Pay Dirt is a weekly foray into the pigpen of political funding. Subscribe here to get it in your inbox every Thursday.
It’s a mysterious crime wave that has cost its victims more than a million dollars. But unlike usual heists, this one is hitting political groups, with fraudsters in recent months targeting corporate PACs, national trade association committees, and campaigns.
While there are no confirmed links yet between the incidents, federal filings indicate a surge in reported activity in 2022, as criminals have exploited vulnerabilities unique to political committees. And among a few targets, some patterns seem clear.
The victims include major figures in business and politics. Since September, thieves have struck national trade and lobbying organizations like the Consumer Technologies Association and the National Association of Manufacturers, corporate PACs for Trinet and Corning, and elected officials like Reps. Elise Stefanik (R-NY), Matt Gaetz (R-FL), and Sen. Jerry Moran (R-KS), whose campaign was taken for a stunning $690,000 by what it calls a “cyber-criminal” posing as a vendor in the hectic days surrounding the 2022 election.
James E. Lee, CEO of the Identity Theft Resource Center, told The Daily Beast that political groups are in some ways “tailor-made” targets for fraudsters.
“This is part of a bigger trend indicative of how well-organized and sophisticated these cyber thieves are becoming. But when you’re talking about some of these national-level campaigns, there’s a whole lot of money and data flowing through, but not a lot of processes in place,” Lee said.
“Campaigns are also temporary organizations by design, without a lot of structure, and on top of that, elections can be very chaotic,” he said. “Those circumstances are tailor-made for someone to come in for identity fraud.”
A review of Federal Election Commission online data shows reports of fraud dating back to 2004. However, that rate has dramatically increased, especially in the back half of 2022. While it’s not clear whether there are truly more incidents or just more reports of incidents, the data indicates about 180 instances of reported fraud during the 2021-2022 midterm cycle, around 15 more than 2019-2020—a presidential cycle. The 2017-2018 midterm saw about 83 reported incidents.
That total of 83, spread over two years, is about 20 fewer fraud reports than in the last six months of 2022 alone, when a number of committees—most specifically business groups—were targeted for theft, far more than any other six-month period.
While some of the techniques appear more sophisticated, a number of those incidents involve old school check fraud.
Over the last four months of the year, check fraudsters struck at least five corporate PACs—belonging to health-care firm Trinet, NextEra energy, McKesson pharmaceuticals, Corning manufacturing, and biomedical company Boston Scientific—as well as PACs affiliated with the National Association of Manufacturers (NAM-PAC) and the Consumer Technology Association, whose membership comprises some of the largest tech companies in the country.
While those groups use different banks, all but one of the committees used the same compliance firm—DDC Public Affairs—and their notices to the FEC about the fraud share almost identical language: “an unknown individual created, forged and cashed” a small number of “fictitious PAC checks.”
Of the corporate PACs, Trinet got hit the hardest, with five fraudulent checks totaling $44,700, now fully recovered from the bank. McKesson’s PAC lost $12,000 to a single forged check, and the committees for NextEra and Corning each got taken for $10,000 across two checks. (PAC representatives did not reply to requests for comment.)
The two DDC-contracted trade groups also claimed in their FEC notices that “an unknown individual or individuals” had “created” “forged images” of checks, cashing two NAM-PAC checks for a total $9,900, and six from CTA for $25,673.12. In both cases, fraudsters also initiated several fraudulent electronic transfers, for a combined take of more than $20,000. (A NAM spokesperson did not provide comment when contacted for this article.)
Also in November, the corporate PAC for Boston Scientific (which doesn’t use DDC Public Affairs) lost more than $65,000 in what the PAC later disclosed as 21 fraudulent check transactions, ultimately overdrafting the PAC’s account.
The PAC told the FEC in one letter that the transactions were “external fraud that occurred while the funds were in the possession of Bank of America. There was no internal misuse of BSC PAC funds.” Another update claimed that 13 of the checks were refunded—10 in full, three partially—for a total $35,626.23 recovered.
