Anatomy of ETHS' $48k Wire Fraud
A follow up to a story from a few years ago, regarding money stolen from ETHS with allegations of foul play
FOIAGRAS is a free newsletter run by Tom Hayden (FOIA GRAS LLC) that explores various topics in local Evanston Governance, especially around ETHS and School District 65 (Evanston/Skokie). I publish and share all my data and reports. Subscribing is free, so please subscribe or share
This story starts here, from a 2020 article written by the Evanston Patch: ETHS Defrauded Of $48,570 In Hack That Exposed 1,139 Identities.
The Backstory
On May 22, 2020 during the early COVID days, at least one ETHS email was allegedly compromised and a fraudulent invoice for $48,570 sent for reimbursement. Seven days later on May 29, 2020 this invoice was paid electronically to a Wells-Fargo Account. Seven days after that, on June 6, 2020 the crime was reported to the Evanston PD.
You can read the police report.
A year later, in June 2021, the Evanston PD was able to secure a subpoena for the Wells-Fargo account that received the $48,500.[1]
In furtherance of this investigation: On 6-10-21, I received the grand jury/court order for Wells Fargo Bank that was submitted to the Cook County State's Attorneys Office for Processing on 6-12-20. Later in the day, I traveled to Wells Fargo Bank at 2289 Howard and I submitted the subpoena in person to an on-duty manager.
The subpoena revealed that the funds were deposited in an account owned by a Ms. Valdez, of Bakersfield, California. I am omitting personal details out of respect for her privacy for reasons that will be apparent later. On October 11, 2021, the Evanston Police forwarded the case to Bakersfield.
During the interim, the subject came up at a February 2022 ETHS Board Meeting, where a community member inquired regarding the alleged “embezzlement.”
Superintendent Witherspoon responded out of turn with a denial, which you can read below or watch at around the 2:12:00 mark in the above video:
Board, I would like to clarify something that has been made public several times. This district was hacked, and our insurance company hired expert national firms to do a forensic audit of that and they found that an organization outside of this state created criminal activity and that was the result of that hacking. And they were so satisfied with that, they paid every penny of that loss. It cost this school district zero[2] because we are insured against that kind of criminal activity and I just want to make that clear because apparently that message has not yet penetrated and it’s very important that people understand.
Interestingly, the paid fraudulent invoice from 5/29/2020 was excluded from the Board Reporting’s list of bills for that time period. I FOIA’ed the District specifically for payments made during this window and again received statements that excluded the fraudulent invoice paid with check number V1559. It is unclear why this invoice was excluded from public reporting.
Meanwhile, over in Bakersfield, the Police visited Ms. Valdez on April 6, 2022. I’m not sharing a copy of this report in public, for reasons that will be apparent below. If you really want to read it, email me. Below are relevant snippets:
When I asked VALDEZ if she remembered receiving the $48,570 wire transfer into her Wells Fargo Bank Account on 5/29/20; then on 6/1/20 making two separate withdrawals totaling $40,500, VALDEZ stated yes. VALDEZ advised she did this for her fiancé, whom she knows as: "HUTCHINSON JORDAN SMITH"; herein referred to as "SMITH".
The story continues
VALDEZ advised in the last 6 years, she has sent thousands of dollars of her money via gift cards to SMITH. VALDEZ has numerous gift cards in her possession she had purchased for SMITH. VALDEZ stated she has also purchased 2 phones and 1 computer for SMITH.
…
VALDEZ stated SMITH then instructed her to pull out the $40,500 and send it to numerous locations. VALDEZ showed me paperwork with addresses and names of subjects in Africa. I asked VALDEZ about the remaining $7,000 and she didn't recall where that went; however, stated it was probably given to other subjects that SMITH instructed her to send.
After the interview, the Detective followed up with Ms. Valdez via email to confirm that the money was sent to locations in Africa. She replied with a denial. The detective followed up and asked where the money went, and she replied with the below:
The cash recipients were redacted in the FOIA process. I reached out to the Bakersfield Police who confirmed that the funds were sent to locations in the US.
The suspect had the money mule (VALDEZ) send cash via UPS/FedEx/USPS to locations in Idaho, Minnesota, and New York. VALDEZ has also sent money to Africa on many other occasions.
I attempted to locate Ms. Valdez but was unable to reach her by phone or email. I also attempted to contact the suspected hacker via email and got no reply.
Either way, Bakersfield PD closed the case:
It was apparent VALDEZ has been a "Money Mule" and her motive was based solely on someday having an intimate relationship and marriage with SMITH.
Case closed and forwarded back to Evanston PD
I attempted to get a less-redacted copy of the report from the Evanston PD, but it doesn’t seem that they ever received the report from Bakersfield. So the case remains closed by both Evanston and Bakersfield, at least for the time being.
On Money Mules and Compromised Accounts
This leaves us with the following facts:
Someone used an email address for the Director of Alumni Services to send a fraudulent invoice to a subordinate staffer at ETHS. The ETHS IT Department confirms that this account was “hacked”.
ETHS then wired $48,570 with no approval process because the invoice allegedly had a known vendor ID[3] and employees were working remotely.
The funds went to an individual in California, who very clearly was being used to launder money (i.e. a “money mule”).
This California individual took out cash and mailed it to three individuals in Idaho, New York, and Minnesota.
ETHS filed for reimbursement from insurance and was reimbursed sans a $2,500 deductible.
We’ll probably never know who received the money - the cases are closed and the names are redacted.
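The facts above describe two missing controls: a known vendor ID was treated as sufficient to release funds to a bank account the vendor had never used, and no second person signed off on a $48,570 payment. The following is an added example (not the newsletter's or ETHS's code) of how a payment-release check would enforce both; the vendor IDs, account numbers, user names and threshold are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed vendor master file: vendor ID -> bank account on file.
# Made-up values, not ETHS records.
VENDOR_ACCOUNTS = {
    "V-1001": "WF-000111222",   # software vendor, account verified at onboarding
    "V-1002": "CH-000333444",
}

DUAL_APPROVAL_THRESHOLD = 5000.00   # second approver required at/above this amount


@dataclass
class PaymentRequest:
    vendor_id: str
    payee_account: str
    amount: float
    requested_by: str                       # mailbox the invoice arrived from
    approvals: list = field(default_factory=list)   # approver user IDs
    account_change_verified: bool = False   # new account confirmed by phone to the number on file


def review_payment(req: PaymentRequest) -> list:
    """Return the list of control failures; an empty list means the payment may be released."""
    findings = []
    on_file = VENDOR_ACCOUNTS.get(req.vendor_id)
    if on_file is None:
        findings.append("unknown vendor ID")
    elif req.payee_account != on_file and not req.account_change_verified:
        # A known vendor ID does not vouch for a *new* bank account; the change
        # must be confirmed out of band (not by replying to the invoice email).
        findings.append("payee account differs from account on file and was not verified out of band")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        # The requester cannot count as one of the approvers.
        approvers = set(req.approvals) - {req.requested_by}
        if len(approvers) < 2:
            findings.append("amount at/above threshold needs two approvers other than the requester")
    return findings


# The pattern described on the page: known vendor ID, new bank account, no second sign-off.
FRAUDULENT = PaymentRequest("V-1001", "WF-999888777", 48570.00, "alumni.director", ["staffer"])
# The same invoice once the account on file is used and two other people approve.
LEGITIMATE = PaymentRequest("V-1001", "WF-000111222", 48570.00, "alumni.director", ["staffer", "cfo"])
# A genuine account change that was confirmed by calling the vendor's number on file.
VERIFIED_CHANGE = PaymentRequest("V-1002", "CH-000555666", 1200.00, "clerk", [], True)
```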
The comments on the original Patch story make all sorts of allegations of foul play. Can we rule it out (i.e. “embezzlement”) as Dr. Witherspoon suggests? The answer to that is no, especially since the funds did end up landing somewhere in the US and that was the end of it. Who received the money? Were they related to any insiders, or was it just generic invoice fraud? We’ll probably never know.
However …
Having worked in the risk & payments industry, I can say this class of fraud is extremely common. When I worked at Facebook, we called this “compromised account fraud” and it happened thousands of times per day. A fraudster would compromise an account[4] and aggressively use whatever vector possible to get money. I’m sure some of my readers have gotten the "I’m stuck in Europe and need money right away” scam from a relative with a hacked Facebook account. Fake invoice scams are also rampant, and in fact, I got one for my business while I was writing this article![5] Fraudsters used to do this via postal mail, and Popehat did a great Anatomy of these Scams back in 2011.
Nowadays, these types of fraudsters are generally very well organized and in many cases connected to organized crime rings. They have entire networks of money mules, such as Ms. Valdez, whom they prey on to launder the funds, along with vast automation of attacks such as targeted phishing. I even have a talk I give on this, featuring John Podesta, who just got absolutely pwned.
If anyone has any further information on this story, please contact me: tom@foiagras.com
Information Security Recommendations
I don’t normally write about this, but to avoid being the target of a fraud like this, please take a moment and consider adding two-factor authentication to your accounts. I recommend the Yubikey 5 for hardware-based two-factor authentication, but literally any form of two-factor authentication (such as text message or the Google/Microsoft Authenticator app) is better than nothing. Here’s how you can enable this on the big email providers:[6]
Hotmail/Outlook - How to Enable 2 Factor Authentication
If you work for a large or medium sized company or government (such as ETHS) they should already be requiring you to have this on your account. If they don’t, go bug your IT person and demand it.
[1] I do not believe there is any foul play involved in the subpoena delays; it required a grand jury and interaction with the County Attorneys Office right in the middle of COVID. At that rate, a year sounds fast!
[2] This is technically false; the District did pay a $2500 deductible according to reporting by the Evanston Patch.
[3] The Vendor ID remains a mystery. ETHS refused to provide the vendor ID to the Evanston Patch and hides the payments from reporting that I FOIA’ed.
[4] Usually via automated phish or spear-phishing.
[5] Of course, the email didn’t come from “inside the house” - it was just an email with a fake bill for Norton Anti Virus.
[6] If you’re one of the handful of readers still using a mindspring or sbcglobal email address, you’re on your own here!
The Vendor ID issue seems to be most relevant here from the standpoint of management of public money.
I work in the private sector and if I want a payment of more than $5k to be issued (even to one of our vendors) you need sign off from at least 2 people.
Have you contested the denial of vendor info from your foia with the Attorney General?
Don’t they have to cite some part of the statute when denying info?
Doesn’t surprise me if it’s connected to alumni relations. It’s not a well run operation — they have totally outdated practices. How did a teacher with no advancement or alumni relations experience even get that job?