Norwalk wired $900K to scammers; may settle reimbursement lawsuit

The Norwalk Common Council on Tuesday will consider settling a lawsuit filed against The Hanover Insurance Group, which denied Norwalk’s claim stemming from a nearly $900,000 loss to online scammers in 2016.

Correction, 10 p.m., Dec. 15: Bob Barron is Chief Financial Officer. Updated, 8:11 a.m.: Copy edits; 7:42 a.m.: New headline, copy edits

NORWALK, Conn. – Norwalk’s finance department in October 2016 transferred nearly $900,000 to “an unknown criminal third party” which perpetrated a scam against the city, according to legal documents available online.

The City’s insurance carrier refused to cover the loss, the City sued, and the Common Council is set to discuss settlement of the case Tuesday.

C.H. Nickerson Construction, Inc. was doing construction work for Norwalk in 2016 and the City was contractually obligated to wire installment payments to the company, the City’s lawsuit states.

In September 2016, Norwalk received and followed email instructions to change Nickerson’s payment account information, and send future payments to Nickerson’s “new account.”  After the change, the next installment of $894,464.83 was transferred to the “new account” on Oct. 6, 2016.

Norwalk discovered on Nov. 4, 2016, that Nickerson hadn’t received the payment but that it had gone to “an unknown criminal third party,” the complaint states.  The request to change payment instructions was fraudulent and had come from scammers.

An additional payment had been scheduled, but the City notified the bank and the payment was stopped, Deputy Corporation Counsel Jeffry Spahr wrote in a November 2016 letter that is included as an exhibit in the complaint.

Payroll & Accounts Payable Supervisor Lena Hilliard is the City employee who transferred the money to the fraudulent “new account,” another exhibit states.

“We were told it’s an ongoing investigation and we are not supposed to issue any comment on it,” Corporation Counsel Mario Coppola said Monday.  He added that City officials don’t want to jeopardize an ongoing investigation being conducted by state and federal law enforcement as well as Norwalk Police.

NancyOnNorwalk contacted Mayor Harry Rilling to ask if there have been any changes to Norwalk’s invoice payment practices since the payment to the fraudsters; Rilling said a future press release will address the question, and also cautioned that there’s a criminal investigation underway.

The news that Norwalk had lost a significant amount of money to a fraud scheme first became public in January, after a discussion about cybersecurity at a Planning Commission meeting. Commissioner Tammy Langalis said she’d heard Norwalk lost a considerable amount of money due to a scam or erroneous payment; Information Technology (IT) Director Karen DelVecchio said it had been a case of social engineering.

“Farmington was similarly duped into directing a $2.04M payment due to C.H. Nickerson to a criminal network based in China,” Attorney David D. Dowd of Curley and Curley PC wrote on Feb. 24, 2017, in a letter presented in April as an exhibit in the lawsuit.

A January 2017 Patch news story quotes Farmington police Chief Paul Melanson as calling the scam “a very sophisticated international operation… able to mimic the procedures used by a private company to collect payment from municipalities with which the company does business.”

Dowd represents CIRMA (Connecticut Interlocal Risk Management Agency), which placed Norwalk with Hanover, Hanover Compliance Analyst Adam Stanhope wrote in a letter included as an exhibit.

“It is easy to criticize with the benefit of hindsight, but I don’t think it unreasonable to expect a City Comptroller and the Accounts Payable Supervisor under his direction to call or otherwise communicate with a vendor to confirm a change of account information before authorization of a payment of almost $900,000,” Dowd wrote. “Arguably, there has been a failure of the record-keeping and pre-payment audit duties of the Comptroller as dictated by the {Norwalk} Charter.”

Norwalk Comptroller Frederic Gilden is retiring this year, Chief Financial Officer Bob Barron said in May.

A chart included in the documents shows that the Crime Policy has a $500,000 limit for each instance of computer fraud, with a $10,000 deductible.