A Boston Scientific spokesperson told The Daily Beast that following the check fraud, the PAC has worked with its bank “to bolster security protocols, in addition to our robust data privacy measures.”
A spokesperson for BUILDPAC (the National Association of Home Builders, which also doesn’t use DDC Public Affairs) told The Daily Beast that the theft didn’t involve checks, saying its bank has returned the tens of thousands stolen in September.
“Unlike the others that dealt with fraudulent checks, our incidents involved electronic transfers. Thankfully, the bank acted swiftly to refund the amounts taken and we were able to move on with no further issues,” the spokesperson said.
Elected officials have also been pillaged, though at a slightly smaller scale.
For instance, the campaign committee for Rep. Neal Dunn (R-FL) reported a Nov. 3 loss of $10,855 due to what the treasurer called “an external check fraud situation” in a letter to the FEC last month.
In addition to Neal, the campaign for Rep. Russell Fry (R-SC) was taken for more than $2,600 just ahead of the midterm election, according to its post-general report. The fraudulent transactions included about $250 at The North Face, nearly $550 at Nordstrom, and more than $1,000 at a Safeway grocery store—all located across the country in Seattle.
A campaign statement to the FEC clarified the fraud was external and “not due to any internal staff or negligence on the behalf of the campaign.” A Fry spokesperson told The Daily Beast that someone had fraudulently used the campaign’s debit card for the purchases, noting the campaign has recovered the money.
A Gaetz spokesperson referred questions about the hundreds of dollars in disputed Apple charges last November to the language in the campaign’s latest FEC report. According to the filing, the committee disputed charges on the campaign card “that they believe to be fraudulent,” without further detail, adding that the campaign is awaiting word from the card company.
A former Gaetz aide told The Daily Beast it was widely known among staff that another former employee was fired in recent months after allegedly embezzling campaign and office funds.
While none of the above criminals have been publicly identified, Stefanik’s campaign has actually named its suspect: The U.S. government.
In December, Stefanik’s legal team at Wiley Rein sent a barbed letter to former President Donald Trump’s appointed Postmaster General Louis DeJoy, taking the U.S. Postal Service to task for failing to follow through on the alleged theft of nearly $20,000 in campaign contributions. But in this case, the contributions—taken between June and November out of envelopes sent by the Stefanik campaign—were allegedly stolen by USPS employees or contractors.
“Three of these incidents occurred in a single week. In each case, the evidence indicates that Elise for Congress’s packages were plundered by a USPS employee or contractor while the packages were in transit,” the letter read.
According to the letter, USPS had indicated it would be tough to identify a suspect “unless and until one or more of Elise for Congress’s supporters becomes the victim of identity theft or financial fraud.” The campaign also claimed that it was promised a report but “recently learned it has not been finalized or sent,” calling the agency’s inaction “unacceptable.”
A Stefanik spokesperson declined to comment for this article.
The USPS Inspector General says its office is investigating, according to the letter. When The Daily Beast reached out for comment this week, a USPS spokesperson promised a response, but said later on Tuesday that the appropriate contact was “away from their desk” and would reply soon. Agency spokespeople never replied to repeated follow-ups.
The Stefanik letter also noted that, “more alarmingly,” the theft “exposed hundreds of Congresswoman Stefanik’s campaign supporters to potential identity theft or financial fraud.”
That points to another vulnerability unique to political groups: the transparency written into federal law, which requires committees and the FEC to publicly disclose information about donors, vendors, treasurers, and banks.
“With the amount of data flowing in and out, it’s very easy to impersonate someone,” said Lee, of the Identity Theft Resource Center. “Criminals can fill in the gaps with data that is either readily available about people in online identity marketplaces or on social media, and use that to impersonate a vendor or contributor.”
Some groups have ramped up security in response to the crimes. NAM-PAC, for instance, set up a “positive pay” service with their bank.
That’s a smart step, according to campaign finance law expert Brett Kappel, who advises political committees at D.C. firm Harmon Curran.
