A phishing scam nearly siphoned off $6.7 million from the City of Portland’s public funds in a case that underscores the persistent vulnerabilities in government digital infrastructure. As investigators unravel the scheme, the incident is a sobering reminder of how a single deceptive email can put millions in taxpayer money at risk.
The Perfect Scam: How a Fake Vendor Nearly Got $6.7 Million
What started as a routine request in Portland’s new vendor management system ended up becoming one of the most audacious attempted frauds in the city’s recent history. On February 13, 2025, a person posing as a legitimate vendor sent an email from john.lisman@MWHKiewitJV.com, claiming a need to update banking details. The timing couldn’t have been more opportune — the city had just rolled out a new system meant to streamline vendor management for large-scale projects like the $2 billion Bull Run water filtration initiative.
The system, however, was designed with a basic safety net: any change in account information required confirmation from the existing email on file. When that step failed — the legitimate email didn’t respond — the system should have shut the attempt down.
But the fraudster persisted.
According to a lawsuit filed in New York on April 14 and confirmed by a city spokesperson, a “deceived” city employee was eventually manipulated into sending a link that enabled the fraudster to bypass the verification process and successfully update the vendor’s banking information.
The Almost-Heist: When Red Flags Finally Raised Alarm
On March 21, the city approved a transfer of $6,748,680.68 to the fraudulent account, believing it to be a routine payment for the Bull Run project. But before the money could disappear into the digital abyss, alarm bells rang.
Banks involved in handling the transaction noticed irregularities and, in coordination with the FBI, intervened just in time. The payment was halted, and Portland avoided what would have been its largest theft of public funds to date.
Remarkably, the scammer — emboldened or desperate — made 10 follow-up calls to city departments in an attempt to track the progress of the payment. This aggressive behavior further confirmed the fraudulent nature of the communication and helped accelerate the city’s internal response.
By April 4, a full-scale investigation had been launched. The city confirmed that the matter is under active investigation by local and federal law enforcement.
A Pattern of Cyber Vulnerability
While the timely intervention prevented actual loss in this case, the attack reveals critical weaknesses in Portland’s cybersecurity ecosystem. Just two years ago, in 2022, the city suffered a successful cyberattack that cost taxpayers $1.4 million — at the time, the largest public fund theft in its history.
That record was nearly broken.
The recurring breaches raise tough questions: Are city employees adequately trained to handle phishing attempts? Are automated safeguards strong enough to prevent social engineering attacks? How can municipalities secure multi-million-dollar payments in an age where a well-written email can outsmart an entire bureaucracy?
“The City is taking this matter seriously and is making every effort to ensure the return of public funds and that those responsible are held accountable,” said spokesperson Carrie Belding.
Yet with public trust on the line and cybercriminals growing more sophisticated, Portland and countless other cities now face the grim reality that fighting financial fraud is no longer a backend IT issue, but a frontline governance challenge.