Town of Hollywood Park attempting to recover nearly $200,000 stolen in 2019 cyber theft

Despite missteps by town, Mayor partially blames banking partner for lost money

HOLLYWOOD PARK, Texas – On March 5, 2019 someone attempted to steal nearly half a million dollars from the sleepy San Antonio suburb of Hollywood Park. The thieves were likely international cyber-criminals, but 17-months later, no one has been arrested for the crime.

With the help of the United States Secret Service, the town managed to recover nearly $300,000 of the missing money, but there’s still a dispute over who should be held responsible for the nearly $200,000 that ended up in a bank in Turkey.

Hollywood Park Mayor Chris Murphy recently recalled the moment he learned about two large, unauthorized wire transfers from the town’s bank accounts on March 6, the day after the money had been moved.

“We got a call from Frost Bank asking us to confirm the two wire transfers and we said, ‘No, we didn’t authorize any wire transfers. We don’t do them.’” Murphy said. “I got physically sick to my stomach. I couldn’t fathom that it could even happen.”

Murphy says he immediately went to police chief Shad Prichard's office and an investigation was launched. They soon learned someone had transferred a total of $486,766.82 from city funds at the same time a city employee was processing payroll the day before.

Prichard called in the U.S. Secret Service to assist in the investigation.

“They dropped what they were doing and came to our aid and their six hours of work saved us a considerable amount of money and trouble,” Prichard said.

Secret Service agents traced one of the transfers for $192,883.31 to a San Antonio Bank of America account, but the money had already been moved to an off-shore bank account located in Turkey.

Agents were able to seize nearly $293,883.31 from the second wire transfer, thanks to an alert banker at a San Antonio Wells Fargo branch who thought the transaction was suspicious and froze the funds.

“(The banker) was trying to execute, on behalf of one of their customers, a transfer from a one day old bank account with Wells Fargo to a personal Wells Fargo account and she saw enough suspicious looking elements to call Frost (Bank) to find out if that was indeed a legitimate wire transfer,” Murphy said. “The Secret Service agents were pretty clear that had that not happened that quickly. We very likely would be out the entire amount.”

The Secret Service seized the money and continued their investigation. Agents ruled out any Hollywood Park city employees being involved as well as anyone at Frost Bank. A analysis of the city’s finance computer used to make the wire transfers revealed it was infected with malware designed to steal financial information. It was a simple spam email that let the banking trojan virus into the town’s system.

“How it spreads is these fake PayPal invoices. It’ll give you this red flag, past due or confirm your account, it’s been locked out. You know, these are those spam emails that you see and you probably see them every day,” Prichard explained. “That malware gets downloaded by using those e-mail spams. That’s how Emotet, the trojan virus that affected us, gets into our system. So an employee, especially a finance director who is getting invoice after invoice after invoice, he clicks on the wrong one. Now we’re infected. And if you don’t have the right protections in place, that perfect storm begins to brew. And then you lose money.”

Emotet, the malware that was used, was the focus of a 2018 Homeland Security bulletin that called it “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors.” According to the bulletin, “Emotet infections have cost governments up to $1 one million per incident to remediate.”

Once it infects a computer, it can fool even the most savvy of users.

“It mimics the screen of your banking partner. It can be right over the top and you never even know it and it knows exactly what it needs to complete that transaction and it gets it,” Prichard said.

According to Mayor Murphy, the town learned from its IT provider that all of their computers had cyber-threat protection software except for the one that became infected. Turns out, the IT company had removed those protections from the finance computer three months earlier when downloading new software and had failed to reinstall the malware protection.

Making matters worse, the mayor learned from Frost Bank that their depository agreement, signed in 2009, had been expired for five years and there were no protections in place.

“The law requires it to be done every five years but none of the five prior mayors to me knew about it, nor I,” Murphy said. “In fact, when I took the oath of office, all they asked me to do is sign a card for signatures. I would have been glad to sign something that would have provided us with updated cybersecurity protocols, alerts and safeguards.”

Murphy believes had that agreement been up to date, they would have been covered for the loss. He said Frost Bank insisted on signing a new agreement after the incident and that it offered more protections than the 2009 agreement.

“A whole category of cyber protection. It wasn’t existent in the original depository agreement. That would be the key difference. It’s just exactly the kind of thing that happened to us,” Murphy said.

Murphy sent an email to Frost Bank executives in June 2019, asserting the bank was partially responsible because they failed to notice the suspicious nature of the transaction.

On June 4, Murphy wrote, “We have yet to execute an outgoing wire transfer since our agreement was signed in 2009. As our competent banking partner, we expect and trust you to at least verify suspicious, extremely large, and unusual withdrawal requests. One was made by a one day old account.”

The bank pushed back in an email dated June 18, sent by Senior Vice President, Anthony White. It stated the bank’s position and pointed out numerous missteps made by the town of Hollywood Park including IT equipment that “had been infected with multiple viruses and malicious software.”

The bank executive wrote, “It appears that a fraudster took control of a City employee’s PC and used that employee’s security credentials to access Cash Manager and initiate two wires. The fraudster then sent pop-op messages to the same City employee and enticed the employee to use another employee’s security credentials to approve the wires. The City employee informed Frost Bank fraud officers and US Secret Service that he had used security credentials belonging to another employee on this occasion and on numerous previous occasions. Sharing log-in security credentials is a serious compromise of electronic security protocols and is a violation of the Treasury Management Agreement with Frost Bank.”

The bank also brushed off the mayor’s assertion that they should have noticed something was suspicious about the transactions.

“Both wires went to domestic banks. There was nothing unusual or noteworthy about the wires that would have caused Frost to hold them. The Town of Hollywood Park has initiated large wires via Cash Manager previously. For example, the City executed a $400,000 wire on February 4, 2016,” White wrote.

Bill Day, senior vice president, corporate communication for Frost Bank, said the letter sent by White last year remains the bank’s position today. He said the incident “resulted from failed security measures at Hollywood Park.” As far as they are concerned, the issue has been resolved.

When asked if an updated depository agreement would have protected Hollywood Park, Day said in an email, “For confidentiality reasons, I’m not able to discuss specifics of customer accounts. I can say generally that even if a depository agreement had expired, that does not absolve either party from their respective responsibilities. For example, an expired agreement doesn’t absolve an account owner from ordinary care in managing their accounts and security. Also, municipalities are required by state statute to issue a request for proposal for bank services at least every five years, so it’s incumbent on municipal customers to keep their accounts up to date.”

While Murphy was hopeful the two sides could come to an agreement to recoup the nearly $200,000, it appears the city will likely never recover the stolen money.

“I’m shocked and still disappointed. I’m still hopeful that they’ll want to make us whole and do right by us,” Murphy said. “Fortunately, we’ve been in sound financial shape and we can weather this storm. It would have been a completely different story had that teller with Wells Fargo not been alert and allowed the Secret Service to freeze that $300,000.”

Murphy said the town is no longer banking with Frost and they have improved their cyber security and continue to educate their citizens about the dangers of cyber criminals.

The Secret Service said they couldn’t comment because the case is still open but did confirm no arrests have been made.

Read also:

Federal court denies appeal of ex-city manager of Crystal City convicted in bribery scheme

Dashcam video contradicts SAPD’s narrative that woman pointed weapon at sergeant prior to being fatally shot

About the Authors:

Tim Gerber is an investigative reporter and anchor on the KSAT Defenders team.

Dale Keller is senior news photographer at KSAT-12.