“The PAC provides the bank with a list of the checks issued by the PAC and the bank will only honor those checks,” Kappel explained. “It’s a simple and effective system and the bank can charge a significant fee for this service. But that assumes that the PAC is working with a competent bank.”
Kappel pointed to a filing last month from Prudential Financial’s corporate PAC, pinning what the FEC had flagged as impermissible campaign donations on one of its bank’s positive pay systems.
“As the year unfolded, the Committee learned that it was experiencing widespread, on-going and intermittent issues with the Committee’s bank regarding the implementation of positive pay measures which has been instituted as a fraud prevention measure,” Prudential’s PAC wrote.
The PAC has since closed its old account with City National Bank. (In January, City National settled a $31 million federal lending discrimination lawsuit, which a Justice Department press release called the “largest redlining settlement agreement in department history.)
But both Lee and Kappel observed that some scammers now pose a different problem: submitting false invoices.
“Campaigns tend to be chaotic at times, so it could be very easy for someone to impersonate a vendor and submit an invoice demanding payment,” Lee said.
Kappel proposed that one solution would be to verify invoices ahead of time with known employees of the real vendors. “Easy to say, harder to do in the heat of a campaign,” he said.
That concern appears to have applied to Sen. Moran, whose campaign said in a December FEC filing that a “third-party cyber-criminal” had used fake invoices to steal a whopping $690,000.
According to the filing, “it was determined that two wires were sent for payment of fraudulent invoices” to a thief posing as a campaign vendor—one on Oct. 25 and one on Nov. 9, the day after Moran won re-election. The campaign said it had recovered $168,184, and that the FBI is investigating.
A Moran spokesperson did not reply to a request for comment.
That was also the experience earlier in the year for Secure Our Freedom Action Fund, a Republican super PAC run by a former political director for the National Rifle Association. In September, SOFAF notified the FEC that an email account belonging to one of the super PAC’s principals had been “compromised by hackers.”
“On June 21, 2022 the hackers impersonated the principal, and used his email account to send an invoice to Secure our Freedom Action Fund’s accounting personnel requesting a wire payment in the amount of $70,796.80. All processes and procedures were followed and the wire was sent,” the letter said, adding that the hackers repeated the feat three days later, scoring an additional $87,336.39.
The super PAC said it had so far recovered the $87,336.39 transfer, while the bank was reviewing the second disbursement “to determine whether it is recoverable.”
In late November and December, Retired Americans PAC—a Democratic super PAC aligned with the Alliance for Retired Americans—reported more than $150,000 in “fraudulent disbursements” attributed to Convera Corp (formerly Western Union). The filing doesn’t provide more information other than that the funds were recovered, and the super PAC did not reply to a request for comment. Kappel speculated that the dollar amounts involved would appear to fit the fake invoice scheme.
An FEC spokesperson did not comment on specific incidents of theft, but told The Daily Beast that the agency has established a “safe harbor” provision to accommodate fraud. The provision says the FEC “does not intend to seek civil penalties” against victimized committees, as long as the committee has “the specified safeguards in place.”
Beyond the federal requirements, Lee said, concerned committees should discuss security measures with their financial institutions, implement online authentication protocols, and train employees to spot social engineering or phishing attempts.
“A campaign needs to have cybersecurity. But you need to ensure your vendors have the same level of security that you do, because identity criminals will find the weakest link and infiltrate that organization, and that could open up a whole network,” he said.
“The toughest one for a campaign—but it’s important—is don’t collect more information than you need, and as soon as you don’t need it, get rid of it,” Lee said, a proposition that won’t likely sit well with campaigns that hold lucrative donor lists. “Ask yourself if you need anything more than the FEC says you do. If you don’t collect it, it can’t be used against you. That reduces the risk to you and your contributors.”
But campaigns aren’t just a target to financial criminals.
“Nation-states want to access this information too,” Lee said. “And while the risk there isn’t always financial, it’s still a risk.”