Cyber criminals stole $2.3 million in town funds from Peterborough. (Matt Cardy | Getty Images)
To catch a glimpse of an impersonator is a strange experience – particularly if the person being impersonated is you.
When it happened to Ken Merrifield, who was serving as mayor of Franklin at the time, he said it was terrifying. The city’s finance director had called after receiving a strange email, which looked like it came from Merrifield, asking for banking information that he would never have requested.
“I was amazed looking at the email that for all intents and purposes looked like it came from my private email account,” he said.
But it was from cyber criminals using Merrifield as a disguise to try to get account information about the city’s finances. Merrifield and the finance director identified the scam before any sensitive banking information fell into the wrong hands. But criminals have been honing their craft in the five or so years since that incident – and they’re getting really good at it.
Peterborough made national news this week when it was revealed that cyber criminals had struck twice, once in July and once this month, and made off with a total of $2.3 million in town funds.
The town fell victim to what’s called business email compromise, in which criminals use a fake email account to pose as a known vendor or contact and make a seemingly legitimate request, much like what happened to Merrifield. According to the FBI, this is among “the most financially damaging online crimes,” where criminals take advantage of how much business is conducted over email.
For Merrifield’s finance director, it was obvious that Merrifield wouldn’t have requested account information. But in Peterborough, the town employees on the receiving end of the scam didn’t realize that requests to change account information were fraudulent. Security experts say that while impersonators used to be relatively easy to identify – emails would have grammatical errors or broken English – they are now extremely sophisticated; an email address might just differ by one letter or an extra period. By the time the town realized the money had gone to the wrong place (the first incident happened on July 26 and the second on Aug. 18, according to a press release the town put out on Monday), the criminals had already converted it to cryptocurrency. At this point, town officials are not hopeful they’ll be able to get the money back, and they don’t yet know if the loss will be covered by insurance.
Business email compromise is a common tactic, according to Jason Sgro, a senior partner at The Atom Group, a cybersecurity consulting group based in Portsmouth that works with the public and private sector. The town of Peterborough is now among Sgro’s clients.
“Compromises like this are not atypical,” Sgro said. “What’s atypical about this is the size of the transfer. We don’t typically see quite this much money from an entity that size.”
The town of Peterborough is home to just under 6,500 people, according to the 2020 census, and a $2.3 million hit is a significant loss for a town of any size. Business email compromise, the scheme used to defraud Peterborough, is among the top two threats that Sgro sees in his work. Ransomware, which relies on an unsuspecting person clicking on a link and downloading a virus that can lock up files on a computer, is the other. Hackers then demand a ransom to unencrypt the data. This kind of attack is now coming with the threat of publishing the information if the victim refuses to pay – especially problematic for towns or government agencies that collect sensitive and private information.
But Sgro said the organizations behind these attacks are not particularly concerned about who they are stealing from. They’re looking for easy money, and unfortunately it seems they’ve been successful at finding it in New Hampshire.
A prime target
Sgro said the type of attacks happening in New Hampshire are coordinated and sophisticated, suggesting that the perpetrators are criminal organizations located overseas. These organizations often operate in countries where local governments are somewhat tolerant of their activities – so long as their attacks aren’t happening locally. Sgro sees attacks coming from Africa, Russia, China, and Eastern Europe.
There are a few factors that make New Hampshire towns easy targets for this kind of crime. Public entities in the state don’t have dedicated money or staff to work on these issues. That can make it easier for a criminal organization to successfully attack a town rather than a large company that has a big budget for cybersecurity and expert employees.
“When they look at New Hampshire, they’re looking at a bunch of towns and cities who have minimal IT staff that have lower levels of technical sophistication, and a lot of truly well-meaning and trusting people that transfer and handle a lot of money,” Sgro said.
“And so, it is a prime target for an entity like a cyber organization or cyber threat organization to come after the easy money,” he said.
Some public officials are working to close these gaps, and Merrifield is one of them. Merrifield is now the head of New Hampshire’s Department of Labor, currently operating with an IBM mainframe – a kind of large computer system – that’s 40 years old.
He knows it could be a security problem and is now working to update it. In this year’s biennial budget, the agency got $600,000 to modernize the system, or about 6 percent of the department’s $10 million budget. Last biennium, the department got $1 million to update a 20-year-old document-management system. They are now launching the new system, which will house all of the department’s documentation moving forward.
“If you don’t have the latest and greatest technology, from a security standpoint, all of it’s at risk,” Merrifield said.
He emailed his entire staff after the Peterborough incident, reminding them to be cautious. “Let’s be very cautious over the information that we’re custodians of,” he told them.
Denis Goulet, commissioner of the New Hampshire Department of Information Technology, said the state has been requiring state employees to take cyber awareness training for the past four or five years.
But while training employees how to avoid these scams is one part of securing systems in the state, it’s not enough.
“You’re not going to train the risk away,” Sgro said.
And for now, town employees don’t have access to the trainings required for state employees. Goulet would like to work with towns more, and money from the federal infrastructure bill that’s currently being debated by Congress would help that happen.
The federal infrastructure bill would direct $10 million for cybersecurity in New Hampshire over a four-year period. Goulet said the amount isn’t huge, considering the challenge, but it’s a lot more than what towns and cities currently have to work with. For instance, right now Goulet’s department is applying for a $400,000 grant through the U.S. Department of Homeland Security. The money would be used to work with local communities.
Sgro said cybersecurity is a big problem that will require a more coordinated response. “We need to do something at a much larger programmatic level than the local level,” he said. He believes infrastructure is one part of that.
The state also uses technological tools to filter out nefarious emails. Goulet said anywhere from 94 to 96 percent of emails state employees receive never land in their inboxes and are instead filtered out as garbage.
And while Goulet said the transparent nature of government has made agencies more vulnerable, he doesn’t believe that less transparency is the answer.
“I just think that it’s a call to action for us to pay attention and be more careful as public officials,” he said.
Because some cyberattacks could potentially shut down major parts of government entities, Goulet also worries about the continuity of governance.
The town of Salem was targeted last October, right before the election. The attack used ransomware that locked up some of the town’s files after an employee clicked on a bad link, granting criminals access to the town’s system.
“They essentially encrypted our systems so that we did not have access to them any longer,” said Chris Dillon, Salem’s town manager.
Most of the town’s systems were down for a week, and it was a month before everything was fully restored to normal. The town avoided having to pay the ransom.
Dillon hopes it won’t happen again, but he’s not too optimistic given how prevalent cybercrime has become and how easy it can be to inadvertently hand over sensitive information.
“It just takes one person clicking on one link,” he said.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.