Alexandria, VA

Alexandria Police are investigating the theft of nearly $184,000 from the city’s finance department in a suspected phishing scheme.

On Jan. 28, the department made a payment of $183,956.10 to what it believed was Integrity Construction Services, a vendor to Alexandria City Public Schools. The president of the company, Alex Lucas, told police that he is the victim of a phishing attack. The payment was actually sent to an unknown cyberthief.

Police were notified of the theft on Feb. 5.

“The suspect sent and received multiple emails from Mr. Lucas’ account until he was able to get in contact with someone from City of Alexandria Finance,” police reported in a search warrant affidavit. “From there, the suspect successfully changed the method and destination of payment for Mr. Lucas’ contract with the City of Alexandria.”

The finance office, which is located at City Hall (301 King Street), started receiving fraudulent emails last October requesting a change from a paper check payment to electronic funds transfer. An accounting manager with the city took multiple steps to verify the account information. The first email to the finance office was sent on Oct. 18, 2019, and the office continued to receive emails until Feb. 5, 2020, documents show.

The individual portraying themselves as a representative from Integrity Construction Services communicated via email and sent a voided check at the request of the account manager, according to police. The voided check showed the name of the vendor, but the account belongs to a woman in South Carolina.

Police spoke with Lucas, who told them he had no knowledge of what transpired, and subsequently hired an IT consultant who determined he was the victim of a phishing scam.

“The suspect who successfully phished Mr. Lucas’ email address gained access and established rules with the Outlook 365 program Mr. Lucas used,” police reported in the affidavit.

Alexandria spokesman Craig Fifer said that the city was not the victim of a phishing attack.

“The city provides training to all employees on how to avoid phishing attacks, and this was not a case in which the city was the victim of a phishing attack. This was a breach on the vendor’s side,” he said. “The city and ACPS are reviewing our vetting practices to improve those controls and keep this situation from happening in the future.”

Fifer added that the city is still in the process of paying the vendor.

“It’s slightly delayed by the investigation, but we’re in the process of making that payment,” he said.

If the thief is caught, he or she could face felony charges punishable by up to 20 years in prison.

×

Subscribe to our mailing list