Department Of Ag Loses In Phishing Scam

The Montana Department of Agriculture lost more than $344,000 from a person impersonating a grant recipient in an email phishing attack, according to a new report recently released by the Legislative Audit Division.

The incident, which happened in October 2020, was one of two cases turned up by a legislative auditing team as part of a two-year cycle of reviews for the Legislature.

The other incident, which occurred in April 2020, happened when an employee with the Department of Agriculture purchased $1,000 in gift cards in response to a different email phishing attack. That scam was thwarted when the employee became suspicious and notified their supervisor. According to the report, the gift cards were returned for full credit.

However, the state lost $344,271 in the larger phishing scam. It noted that the department was able to stop the first payment to hackers, but not the second, which resulted in the loss. The Montana Department of Agriculture agreed with the auditors’ findings and agreed to update its financial controls. The department also reported the theft to its chief attorney, the Governor’s Office, and the Department of Administration’s Risk Management and Tort Defense, but it did not notify state auditors.

The Legislative Audit Division reported that the incident was turned over to the state’s insurance carrier.

“We recommend the Department of Agriculture comply with state law by notifying the attorney general and legislative auditor in writing upon the discovery of any theft, actual or suspected, involving state money or property,” the report recommends.

The report noted the Department of Agriculture did not notify the attorney general or the legislative auditor of the gift-card issues because personnel determined it was unnecessary because the theft was ultimately not successful.

Other credit issue

The auditor’s office also discovered one other issue, primarily an accounting issue, but indicated a possible legislative fix.

The department’s Agricultural Sciences Division provides licensing and registration for pesticides, pesticide applicators and dealers and special pesticide registrations that are processed through a custom-built registration system, MT Plants.

Auditors found that the system can process and take payments, often placed in accounts by farmers and ranchers for renewals, permits or registrations. However, when customers overpaid into the system, it does not refund overpayments unless a customer requests it in writing. Furthermore, staff can only tell if there’s a credit balance in the “notes” section of the customer profile.

“MT Plants is an older system with limited capabilities. It can track balances due to the department but cannot track balances due to the customer. Due to the system’s limitations, we do not know how many customer accounts have a credit balance and the total of these credit balances,” the auditors’ report said.

The report noted that some staff issue refunds for overpayments, while others wanted a written request.

“This is not being done consistently,” the report said. “Management stated staff turnover has led to confusion regarding internal refund policies.”