Scammers steal $500,000 from Galveston County, two officials held responsible

• A Galveston County judge called on 2 officials to resign, blaming them for the theft of the $500,000.
• The scammers have not been caught and the stolen funds have not been recovered.

Galveston County Judge Mark Henry called on the county's auditor and purchasing agent to resign accusing them of being responsible for scammers making away with hundreds of thousands of dollars.

In June 2018, a wrongful electronic payment of $525,282.39 was paid to a cybercriminal who posed as a county contractor. Judge Henry, at a county commissioners meeting, said that County Auditor Randall Rice and County Purchasing Agent Rufus Crowder should be held responsible for the erronous payment.

It is to be noted that the cybercriminal(s) have not been caught and the stolen funds have not been recovered. The cybercriminal(s) pretended to be a county contractor who represented Lucas Construction Co. - a Houston company doing road work for the county.

The disagreement

“I find it unacceptable that homeowners are held to a different standard than county employees," said Henry, "As a result of that, I'm calling for the resignation of the purchasing agent and the county auditor for their involvement and their refusal to take any responsibility for what has happened here."

The county judge revealed that he does not hold the authority to sack the two officials, as neither of them reported directly to him and commissioners court. Henry also said that he would direct their boards to hold them responsible.

"The purchasing agent reports to a purchasing agent board and the auditor reports to a state district judge board, so all six state district judges appoint him and can remove him," Henry said.

The County Auditor did not respond directly to Henry's demand, but he pointed out that an investigation conducted by Dawson Forensic Group revealed that no single office or person was to blame for the theft.

"I think that the report was fairly accurate... the conclusion they had was that everything that had been done was done according to the constitution of the state of Texas and the appropriate procedures were followed that were existing at the time and since that time, we've added additional procedures and policies in place and we're continuing to work to improve all of those things to further protect the county," the County Auditor, Rice said.

What happened?

The Dawson Forensic report, which was released publicly on December 3, 2018, provided a detailed account of the scam and the county's lack of safeguards in protecting itself against this kind of cyberattack.

The cybercriminal created a fake email address to pose as both a county employee and as a representative for the Lucas Construction Company. The scammer also used a form, obtained through the county's website, to request a change on the bank account information for the road contractor. The scammer also requested the company to make the payment through an electronic transfer, instead of paying with a paper check.

The scammer used fake email addresses that mimicked real email addresses used by the county and the contractor. The report stated that the county purchasing department lacked validation processes to ensure that the new bank account was valid.

Preventive measures taken

Investigators concluded that the county's treasurer, auditor, purchasing agent, and information technology office had "coordinated the design of new processes" to identify potential technical issues that will help identify such future problems as they occur rather than after an attack.

Judge Henry was annoyed that Rice had emailed the county on December 10, 2018, requesting the surety bond for his office to be reduced from $100,000 to $5,000.

"He doesn't want taxpayers to have any recourse if he makes another mistake in the future," Henry said. "I find that extremely unacceptable and a slight to the taxpayers in this county who are forced to pay their taxes every year."

Meanwhile, county commissioners voted unanimously to raise the surety bonds held by the county treasurer to the maximum amount, $500,000.

Henry said after the commissioners' court meeting that he hoped to establish a committee to offer recommendations to the county on how to further protect against any future cyberattack, evidently finding the changes Rice has implemented in the county auditor's office to be insufficient.

"That's why, I told commissioners' court, if the auditor's going to acknowledge that he can't do his job, maybe we should hire another auditor to audit the auditor," Henry said.