, Aurora noted that additional updates would be provided “when appropriate and in a way that protects the integrity of the investigation.”
Before Thursday, the city had also declined to give the dollar amount that was lost during the incident, except to say that it was a “considerable” amount, and had declined to discuss the nature of the attack beyond stating that fraudulent payments had been made through ACH transactions.
According to the federal Consumer Financial Protection Bureau, an ACH transaction is an electronic transfer of money between banks and credit unions. Businesses often allow the payment of bills through ACH transactions, which requires handing over a bank account number and routing number, the bureau notes on its website.
Law enforcement agencies are working closely with financial institutions to recover a portion of the funds, and city leadership continues to work with various partners to identify those responsible and work towards options for the full recovery of funds, city officials said in the statement from Thursday.
Aurora has recovered some of the lost funds and will continue working with law enforcement until “all of it or more of it” is recovered, Laesch said on Tuesday. He would not disclose the specific amount recovered so far.
Since these types of attacks are becoming more common nationwide, the city has insurance coverage to help mitigate financial losses of this kind, according to the recent statement.
“Cybercriminals are increasingly using sophisticated tactics that exploit trust and create urgency, making these types of scams a growing challenge for both public and private organizations,” the statement said. “The city takes its responsibility to protect public resources seriously and appreciates the cooperation and support of staff, financial institutions, and law enforcement agencies as this matter continues to be addressed.”
The city plans to continue working on its internal procedures, security measures and employee training programs to strengthen protections and help prevent incidents in the future, city officials said.
Aurora is currently contracted for cybersecurity-related services with NuHarbor Security, Inc., which was selected by the city towards the end of last year. City Council also approved the cybersecurity training course KnowBe4 for employees at around the same time.
The city holds internal training and phishing exercises that staff have to go through, according to Laesch. A city spokesperson said those trainings happen regularly.
rsmith@chicagotribune.com




