North East Lincolnshire Council was defrauded out of £22,000, it has been revealed.
A fraudster managed to trick council staff into paying the cash into a different bank account than the one it was intended for.
The council says the loss, which happened in August, was highly regrettable and it has been reported to Action Fraud.
Criminals can use hacked email addresses to impersonate other people and convince organisations to change the account which money is being paid into, an increasingly-common crime known as mandate fraud.
In this case, the new bank details being supplied by the fraudster were not independently verified, allowing the fraud to happen.
This is the only time the council has been defrauded in the last three years.
Its finance help-desk team successfully stopped another attempt which would have seen £32,000 paid out to a fraudster in the same month.
Changes have now been made to prevent crimes of this type in the future.
Councillor Stan Shreeve, the cabinet member for finance, said the theft of taxpayer money was ‘despicable’.
He said: “Any successful fraud attempt is highly regrettable, particularly when the council is facing financial challenges.”
“The council deals with around 100,000 financial transactions each year, worth more than £200million, and attempts at fraud are commonplace for many large organisations.
“What is far less common is the success of any fraud attempt. We have been successful in stopping all but one fraud attempt, this one, in the last three years.
“Fraud is despicable, and quite frankly, a crime, which in this case was reported to Action Fraud. Anyone aware of fraud should do the same.”
Details of the loss have been made public in a report to North East Lincolnshire Council’s Audit and Governance Committee.
“Fraudsters are using technology to hack email addresses and spoof emails to make them look like genuine ones from suppliers. This type of fraud has also become more prevalent over the past few months, with numerous attempts reported by public authorities,” the report says.
“Whilst the council has procedures to mitigate such attempts, unfortunately it was subject to a successful attempt to defraud in August, causing a loss of £22,000.
“On this occasion there was a failure to appreciate the fraud risk resulting in the change to bank details not being independently verified, allowing the fraud to occur.
“As a result, we have taken the opportunity to review those procedures in relation to requests for changes to supplier information.
“Changes have been identified and implemented to provide additional security when updating such information.”