Email Impersonation Scheme Costs Massachusetts Town Big Money


It’s easy to miss news of the cybersecurity threats and attacks happening almost everywhere. At PK Tech, our goal is to educate and offer proactive steps for cybersecurity safety. It’s important to be aware – without being afraid – of the cybersecurity threats that pose a real risk to your business. PK Tech aims to be a leading educator and support tool in the world of cybersecurity.

This month, we’re highlighting a cyberattack on the town of Arlington, Massachusetts (reference), which experienced more than $445,000 in losses. What happened, what was the fallout, and why should you care? We’re covering it all here. Let’s dive in.

What the “Hack” Happened?

The town of Arlington, Massachusetts, experienced a recent cyberattack that had financial implications for 46,000 residents. Cyber actors infiltrated the town’s email system by impersonating a vendor working on the Arlington High School Building Project. The five-year project is working to expand a local secondary school due to increased enrollment. 

Cybercriminals sent a string of seemingly legitimate emails to town employees beginning in September that discussed issues with processing vendor payments. The cybercriminals had compromised town employee user accounts and were monitoring email correspondence as part of their scheme. Emails included requests to change payment methods from check to electronic funds – a red flag in their own right.

Still, town employees made the requested changes and proceeded to make four monthly payments between October and February to what was believed to be a legitimate third-party vendor. However, in February, the legitimate vendor reported having not received funds. 

The Fallout

Once the town realized it had been scammed, the town manager alerted law enforcement agencies and the town’s banking institution. Investigations began in an attempt to intercept the wire payments made over the four-month period. The total accumulated over the four months amounted to $5 million.

After investigations and remediation, it was determined that through phishing, spoofing, social engineering, and compromised email accounts, the cybercriminals managed to steal $445,945.73 by wire fraud. 

Lessons Learned #ITCouldHaveBeenWorse

Impersonation schemes are on the rise – from illegitimate emails to phone and text spoofing. Cybercriminals are using AI to expand their toolkit for financial gain. 

Unfortunately for the town of Arlington, cybercriminals were all too successful in this instance. The stats tell us that Arlington is not alone. The FBI’s Internet Crime Complaint Center published a report in April. They received 21,489 business email compromise complaints in 2023 that amounted to $2.9 billion in monetary losses. That’s a BIG number.

Lucky for Arlington, no sensitive or resident data was compromised as part of the breach.

Still, the attack marks an essential point for businesses to note. Impersonation attacks are on the rise and are here to stay. With continued advancements in AI, verification and authentication are becoming necessities for organizations prioritizing cybersecurity. 

Is your organization looking to invest in your cybersecurity plan for 2025 and beyond? PK Tech would love to connect with your business. We provide managed IT services for small to medium-sized businesses in the Greater Phoenix Area. Book a complimentary call with a member of our team here