Do Something

Protect yourself from wirefraud

From the FTC: What To Know Before You Wire Money

Connect WITH OUR SOCIAL ACTION TEAM


Read More

Solutions for better citizenship

In Brief

How did the School District lose $700,000?

In October 2022, the School District of Philadelphia was scammed out of $500,000 by someone posing as a vendor. Nearly all of that has been recouped, but as a result, the District’s Office of Inspector General made recommendations to prevent it from happening again. Unfortunately, in March 2024, the District made two payments of nearly $700,000 in two separate incidents to “bad actors” who had hacked the vendors’ emails and requested a change to the normal payment method.

The District wouldn’t answer whether the Inspector General’s recommendations were implemented or how this latest breach occurred, nor would they answer whether employees had been trained in verification and payment confirmation techniques that cybersecurity experts recommend, which employees were involved, why the incidents weren’t made public when they occurred, whether the District has a cyber insurance policy that could help them recoup their losses, or what they believe the likelihood is of them getting that money back and to the correct vendors.

In reality, all organizations are susceptible to “social engineering attacks, also known as business email compromise. To prevent attacks from succeeding, organizations require both adequate security resources and effective training. Right now, the District is not being transparent about what, if anything, they are doing to protect themselves.

About that Missing $700,000 …

For the second time in three years, the School District of Philadelphia was defrauded out of hundreds of thousands of dollars. What’s really going on?

About that Missing $700,000 …

For the second time in three years, the School District of Philadelphia was defrauded out of hundreds of thousands of dollars. What’s really going on?

BY Jessica Blatt Press

Jun. 06, 2025

Print

When City Controller Christy Brady announced at a May 22 press conference that the School District of Philadelphia had lost $700,000 to wire fraud, it didn’t take long for the angry chorus to chime in.

“Here’s a District forever going to Harrisburg with their hand out, and they can’t manage what they do have?” one District parent harrumphed.

“The USS PSD is leaking again. No wonder Tony [Watlington] & Co. always have their hands out begging!” a commenter on Facebook identified as Jim Perry posted. Another, identified only as Kathryn Elizabeth, kept it short: “Classic.”

       Listen to the audio edition here:

Spokespeople for both Brady and the School District said they’re not at liberty to comment on the case given that it’s an ongoing investigation with the Department of Justice.

What we do know, based on District-issued press releases as well as Brady’s report and press conference, is that last year, the District made two payments of nearly $700,000 total to “bad actors.” In March 2024, a hacker posed as a trusted vendor and requested payment of $536,000; also that month, a bad actor requested and was paid $126,000. In both cases, the scammers hacked the vendors’ emails and requested a change to the normal payment method, from a paper check mailed at the address on their contracts, to an electronic bank payment to the scammer’s account.

Scams and hacking happen — even to the most secure systems, like the federal government. But both the breach in protocol and the District’s subsequent matter-of-factness about the matter raise some serious questions, including: Just who is minding the store at 440 North Broad anyway?

More questions than answers?

This is not the first time the SDP has been a victim of serious financial fraud. In October, 2022, a similar incident scammed the District out of $500,000 (nearly all of which has been recouped). After that, the District’s Office of Inspector General made recommendations to prevent this from happening again, including implementing formal policies regarding the ACH payment system; taking additional steps to verify requests to change vendor payment information, such as independent confirmation with the vendors themselves; and training of new employees and annually for existing employees.

The District wouldn’t answer whether those recommendations were implemented, whether they were followed, or how this latest breach occurred.

It can be hard to be that forgiving when incidents happen repeatedly with no assurance of a fix. After all, fool the District once, shame on you; fool them twice, shame on … you know.

Spokespeople for the District also wouldn’t answer whether employees had been trained to call a verified phone number to confirm a request in a change to payment form — as cybersecurity experts recommend. Neither would they reveal which employees were involved in the case, and whether it was one or multiple involved in each incident. Nor would they say why Dr. Watlington didn’t go public with this information in March 2024, when he first reported it to appropriate internal sources. And finally, they wouldn’t reveal whether the District has a cyber insurance policy that could help them recoup their losses, or what they believe the likelihood is of them getting that money back and to the correct vendors.

Instead, the District sent out a press release with the headline: “District Does Not Lose $700k in Cyber Fraud Attack,” noting that the schools are not out any more money than they would have spent on the work being paid for. (This, of course, minimizes the fact that some vendors out there did lose $700,000, a pretty significant sum.) The press release went on:

To combat cyber fraud, the District has implemented several measures, including revising bank confirmation processes, improving the process to validate payment changes with vendors, and strengthening internal controls. These steps aim to reduce the risk of phishing attacks, business email compromise (BEC) scams, and other cyber threats.

Watlington, meanwhile, promised, as cited in The Inquirer, that the District is “absolutely committed to transparency.” Philly taxpayers will expect nothing less, and just might remain enraged until the truth is out.

This happens … to everyone

But some wire fraud experts are more empathetic. “This is not unique to any specific type of organization,” says Aunshul Rege, professor in the Department of Criminal Justice at Temple University, whose work focuses on critical infrastructure and cybersecurity.

At most organizations, Rege says, the focus is on operations first, security second. But all organizations, large or small, cash-strapped or flush, are susceptible to these “social engineering attacks,” or what experts call business email compromise. In such cases, cyber criminals often impersonate a trusted vendor, contractor or partner, and might request changes to payment instructions. Cyber criminals exploit trust and past relationships, so that employees’ guards are down.

