While initial reports indicated the City of Tenino lost roughly $270,000 to scammers in 2020, Washington State Patrol (WSP)’s fraud investigation and the Washington state Auditor’s report have revealed the actual amount was $336,968 — of which only $56,659 has been credited back to the city, resulting in an overall loss of $280,309.
The money left the City of Tenino’s bank account in 20 payments to multiple out-of-state bank accounts between March 19 and May 4, 2020, on the authorization of former Clerk-Treasurer John Millard, according to WSP’s investigation.
The results of WSP’s investigation were detailed in State Auditor Pat McCarthy’s official report on the City of Tenino’s misappropriation of funds, which was published on Thursday.
Millard received an email on March 19, 2020, from what he reportedly thought was the Washington Municipal Clerks Association requesting a loan to pay for some expenses for their 50th anniversary celebration, according to previous The Chronicle reporting.
The Washington Municipal Clerks Association sent out an email to all of its members — including Millard — that same day notifying them of the scam email and warning them not to make any payments, according to McCarthy’s report.
“While other recipients either deleted or ignored the email, contacted the association to confirm it was a phishing attempt, or contacted their IT departments, Tenino’s clerk-treasurer did not. Instead, on the same day as receiving the email, he initiated an automated clearing house (ACH) payment for $2,890 to someone in Ohio who was not connected to either the city or the association,” stated McCarthy in her report.
Millard reportedly received specialized training in cybercrimes during his time in the military, according to WSP, which noted “red flags about the email someone knowledgeable in cybersecurity should notice,” including spelling and grammatical errors, the frequency and use of multiple out-of-state bank accounts, the fact that it came from an email address not associated with the association and wasn’t signed with the name of the association’s current president.
Millard was the only recipient of the email who made payments, according to the report.
During an interview with WSP, Millard said he recognized the emails weren’t from the association’s official email address, but said he did not call the association to confirm the legitimacy of the payment request “because he recognized the name of the person who claimed to send the email,” according to the report.
Millard went to the Tenino City Council on April 14 and asked for council approval to “write a couple of checks” to help the association, and ultimately, the council approved $23,000 for that purpose.
“He did not disclose that he had already paid $45,090 to purportedly help the association,” according to the report.
While he stated he asked the city council’s approval before he started making payments, “he said he did not get the council’s approval for every payment,” according to the report.
While Millard told the city council the city would be reimbursed within two weeks of that April 14 meeting, Millard never received invoices or supporting information for the payments, he said, “but he didn’t care as long as the association reimbursed the city for the transactions,” according to the report.
He got a call from a Texas bank on May 5 that was reporting a concern about one of the payments, saying someone had come to withdraw the amount the city had deposited and attempted to close the account.
Millard told the bank to contact the professional association about the payment, and then Millard told the mayor “he had been deceived into a scam for city funds,” according to the report.
Millard told WSP “he convinced himself that he was communicating with the real professional association’s president, and that he did not realize he had been deceived until the out-of-state bank called him,” according to the report.
The City of Tenino reported the fraud to the Tenino Police Department, which reported it to WSP, and has been cooperative in the investigation, according to the report.
WSP found the phishing email originated from Nigeria, but WSP was unable to continue its investigation into the scammer once the funds were withdrawn and the bank accounts closed because the activity occurred out of state.
Millard resigned from his position in December 2020 and moved out of state, according to the report.
WSP closed the investigation in January 2021 and while it could not determine whether Millard personally benefited from the city’s loss, all of WSP’s files have all been turned over to the Federal Bureau of Investigation for further investigation.
McCarthy noted that the City of Tenino’s internal controls failed in this case because Millard had full access to the city’s bank accounts and could complete electronic transfers “with no oversight or monitoring,” and could also perform bank statement reconciliations without another person reviewing them.
She recommended the city improve its overall control structure by implementing a secondary bank statement reconciliation and either breaking up financial duties among different staff members or increasing oversight.
The City of Tenino stated it had already done both of those in the wake of the fraud: the mayor will now review bank reconciliations completed by the clerk-treasurer, and two employees are required to approve a transaction or transfer before it goes through.
There is also a dollar limit for transactions.
The city has also contracted with an IT company, Right!Systems Inc., to harden network security for the city and filter out phishing emails.
“The City of Tenino will continue to be diligent by improving and strengthening the internal controls and monitoring of funds through all available resources to prevent any fraudulent activities in the future,” stated the city in its written response to McCarthy’s report.
The auditor’s office will follow up on the City of Tenino’s internal controls during the city’s next audit, stated McCarthy in the report.
Tenino Mayor Wayne Fournier published the following statement after the release of the auditor's report:
“The City of Tenino would like to thank Washington State Auditor’s office for their thorough and comprehensive audit of the cyber fraud event that the City of Tenino was subjected to and discovered around May 5, 2020. When discovered the city acted quickly to initiate this investigation and we have worked closely with the SAO for nearly the past two years to complete this report. Through the course of this event and the subsequent investigation we have been able to improve upon our internal controls and ensure public funds are protected both internally and externally. As technology evolves and we gain new tools to conduct business it’s important that we continue to evaluate our policies to ensure that they protect new practices. It is important to note, that while the funds were lost, they were subsequently recovered, and the City suffered no actual loss aside from the damage to the Public’s Trust that comes along with any event like this. This administration practices radical transparency, with this unfortunate event we have been as open as we can as we could, we have made copies of the SAO report available at Tenino City Hall and it can be found on our City Website. Last but not least, this event is still part of an ongoing international criminal investigation that is being done by the Federal Bureau of Investigation and we cannot comment on an open investigation.”