KENOSHA — A former University of Wisconsin-Parkside employee believes an email phishing scam which defrauded the institution of more than $300,000 could have been prevented.
The college was lacking formal written processes in place for detecting such fraud at the time it occurred, according to Debi Rigney, former lead accounts payable specialist in the university’s business services department.
Rigney quit her job last month after 5½ years after she claims she was placed on “unpaid suspension” for five days in late July and issued a performance improvement plan after the university was defrauded.
According to documents related to her suspension, which Rigney shared with the Kenosha News, university officials faulted her for not developing “clear, secure and effective” accounts payable processes that they said directly led to the breach.
The university learned of the scam June 19 when a bank notified it of an issue with a new account. According to the university, an employee had changed the bank account routing numbers of two UW System vendors, after having been fooled by the email phishing scam.
According to Rigney’s personnel documents, an investigation determined that the banking information was changed by a Parkside graduate between May 1 and May 14, for two different vendors for the amounts of $125,000 and $190,000. The requests were then placed in an accounts payable box.
Rigney, who was on family medical leave at the time the scam occurred, said another employee had covered for her while she was gone.
According to the document, the employee reportedly followed what the employee believed the process to be for receiving and making vendor requested changes. That employee was also punished, Rigney claimed.
The document indicates Rigney said there was no process for verifying the information received to make changes to banking information. It also indicates that — in the five years she worked for the university — change requests were not verified and she never trained staff to do so.
That’s because there weren’t any written processes, she said in an interview with the News.
“There wasn’t (a process) and my job description doesn’t say to write or make processes. I’ve never done it,” said Rigney, who up until July had good performance reviews.
Rigney said among her duties were to “to make recommendations to procedures.”
“They’re saying I didn’t develop clear, secure and effective processes as it relates to the (accounts payable) function,” she said. She said management is responsible for developing processes and should have also been held responsible.
Incident two years ago
Two years ago, Rigney said she brought to UW-Parkside management’s attention an incident in which she prevented phishing scammers’ attempts to steal a smaller amount of money.
Rigney said she received an email she thought was unusual, with the “vendor” sending correspondence asking to change his bank information. When she contacted him to verify, the vendor told her he did not send the request.
“So, that one we caught,” she said. The vendor then filed a report with the Kenosha County Sheriff’s Department. “That one was prevented … because I caught it.”
Rigney said she went to her boss and told her what had happened and “nothing was done.”
You have free articles remaining.
In the time between the phishing scam that was prevented and the recent incident, Rigney alleges management also did not reinforce or talk to staff about what should be done in the event of a suspected phishing scam.
Claims scramble to write policies
She said it wasn’t until July that processes were written – nearly two months after the recent crime occurred.
“This isn’t all my fault. For one, I wasn’t there when it happened,” she said. She said she felt their actions were an attack on her integrity and work ethic.
That’s when she decided to quit. She has since found another job.
“They scrambled like crazy to get policies and processes in order when this happened,” she said. “There wasn’t one. So, we were writing them.”
Rigney said she was never given any training to specifically detect and handle phishing while employed at Parkside. She said employees take a yearly online video quiz, however, which includes keeping their workstation and information stored online secured.
Parkside cites ongoing training
Parkside spokesman John Mielke said Thursday all employees in the business services office undergo training when they’re initially hired and receive ongoing training during their employment.
“With regard to Business Services practices and policies, all UW-Parkside Business Services employees are trained on the proper response to any request for a change to vendor account information. Also, all UW-Parkside employees have completed mandatory State of Wisconsin cyber-security training,” he said.
He said the state-mandated training is conducted each year.
No developments in probe
In the meantime, no new developments have been reported in the investigation into the phishing scam.
“Federal agencies continue to work toward identifying the source of the phishing scam and will update the UW-Parkside Police Department with any new information,” Mielke said.
The university has already recovered some of the losses and insurance has covered much of the rest for a net loss that has been reduced to about $65,000.