Cybersecurity is an increasing concern in NH as everything goes online, where a whole new set of bad guys are waiting. I wrote about it in May (Cybersecurity bootcamp launched) and April (Cybersecurity Initiative) and today I wrote about it because a small town was robbed twice by the same method:
Criminals pretending to be the ConVal School District and a construction contractor used forged email accounts and bank documents to fool the town of Peterborough into sending them $2.3 million, in the latest example of online theft via false identity.
“It’s so hard to stay ahead of them. They’re very sophisticated; they really knew what they were doing and they were very targeted,” said Nicole MacStay, town administrator of Peterborough, a community of 6,800 between Nashua and Keene.
She said the theft came from criminals who “appeared to be overseas” and that it made use of information about payment amounts and schedules which can be found online as part of open government.
The crime is being investigated by the U.S. Secret Service, which has jurisdiction over interstate financial and payment systems.
The first theft happened in July and involved a regularly scheduled monthly transfer of tax revenue from the town to the regional school district, totaling $1.2 million. The schedule for payments and their amount are set at the start of the fiscal year.
According to MacStay, the town had received emails that seemed to come from the school district saying the district was changing banks. These were followed by forged documents for the ACH process, or automated clearing house, necessary to transfer funds electronically to the new bank. The town Finance Department then followed regular procedures to send the money to the new account.
“We learned about (the theft) when the district … they called us and said the payment’s late, what’s going on?” MacStay said.
Finance Department staff put a stop payment order on the transfer but “the funds had already left the town’s account at Peoples Bank,” the town said in a press release. The money was traced but it had already been used to purchase untraceable cryptocurrency and cannot be recovered.
“On August 18, with the investigation still ongoing, Finance Department staff learned that two bank transfers meant to go to Beck and Bellucci, the general contractor working on the Main Street Bridge project, had also been fraudulently diverted to thieves through similar means,” the release said.
Together the losses totaled $2.3 million.
The theft is also being investigated by cyber security consulting firm ATOM Group through NH Primex, which provides liability coverage for Peterborough and many other New Hampshire communities. MacStay said the town has theft insurance, but it’s not yet certain how much of the loss will be covered by insurance.
“Though it is now believed that no town staff were criminally involved in the transfers, the Finance Department staff who were directly targeted in this fraud are on leave until the U.S. Secret Service’s ongoing investigation has been concluded,” the release said. MacStay declined to give further details because of the open investigation.
While surprising in their size and brazenness, the thefts are typical of crimes committed by pretending to be somebody else online, often through “spoofing” email or other accounts.
“These are real threats. It’s happening to people everywhere, whether it’s ransomware or someone calling an elderly person and making them feel their grandson is under threat in a foreign country,” said MacStay. “It just requires so much vigilance – being so careful that the person you’re corresponding with is the person you think they are.”