Scammers posed as mayor to target city of Craig
March 1, 2018
CRAIG — When Craig Finance Director Bruce Nelson received an email — ostensibly from Mayor John Ponikvar — asking about the cash balance in the city's general fund and requesting he wire $37,000 to a consultant's bank account in Clinton, Oklahoma, Nelson was concerned.
The situation was the result of a multi-step scam that compromised the mayor's email account, the city’s bank account and a bank account in Oklahoma. The city caught onto the fraud and did not wire any money.
While under the impression that he was communicating with the mayor, Nelson recommended the scammer contact "Mike" about the matter. Though Nelson used only his first name and made no mention of Mike Foreman's role as city manager, the scammer knew to email Foreman.
"I realized that it wasn't John, because the responses weren't the vernacular he uses or the syntax that he uses," Foreman said.
Foreman told Nelson he believed the email was fraudulent and contacted Police Chief Jerry DeLong. They were unable to reach Ponikvar, who was driving back from Grand Junction, but eventually confirmed he did not send the message.
The scammer had the city's banking information and gave city officials the address, routing and account number where the money was to be sent.
Recommended Stories For You
DeLong contacted the bank in Oklahoma and found these numbers were linked to a valid personal bank account. The account showed normal transactions — the account holder deposited her tax return and had made purchases on her debit card.
DeLong drafted a police report and sent it to the Clinton City Police Department, which is continuing the investigation.
DeLong believed the bank account holder's information was compromised by a third party. Often, he said, scammers use someone else's account to funnel money overseas. In this scam, criminals direct one party to wire money into the compromised account, then immediately skim the money from the account into their pockets.
"Somebody did a really good job of hacking, because they got all of that information — the mayor's information, the bank's information and this lady's information," DeLong said.
In light of the incident, Ponikvar has installed two-party authentication on his email account and has asked city council members to do the same.
Two-factor authentication requires an additional step after entering a password to log in to an online account. Usually, a code is sent to a mobile device or secondary email address when logging in on an unrecognized device. To successfully login, a person must enter both the password and the code.
DeLong offered a few suggestions for protecting one’s self from such scams: Use two-factor authentication on online accounts, and don't give personal information over the phone, including birthday or Social Security number, unless the legitimacy of both the organization and the representative can be verified.
"A lot of businesses now — the legitimate businesses — don't ask for that information over the phone," said DeLong.
To verify that someone is who they say they are, ask for a supervisor or request a number to return their call, and hang up. Then research the company and representative, and return the call if it's legitimate.
The bottom line, DeLong said, is that if it seems to good to be true, it probably isn't.
In the Craig area, one phone scam seems to be surfacing frequently. CPD Commander Bill Leonard said the department has received numerous reports that scammers are calling Craig residents, falsely claiming there is a warrant for their arrest. Scammers then request the victim purchase and send Walmart gift cards to a specific address. The callers pressure victims by telling them the local police department is about to arrest them.
Don't fall for it — people with active warrants for their arrest probably have some idea of the crime they’ve been accused of.