Legal arguments

The Hanover Insurance Group, which insures the City, refused to cover the City’s loss, and claimed the policy did not cover it.  In July 2017 Norwalk sued, claiming that the company was obligated to pay.  The City’s lawsuit alleges bad faith, breach of contract and unfair practices. The Common Council is set to discuss a legal settlement in the case on Tuesday, in an executive session; Coppola declined to comment.

Hanover on Nov. 18, 2016, denied coverage of the loss, although Norwalk was up to date on its payments for its Crime Policy, the City’s complaint states.

The complaint goes on to allege that Hanover in bad faith attempted to mislead Norwalk into believing the loss was not covered, and retroactively added a False Pretenses Endorsement to limit its coverage at $15,000.  It also alleges “immoral, unethical, oppressive and/or unscrupulous conduct” by the insurance company that goes against Connecticut statutes and shows a “reckless indifference” to Norwalk’s rights.

Hanover in its reply admits that Norwalk paid its premium in full, but denies that the policy was in effect from July 1, 2016 to July 1, 2019. It denies that it breached a contract, and denies all the allegations, including a statement that it has issued crime policies to other Connecticut municipalities. It also argues that Norwalk could have reasonably avoided the loss.

“Hanover denied coverage under the Faithful Performance of Duty Coverage Endorsement, the Funds Transfer Fraud Insuring Agreement, and the Forgery or Alteration Insuring Agreement (the Insuring Agreements the City alleges Hanover violated in its Complaint) based on well-established case law providing that these types of ‘social engineering schemes’ are not covered under any of the enumerated coverages,” Hanover wrote in a February brief.

Hilliard was faithfully executing her duties and there was no fraudulent instruction as defined in the policy, because the fictitious email did not direct Norwalk to transfer funds, Hanover claims, going on to assert that forgery is not the issue here.

The policy defines “Computer fraud” as a person gaining unauthorized access to Norwalk’s computers, and that’s not what happened in this case, Hanover states, asserting that Norwalk opted not to purchase False Pretenses Coverage.

In response, Norwalk in March wrote that Connecticut law holds insurance companies responsible for ambiguities in policy contract documents and “the policyholder’s expectations should be protected as long as they are objectively reasonable from the layman’s point of view.”

Regarding bad faith, Dowd in his letter points out that Hanover’s Nov. 18, 2016 disclaimer letter did not mention the “faithful performance of duty endorsement, which added significantly broader coverage to this ‘Employee Theft’ Insuring Agreement” cited by Hanover as a reason for denying the claim, and called the nondisclosure “very likely an unfair claim settlement practice proscribed by Connecticut law.”

Dowd also wrote that Coppola’s coverage analysis is cogent and his advocacy exemplary, but “forgery or alteration” misses the mark, concluding that “a judge would probably be oriented toward finding coverage, if possible.”


Milly November 27, 2018 at 8:22 am

Anytime you receive an email telling you to change something you should always call the company directly to confirm it is a legitimate change – that is the number one warning sign it is a scam.

Patrick Cooper November 27, 2018 at 8:28 am

Emperor Rilling –

Let it be known that your feats and accomplishments have become well known in our budding metropolis. The whispers are you preside over a virtual spigot of cash that is spewed out indiscriminately but with an aim towards good friends and supporters.

We wish to help. I have been given custodial agency over a dozen AMEC contractor truckloads of diamonds, rubies, jewels, ancient artifacts, and several cases of Ouzo straight from your favorite vacation spot. It is my desire to ship these to you as soon as possible.

Please have a low-level staffer send me the bank routing, username and password for the Norwalk rainy day fund, so that I may secure a small deposit towards UPS charges. Or you can simply send the fund to our Nigerian bank for safe keeping. Make sure to wear gloves, and give the instructions during executive session. A short missive from Josh on how “it’s been raining – we need those funds” should more than satisfy your loyal supporters.


