Tailor-made… for thieves
Since September, criminals have struck national trade and lobbying organizations like the Consumer Technologies Association and the National Association of Manufacturers, corporate PACs for Trinet and Corning, and elected officials like Reps. Elise Stefanik (R-NY), Matt Gaetz (R-FL), and Sen. Jerry Moran (R-KS), whose campaign was taken for a stunning $690,000 by what it calls a “cyber-criminal” posing as a vendor in the hectic days surrounding the 2022 election.
James E. Lee, CEO of the Identity Theft Resource Center, told The Daily Beast that political groups are in some ways “tailor-made” targets for fraudsters.
“This is part of a bigger trend indicative of how well-organized and sophisticated these cyber thieves are becoming. But when you’re talking about some of these national-level campaigns, there’s a whole lot of money and data flowing through, but not a lot of processes in place,” Lee said.
“Campaigns are also temporary organizations by design, without a lot of structure, and on top of that, elections can be very chaotic,” he said. “Those circumstances are tailor-made for someone to come in for identity fraud.”
Crime wave
A review of Federal Election Commission online data shows reports of fraud dating back to 2004. However, that rate has dramatically increased, especially in the back half of 2022. While it’s not clear whether there are truly more incidents or just more reports of incidents, the data indicates about 180 instances of reported fraud during the 2021-2022 midterm cycle, around 15 more than 2019-2020—a presidential cycle. The 2017-2018 midterm saw about 83 reported incidents.
That total of 83, spread over two years, is about 20 fewer fraud reports than in the last six months of 2022 alone, when a number of committees—most specifically business groups—were targeted for theft, far more than any other six-month period.
Paper planes
While some of the techniques appear more sophisticated, a number of those incidents involve old school check fraud.
Over the last four months of the year, check fraudsters struck at least five corporate PACs—belonging to health care firm Trinet, NextEra energy, McKesson pharmaceuticals, Corning manufacturing, and biomedical company Boston Scientific—as well as PACs affiliated with the National Association of Manufacturers (NAM-PAC) and the Consumer Technology Association, whose membership comprises some of the largest tech companies in the country.
While those groups use different banks, all but one of the committees used the same compliance firm—DDC Public Affairs—and their notices to the FEC about the fraud share almost identical language: “an unknown individual created, forged and cashed” a small number of “fictitious PAC checks.”
Also in November, the corporate PAC for Boston Scientific (which doesn’t use DDC Public Affairs) lost more than $65,000 in what the PAC later disclosed as 21 fraudulent check transactions, ultimately overdrafting the PAC’s account.
A spokesperson for BUILDPAC (the National Association of Home Builders, which also doesn’t use DDC Public Affairs) told The Daily Beast that the theft didn’t involve checks, saying its bank has returned the tens of thousands stolen in September.
Dunn dunn dunn
For instance, the campaign committee for Rep. Neal Dunn (R-FL) reported a Nov. 3 loss of $10,855 due to what the treasurer called “an external check fraud situation” in a letter to the FEC last month.
In addition to Dunn, the campaign for Rep. Russell Fry (R-SC) was taken for more than $2,600 just ahead of the midterm election, according to its post-general report. The fraudulent transactions included about $250 at The North Face, nearly $550 at Nordstrom, and more than $1,000 at a Safeway grocery store—all located across the country in Seattle.
A Gaetz spokesperson referred questions about the hundreds of dollars in disputed Apple charges last November to the language in the campaign’s latest FEC report. According to the filing, the committee disputed charges on the campaign card “that they believe to be fraudulent,” without further detail, adding that the campaign is awaiting word from the card company.
A former Gaetz aide told The Daily Beast it was widely known among staff that another former employee was fired in recent months after allegedly embezzling campaign and office funds.
Happy Happy DeJoy DeJoy
While none of the above criminals have been publicly identified, Stefanik’s campaign has actually named its suspect: The U.S. government.
