Saw a few news articles that Peterborough (pop. 5,100 about 45 min drive from us) was recently scammed out of $2.3M. Investigations are still ongoing but we’ve got an outline:
-Some unknown people learned that the Town was scheduled to make substantial payments to the school district and a bridge contractor.
-These unknown people forged documents advising that the school district had changed banks, and separately that the bridge contractor had changed banks. These documents were sent by spoofed e-mail (messages forged to look like they came from legitimate sources).
-People in the town office received these emails and dutifully changed the payment instructions for the accounts. Some sources imply that there was back-and-forth e-mail communication between Town employees and the scammers. The scheduled payments were made to the “updated” accounts.
-Within hours of receipt, the undeserving recipients of the funds had already moved the money out of those accounts and into overseas crypto markets (untraceable, nearly impossible to recover).
-By the time the school district and vendors started asking about late payments and investigated, the money was LONG GONE.
I hesitate to call this a “sophisticated attack.” This was a textbook phishing/wire fraud scam. The novel part here was that the scammers did some homework to learn that payments were being made.
There are some technical measures we can put in place (and our clients do) to prevent these: e-mail protection systems that block new and known-scam senders, and systems that identify and block many spoofed e-mails and messages with suspicious contents.
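As an added example (not code from the original post, and not any vendor's product), here is a small Python triage rule that applies two of the checks such systems make, the receiving server's SPF/DMARC results and a Reply-To domain that differs from the visible From, alongside a check for payment-change wording. The sample messages, domains and headers are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the incident above): a bank-change notice whose
# visible From is the district but whose Reply-To points elsewhere and whose
# SPF/DMARC checks, as recorded by the receiving server, failed; and a clean one.
SPOOFED = """\
From: District Treasurer <treasurer@example-schooldistrict.org>
Reply-To: treasurer@example-schooldistrict-billing.com
To: finance@example-town.gov
Subject: Updated remittance information
Authentication-Results: mx.example-town.gov; spf=fail; dmarc=fail

We have changed banks. Please use the new routing number and account
number below for the upcoming wire transfer.
"""
CLEAN = """\
From: District Treasurer <treasurer@example-schooldistrict.org>
To: finance@example-town.gov
Subject: Meeting minutes
Authentication-Results: mx.example-town.gov; spf=pass; dkim=pass; dmarc=pass

Attached are the minutes from last week's meeting.
"""
# Phrases that typically accompany a request to redirect a payment.
PAYMENT_CHANGE = re.compile(r"changed banks?|new (?:bank|routing|account)|updated (?:wire|remittance|payment)|wire transfer", re.IGNORECASE)

def domain_of(header_value: str) -> str:
    """Lowercase domain of an address header such as 'Name <user@host>'."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw: str) -> tuple[str, list[str]]:
    """Return ('deliver' | 'hold' | 'block', reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        reasons.append("sender authentication failed")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(msg.get("From")):
        reasons.append("Reply-To domain differs from From domain")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-change language")
    if "sender authentication failed" in reasons:
        return "block", reasons
    if "payment-change language" in reasons:
        return "hold", reasons  # release only after phone confirmation with a known contact
    return "deliver", reasons
```

A message held for payment-change language is the one the finance staff should confirm by phone at a trusted number before releasing, which is the business-practice half of the defense.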
At its core this is a business matter. Important information like invoices and payment instructions must be vetted no matter how they’re received. Business and finance group leaders and staff are the keys. People need to ask questions:
“Did the school committee say anything about changing banks?”
“We started this contract and already sent payments, but they’re asking us to change again?”
“Didn’t Greg tell us to never follow wire instructions without confirming by phone?”
“Hey, Josh – can you vet this message and let me know if it seems legit to you?”
“Shouldn’t we call the district treasurer and confirm the change in wire instructions?”
And finally, “What DOES our cyber policy cover?”
Please, people, don’t trust e-mailed wire instructions without calling a trusted contact at a trusted phone number. Ask the questions. Follow your procedures for confirming communications. Ask your colleagues, IT partners, law enforcement & security pros for advice.
We need good tech but we also need good business practices in place.
This is a BIG problem, and we technical folks need to do a better job of sharing what we’ve learned with other leaders. We’re gearing up to offer no-cost in-person or virtual cybersecurity and business practice training to businesses, municipalities, staff, departments, anyone who says, “I’m not a tech person and I’m scared of this.” This is where we start to shift from primarily technical matters to helping with business practices and overall safety.
Be careful, folks.
[UPDATED 8/24 based on sources reporting back-and-forth e-mails between town officials and the scammers to authenticate the payment changes]