Prince L. King
C/O Ima Knucklehead
419 Fraud Street
Mokolo, Nigeria

Rayj November 27, 2018 at 8:33 am

Lest this too pass with inevitable sigh and resignation, I’d like to add, please also disregard emails from Nigerian Princes. I hope our Leagle Dept has better standards of practices than Accounts Payable.

Bob Welsh November 27, 2018 at 8:42 am

You count on Nancy to bring you stories such as this one.

Can Nancy count on your support to continue vital reports on your community?

Your impact is tripled today thanks to NewsMatch 2018 plus a challenge grant from the NoN Board of Directors. Every dollar you give becomes three dollars!

Please give now. It’s so important!


Steve Mann November 27, 2018 at 10:38 am

Exactly, Bob. Without Nancy, this news is never reported. This is news that ALL Norwalkers should be aware of.

Please help us all maintain this valuable resource by making your contribution today, while NewsMatch is in effect.

carol November 27, 2018 at 12:02 pm

unbelievable that our super “money watchers” were duped and we are left holding the bag.

Rick November 27, 2018 at 12:26 pm

Norwalk was duped on Firetree as well but that 1 million was not covered, suppose Harry or Mario can’t talk about that until the next administration.

Thank you Nancy that must leave a dozen other cases the city has going on no one can talk about.

It’s worth the donation, folks. Bob is correct: You count on Nancy to bring you stories such as this one.

James Cahn November 27, 2018 at 12:57 pm

To Harry, directly:

Remember that time I suggested that we build and implement specific, outlined systems and processes for things like this and you talked to Ray Burney and he said that we didn’t need that? That instead you’d figure it out on the fly, as you went, to determine “what’s working and what’s not?” If you need a refresher, here’s one:


You can see there that you use the language that he coached you on regarding what a “reorg” was, you look over to him to see if you did a good job and he nods to let you know that you hit all the cues you guys rehearsed. Great work, there. Being coach-able is an asset in most organizations and it’s good to see that you look to Ray as someone whose approval is important to you.

Anyway, this is precisely the type of thing that is prevented by having the resource you said we didn’t need. I find myself wondering if the firm that we didn’t hire to look at things EXACTLY like this would have cost the $900,000 that this did. (The answer is, “Probably not,” if you were curious.) This is something that we now know “isn’t working.” Did I get that right?

Let’s stop the charade of “we can’t talk about it because it’s a pending criminal investigation.” Really? Is it? Are we sending a detached spec ops unit of the NPD Internet Crimes and Cyber Police over to China to give these guys a stern talking-to? Finally, the defense that “these guys tricked people in Farmington, too” is no defense at all. The reason those “Greg from Microsoft” scammers call as many people as they can is because eventually, they’ll get someone dopey enough to buy their story.

I understand that education is expensive, particularly at the “Norwalk Experimental School for Amateur Improvisational Municipal Government” on East Ave. But it seems like this was a particularly expensive one for me and my fellow tax payers to have to shell out for.

I sincerely hope that the insurance company decides that paying some amount of money less than the $900,000 that someone sent out unverified and based on a “very convincing 2 line email” will cost them less than monkeying around with the crack legal team at City Hall.

Lisa Brinton Thomson November 27, 2018 at 1:06 pm

I heard about this scam over a year ago, but was told the city’s insurance company would cover the costs. Apparently, this unfortunate event was even too stupid for their books. Glad someone finally got this story to you Nancy!

Does anyone see a trend with this administration – lawsuits to cover their screw ups? Right now, Milligan and POKO come to mind or even the Main Library parking dispute. Don’t worry our increased property revaluations will cover it!

Elsa Peterson Obuchowski November 27, 2018 at 1:57 pm

Even if the insurance company did cover it, I would guess it would mean our premiums would go up in the future.
This is a classic example of a “social engineering” scam, where the bad actor fools the victim into thinking that a request is legitimate.
It seems clear we should have a standard procedure that our employee must always call a known phone number — not a phone number provided by the (potentially fraudulent) email — and actually speak with a known person at the company in question before changing any account, login credential, or other data affecting disbursement of payment to said company.

