TEWKSBURY — According to a news release issued on Wednesday, Feb. 23, 2022, the Town of Tewksbury revealed that it had been compromised by an email phishing attack which resulted in the unintended transfer of $102,000 to an account controlled by the attackers.
Town Manager Richard Montuori reported that “the town is working with its insurance carrier and bank to recoup most of the funds.”
As reported in the release, a town employee received an email from a familiar vendor requesting payment via wire transfer, also known as ACH (automated clearing house) or EFT (electronic funds transfer). Payment to large vendors via wire transfer is not uncommon for a municipality.
Payment was made to an account which apparently had been spoofed to appear to be a legitimate Wells Fargo account. Spoofing involves the use of legitimate information by illegitimate actors to appear credible in an email. While many people are familiar with receiving fraudulent emails in their own inboxes that pretend to come from real vendors, this was a calculated attack.
“This was not just a random phishing email asking for money from a prince,” said Select Board member James Mackey, “this was a highly targeted spear phishing email.”
According to the Office of the Director of National Intelligence, “Spear phishing” is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents. Mackey is a cyber security expert and is also part of the cyber security unit of the Massachusetts National Guard.
The town learned it was the victim of an attack when the real Wells Fargo contacted the town to report a late payment. The town immediately initiated an investigation, notified the vendor of the scam, contacted the Tewksbury Police Department, and notified the FBI of the fraud, according to the release.
The email and wire request were fraudulent and part of a pervasive multinational spree of email phishing attempts that have been on the rise in recent years.
Mackey said the town hopes to be repaid $92,500 via insurance, as the town maintains a $100,000 coverage rider with a $7,500 deductible for cyber security issues such as this. Tewksbury is not the only victim of this type of attack. The City of Quincy was the victim of an attack in February of 2021 targeting its employee retirement fund, resulting in the theft of more than $3.5 million.
Montuori ordered a freeze on any new wire transfers and is reviewing all vendors. Internal department protocols are also being reviewed, and the town, through a state-sponsored grant, is engaged in staff training designed to help employees identify phishing attempts.
The town's auditors will review the incident and use their expertise in cyber controls to examine the attack and the town's transfer procedures for further potential enhancements to internal controls.
According to Mackey, the attack was specifically targeted at an individual and used real information from a legitimate contract.
Mackey said, “All it takes is a determined threat actor with the time and desire to aggregate publicly available data.”
“This is a very unfortunate incident, but we are certainly mindful that it could have been much worse,” Montuori said. “We have learned from this experience and are confident that our policy and procedure changes will leave us better prepared in the future.”
According to Montuori, at no time was resident data compromised.