We are so used to hearing that computer security is an ongoing arms race where you have to be eternally vigilant. It’s not often enough, though, that we get specifics of why we need to keep on our toes, so the quite disturbing scam that’s caught out South Lanarkshire Council is very instructive.

And scary; I’m sorry to say, as a journalist, that this episode shows why you really, really don’t want your security snafus covered in the press, as it will only make it worse.

So the facts are these: the Scottish local authority in question lost £102,000 after it was conned by a letter that claimed to come from one of its regular, kosher suppliers asking for payments to be made into a different account.

Finance complied, apparently without checking the request was genuine, and the £102,000 was sent to the forger’s bank account. The Council is now working with the Police to see if there are any other possible examples, while a national (Scottish) investigation is now underway to see if any other Town Halls have been similarly stolen from, and of course to attempt to trace the gang.

Some press reports seem to think this is a bit amusing, citing ‘ironic’ details that make South Lanarkshire look foolish. To wit: the council has a £55m budget shortfall (so can hardly afford to waste this sort of money) and its own Trading Standards department had in parallel sent out a letter to residents reminding them that any communications asking for bank details "should set alarm bells ringing" (crooks had been calling residents to tell them their homes had been put in a lower council tax band and asking them to hand over their bank details to receive a refund).

But that of course isn’t the case here, as the duped Finance person didn’t do that – they thought they were dealing with a real supplier. And while we think the gang involved is from West Africa, the theft isn’t your usual 419 nonsense; it was proper, nasty thievery with forged documents: the whole nine yards.

One Scottish paper added the piquant detail that the council is not insured against outside fraud and that the burghers have had to pay the £102,000 to the real suppliers to boot.

It’s a mess, and this is very sad for a perfectly good council that’s been made to wear a Dunce’s cap. Learnings: one, there should have been a better (EDRM-based?) accounting process. Two, no-one is perfect. Three, if you don’t think this could happen to you, you’re on the brown acid. And four: if you’d like to be the head of Finance in this team – let alone the poor soul who pressed the ‘go’ button on the BACS transfer – then you truly are a masochist.

Security is not a funny subject. Look at this car wreck, learn, move on and stop sniggering like a schoolboy.

Clown image courtesy of SpiritMama on Flickr.