(The Center Square) — Two Louisiana parish governments were recently hit by cyberattacks that diverted more than $1.3 million in public funds, according to new reports from the state legislative auditor.
In separate independent audits, St. Helena Parish Police Jury and St. Charles Parish government were identified as victims of vendor-payment fraud schemes that exploited weaknesses in local internal controls and cybersecurity.
In St. Helena Parish, auditors reported that $48,348 in American Rescue Plan Act funds was stolen from the police jury’s checking account on May 10, 2024, after staff received a fraudulent email and follow-up phone call from someone posing as a legitimate vendor. The imposter provided a link in the email and asked that the system the vendor uses to transfer money be updated. Staff later received a phone call claiming there were issues with the online payment and were told to update the banking details before sending the funds.
The payment was made using the altered account information, and the fraud wasn’t discovered until the real vendor called on May 13 to say they had not been paid. An investigation determined police jury staff email accounts had been hacked. The incident was reported to the St. Helena Parish Sheriff’s Office, the legislative auditor and the police jury’s bank, and a claim was filed with the parish’s insurance carrier.
While the auditor classified the incident as theft of public funds, the police jury said it has “fully recovered” the $48,348 through insurance, meaning taxpayers ultimately did not bear the loss. The fraudster has not been identified, and the audit does not state whether any criminal charges are being pursued.
The auditor recommended St. Helena adopt stricter safeguards, including use of Positive Pay, an automated fraud detection tool, to match issued checks and electronic transactions. The auditor also suggested banning payments initiated through email links and improving monitoring and updating of firewalls and other security protections. Parish leaders told auditors they are reviewing and strengthening their internal controls, investing in new technology and rolling out employee training to better protect public funds and data.
St. Helena officials could not be reached for comment.
St. Charles Parish sustained a much larger loss. According to its independent audit, the parish was the victim of a cyberattack in which one of its third-party vendors was hacked. Information taken from that vendor was then used to change the vendor’s banking information on file with the parish, allowing a fraudulent payment of over $1.26 million to be routed to an unauthorized account.
As of the date of the audit report, the parish had recovered $360,180 from the financial institution involved and $500,000 from its insurance policies — leaving roughly $404,000 still unrecovered. The auditor said the investigation into the fraud remained active, and the perpetrator has not been identified.
Auditors concluded that St. Charles Parish’s internal controls did not detect the fraud in a timely manner and that “there were not appropriate controls over changes in banking information for vendors,” which allowed the payment to be diverted. Parish officials told auditors they have since adopted new internal control procedures and begun using new software that requires all vendors to submit their banking information through a system that subjects them to “rigorous scrutiny” before any payments are made.
St. Charles officials could not be reached for comment.




