Massachusetts town loses $445,000 in email scam
A cyberattack on Arlington, Massachusetts, a town located about six miles northwest of Boston, recently lifted nearly half a million dollars from its coffers.
Town manager Jim Feeney admitted on June 5 that the town, home to a roughly 46,000 residents, had been the “victim of a cybercrime.”
“Through what is known as a business email compromise,” he wrote, “perpetrators used phishing, spoofing, social engineering, and compromised email accounts to ultimately facilitate wire fraud totaling $445,945.73.”
Feeney said hackers infiltrated the town’s email system by impersonating a vendor working on the Arlington High School Building Project, a five-year, partially state-funded rebuild of a local secondary school due to increased enrollment that began construction in 2020.
According to his statement, town employees in September received legitimate emails from the vendor to discuss issues processing payments. But, unbeknownst to the town, the cybercriminals had compromised some town employee user accounts and were monitoring email correspondence.
“They seized the opportunity to impersonate the vendor with an email domain that appeared genuine,” the statement read, “requesting a change in their payment method from check to electronic funds transfer.”
Once the new payment method was established, the town made four monthly payments — from last October to January — to what they believed was the vendor’s account. In February, the vendor reported it had not received the payments.
Feeney said once the town realized it had been scammed, it alerted law enforcement agencies and its banking institution, which began a “digital forensics investigation, retained a breach coach, and instituted immediate response measures to secure our network.”
The investigation discovered additional attempts to intercept wire payments over the course of the four-month fraud, totaling $5 million, though none of those was successful. The investigation found that no sensitive or resident data was breached during the incident.
The town’s banking institution was able to recoup $3,308, about 6% of the total money lost. The estimated total cost of high school construction project is roughly $240 million, according to the project’s website.
The Arlington High School Building Committee voted to authorize the missing payments to the vendor from the project’s funds, the loss of which Feeney said will not impact its design or timeline.
“We are making every effort to improve our cybersecurity posture. Cybersecurity is an ever-changing and evolving threat. As an organization we will continue to adapt our defenses to emerging threats,” his statement concluded.
According to a report published in April, the FBI’s Internet Crime Complaint Center received 21,489 business email compromise complaints in 2023, with adjusted losses totaling over $2.9 billion.