How does someone steal $700,000 from a senator’s campaign in the midst of an election?

Tom Williams/CQ Roll Call/TNS

Two weeks after Sen. Jerry Moran won his third term representing Kansas in the U.S. Senate, his campaign treasurer Timothy Gottschalk called the Republic County Sheriff’s Office and asked an officer to come to his office.

In the final six weeks leading up to the election, Moran’s campaign spent more than $2 million to have his face featured on television screens across the state. To get its ads on TV, the campaign used a Virginia-based company called SRCP Media. The media buyer reserved time slots for the ads in Kansas media markets and invoiced the campaign. The campaign then sent the money to SRCP Media, sometimes as much as $788,959 at a time.

So much money was moving from the campaign that it didn’t notice on Oct. 25, when an invoice for $345,000 for payment to SRCP Media came from an email address the company hadn’t been using. The campaign didn’t notice when it happened a second time, either, for the same amount, a day after the election.

It wasn’t until Moran’s team got a notification from Astra Bank, a small bank with seven branches in Kansas and one in Nebraska, that the campaign looked into its invoices. Someone had created an invoice that looked like one from SRCP Media, but had changed the account and routing numbers. The email it came from did not match the email used by SRCP Media.

More than two months later, it remains unclear who stole the money from the campaign. The Republic County Sheriff’s office handed it off to the Kansas Bureau of Investigation, which handed it off to the FBI, according to a police report obtained through the Kansas Open Records Act.

While the FBI’s Kansas City office would not say whether it was investigating the case, both the Moran campaign and SRCP Media say they are cooperating with investigators.

Both SRCP Media and the Moran campaign declined to comment on the record.

Even without a culprit, the theft exposes a constellation of vulnerabilities in modern day political campaigns, where millions often move through small, shoe-string operations with little to no security measures in place to protect themselves against online fraud.

“It’s not surprising that, given the the propensity of major donors to give in large amounts to incumbents, that a long-term member of Congress could lose hundreds of thousands of dollars in criminal activity and not have that be a significant event,” said Adav Noti, the senior vice president of the Campaign Legal Center, a nonpartisan government watchdog that focuses on campaign finance and elections.

A spokesman for the Federal Elections Commission would not say whether other campaigns have reported similar thefts from their campaign accounts this year.

The Star contacted the office of every senator who ran a campaign in a “safe” state in 2022, meaning they were heavily favored to win reelection. Because candidates running in “safe” states were expected to win their campaigns, they may be less focused on their campaign funds than candidates in tight races where every dollar counts. Few responded. Those that did indicated that they did not see any attempts to steal from their campaign.

While it may be the only reported theft so far this cycle, this is not the first time someone has stolen from a campaign.

“Usually it’s an inside job,” Noti said, explaining that most past cases have been traced back to campaign staff.

The FEC provided six examples of people who have reached conciliation agreements with the commission since 2010 after using campaign funds for their personal expenses. In all of the cases, the money was taken by someone close to the campaign. In all but one, the person who took the money was found guilty by the criminal justice system.

It appears Moran’s campaign does not believe it was an inside job. In Gottschalk’s letter to the FEC, he said the campaign was targeted by a “third-party cyber-criminal.”

Gottschalk did not return a phone call requesting comment.

The campaign’s description of the theft matches a scam that has been commonly used on realtors and mortgage brokers called a a business email compromise, or BEC, according to Thomas Holt, a criminal justice professor at Michigan State University who specializes in cybercrimes.

In this type of scam, someone is able to get access to the email account of a business that is moving large amounts of money in a short period of time (which is why realtors and mortgage brokers are often targeted).

“Anybody can be a target,” Holt said. “It’s usually any kind of entity that makes large payments that would make it worth the effort of the actor.“

A thief may get access to the account through something like a phishing attack, where they get someone to click on a link and gain access to their email address and passwords.

Instead of doing anything right away, the thief will monitor the email account. They’ll learn how the person makes transactions. They’ll figure out what kind of language the business is using, how much money is normally spent and when the charges usually go through. Then they change a minor detail, like a bank account and routing number, and hope that the person approving the payments doesn’t notice.

In Moran’s case, the campaign didn’t notice until the second transaction had already been approved. Wells Fargo was only able to return about $168,184 of the $345,000 the person was trying to steal, according to Gottschalk’s letter to the FEC.

Moran’s campaign said earlier this month it is “pursuing all avenues available to recover the money,” but getting it back may be difficult.

While investigators have an email address, bank account and routing number, thieves typically hide their identity before filing the false invoice. Then they use proxy bank accounts to quickly funnel the money into their hands, in accounts out of reach of the U.S. government.

“Even if you can get a pretty good handle on who the actor is, there are always issues with extradition or with prosecution,” Holt said.

The campaign could still face penalties with the FEC, for filing inaccurate reports if it didn’t fulfill a list of internal controls campaigns must have in order to escape penalties if someone steals money from their account. Cybersecurity measures are not included in the list of internal controls required by campaigns.

Campaigns are particularly vulnerable because of the way they’re structured. They scale up quickly, have relatively few paid employees, have high turnover between elections and often spend money as quickly as they get it. Over the course of the campaign, Moran had five paid staffers, most of whom received money for fundraising reasons.

“Candidate campaigns are cyclical unlike, say, party committees that exist in perpetuity,” Noti said. “Candidate campaigns have cyclical workers and go through long periods where nobody’s paying any attention. And then when they are paying attention, it’s mostly to raise money and spend it on advertising. So things like internal financial controls are rarely well built up a candidate campaigns.”

After the 2016 presidential election, when email accounts associated with the Democratic National Committee were hacked and released to the public, there were some discussions about boosting security for campaign accounts.

But Noti said many politicians are reluctant to add cybersecurity requirements into law to protect campaigns, particularly those who don’t have millions and need the money they raise to buy advertisements and other election expenses.

Holt said there are relatively simple ways of making emails more secure, like changing passwords often or two-factor authentication.

In 2020, Google announced that it would partner with a nonprofit called Defending Digital Campaigns in order to give campaigns a free two-factor authentication program to help prevent them from being hacked. Google ended up giving the program to 140 federal campaigns, according to a press release on Defending Digital Campaigns’ page.

But this type of gift can run afoul of campaign finance laws that say companies cannot give gifts to politicians.

“Corporations generally can’t give free stuff to members of Congress,” Noti said. “But there have been efforts to to create more wiggle room in those rules to allow for cybersecurity in particular.”

A political campaign is a high-profile and potentially risky target for the type of crime Holt described, given the fact that the victim has the ability to shape laws.

Holt said academics have pushed Congress to strengthen its laws surrounding economic cybercrimes, particularly when it comes to working with other countries. He said if Congress strengthened its jurisdictional agreements with other countries, particularly those that are allies, it could help them track down people who perpetrate this type of crime.

“It’s a very interesting one,” Holt said. “I imagine if there were others coming down the pike, absolutely, then there would be legislative action. But if this is a one off, maybe nothing will happen.”

The Star’s Jonathan Shorman contributed reporting to this article.