The news that criminals used fake e-mails to fool the town of Peterborough into sending them million-dollar payments comes as no real surprise to the state’s cybersecurity chief.
“We’ve heard about this multiple times over the past four years,” said Denis Goulet, commissioner of the state Department of Information Technology. “Ransomware is getting all the news, but there is still the risk of business email compromise – BEC – which is really focusing around this type of activity.”
Scammers don’t hack into computers, they use a ruse that gains them access to financial systems and ultimately cash.
“This comes from two directions. You can get a large hit like (Peterborough), although having it more than once is unusual. The other type is a bunch of small hits,” such as redirecting monthly payments to an account, he said. “The bad guys are very good at creating believable emails at getting you to give up your credentials.”
Growing concern about criminals using online tools led New Hampshire to establish the Cyber Integration Center to coordinate cybersecurity efforts throughout the state government, and generated high-level training efforts such as Plymouth State University’s “cybersecurity bootcamp” certificate program, and the Center for Cybersecurity at UNH in Durham.
Peterborough’s situation is unusual in that town officials fell for the scam twice involving two different accounts in the space of a month. But otherwise the crime follows a common pattern.
The criminals, who appear to operate overseas, used public information to create legitimate-looking email threads that told officials in the finance department to send regularly scheduled payments to a different bank account. These were followed up by forged ACH (Automated Clearing House) authorization forms, which are needed to set up electronic money transfers. Using them, the town sent $1.2 million in taxes to the regional school district in July, and another $1.1 million in scheduled payments to a construction firm replacing a major bridge in August.
By the time the two scams were spotted the money had been turned into cryptocurrency and was gone. The U.S. Secret Service, which has jurisdiction over interstate financial systems, is heading the investigation.
Goulet said the details of the Peterborough crime showed how online crimes usually happen because of what people do, typically starting with a deceptive e-mail, rather than because of what technology does.
“This represents a great example of the fact that cyber-security is not an I.T. thing, it’s a business-risk management thing,” he said.
In Peterborough’s case, for example, it appears that a phone call confirming the change in bank deposit locations would have stymied the crime. However, large companies’ and institutions’ dealings with vendors are so exclusively online these days, often automated to a large extent, that contacting individuals at different stages of the process would be a major change.
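The control described above, an out-of-band confirmation before any change to where scheduled payments go, can be built into an otherwise automated payment workflow. The following is an added example, not code from the article or from any town or state system; the payee records, phone numbers and the request itself are constructed sample data. The key design point is that the confirmation call must go to the phone number already on file for the payee, never to a number offered in the change request, since a scammer who can forge the request can forge the callback number too.

```python
"""Out-of-band verification gate for vendor bank-detail changes.

Added example (not from the original article). A request to redirect
scheduled payments is held until a person confirms it by phone using the
contact number that was on file BEFORE the request arrived.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Payee:
    name: str
    account: str         # bank account currently on file
    contact_phone: str   # number on file before any change request


@dataclass(frozen=True)
class ChangeRequest:
    payee: str
    new_account: str
    requested_via: str                   # e.g. "email"; informational only
    callback_phone: Optional[str] = None  # number offered in the request (untrusted)


@dataclass(frozen=True)
class Verification:
    phone_used: str      # number the clerk actually dialled
    confirmed_by: str    # who placed the call


def evaluate_change(payees: Dict[str, Payee],
                    request: ChangeRequest,
                    verification: Optional[Verification] = None) -> Tuple[str, str]:
    """Return (decision, reason) where decision is approve, hold or reject.

    The callback number inside the request is deliberately never consulted:
    only the number already on file counts as out-of-band.
    """
    payee = payees.get(request.payee)
    if payee is None:
        return "reject", "unknown payee"
    if request.new_account == payee.account:
        return "approve", "no change to bank details"
    if verification is None:
        return "hold", "bank-detail change requires phone confirmation"
    if verification.phone_used != payee.contact_phone:
        return "hold", "confirmation must use the number on file, not one supplied in the request"
    return "approve", "change confirmed by phone with " + verification.confirmed_by


# Constructed sample data (hypothetical payee, accounts and phone numbers).
PAYEES = {
    "Example Bridge Contractors": Payee(
        name="Example Bridge Contractors",
        account="000111222",
        contact_phone="603-555-0100",
    ),
}

# A request of the kind the article describes: arrives by e-mail, asks to
# redirect payments, and helpfully offers its own "call to confirm" number.
SAMPLE_REQUEST = ChangeRequest(
    payee="Example Bridge Contractors",
    new_account="999888777",
    requested_via="email",
    callback_phone="603-555-0199",
)


def demo() -> Tuple[str, str, str]:
    """Walk the request through the three outcomes a clerk could produce."""
    no_call = evaluate_change(PAYEES, SAMPLE_REQUEST)[0]
    called_request_number = evaluate_change(
        PAYEES, SAMPLE_REQUEST,
        Verification(phone_used=SAMPLE_REQUEST.callback_phone, confirmed_by="clerk"))[0]
    called_file_number = evaluate_change(
        PAYEES, SAMPLE_REQUEST,
        Verification(phone_used="603-555-0100", confirmed_by="clerk"))[0]
    return no_call, called_request_number, called_file_number


if __name__ == "__main__":
    print(demo())
```

In this model the automated pipeline keeps running for unchanged payees; only the rare change of bank details stops for a human, which is the narrow point at which the Peterborough payments were redirected.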
And trying to block deceptive e-mails from getting to people in the first place is an endless task. Goulet said the state government’s filtering system intercepts 94 to 96 percent of e-mails sent to “nh.gov” addresses because they are suspicious, “but we still see invalid messages getting through.”
Goulet agreed with statements from Peterborough’s town administrator that governments are particularly vulnerable to this kind of attack because so much of their information is public. Criminals can use it to craft deceptive emails targeting a specific person, a technique known as “spear-phishing.”
In Peterborough’s case, for example, the amounts and dates of the payments were public information, as were the names and jobs of individuals in the finance department.
“We’ve seen specific examples in New Hampshire where they were using our transparency to develop very compelling spear-phishing,” said Goulet. “They know, for example, who my payroll administrator is, who I am – just imagine if my payroll administrator got an email that looked just like I sent it saying ‘hey, can you change my direct deposit account?’”
The response is to train people not to be fooled, but that’s easier said than done.
“We’ve been mandating this in the state, annual cyber awareness training … and we keep seeing the courseware associated with email spoofing get more sophisticated because the bad guys are more sophisticated,” Goulet said. “To train average people how to hover over a link and interpret whether it’s bad or not – it’s not an easy thing. There’s a lot of subjectivity.”