The News10NBC team details breaking news, traffic and weather.
WEBSTER, NY – The Town of Webster sent scammers more than $500,000 in a phishing scheme and now town leaders and police are scrambling to get some of the taxpayer money back.
The fraud took place already in November but was only made public on Thursday. The scammers apparently posed as a contractor the city legitimately works with and sent an invoice with letterhead, logos, the real names of employees and what looked like authentic email addresses and bank account information for payment.
“Webster is in the middle of major infrastructure projects, we have Coke-Fairlife coming to town, our sewage plant that will support that is in the middle of an $80 million renovation, we’re building a new highway garage that’s $20+ million,” says Tom Flaherty, manager of the city of Webster.
It wasn’t until about 12 days after the bill was paid that the city realized there was a problem.
“The way we found out is the contractor called us and said ‘hey, when are you going to send us that $500,000+ money’ and we kind of did,” Flaherty said.
Webster police were able to freeze the account where the money was linked and there was still $300,000 in it.
“I think they may have had the money there because they took it out slowly so as not to raise any red flags and we got it before they took it all out,” says Flaherty.
That money will be earned and the other $240,000 will be covered by the city’s cyber insurance. “This is a very complex, sophisticated system,” says Flaherty.
Jennifer Lewke, News10NBC: “If it was so extensive and sophisticated, how do you make sure it doesn’t happen again?”
Tom Flaherty: “We’ve really expanded our policies and procedures and as often happens they’re probably over cautious now, like triple or quadruple authentication.”
Jennifer Lewke: “It was essentially two months where this happened, you figure out what to do with it and the taxpayers didn’t know about it. How come you didn’t tell people right away?”
Tom Flaherty: “It’s a pretty simple answer because when you talk about the ongoing criminal investigation, if we would have come out and told this to the world the day after it happened, it would have put us at risk of not being able to get any money back.”
The criminal investigation into this situation is ongoing, with both Webster Police and the FBI investigating.
Questions and answers from the Town of Webster about the incident:
Town of Webster – 2024 Phishing Incident Questions and Answers
Q: How long did it take to detect the fraudulent activity?
A: The fraudulent activity was discovered by City staff twelve days after the payment was sent.
Q: Why wasn’t this information released immediately after the incident?
A: The matter was being actively investigated by law enforcement, our banking institution and insurance provider and could not be made public immediately. This theft was part of a complex scheme and took time to reveal the information the public needed.
Q: Who is responsible for the money?
A: The City of Webster is responsible for the loss. Fortunately, we are successfully working with law enforcement and insurance on a lost funds recovery plan.
Q: Have any losses been recovered through investigation or insurance?
A: $300,972 has been seized by the Webster Police Department (WPD) through its criminal investigation. In addition, the city has been authorized to receive up to $240,000 through its cyber insurance.
Q: What is cyber insurance?
A: Cyber insurance is used to protect against losses resulting from a cyber attack or incident.
Q: How does this affect the general budget?
A: The 2025 operating budget will not be affected by this incident.
Q: What immediate actions did the city take in response to this incident?
A: Immediately upon becoming aware of this incident, the City of Webster took steps to mitigate any negative impacts. This included
• Criminal Investigation: The Webster Police Department immediately launched a criminal investigation into the fraudulent activity. This investigation led the Webster Police Department to seize $300,972. WPD continues to work with the FBI and the District Attorney’s office on this investigation.
• Insurance Claims: The City communicated with its insurance agent and provided all necessary documentation to proceed with the claims.
• Cyber security efforts: Webster’s IT department was informed of the fraud, which triggered a review of the incident. An analysis was conducted to ensure that the city’s computer network was not hacked and to check for vulnerabilities.
• Communication with the Town’s Bank: The Town of Webster immediately contacted the bank where the payment came from. The bank tried to reverse the payment, but it happened outside of five working days, so it was not possible. The city obtained all necessary supporting documentation from the bank to investigate this matter.
• Cooperation with the contractor: The City of Webster and the contractor have worked together to identify the cause of this incident.
Q: What local, state and federal agencies were/are involved in the investigation?
A: Webster Police and the FBI are conducting a joint criminal investigation. The Monroe County District Attorney’s Office has assisted in the investigation.
Q: Is the city confident that no other cyber thefts have occurred?
A: The fraudulent activity was reported to Webster’s IT department immediately upon discovery. The IT department did an audit of all the city’s accounts and IT(1)managed systems; this review found that no accounts or systems had been compromised.
Q: What is the city doing to avoid becoming a victim of another phishing incident?
A: Webster’s IT department has made several recommendations in an action plan to prevent future phishing incidents. This action plan includes several procedures that are currently in place and are being followed by City staff. In addition, the finance department reviewed all existing internal controls regarding vendor payments and added procedures and additional levels of review to tighten existing controls
*AI assisted with the formatting of this story. Click here to see how WHEC News 10 uses AI*
