Officials in Peterborough, New Hampshire, said Monday the government of the 7,000-person town lost $2.3 million to an email fraud scheme and that recovering the money is doubtful.
In a press release, Town Administrator Nicole MacStay and Board Chair Tyler Ward wrote that the scam came in two waves. On July 26, town officials were notified by the nearby ConVal School District that it had missed a $1.2 million monthly payment. An investigation revealed that the Peterborough finance department had, in fact, already transferred the funds to an account falsely presented as the school district's.
The town’s cybersecurity vendor, Atom Group, determined that criminals using forged documents and email addresses had impersonated the school district and tricked local officials into sending the $1.2 million to their account. The incident is also being investigated by the U.S. Secret Service, which determined that the stolen funds were eventually converted to cryptocurrency.
As the investigation into the phony school payments was still playing out, officials learned on Aug. 18 of more wrongful payments, this time supposedly meant for a local construction firm working on a bridge-repair project. Officials said the same criminal actors, who are based outside the United States, used tactics similar to those in the school-payment fraud.
“These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers,” the press release reads.
Peterborough is also unlikely to recover the $2.3 million it lost. Officials said they do not believe the transactions can be reversed, and most insurance policies do not cover losses to business email compromise. That could be a significant financial blow to the town, which has an annual budget of $15.8 million.
“The town didn’t have enough of a double-check process,” a state official familiar with the incident told StateScoop. “When they got a change of [automated clearing house] address, they didn’t validate. That’s where everything goes to hell.”
Although ransomware gets the bulk of public attention, business email compromise still accounts for the vast majority of financial losses to cybercriminal activity, totaling nearly $1.9 billion in 2020, according to the FBI Internet Crime Complaint Center’s annual report.
New Hampshire held a cybersecurity training retreat for its local governments in April, but many towns lack dedicated cybersecurity personnel trained in preventing cybercrime.
“I can almost guarantee they have no dedicated info security person for a town of that size,” the state official said.
The New Hampshire state government has plans to continue training and awareness for local governments, but is waiting for federal grants before it can begin.