The retirement board for thousands of Quincy, Massachusetts, city employees, its investment partners and a bank all missed multiple warning signs or precautionary steps that could have prevented a bad actor from fraudulently transferring millions of dollars overseas, investigators concluded in a report that underlines the cybersecurity risks hanging over the public sector.
Months after the Quincy Retirement Board's executive director left her role, someone used her still-active work email address in February 2021 to request and execute a $3.5 million transaction from investment manager Aberdeen.
In a 48-page report published last week, the state Public Employee Retirement Administration Commission identified a suite of failures before and after the fraud, which went undetected by the Quincy Retirement Board or its partners for about eight months.
The panel that oversees 104 contributory retirement systems for Bay State public employees said the parties involved each share some degree of blame for the costly missteps, which prompted a new round of cybersecurity awareness notices and training and appears to have helped at least one other retirement board thwart a similar attempt.
Get New England news, weather forecasts and entertainment stories to your inbox. Sign up for NECN newsletters.
"All parties involved -- Quincy, investment manager Aberdeen, its investment consultant Meketa Investment Group ('Meketa'), and custodial bank People's United Bank ('People's') -- all of them statutory fiduciaries charged with protecting retirement funds, could have taken basic steps to prevent the fraud, to detect it sooner, or both," PERAC wrote.
The Quincy Retirement Board reported in its 2021 annual report that it had 1,546 active members, 1,521 retired members and assets of about $918.6 million, according to PERAC.
Quincy Retirement Board Executive Director Lisa McBirney announced in late 2020 she would leave her job at the end of that year. McBirney sent an email to People's United Bank, investment consultant Meketa Investment Group and her interim successor, Brigid Gaughan, with notice of her impending departure and requests for reports to be submitted to the bank, but PERAC investigators found the recipients did not circulate the information -- which "would have been vital to preventing the fraudulent transaction" -- to investment managers or other relevant parties.
One of those investment managers was Aberdeen, with which Quincy contracted in 2020 to invest $6 million.
Two major missed opportunities occurred on the Quincy side of the equation, according to PERAC, and the situation was exacerbated by delays in Quincy's board submitting annual statements and monthly cash books.
Following city policy, the retirement board left McBirney's email address active after she left in an attempt to ensure remaining staff could access necessary information, despite industry practices and state guidance calling for deactivating the accounts of departed employees.
The board also did not update its list of authorized signers -- those who can approve transactions -- for several months after she left. Ironically, that action occurred on the same exact day as the fraudulent transfer, and PERAC found "no evidence" that any investment managers received the updated list.
At some point, a bad actor gained access to McBirney's vacated account, and in February 2021, they set out to try and siphon money out of retirement investments.
The bad actor posing as McBirney emailed Aberdeen on Feb. 18, 2021 requesting to "pull some funds as we need some liquidity for investment purposes" and asking if the money could be "sent to a third-party beneficiary," according to a copy of the email included in PERAC's report.
An Aberdeen representative and the bad actor exchanged several follow-up emails that resulted in the investment manager agreeing to process a $3.5 million transfer to an overseas account.
The company told investigators the email account posing as McBirney attached a signed, written document on Quincy letterhead and that the fraudulent McBirney signature matched the signature on another form, but PERAC argued that Aberdeen missed multiple red flags that should have warranted increased caution.
"The letter that was attached had the same erroneous phone number in the letterhead that had been in all of 'McBirney's' email signatures. There is no hyphen between the first three digits of the phone number and the last four. The fax number is not listed as it is on actual Quincy letterhead. The Quincy letterhead is blurry in the PDF file and when printed it is a darker shade than the rest of the page, appearing to have been copied and pasted. The wire instructions in the letter contain two different account numbers, one for a Hong Kong financial institution. The date the wire is requested has the wrong year listed, February 26, 2020, instead of 2021. The body of the letter is askew from the letterhead. The alignment of paragraphs is off. The closing salutation and signature line are a different font than the rest of the letter," PERAC wrote in its report. "All of these are recognized signs of possible fraud."
In its response to PERAC, Aberdeen contended that investigators were benefiting from hindsight. Phone numbers often changed away from typical office numbers as employees shifted to remote work during the pandemic, the company said, adding that awkward wording and other formatting errors are common.
The probe found several other missteps after the fraudulent transaction that allowed it to go undetected for close to eight months, including failures by Quincy, People's Bank and Meketa to review a trade confirmation notice that Aberdeen sent.
A representative of Meketa, which offered consulting to the Quincy Retirement Board, did not view that confirmation until April 5, while Gaughan, the board's interim executive director, did not open it until Oct. 25 -- three days after discovery of the fraud, according to PERAC.
PERAC notified the other 103 retirement boards under its watch to take additional precautionary steps after it learned about the Quincy issue. That proved successful: according to PERAC Assistant Deputy Director Bill Keefe, another board in January "thwarted a similar incident where a bad actor posed as a retirement board official trying to liquidate funds from an investment manager."
Retirement boards also face several other kinds of cybersecurity scams, including attempts to use faxes, emails and phone calls to pose as a retiree asking to move direct deposit to a new location, Keefe said.
Another frequent threat is ransomware, where bad actors seize control of a system or network and demand payment. In 2020, NBC Boston reported that at least one in six Massachusetts communities of more than 260 that responded to a survey had been infected by ransomware, dozens of which negotiated with or paid attackers.
Beacon Hill leaders had the topic on their mind in the wake of PERAC's report. Gov. Charlie Baker told reporters on Monday he discussed cybersecurity in a private meeting with House Speaker Ronald Mariano and Senate President Karen Spilka.
"There's been a whole series of attacks on state and municipal government technology platforms," Baker said. "The creation of the [Article] 87 legislation that created a chief information officer and Executive Office for Technology Services and Security has turned out to be a really good thing and it's helped us significantly through that."
The administration, which oversaw creation of that executive office in 2017, is hesitant to discuss many specifics about the scope of the threats.
Asked to provide more details about the "whole series of attacks" Baker described, an administration spokesperson who would communicate only on background said Massachusetts -- like many other states across the country -- recently experienced a series of distributed denial of service, or DDoS, attacks but said EOTSS does not publicly discuss threats due to the sensitive nature of state cybersecurity.
Colin A. Young and Michael P. Norton contributed to this report.