A “phishing” email
fraud that tricked an employee into making an incorrect bank
transfer cost the Botanica condominium in Key Biscayne
$105,000, according to a police report. The president of the
condominium fired a top manager Friday and called a meeting
to discuss whether the building’s 293 unit owners will have
to cover the loss.
The fund transfer was part of a regular monthly payment that
is made from the Botanica condominium to the complex’s
master association for its share of the luxury complex’s
upkeep. According to the police report, an October invoice
from the Key Colony HOA to Botanica came from a different,
but very similar-looking email address.
“It’s still an active investigation,” said Key Biscayne
Police Chief Frank Sousa. Phishing frauds aim to trick
victims into revealing information or making transfers by
impersonating legitimate businesses and individuals. They
can appear in email, text messages, and even chats.
Botanica President Matt Bramson said he was alerted when the
Homeowners’ Association notified him it had not received
payment in its regular account in late December.
According to Bramson, the phishing email looked almost
identical to email correspondence Botanica regularly gets
from Key Colony. But on closer inspection, the “fake” email
had an “r” in the address that is different from the proper
address. The phony email claimed the next payment needed to
be made to a different account, because the old one was
being audited.
“It was very clever,” said Bramson, referring to the way the
fake email was formatted to look like it was coming from the
HOA. “Botanica was the victim of a crime.”
Still, he said, the board of directors agreed that building
manager Antonio Rodriguez be terminated for several
performance and skill set issues. Bramson was careful to
note that phishing frauds can and do happen widely, and he
was not assigning blame, but he said the incident was “the
straw that broke the camel’s back” in light of other
problems.
In a letter to owners Friday, he thanked Rodriguez for his
service and said a new manager would be in place Monday.
Rodriguez declined to comment.
The building’s 293 unit owners may be asked to cover a
portion of the loss with a special assessment, and a meeting
to discuss payment was scheduled for Feb. 2. Bramson said
the Association has cyber crime insurance but the amount of
the coverage may be limited.
The HOA employee whose email was faked, Victor Unda,
resigned from Key Colony’s management company at the
beginning of the year, just days after the funds were
noticed missing. He was adamant that the error lay solely
with Botanica and said his leaving the HOA position was
purely coincidence.
“That is insulting,” Unda said. “Before I left, I told them
I could help.” He said the fake email exchange should have
been spotted by the Botanica staff and noted the style of
writing was clearly very different from his. “I use
professional language,” he said. “Whoever did it had access”
to management systems, he said. As a Botanica resident, Unda
would be impacted by any special assessment as well.
It’s not the first successful phishing attempt at the
seaside complex of more than 1,100 units. In 2019, the HOA’s
systems were compromised and residents started receiving
emails that appeared to come from association email
accounts. The HOA sent warning notices to residents not to
click emails.
Key Biscayne’s government offices have also been hit in the
past by hackers. Also in 2019, systems were down for days
until the Village contracted with a cybersecurity firm. The
village neither confirmed nor denied that it paid ransom
after its files had been locked. Phishing hacks can lead to
follow-up ransomware attacks.
Key Colony President David McDanal declined to answer
questions on whether the missing funds would put any strain
on the master Association’s finances. He did say the HOA has
cybersecurity systems in place after the 2019 incident but
would not go into details.