In December, Stefanik’s legal team at Wiley Rein sent a barbed letter to former President Donald Trump’s appointed Postmaster General Louis DeJoy, taking the U.S. Postal Service to task for failing to follow through on the alleged theft of nearly $20,000 in campaign contributions. But in this case, the contributions—taken between June and November out of envelopes sent by the Stefanik campaign—were allegedly stolen by USPS employees or contractors.
According to the letter, USPS had indicated it would be tough to identify a suspect “unless and until one or more of Elise for Congress’s supporters becomes the victim of identity theft or financial fraud.” The campaign also claimed that it was promised a report but “recently learned it has not been finalized or sent,” calling the agency’s inaction “unacceptable.”
A Stefanik spokesperson declined to comment for this article.
The USPS Inspector General says its office is investigating, according to the letter. When The Daily Beast reached out for comment this week, a USPS spokesperson promised a response, but said later on Tuesday that the appropriate contact was “away from their desk” and would reply soon. Agency spokespeople never replied to repeated follow-ups.
Mind the gap
“With the amount of data flowing in and out, it’s very easy to impersonate someone,” said Lee, of the Identity Theft Resource Center. “Criminals can fill in the gaps with data that is either readily available about people in online identity marketplaces or on social media, and use that to impersonate a vendor or contributor.”
Some groups have ramped up security in response to the crimes. NAM-PAC, for instance, set up a “positive pay” service with their bank.
That’s a smart step, according to campaign finance law expert Brett Kappel, who advises political committees at D.C. firm Harmon Curran.
“The PAC provides the bank with a list of the checks issued by the PAC and the bank will only honor those checks,” Kappel explained. “It’s a simple and effective system and the bank can charge a significant fee for this service. But that assumes that the PAC is working with a competent bank.”
Throwing your voice
But both Lee and Kappel observed that some scammers now pose a different problem: submitting false invoices.
“Campaigns tend to be chaotic at times, so it could be very easy for someone to impersonate a vendor and submit an invoice demanding payment,” Lee said.
Kappel proposed that one solution would be to verify invoices ahead of time with known employees of the real vendors. “Easy to say, harder to do in the heat of a campaign,” he said.
That concern appears to have applied to Sen. Moran, whose campaign said in a December FEC filing that a “third-party cyber-criminal” had used fake invoices to steal a whopping $690,000.
According to the filing, “it was determined that two wires were sent for payment of fraudulent invoices” to a thief posing as a campaign vendor—one on Oct. 25 and one on Nov. 9, the day after Moran won re-election. The campaign said it had recovered $168,184, and that the FBI is investigating.
A Moran spokesperson did not reply to a request for comment.
That was also the experience earlier in the year for Secure Our Freedom Action Fund, a Republican super PAC run by a former political director for the National Rifle Association. In September, SOFAF notified the FEC that an email account belonging to one of the super PAC’s principals had been “compromised by hackers,” who stole upwards of $150,000.
In late November and December, Retired Americans PAC—a Democratic super PAC aligned with the Alliance for Retired Americans—reported more than $150,000 in “fraudulent disbursements” attributed to Convera Corp (formerly Western Union). The filing doesn’t provide more information other than that the funds were recovered, and the super PAC did not reply to a request for comment. Kappel speculated that the dollar amounts involved would appear to fit the fake invoice scheme.
Safe harbor
An FEC spokesperson did not comment on specific incidents of theft, but told The Daily Beast that the agency has established a “safe harbor” provision to accommodate fraud. The provision says the FEC “does not intend to seek civil penalties” against victimized committees, as long as the committee has “the specified safeguards in place.”
Beyond the federal requirements, Lee said, concerned committees should discuss security measures with their financial institutions, implement online authentication protocols, and train employees to spot social engineering or phishing attempts.
“The toughest one for a campaign—but it’s important—is don’t collect more information than you need, and as soon as you don’t need it, get rid of it,” Lee said, a proposition that won’t likely sit well with campaigns that hold lucrative donor lists. “Ask yourself if you need anything more than the FEC says you do. If you don’t collect it, it can’t be used against you. That reduces the risk to you and your contributors.”
Read the full story here.