WELLFLEET — The town came close to being scammed out of more than $1 million last summer.
According to the fiscal 2023 audit and internal emails between town officials, in July 2023 former Treasurer Cameron Scott received an email from someone pretending to be at the MIG Corp., the town’s contractor for the Herring River Restoration Project. The email said MIG was now requiring payment by wire transfer.
“Adequate steps to verify that it was a legitimate request were not performed and $1.1 million was wired to a fraudulent account,” the auditors wrote. According to an email sent to the select board by former Town Administrator Rich Waldo, Scott made the payment on July 5, just before he left to become assistant treasurer in Eastham. The fraud was identified two days later by Assistant Treasurer Christine Young and interim Treasurer Alex Williams, Scott’s replacement.
Waldo told the board that Scott “did not pick up on the false but similar email address of the sender” and had not verified the payment terms.
Waldo reported the scam to Cape Cod 5, the town’s bank, and to the Barnstable police. The town also asked for help from the FBI’s Boston office. Cape Cod 5 contacted Truist Bank, where the fraudster had opened an account, and “immediately began working to withdraw payment,” Waldo stated.
According to Christopher Richards, a vice president at Cape Cod 5, the funds had not yet been credited to the fraudulent account and the banks were able to freeze the transfer. Although wire transfers are among the fastest ways to send money, they must go through wire desks on both ends, which takes time, Richards said. The chances of recovery, however, are low.
“There is never a guarantee that funds can be recovered,” said Richards. “Once funds leave the bank and go to the beneficiary’s bank, typically those funds are gone.”
The cyberattack came during a period of conflict between Waldo and then-select board chair Ryan Curley. In response to Waldo’s email about the attack, Curley wrote: “This is what happens without the proper controls in place.”
Waldo declined to comment on the incident, and Scott did not respond to an inquiry from the Independent.
In their report, the auditors wrote that the town should develop “robust controls” including “regular employee training on identifying phishing emails, implementing advanced email filtering solutions, and having clear reporting procedures for suspected phishing attempts.”
Town Administrator Tom Guerino said that Wellfleet “has good controls in place now,” including online training for staff on email scams and other cybersecurity threats. Staff members are also required to implement multifactor authentication, which requires secondary proof of identification when logging into town accounts. Electronic payments to vendors are no longer allowed, he said, and the town is “very deliberate before any payments are made.”
Auditor Renee Davis of Markum, formerly known as Powers & Sullivan, assured the select board on Aug. 20 that the town is not alone in being targeted. “This is happening in a lot of places,” Davis said. “I don’t know if any of us are insulated from that.”
In June, the town of Arlington lost almost $500,000 to a similar scam, joining a list of municipalities that have fallen victim to attacks since 2020 that includes Tewksbury, Franklin, Quincy, Lowell, and Concord. In 2023, the FBI’s Internet Crime Complaint Center received over 21,000 complaints about email fraud with over $2.9 billion in losses.
Richards said that municipalities are “high value targets” and thus are frequent victims.
“You were very fortunate to get this back,” Davis told the board.
Overall Improvement
Markum’s fiscal 2023 audit report found the town’s internal controls over its finances are now “a much better story.” The 2023 audit covers the year Waldo was the town’s administrator.
The positive result comes after years of faulty bookkeeping. High turnover, incompetence, and lack of training when the town switched to new accounting software left it scrambling to reconcile $5 million in unbalanced books since 2018. Powers & Sullivan’s 2020 audit found an “unknown variance” of over $750,000 in unreconciled cash.
The financial meltdown caught the attention of the state Dept. of Revenue, which would not certify the town’s free cash, or leftover money from the previous fiscal year, for three years.
The fiscal 2021 audit identified various “material weaknesses” in the finance dept.’s internal controls: the town’s inability to reconcile its cash books, a lack of supporting documentation for money coming in, and the town’s failure to record transactions to its general ledger in a timely and consistent manner.
Davis noted “significant improvement” on the finance dept’s reconciliation and recording, which are now no longer considered material weaknesses, she said. According to the audit’s management letter, cash reconciliation is “partially resolved.” Cash discrepancies have been identified and corrected, but the town still needs to develop written policies on reconciliation, Davis said.
Support for accounts receivable is also partially resolved. There are “still some unknown variances between the general ledger and supporting documentation,” the audit said. And control over the general ledger is also partially resolved.
Staff turnover is still a concern. “Extended absences and significant turnover in key financial positions increases the risk that daily processes are not being performed on a consistent basis,” the audit stated.
The auditors’ management letter noted a delay in the town’s contribution to the Other Postemployment Benefit Trust Fund. The 2022 town meeting voted to contribute $200,000 to the fund. But that actual cash transfer was not made until February 2024.
Another comment related to insurance payments to the Cape Cod Municipal Health Group before they were authorized by town meeting. According to the audit, from March through June 2023 the town paid bills totaling $480,836 in expenditures and $356,075 in the release of holdings. Davis said these payments were released before going on the town warrant.
“Releasing any funds prior to the authorization and approval of Town officials is a breakdown in this system of controls,” the audit stated.
The 2023 audit included nine additional comments — an improvement from the 14 comments in the 2021 audit and 12 comments in the 2022 audit. “The town really struggled for several years,” Davis told the board. “There were material weaknesses. The good news is that, starting in FY2023, that did go away.”
