Cyberattacks cost town of Arlington, Mass. nearly $450,000

June 10, 2024

In September 2023, Arlington town employees received emails that appeared to come from a known vendor working on a construction project at the community’s high school. The emails discussed payments for the job.

However, those behind the screen were not who they claimed to be and had far more malicious intentions than simply getting paid for a school building project. They were fraudsters — or “threat actors,” as described by officials — who would go on to perpetrate a series of cyberattacks that would swindle the town out of nearly $450,000.

Through what is known as a business email compromise, the fraudsters, who law enforcement believe to be members of an organization that is well-resourced and based overseas, “used phishing, spoofing, social engineering, and compromised email accounts to ultimately facilitate wire fraud totaling $445,945.73,” Arlington Town Manager Jim Feeney wrote in a letter to the community Wednesday.

By the time the fraudsters emailed the town employees, they had already compromised certain employees’ user accounts and were monitoring emails.

The scammers then impersonated the vendor with an email domain that appeared on its face to be genuine and requested the employees change their payment method from check to electronic funds transfer, a common method used by municipalities for ongoing payments. The fraudsters kept up the facade by fabricating and subsequently deleting emails from employees’ accounts and creating inbox rules to manage and hide incoming messages.

Once the payment method was set up, a series of four monthly payments were made to the fraudsters until the actual vendor reported not receiving any payments in February 2024. It became immediately apparent the town had been scammed.

Officials subsequently alerted law enforcement and the town’s banking institution, began a digital forensics investigation, retained a breach coach and took immediate measures to secure the community’s network.

The investigation found the fraudsters had run their scheme in the municipality’s Microsoft platform from as early as Sept. 12, 2023 until Jan. 30, 2024. Officials also discovered the scammers had unsuccessfully tried to intercept wire payments amounting to roughly $5 million during the same time period.

Feeney noted in his letter the fraudsters never actually infiltrated the town’s network and no sensitive or resident data was compromised.

Since officials first became aware of the fraud, they have been working with local and federal law enforcement as well as specialized consultants. In the aftermath of the scam, the town has performed a force disconnection from the community’s network, required password changes for all users, enabled multi-factor authentication for key employees, instituted mandatory cybersecurity training for all staff through a state cybersecurity grant program for municipalities, and applied for additional state funding to be able to roll out multi-factor authentication for all staff, Feeney detailed.

Unrelated to the cyberattacks, but because of a spike in phishing attempts, the town’s Information Technology Department had already begun to reconfigure email security settings in November, Feeney added. Officials have reviewed other existing wire payments and hired an auditor to make the town’s policy regarding such payments more secure.

The town was also already in the process of rolling out a digital platform expected to help detect and prevent malware, ransomware and other cyberthreats, according to Feeney.

“I want to assure you that we are exhausting every avenue to recoup the funds that we were defrauded of, and we are making every effort to improve our cybersecurity posture,” Feeney wrote in his letter.

Of the nearly $450,000 lost to the scammers, the town’s banking institution was able to recover only $3,308. The municipality has since filed a claim with its insurer to hopefully offset the loss, Feeney noted.

In the meantime, the vendor tasked with the construction project on the high school still had not been paid for the work he had already done over the four-month period, so at its meeting Thursday, the Arlington High School Building Committee voted to authorize payment to the vendor from the project’s funds.

“Any monies we recoup from this fraud will go back into this fund,” Feeney said, noting the stolen money does not negatively impact the completion of the construction “in any way.”

©2024 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.