Elsa Peterson Obuchowski November 27, 2018 at 2:00 pm

P.S. Do we not have a dollar threshold requiring a second approval when a change like this is to be made and the amount is nontrivial?

Steve Mann November 27, 2018 at 2:36 pm

Trust but verify. I must get three calls per week from the IRS, from “the ‘billing department’, to verify funding source for payment”, and assorted others. I just assume malice. How much common sense does it take these days to check the source of the email? When one believes themselves infallible, the defenses go down the toilet.

Bryan Meek November 27, 2018 at 2:44 pm

Short of any external criminal investigation, the city should be able to produce its procedural controls for vendor master file maintenance. It would be shocking if these were not demanded by and produced for the insurer after the mishap. A quick google search on “vendor master file maintenance controls” yields scores of articles on best practices in this area. The most important one being proper segregation of duties that would not allow AP administrators any kind of access to update the vendor master file. Do we have these in place? Or is it not cost effective to have these? Or is this included in the $ million re-org some day if we’re lucky to ever find out what that entails exactly. Why does it take a forthcoming press release for transparency here on an event that took place a long time ago. Producing the city’s policies on internal controls shouldn’t be precluded due to some criminal investigation. Lots of questions. Are the monies off shore? Is the investigation limited to the State Police? Is the FBI involved? State Department? What resources are being employed to protect the taxpayers and citizens of this city besides a PR agent?

Gypsy November 27, 2018 at 2:51 pm

If the city’s IT department had half a brain, it would have installed firewalls that would have prevented this type of thing in the first place.

David Chu November 27, 2018 at 3:46 pm

As long as payment wasn’t made in crypto-currency like Bitcoin, you’d think law enforcement should be able to track where payment went to.

Lauren November 27, 2018 at 4:01 pm

omg it is literally not difficult to verify whether or not an email is fraudulent, how was this mistake even made? It blows my mind that people employed in these positions are dumb enough to let things like this happen. This is where our tax dollars are going. Freaking fantastic.

Debora Goldstein November 28, 2018 at 12:09 am

Questions, fearless Norwalkers.

If you were to now find out that this fraud and loss took place before the last municipal election and it was kept from you, would you have considered voting differently?

Do you believe that the reorg would have prevented this?

How much have we paid in legal fees in the course of the investigation, and now the lawsuit?

How much more will we pay for the inevitable consultant to come in and tell us how to prevent a repeat of this fiasco?

How inflated was your property assessment?

Aren’t you glad you are paying for such excellent government?

Seth Kent November 28, 2018 at 12:04 pm

It is absolutely basic procedure in almost any type of organization to perform a “call-back” to the contact number on file to confirm any and all vendor payment instruction updates or changes.

Mitch Adis November 28, 2018 at 1:07 pm

According to our fearless leaders (no fear of losing tax payer money) “Stuff Happens”. So when we are asked to cut a $1,000,000 from the School budget, we should remember where it went and how flippant the City leadership was.

Bob Partisan November 28, 2018 at 1:22 pm

Is/has there been an audit conducted to be sure that this is the only “error” that has occurred?

If it is so easy to simply change a vendor over and make a large payment, I wonder if there are any financial anomalies hiding in the records.

Also, what procedures have changed to be sure this doesn’t happen again?

Scarlet ohara November 28, 2018 at 1:37 pm

Norwalk police can’t even get off their bums to direct traffic, why or how could the people of Norwalk ever expect the NPD to conduct an investigation of this nature? Lol! That’s truly comical.

As for the highly incompetent “employees” at city hall, does ANYONE get fired for committing such a gross negligence??!! That cost us taxpayers thousands of thousands of dollars??!! Nope…that’s why this {…} keeps happening.

