For years, city officials in the executive branch of the city have known their human services department had issues with managing its budget of hundreds of millions of dollars. As the department’s budget ballooned in the last few years to deal with the homelessness crisis, they even made some changes to keep up.
But their staff did apparently break internal city policy when they responded to what turned out to be a fraudulent request last year, according to a spokesperson for the city’s finance department, which resulted in more than $800,000 being allegedly stolen from city coffers.
This summer, the city informed the FBI and the Secret Service that payments it thought were going to a homelessness nonprofit called Mary’s Place had actually been going to a fraudulent account for months, according to emails obtained by The Seattle Times last week.
The city’s budget director, the former head of human services who ran the department when the fraud was discovered, and other staff at the city’s executive branch overseen by the mayor declined to give interviews.
“I don’t know that they could have anticipated this particular thing coming, but they and other folks in the city were aware that there were financial-control issues,” said City Councilmember Lisa Herbold, who chairs the council’s human services and public safety committee.
Financial management lags
Just five years ago, the human services budget was $142 million, a large chunk of which was homelessness funding. As the city has poured historic amounts into fighting homelessness — with few real-world results — the department’s budget exploded to more than $300 million at the beginning of 2021 and has received $85 million more since.
“While the growth of HSD’s budget coincides with the great need in community, HSD’s financial management capacity has not grown comparably,” Ben Noble, the city’s budget director, said in an August email warning the City Council that the influx of coronavirus response money had made “long-standing financial capacity constraints” worse.
Noble didn’t mention the fraud — which had already happened — in the memo. Of the nine City Council members only Herbold had been notified of it, and not of how much.
The department did make efforts to fix looming issues, and hired a chief finance officer last year. But the department had expected to offload all homelessness contracts at the beginning of 2021 to the new King County Regional Homelessness Authority, an entity set up to try to streamline regional response and get city politics out of homelessness policy.
When that process was greatly delayed by the pandemic and officials started scrambling to prevent widespread outbreaks in homeless shelters, HSD was running on a skeleton crew.
The month after the pandemic hit, the city auditor released an audit of Seattle’s homelessness contracts and found, among other things, that human services didn’t give its contract specialists any formal training. Training is critical for a contract specialist because they communicate with homeless-services nonprofits, ensure contracts are managed accurately and “play an important accountability role.”
Department officials said told the auditor they use “peer to peer” on-the-job training, but the turnover in the contract specialist job has been so high — 30% in the first half of 2019, according to the city auditor — that “critical knowledge could be lost,” the report said.
“You need to write this down, have a policy and you need to keep the policy up to date. And that’s boring — it’s not exciting work,” said David G. Jones, Seattle’s city auditor. “You’re supposed to have a list — you contact this specific individual this way when someone changes a bank account.”
Fraudulent request
It may have only been a matter of time until fraudsters learned how to manipulate the system, but this particular incident may have happened because of an unfortunate coincidence, according to Herbold, who was briefed on it. The nonprofit Mary’s Place, which provides aid and shelter to homeless families, asked late last year for a change to billing. Very soon after, a fraudulent request came in asking for a change from what appeared to also be Mary’s Place.
But the human services department still likely broke internal policy. Melissa Mixon, a spokesperson for the city’s department of finance and administrative services, said in an email Thursday that city departments are required to “conduct—and attest to conducting—a multi-step, independent verification and authentication process any time one of their vendors requests a change to their payment method.”
As cyberfraud has become more common, the city has required that when changing billing info, departments use a contact number from an independent source, such as a previously paid invoice or a city project manager — never just an email or one source of communication from someone claiming to be the contractor.
“As a result of this incident, and due to the increasing frequency of this type of crime around the country, [finance and administrative services] has now centralized this verification process within our Finance group,” the spokesperson said. “This will ensure the policies set by [finance and administration services] and outlined above are adhered to.”
Mixon said finance and administrative staff have also been working with the city to help form “recommended opportunities for improvement” in the human services department and to oversee the outside consultant brought in to reform the department’s financial-management practices.
Internal fraud or phishing scheme?
John Warren, vice president and general counsel for the best practices group Association of Certified Fraud Examiners, said this type of fraud is common in both private businesses and government. Warren said members of the fraud examiners group estimated that about 5% of government agencies’ budgets get lost to fraud each year, in a 2020 study.
“Globally, we’re talking about trillions and trillions of dollars,” Warren said.
This kind of fraud typically happens in one of two ways: either through an internal employee or phishing scheme.
According to Warren, internal asset misappropriation usually involves an employee creating additional payments to an entity but sending the extra money to an account they or a partner can access, instead of the rightful recipient.
But Warren says the Mary’s Place incident doesn’t seem likely to be internal fraud since all of the payments were diverted, which would be abnormally blatant.
“If you’re committing fraud as an insider, a big part of your calculus is how do I keep anybody from noticing this,” Warren said. “Concealment is a crucial part of the scheme.”
Instead, Warren says what likely happened was a phishing scenario in which an outside fraudster tricked a city employee into changing the account information for all payments as part of a larger phishing scheme.
“If you’re a guy in Eastern Europe who’s done this and just diverting the money, you’re just going to keep having the payments go to this fake account until they figure it out,” Warren said. “And once they figure it out, you don’t really care. You shut it off, and you go on to the next victim.”
To avoid further fraud, Warren says the city should use multifactor authentication, set up alerts about information changes or even deliver the first payment after an account change as a check rather than direct deposit.
Whatever policies the city uses, Warren says frequent, thorough training on fraud prevention is paramount.
“But the thing people say in this area is your biggest vulnerability to these frauds are your employees, and that’s the bottom line,” Warren said. “You have to be right every time. The fraudster only has to be right once. That’s the problem with this kind of work.”