Online Requests To Change Payment Procedures: A Red Flag That Needs Thorough Investigation

A district court judge sentenced a man accused of stealing nearly $700,000 from the City of Fort Worth to 12 years in prison.

The accused, who pled guilty to theft of property greater than $300,000, allegedly stole the money through a phishing email scam.

Fort Worth's accounts payable department received a change of account request in October of 2017. The spam email claimed to come from two Imperial Construction employees, one of whom was an actual person. The email requested that the department change the construction company's electronic deposit to a Chase Bank account and included a copy of a check with the account and routing numbers. Imperial Construction later told authorities that the signature of the real employee had been forged.

The city changed the bank account, believing that Imperial Construction had changed banks. According to the affidavit, the scammer had access to the new account and withdrew thousands of dollars in cash from ATM machines in Houston.

After withdrawing the total - $693,625.77 - in the bank account, the 50-year-old man flew to Nigeria. He later returned to the U.S. and was arrested in Houston.

A terminated senior city IT manager filed a lawsuit, claiming the city mishandled the phishing scam. He also claims that the city allowed employees with criminal convictions access to a confidential FBI criminal database and allowed anyone to access employees' medical and personal information.

The plaintiff allegedly told the city's acting chief financial officer and acting chief technology officer that the city's cybersecurity had been compromised. The lawsuit claims they rejected the plaintiff's remediation proposal because it would have required City Council approval and public disclosure.

The plaintiff claims he was placed on administrative leave and then terminated in retaliation for reporting the security breaches to law enforcement after city officials failed to act. Emerson Clarridge "Court Sentences Man Who Stole $700K in City Phishing Scam" (May 14, 2021).


An email request to change the bank account associated with a direct deposit is only one type of phishing scam organizations may face. Cybercriminals target employers with a wide range of phishing attacks.

Any request to change accounts to which money is wired is a red flag and should require additional steps to make sure that the request is legitimate, including making independent confirmation that the request is legitimate, followed by a formal request in writing signed by the right authorities. A simple email request with an attachment is not enough to change payment protocols.

To spot this red flag and others, organizations must train employees on cybersecurity best practices. Teach them to always question any request sent through email and to call the official number for the organization, not a number included in the email, to confirm all requests.

Finally, inform employees to notify the designated individual or department immediately if they believe they have fallen victim to a phishing scam. The only thing worse than an employee complying with a scammer’s request is an employee covering it up for fear of termination.

Finally, your opinion is important to us. Please complete the opinion survey: