Arlington drained of several hundred thousand dollars in e-mail spoofing scam

Arlington Town Manager Jim Feeney reported yesterday that the town had $445,945.73 drained from a high-school construction account by the same sort of spoofing attack the left a Dorchester union nearly $6.4 million poorer.

In e-mail to residents, Feeney detailed what happened:

In September of 2023 Town employees received legitimate emails from a known vendor working on the Arlington High School Building Project to discuss issues with payment processing. Unbeknownst to the Town, threat actors had already compromised certain employee user accounts and were monitoring emails. They seized the opportunity to impersonate the vendor with an email domain that appeared genuine, requesting a change in their payment method from check to electronic funds transfer (EFT), a common method used by municipalities for on-going payments. The scam was aided by fabricating and subsequently deleting emails from employee accounts, as well as creating inbox rules to manage and hide incoming messages. Once the payment method was established, a series of four monthly payments were made. The monthly payments were diverted until the vendor reported not receiving payments in February 2024. It was immediately apparent that we had been defrauded, so we alerted law enforcement and our banking institution, began a digital forensics investigation, retained a breach coach, and instituted immediate response measures to secure our network. The investigation found that threat actor activity occurred in the Town’s Microsoft environment between September 12, 2023 and January 30, 2024. It was also discovered there were other attempts to intercept wire payments totaling approximately $5 million during this time period. Fortunately, these attempts were unsuccessful. It was further determined the threat actors had not infiltrated the network.

Feeney continued the town's bank was able to recover $3,308 and that the town has filed a claim for the rest with its insurer. He added that no personal information about town employees or residents was taken and that the high-school construction project is continuing.

He wrote that once the town learned of the problem:

The Town's Information Technology Department (IT) performed a force disconnection from the network, required a password change for all users, and enabled multi-factor authentication for key personnel. Unrelated to this incident, but due to an increase in phishing attempts, the IT Department had already begun to reconfigure email security settings in November to improve our email security. The Town reviewed other existing wire payments and also contracted a third-party auditor to bolster internal controls with a stricter policy related to wire transfer payments such as EFT and ACH (Automatic Clearing House).

As additional efforts to reduce the risk of falling victim to future cyberattacks, the Town has instituted mandatory cybersecurity training for all staff through the state's Municipal Cybersecurity Awareness Grant Program and has applied for additional state grant funding to be able to roll out multi-factor authentication for all staff. The Town was already in the process of rolling out an endpoint detection and response platform as part of the upcoming fiscal year. This platform will help prevent and detect malware, ransomware, and other advanced threats, providing security of critical systems and sensitive data.

H/t mcain.