The Montana Department of Agriculture did not fully comply with reporting requirements in 2020 after an online phishing scam led to the theft of more than $344,000 and another attempted theft was thwarted prior to an exchange of $1,000 in funds, a legislative audit report has found.
The Montana Legislative Audit Division released a financial compliance report on the department this month. Auditors identified three issues with accounting or reporting practices and issued recommendations to address those concerns.
The department concurred with all three recommendations.
In October 2020, a scammer impersonating a grant recipient obtained $344,000 in an email phishing attack. A phishing attack occurs when a scammer purports to be a different person or entity conducting legitimate business in an effort to trick the victim into providing money or information.
The department notified its chief attorney, then-Gov. Steve Bullock’s office and the Department of Administration’s Tort Defense and State Financial Services Division.
“The hacker attempted to receive two grant payments from the department,” the audit states. “The department was able to stop the first payment, but not the second. The Department of Administration modified state policy in response to this situation.”
A separate phishing scam occurred in April of 2020. In that incident a state employee purchased $1,000 in gift cards, later becoming suspicious and informing a supervisor. The gift cards were refunded, according to the audit.
Auditors found that the department did not fully comply with state law in response to the scams. The law requires notification of both the attorney general and legislative auditor in writing, “upon the discovery of any theft, actual or suspected, involving state money or property under that agency’s control for which the agency is responsible.”
In both cases, the legislative auditor was not notified. Department of Administration officials did notify the attorney general of the October phishing scam and theft. Agriculture officials told auditors they contacted the attorney general as well.
Department of Justice spokesperson Kyler Nerison said Friday the scam was classified as a “business email compromise scam,” described similarly to a phishing attack. He provided a link to the FBI’s website, which calls the scam “one of the most financially damaging online crimes.” An investigation remains open into the theft with DOJ’s Division of Criminal Investigation, he said.
The agencies told auditors they did not believe notification was necessary for the April phishing attack because it was not successful.
Auditors countered that state law also “requires the notification whenever theft is suspected,” and recommended the agency comply with theft reporting requirements.
Auditors also found issues with accounting in the department’s grant account for its wheat and barley program. Finally, antiquated software failed to flag overpayments for certain permits and licenses, and refunds were only issued if requested in writing. Auditors recommended changes to correct those issues.
In an August letter accompanying the audit, department Director Christy Clark concurs with the audit's findings and recommendations.
“Prior to this calendar year-end, we intend to put revised department policies into place to ensure these oversights are not repeated in the future,” she wrote. “The Department Of Agriculture is committed to complying with state laws and accounting policies, as well as strengthening our internal controls.”
The Daily Montanan was first to report on the audit.
Tom Kuglin is the deputy editor for the Lee Newspapers State Bureau. His coverage focuses on outdoors, recreation and natural resources.