The Massachusetts town of Arlington reports it has lost $445,945 in funds intended for a contractor working on a high school building project that were instead diverted to hackers orchestrating a wire fraud scam.
Town Manager Jim Feeney alerted the public that the cyber criminals obtained the funds through what is known as a business email compromise (BEC) using phishing, spoofing, social engineering, and compromised email accounts to commit the wire fraud.
The fraud was uncovered in February after the legitimate vendor reported it had not received payments for months.
Feeney said the town has been working with local and federal law enforcement and cybersecurity consultants since it first became aware of the fraud.
The investigation found that threat actor activity occurred in the town’s Microsoft environment between September 12, 2023 and January 30, 2024. It was also discovered there were other attempts to intercept wire payments totaling approximately $5 million during this time period; however, these attempts were unsuccessful.
The town said investigators believe the BEC attack was perpetrated by an organization located overseas. Feeney said they did not infiltrate the network and no sensitive or resident data was compromised.
The criminals impersonated the vendor with an email domain that appeared genuine, requesting a change in its payment method from check to electronic funds transfer (EFT), a common method used by municipalities for on-going payments. The scam was aided by fabricating and subsequently deleting emails from employee accounts, as well as creating inbox rules to manage and hide incoming messages. Once the payment method was established, a series of four monthly payments were made.
In February, the legitimate vendor contacted the town to ask about payment. “It was immediately apparent that we had been defrauded, so we alerted law enforcement and our banking institution, began a digital forensics investigation, retained a breach coach, and instituted immediate response measures to secure our network,” Feeney said.
The town’s bank was able to recover $3,308. The town has filed a claim with its insurer in hopes of further offsetting the loss. Feeney said any monies recouped will go back into the high school building fund.
The town has begun implementing increased IT security measures. In a June 6 video update, Feeney apologized to residents for the incident but said it will have no effect on the school building project. He said the town will continue to take steps to harden its cybersecurity, while also noting that cyber attacks are an “evolving threat” facing all institutions and businesses for which there is no “once-and-done” fix.
He said he expects a response from the town’s insurance carrier soon.
Arlington is not the only municipality in the state victimized by a cyberattack. Since 2020, Tewksbury, Franklin, Quincy, Lowell, and Concord have all been victims of some form of cyberattack.
Topics Cyber Massachusetts
Was this article valuable?
Here are more articles you may enjoy.
As Rates Rise, Majority of Homeowners Say Insurance Industry Is in Crisis: Survey 
Zurich to Buy AIG’s Travel Insurance Business for $600 Million 
Supreme Court Overturns Chevron Rule in Blow to Regulators 
‘Extremely Dangerous’ Hurricane Beryl Takes Aim at Caribbean 
