Online Requests To Change Payment Procedures: A Red Flag That Needs Thorough Investigation

A district court judge sentenced a man accused of stealing nearly $700,000 from the City of Fort Worth to 12 years in prison.

The accused, who pled guilty to theft of property greater than $300,000, allegedly stole the money through a phishing email scam.

Fort Worth's accounts payable department received a change of account request in October of 2017. The spam email claimed to come from two Imperial Construction employees, one of whom was an actual person. The email requested that the department change the construction company's electronic deposit to a Chase Bank account and included a copy of a check with the account and routing numbers. Imperial Construction later told authorities that the signature of the real employee had been forged.

The city changed the bank account, believing that Imperial Construction had changed banks. According to the affidavit, the scammer had access to the new account and withdrew thousands of dollars in cash from ATM machines in Houston.

After withdrawing the total - $693,625.77 - in the bank account, the 50-year-old man flew to Nigeria. He later returned to the U.S. and was arrested in Houston.

A terminated senior city IT manager filed a lawsuit, claiming the city mishandled the phishing scam. He also claims that the city allowed employees with criminal convictions access to a confidential FBI criminal database and allowed anyone to access employees' medical and personal information.

The plaintiff allegedly told the city's acting chief financial officer and acting chief technology officer that the city's cybersecurity had been compromised. The lawsuit claims they rejected the plaintiff's remediation proposal because it would have required City Council approval and public disclosure.

The plaintiff claims he was placed on administrative leave and then terminated in retaliation for reporting the security breaches to law enforcement after city officials failed to act. Emerson Clarridge "Court Sentences Man Who Stole $700K in City Phishing Scam" (May 14, 2021).


An email request to change the bank account associated with a direct deposit is only one type of phishing scam organizations may face. Cybercriminals target employers with a wide range of phishing attacks.

Any request to change accounts to which money is wired is a red flag and should require additional steps to make sure that the request is legitimate, including making independent confirmation that the request is legitimate, followed by a formal request in writing signed by the right authorities. A simple email request with an attachment is not enough to change payment protocols.

To spot this red flag and others, organizations must train employees on cybersecurity best practices. Teach them to always question any request sent through email and to call the official number for the organization, not a number included in the email, to confirm all requests.

Finally, inform employees to notify the designated individual or department immediately if they believe they have fallen victim to a phishing scam. The only thing worse than an employee complying with a scammer’s request is an employee covering it up for fear of termination.

Finally, your opinion is important to us. Please complete the opinion survey:


Anti-virus Software: Ineffective Against Surging Zero-Day Malware

A malware report from the first quarter of 2021 shows how zero-day malware is a significant threat that many traditional security programs cannot detect. We examine. Read More

Limited Access Is The Centerpiece Of All Data Security Strategies

Employers must revoke account access when employees leave. Read about how continued access creates exposure. Read More

Why Is Trojan Malware So Effective?

The latest security report shows Trojan malware is a primary network security risk for users. Read about the dangers of this type of attack and how to avoid becoming a victim. Read More