Department Of Ag Loses In Phishing Scam
The Montana Department of Agriculture lost more than $344,000 from a person impersonating a grant recipient in an email phishing attack, according to a new report recently released by the Legislative Audit Division.
The incident, which happened in October 2020, was one of two cases turned up by a legislative auditing team as part of a two-year cycle of reviews for the Legislature.
The other incident, which occurred in April 2020, happened when an employee with the Department of Agriculture purchased $1,000 in gift cards in response to a different email phishing attack. That scam was thwarted when the employee became suspicious and notified their supervisor. According to the report, the gift cards were returned for full credit.
However, the state lost $344,271 in the larger phishing scam. The report noted that the department was able to stop the first payment to hackers, but not the second, which resulted in the loss. The Montana Department of Agriculture agreed with the auditors' findings and agreed to update its financial controls. The department also reported the theft to its chief attorney, the Governor's Office, and the Department of Administration's Risk Management and Tort Defense, but it did not notify state auditors.
The Legislative Audit Division reported that the incident was turned over to the state's insurance carrier.
"We recommend the Department of Agriculture comply with state law by notifying the attorney general and legislative auditor in writing upon the discovery of any theft, actual or suspected, involving state money or property," the report recommends.
The report noted the Department of Agriculture did not notify the attorney general or the legislative auditor of the gift-card issues because personnel determined it was unnecessary, as the theft was ultimately not successful.
Other credit issue
The auditor's office also discovered one other issue, primarily an accounting issue, but indicated a possible legislative fix.
The department's Agricultural Sciences Division provides licensing and registration for pesticides, pesticide applicators and dealers and special pesticide registrations that are processed through a custom-built registration system, MT Plants.
Auditors found that the system can process and take payments, often placed in accounts by farmers and ranchers for renewals, permits or registrations. However, when customers overpay into the system, it does not refund overpayments unless a customer requests it in writing. Furthermore, staff can only tell if there's a credit balance in the "notes" section of the customer profile.
"MT Plants is an older system with limited capabilities. It can track balances due to the department but cannot track balances due to the customer. Due to the system's limitations, we do not know how many customer accounts have a credit balance and the total of these credit balances," the auditors' report said.
The report noted that some staff issued refunds for overpayments, while others wanted a written request.
"This is not being done consistently," the report said. "Management stated staff turnover has led to confusion regarding internal refund policies."