The Town of Peterborough handed over $2.3 million to internet scammers, who collected three large scheduled payment transfers and converted them to cryptocurrency. Town officials said the stolen funds can’t be recovered and it remains unclear whether the losses will be covered by the town’s insurance carrier.
Since the news became public, an IT expert has criticized town employees for falling for the scam, which could have been prevented with a phone call before transferring the funds. Authorities are continuing to investigate the crime while most of the town’s finance staff remains on paid leave.
Peterborough officials first got wind that something was wrong on July 26, when ConVal told the town their regular $1.2 million monthly payment hadn’t arrived. “Upon investigation we quickly realized that the town had been victim of an email-based fraud,” town officials said in a press release issued Monday, and it was too late to stop the transfer. They immediately launched an investigation by alerting the U.S. Secret Service, cyber security consulting firm ATOM group, and NH Primex, the town’s insurer.
“Basically, they forged the emails and made it look like they were the employees of ConVal,” Town Administrator Nicole MacStay said Monday afternoon, describing the perpetrator’s work as “an incredibly good forgery job.” The thieves gave town staff new transfer and account information for the upcoming deposit, so although the town’s accounts remained secure, their payments went to a fraudulent account, MacStay said.
About a month later, on Aug. 18, the initial investigation was still ongoing when town finance department staff discovered that two more large transfers, both intended for Main Street Bridge project contractors Beck and Bellucci, had been diverted in a similar manner, according to the press release. Peterborough was ultimately defrauded on three payments: one intended for ConVal on July 23, and two intended for Beck and Bellucci, one on July 9 and the other on Aug. 13, MacStay said. The finance department has since canceled all Automated Clearing House (ACH) transfers and the town is reviewing all electronic transaction policies and procedures, according to the press release.
Although it’s unclear at this point whether all the fraudulent emails were executed by the same perpetrator, the Secret Service has determined that all the fraudulent emails originated overseas, MacStay said. Although she wasn’t aware of any other towns that had been affected, Secret Service members said a town elsewhere in the country had $600,000 stolen from them in a “very similar manner” on Aug. 19, MacStay said.
The ConVal School District is also looking into the matter to determine how the theft occurred and whether there was a way to recoup the losses, according to a press release sent Monday evening. “District IT staff reviewed email and server access logs, as well as anti-virus logs and found no signs of malicious activity,” Superintendent Kimberly Rizzo Saunders said.
The Ledger-Transcript requested copies of the fraudulent emails that were sent, but the town is declining to share them at this point as they are part of an active investigation.
Although Peterborough officials don’t believe town staff were criminally involved in the transfers, the finance department staff members who were directly targeted are on paid leave until the Secret Service’s investigation is over, according to the town’s press release. MacStay declined to name the employees on leave, but said there are currently five active employees in the finance department.
Although the Town Treasurer is the elected office that oversees the finance department and its operations, “the day-to-day operations of the Finance Department are given to the finance department staff,” MacStay said, in an arrangement laid out in town policy. MacStay confirmed that Leo Smith still serves as Director of Finance, and his successor, Lilli Gilligan, started work on July 30. “There was a built-in crossover period,” MacStay said, prior to Smith’s planned retirement. When asked whether the transition of the role factored into the scam, MacStay said she didn’t know, and even if she had a definitive answer, it would remain confidential while the investigation continued.
MacStay declined to answer specifics on the Finance Department’s protocol regarding ACH transactions, including who oversaw them, because it could potentially compromise the ongoing investigation or be used by criminals to target towns in the future, she said.
“What I can say is that we do have redundancy in our finance department,” she said. Vendors are being paid in paper checks for now, she said, and direct deposits and electronic fund transfers are ongoing, as they remain uncompromised. Town business can proceed and employees can continue to get paid, she said. “We do have controls set up, there’s also redundancy in those controls to make sure we can function in a safe way,” she said.
“We are public entities, and we do business very transparently,” MacStay said. “That is, unfortunately, the real downside of open government,” she said.
Coaching clients on how to avoid phishing scams is part of Sequoya Technologies Group co-owner Tom Strickland’s work. His Peterborough-based company provides managed IT services for 60 small businesses throughout northern New England, and he used to service several small towns.
“Unfortunately, the ACH banking technology is a bit behind the times,” Strickland said, and has missed out on security advances that are commonplace in other applications. “There’s not really a verification that the entity you’re sending money to is the entity you think it is,” he said, unlike, say, the exchanges that take place while logging onto secure websites. That means an extra level of vigilance is required for those transactions, he said.
“I wouldn’t accept – ever, ever, accept, ACH instructions by email, ever. That’s like a huge red flag,” Strickland said. It’s much safer to require that information be sent by postal mail, which is much harder to forge, he said, and any change in ACH instructions should be verified, he said. “You don’t just accept that on faith, you call and verify to make sure that information is correct,” he said.
Although there were technical elements, the existing public information suggests that Peterborough’s security breach had a human element, Strickland said. That’s true for the majority of cybersecurity compromises, whether it’s clicking on a phishing email or using a weak password, he said. “This is just an old-fashioned con using computers,” he said.
Strickland does believe there are certain factors that make a “social engineering attack” easier to execute on public entities rather than private businesses: For example, it was public knowledge that Peterborough was sending money to ConVal and Beck and Bellucci, whereas in a private business, a scammer would first need to hack a private email account or confidential records to figure out where money is going, he said.
However, Strickland also believes that taxpayers deserve more transparency about a town’s cybersecurity efforts, and there are ways to share a government entity’s protocol without compromising it, he said. “I think we deserve more information than we’re getting,” he said. Whereas a town obviously shouldn’t share their passwords, or the brand and model of antivirus or firewall software, they can safely report elements of their protocol, like whether they have an advanced security firewall, a modern antivirus program that’s updated and checked daily, an off-site backup, or whether they provide end-user security training, Strickland said. “I don’t think that’s giving away anything,” he said.
Strickland observed some inadequate security profiles when he used to work with small towns, which led him to advocate for a statewide municipal cybersecurity standard, and a more transparent security audit process, he said. His ideas received pushback. “Technology has made things easier, but now we have to secure that,” he said, a process that can be pricier than a town is willing to pay. “A lot of the value of technology is, frankly, difficult for select boards to really grasp,” he said. “If they can’t see the value of it, they’re like, well, we don’t want to pay for that,” he said. That’s their choice, he said, “But I think that the taxpayers in the town have a lot at risk here,” he said.
Peterborough is still waiting to find out whether their losses are covered by their insurer, Primex, in whole or in part, MacStay said, although she said she hopes to hear from them “very soon.” A representative from Primex did not immediately respond to requests for comment on theft coverage for municipalities.
The town has also asked their legislators and the Governor’s office for help, according to the press release.
“This is a devastating attack, and my office stands ready to support Peterborough as it works to find the perpetrators of this attack,” Sen. Maggie Hassan said on Monday. “We also know that what happened in Peterborough will happen again, and we must do everything we can to give our communities the tools that they need to defend against cybercriminals in order to protect their online systems – and in turn, taxpayer dollars.” Hassan had held a roundtable on cybersecurity in New Hampshire earlier on Monday, in which she promoted the importance of passing the federal infrastructure bill, which includes a Hassan-authored provision to fund cybersecurity improvements for state and local governments.
The U.S. Secret Service declined to comment, citing an ongoing investigation. Peterborough Treasurer Mandy Sliver did not respond to a request for comment on this story.