We’re probably all familiar with the email from a Nigerian Prince, a “potential” employer that’s asking you to buy a bunch of gift cards, or a dodgy message with long, suspicious links.
But some scams are not so easy to spot. A public utility in the Thumb fell victim to a phishing scam in January, and law enforcement authorities say these type of fraud cases are increasing.
The Sebewaing Light and Water Department announced in March — two months after the incident — that it had been the victim of a phishing scam. The announcement was in response to a rumor that funds were “siphoned off through fraudulent means.”
Multiple public officials did not respond or declined to comment on how much money had been lost in the scam due to the “ongoing investigation.”
But after filing a Freedom of Information Act request, WCMU confirmed $189,483.92 were stolen when a scammer posed as one of the public utility’s suppliers.
“These suspects sit there 24 hours a day, seven days a week with no real job because they're stealing millions and millions of dollars,” said Detective Samuel North, from the cyber command center with the Michigan State Police.
North is not part of the investigation, but said the Sebewaing incident is a classic “business email compromise” case — where a scammer hacks into an email account and creeps in the inbox, learning about how an organization operates.
“They know how those people interact with each other, what they put in the subject line, what the phone numbers and email addresses are," North said. "Sometimes they'll wait months until the right time to strike.”
The public records from the Michigan State Police included the police report filed on Jan. 23 and pages of correspondence between the Sebewaing Light and Water Department, the scammer and others about the case.
According to the records, the department had a legitimate outstanding invoice from their natural gas vendor, Rosso Supply and Management.
A few days before the invoice due date, the department received an email on Jan. 4 from Rosso that the company’s banking information had changed.
The following message included the sign-off from a Rosso employee, the company’s real Grosse Pointe address and phone number — along with the “new” account and routing number.
A department employee replied to the email, saying they updated Rosso’s banking information in their system, and the department paid the $189,483.92 bill on Jan. 5, which was cleared four days later.
Except that original message wasn’t from Rosso — the email address was off by a single letter — and the money was gone.
It took the department two weeks to realize it had been defrauded when a real Rosso employee reached out on Jan. 22, asking when the invoice would be paid.
“They have all the time and money in the world to figure out the best schemes to trick people," North said. "And so law enforcement is constantly trying to keep up with the new tactics being used by the suspects.”
Scams are an underreported crime, and getting definite numbers is difficult, but they are increasing. From 2018 to 2022, the FBI, alone, received more than three million complaints that added up to roughly $28 billion in losses.
There are also countless studies that show people drastically overestimate their ability to spot scams, and overconfidence is largely to blame.
As one of only five detectives in the state’s unit dedicated to cyber crimes, North said scams are possible to solve, but limited resources and time mean that the vast majority of scammers are never caught.
“We know it's growing massively and quite honestly, it doesn't matter if it never grows again," North said. "It's already so rampant that we'll never run out of work.”
To avoid falling victim to phishing scams, North said people should check their email’s IP address to see if there have been sign-ins from suspicious locations. Employees should also check if their email has any strange forwarding rules set up that could have been set up by a scammer to block intended senders.
North recommends contacting the source through other means before sending money or sensitive information.
“Instead of just trusting the email, you should give them a phone call or if you're able to go talk to them in person, so you can verify it's actually them before changing the bank information," North said. "That would help prevent most of these situations.”
The records indicate the Sebewaing Light and Water Department did notify its bank and reach out to its insurance about recovering the funds, as well as change its email login information, but it’s still unclear if and how the department will make up the loss.
For more information about cybersecurity, visit the FBI scam safety page.