Nancy, maybe a full summary of how much Rilling and his band of court jesters has cost the city by not having protocol in place, a plan to measure job performance or just being lazy and not reading important emails versus any and I mean any monetary improvements to this city (look real hard! Lol) {…}


Edited to remove ascribing of motives without proof, and a vulgarity. https://www.nancyonnorwalk.com/comment-guidelines/

EnoPride November 28, 2018 at 9:32 pm

Wow. Doesn’t instill confidence. $900,000 is a chunk of (our) change. Seriously, a corporate employee accountable for signing away that much money would be fired on the spot if this had happened on a private corporation’s dime… Ummm, I mean, $900,000. I guess because it merely happened on the Norwalk taxpayers’ $900,000, “Stuff happens”, which speaks volumes to the lack of discipline, lack of accountability and the nonchalance of this current administration. I will take a wild guess too that the employee who is accountable received the obligatory annual pay raise without being subjected to any semblance of an annual evaluation, let alone without being subjected to a pink slip. I sure hope I am wrong, but with this group, I may be right. God Help Us!

What procedures have been implemented to make sure this doesn’t happen again? Taxpayers deserve to know. Enough time has transpired since the unfortunate event to get a preventative control system in place here urgently, and to train employees on how to identify scam emails, etc. Sounds like no preventative measures as of yet? I wonder like Bob Partisan about if an audit has been conducted to investigate if more money has slipped through the cracks elsewhere. All these unanswered questions all the time… Ugh!!! New leadership… Pleeease?!?!

Debora Goldstein December 27, 2018 at 5:37 pm

It is always fun and instructive to take an end of year tour through some of the more impactful news items. This one, in particular, is troubling. Here is a timeline.

September 2016:
An employee changes payment instructions for an existing vendor, based upon an email.

October 2016:
An employee transferred nearly $900,000 to “an unknown criminal third party” which perpetrated a scam against the city, according to legal documents available online.

November 8, 2016:
ELECTION DAY – Locals were intensely focused on the Charter Revision Referenda. Four year term for Mayor and higher pay for councilmembers is defeated at the polls.

May 2017:
According to reports in May 2018, Mayor and others begin discussing and researching a staff reorganization which they can do under the charter without voter approval, but DOES require council approval.

November 7, 2017:
ELECTION DAY: Mayor Rilling re-elected and Common Council swings 14-1 in party registration.

January 24, 2018:
A City employee confirms for the first time in a public forum that the City was scammed out of a significant amount of money using “social engineering”, despite efforts to not comment on an investigation that was still “ongoing” fifteen months after the original theft.

February 21, 2018:
Vacant grant-writing position is down-sized by new council, and revamped to include communications. Some council objections to weakening the grant-writing requirement to “or equivalent experience”.

May 2018:
New Communications Director is hired. Morgan is said to have been “close to” grant writing at a former employer.

May 17, 2018:
Mayor unveils proposal for “span of control” reorganization to newly formed ad hoc committee of the common council. Though voters were unaware of it, “Discussions of a restructuring go back many months,” [then] Council President John Kydes (D-District C) said. According to [then Asst to the Mayor, Laoise King] “internal resources were used to examine what other cities have done.” Also according to King (in comments on the same article), “The Mayor has spent over a year working closely with personnel department, legal department and impacted departments to design what he believes is a long overdue restructure of city departments.”

September 11, 2018:
Council approves City Hall “span of control” Reorg, handing out raises and “cabinet-level” titles to senior staffers.

October 23, 2018:
Pay plan for non-union, appointed and elected city officials (ordinance positions) is approved to allow Mayor Harry Rilling to grant those employees a 2.36 percent raise retroactive to July 1st and better evaluation system promised.

November 6, 2018:

November 27, 2018:
City settles with the insurance company. Amount unknown for a claim that would have paid, at most $500k of the almost $900k loss. No word on the costs of the litigation that led to the settlement.

November 27th, 2018:
NancyOnNorwalk contacted Mayor Harry Rilling to ask if there have been any changes to Norwalk’s invoice payment practices since the payment to the fraudsters; Rilling said a future press release will address the question, and also cautioned that there’s a criminal investigation underway.

December 27, 2018:
Still waiting for that press release…
