Officials in Portland, Oregon, said last week that the city recently lost $1.4 million to fraudulent activity when a malicious actor gained access to a government email account.
The city’s Office of Management and Finance said Friday that the “fraudulent financial transaction” occurred in late April, but was only detected May 17 when the same account attempted another transfer of funds. While officials have said little else about the incident, they said it appears to stem from an email scam.
“Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct this illegal activity,” a press release reads.
The city said the incident is under investigation by the FBI, U.S. Secret Service and the Portland Police Bureau. City officials also said that a cyber incident response team was “immediately activated” to address the phony payments.
While ransomware garners most of the headlines on cyberthreats against local government and similarly sized organizations, business email compromise (BEC) remains the most dominant form of digital threat against enterprises and individuals in the United States, accounting for nearly $2.4 billion in losses last year, according to the FBI’s most recent Internet Crime Report.
The bureau last year also warned that BEC schemes are on the rise against state and local governments, with the widespread adoption of remote work often acting as an accelerant for scammers.
“Rapid adoption of ad-hoc teleworking environments driven by the COVID-19 pandemic coupled with the ease of BEC operability against SLTT government entities and vendors has exacerbated cybersecurity challenges,” the March 2021 alert read.
Between 2018 and 2020, the bureau noted at the time, BEC payouts from local governments ranged from $10,000 to as much as $4 million. Last August, leaders in Peterborough, New Hampshire, said their local government paid $2.3 million to a bogus account, with little hope of ever getting the money back. As of last December, the town’s insurer had only covered $125,000 of that loss.