Kentucky Association of Counties


'It truly looked like it was from me'

Owen County judge/executive shares story of attempt to scam office.
By Susan Riddell

It’s standard procedure in Owen County Judge/Executive Todd Woodyard’s office for county staff to prepare documents for the fiscal court’s meeting packet, including invoices and information relating to topics on the upcoming agenda. This preparation typically occurs on Fridays prior to the Tuesday meetings. 

“The packet has all the information of the things we’re working on and voting on,” Woodyard said. “Once the claims are approved by the fiscal court, we cut the checks for the items that need to be paid.”  

As they were finalizing a packet showing recent receipts, claims, transfers and more before a recent fiscal court meeting, a staff member received an email that appeared to be from Judge Woodyard. The email focused on a $22,000 bill the county needed to pay and said payment should be rushed. This invoice was included in the packet.

“It truly looked like it was from me,” Woodyard said of the email. “It used consistent terms that we use like preparing for the Friday packets. It had my address, everything needed.” 

Thinking they were communicating with Judge Woodyard, the staff person replied to the email and mentioned the vendor wasn’t in the county’s system.  The subsequent response recommended the staffer call a number to get the proper paperwork to set up an account.  

“They had sent us a fake W9 and everything,” Woodyard said. “Later that day, I walked past our new treasurer’s desk, and he asked what that company did for us, and I wasn’t familiar with who he was talking about. I asked to see the emails and sure enough, it was a phishing scam.”

Owen County nearly fell victim to a cybersecurity threat known as spoofing. A spoofed email appears to come from a trusted source and is used to trick the recipient into sending money, providing sensitive information or clicking on a malicious link.

As soon as they realized what was happening, Woodyard and the fiscal court implemented a new verbal confirmation policy for payment requests.  

“If it's not on our standing orders or something normally that we do, nothing gets added without a follow-up phone call to me,” Woodyard said. “We won’t be using any information from the direct phishing scam or replying to that message without verification.” 

That means starting a new email to verify or calling the alleged source using a number not on the email.  

Woodyard says it’s also important to check email addresses to see the actual source and to be cautious anytime an email mentions things like rushing a payment or says the sender cannot be reached by any means other than replying to the email.

“Those are big red flags,” Woodyard said. “We just want other county offices to be aware of what’s potentially out there. I think a lot of people think they target larger companies, but we’re a small staff here. 

“I think they are focusing a lot on rural counties right now, too,” he added. “The more we talk about it, the more people are sharing it, and we can bring a greater awareness to hopefully prevent these people from getting away with this. When it does happen, we can stop it before they get away with it.”

As scammers become more sophisticated in their approach, it’s important to continually review cybersecurity best practices. For more information about cyber threats and ways to protect your county, review KACo’s cybersecurity resources.