Former City Controller Rebecca Rhynhart points out that, especially when it comes to government and public entities, vendor information is often public and easily available online. “[Criminals] look online and see who the vendors are and then try to impersonate them” by, say, creating email addresses that are similar but for a random middle initial, or using a dot-com in lieu of a dot-org.

And these types of scammers are often in it for the long haul, Rege adds. “They have to research the vendor to pose as them; they have to study them,” she says. “It’s really kind of connecting the dots and putting that story together to make yourself believable as someone from that company. They’re going to be patient and do their homework.”

School districts around the country have increasingly been victims of this kind of fraud — with varying degrees of success recouping their losses, and varying degrees of catching the criminals at hand. Rhynhart says that cyber insurance can help organizations recoup financial losses — and obtaining it often requires employees to complete more rigorous training.

And Rhynhart points to the fact it’s not just public organizations that are vulnerable. Last February, CNN reported on the case of con artists creating a Zoom filled with AI deep-fakes — who successfully convinced an employee in Hong Kong to wire over $25 million.

The elephant in the room

The news comes as another school year comes to a close with the same narrative: Despite slight improvements in learning and graduation rates, just 17 percent of Philadelphia fourth graders read at or above grade level; facilities are falling apart; teachers are leaving the classroom at an unsettling rate. And, as per usual, the District is hoping for an increase in state funding in the 2026 fiscal year.

It is also looking for help from parents, foundations, football players and other donors to supplement its $4.6 billion budget — especially as this may be the last year that funding reserves will prevent serious cutbacks. In March, the District announced that it is using 40 percent of its reserves, but may face a $300,000 deficit in FY2027.

School districts around the country have increasingly been victims of this kind of fraud — with varying degrees of success recouping their losses, and varying degrees of catching the criminals at hand.

Sure, as the District noted, the scammed $700,000 is money that would have been spent anyway so doesn’t immediately affect the bottom line. But the vendors still need to be paid — where is that money coming from? Who is being held responsible for the mishaps? And how confident are you that this won’t happen again — perhaps this time with money that has not been slated to go out the door already?

As superintendent, Watlington must be focused first on student achievement. But he is also responsible for minding the store.

Don’t blame the victim. Do be proactive

“No matter how you look at it, it’s still a crime — and the District is a victim,” Rhynhart says. “But just like locking your door at night, there are certain safeguards — like training employees to be on the lookout for strange email addresses and verifying requested payment changes by phone using a known phone number — that can be helpful in this situation.”

Unlike the personal act of locking your door at night, however, organizational protection requires organizational resources and training. “The human is vulnerable, but it’s the training that’s the problem,” Rege says. “Especially because the landscape is changing so quickly, I’m pretty confident in saying that training is not up-to-date.” She believes organizations need to implement training that is relevant, recurring, relatable, specific to one’s job description, and offered to everyone.

She also calls for more multi-person approval. Cyber criminals, research shows, count on hitting people when they’re most vulnerable — perhaps on a Friday, late in the day, when employees are tired and checked-out. Multi-person approvals, Rege maintains, can disperse or distribute that burden. (Again, the District would not answer specific questions about their safety protocols.)

“We [as a society] need a multi-pronged approach, and right now, we’re so behind,” Rege says. “It’s unfair to say, Oh well this happened because you dropped the ball. No. Multiple things happened.”

Sure. But also: It can be hard to be that forgiving when incidents happen repeatedly with no assurance of a fix. After all, fool the District once, shame on you; fool them twice, shame on … you know.

MORE ON PHILADELPHIA PUBLIC SCHOOLS

Related from The Citizen
Guest Commentary: Pennsylvania, Prioritize Literacy
By Rachael Garnick
Related from The Citizen
Guest Commentary: Philly Schools’ “Rubber Rooms?”
By David R. Osborne
Related from The Citizen
Integrity Icon 2025: Omar Crowder, Principal for Our Times
By Jessica Blatt Press
Related from The Citizen
How to Speak at Philadelphia City Council, School Board Meetings
By Andrew Lu
Photo illustration by Olivia Kram.

Advertising Terms

We do not accept political ads, issue advocacy ads, ads containing expletives, ads featuring photos of children without documented right of use, ads paid for by PACs, and other content deemed to be partisan or misaligned with our mission. The Philadelphia Citizen is a 501(c)(3) nonprofit, nonpartisan organization and all affiliate content will be nonpartisan in nature. Advertisements are approved fully at The Citizen's discretion. Advertisements and sponsorships have different tax-deductible eligibility. For questions or clarification on these conditions, please contact Director of Sales & Philanthropy Kristin Long at [email protected] or call (609)-602-0145.

Photo and video disclaimer for attending Citizen events

By entering an event or program of The Philadelphia Citizen, you are entering an area where photography, audio and video recording may occur. Your entry and presence on the event premises constitutes your consent to be photographed, filmed, and/or otherwise recorded and to the release, publication, exhibition, or reproduction of any and all recorded media of your appearance, voice, and name for any purpose whatsoever in perpetuity in connection with The Philadelphia Citizen and its initiatives, including, by way of example only, use on websites, in social media, news and advertising. By entering the event premises, you waive and release any claims you may have related to the use of recorded media of you at the event, including, without limitation, any right to inspect or approve the photo, video or audio recording of you, any claims for invasion of privacy, violation of the right of publicity, defamation, and copyright infringement or for any fees for use of such record media. You understand that all photography, filming and/or recording will be done in reliance on this consent. If you do not agree to the foregoing, please do not enter the event premises.