When Quincy Retirement Board Executive Director Lisa McBirney announced in late 2020 she would leave her job as the end of that year she asked all essential parties involved with the Quincy Retirement Fund to make necessary changes for the transfer of responsibility. But apparently no one did that and now the city’s information technology department, retirement board and a manager for Aberdeen Standard Investments have all been blamed for the $3.5 million theft from Quincy’s pension system.
The theft originated on February 18, 2021, months after McBirney left her role, when someone used her still-active email address to send a request to Aberdeen Standard Investment to pull some funds, explaining that the Quincy pension systems “needed some liquidity for investments purposes “. In reality, that investment went right into the fraudsters own pension plan! The Aberdeen representative and the fraudster exchanged several follow-up emails that resulted in the investment manager agreeing to process a $3.5 million fraudulent transfer to an overseas account in Hong Kong. Maybe ask why not a bank in Quincy next time?
The Quincy Retirement Board did not review the trade confirmation notice that Aberdeen sent on April 5, 2021, until October 25, 2021- three days after the city of Quincy notified the state commission that it had discovered the unauthorized transfer by Aberdeen. That gave our fraudster eight months to slowly disappear.
Who is to blame? This is not a trick question! All parties involved could have taken basic steps to prevent the fraud, to detect it sooner. Following city issued policy, the retirement board left McBirney’s email address active after she left to ensure remaining staff could access necessary information, despite industry practices calling for deactivating the accounts of departed employees. The board also did not update its list of authorized signers- those who can approve transactions- for several months after McBirney left. And none of the banks appeared to be using multifactor authentication software, probably the simplest way to bolster any organizations resilience against fraud and risk.
Kudos to McBirney for leading by example. She seems to be the only one who did her job.
Today’s Fraud of the Day is based on an article “Cybertheft Drained $3.5M From Quincy Retiree Fund” published NBC News Boston on October 20, 2022
The retirement board for thousands of Quincy, Massachusetts, city employees, its investment partners and a bank all missed multiple warning signs or precautionary steps that could have prevented a bad actor from fraudulently transferring millions of dollars overseas, investigators concluded in a report that underlines the cybersecurity risks hanging over the public sector.
Months after the Quincy Retirement Board’s executive director left her role, someone used her still-active work email address in February 2021 to request and execute a $3.5 million transaction from investment manager Aberdeen.