Crime
The town has only recovered a little over $3,000.
Through phishing, spoofing, social engineering, and compromising email accounts, perpetrators were able to facilitate $445,945.73 in wire fraud from the town of Arlington. The town has not recovered the majority of the funds.
On Wednesday, the town manager announced the stolen funds in a letter to the community. The town is working with local and federal law enforcement and specialized consultants to recover the funds and secure Arlington from future attacks.
The town manager reported that officials believe a well-resourced organization located overseas carried out the attack. No sensitive or resident data was compromised.
Arlington joins a growing list of Massachusetts municipalities that have been victims of cybercrime. Since 2020, Tewksbury, Franklin, Quincy, Lowell, and Concord have all been victims of cyberattacks.
Criminals took the funds through a business email compromise scheme, which, according to the FBI’s website, is one of the most financially damaging online crimes. The scheme exploits the fact that many companies rely on email to conduct business.
The FBI reports that in a business email compromise scheme, criminals send an email message that appears to come from a known source making a legitimate request.
In 2023, the FBI’s Internet Crime Complaint Center received over 21,000 complaints about a business email compromise scheme, with over $2.9 billion in losses.
“It’s a staggering number and a sobering reminder that malicious actors are common and during the course of this experience, I learned, well resourced,” wrote the town manager, Jim Feeney, in the letter. “That being said, I want to assure you that we are exhausting every avenue to recoup the funds that we were defrauded of, and we are making every effort to improve our cybersecurity posture.”
In September 2023, Arlington town employees received a legitimate email from a known vendor working on the Arlington High School Building Project to discuss issues with payment processing.
Unknown to town officials then, threat actors had already compromised employee user accounts and monitored emails. The criminals seized the opportunity to impersonate the vendor with a genuine email domain. They requested a change in their payment method from check to electronic funds transfer, a standard technique municipalities use for ongoing payments.
The scam was aided by fabricating and deleting emails from employee accounts and creating inbox rules to manage and hide incoming messages.
The letter said that once town officials set up the new payment method, the town paid four monthly payments. The payments continued until the vendor reported not receiving payments in February 2024.
Once alerted, officials quickly realized that the town had been defrauded, prompting them to alert law enforcement and their banking institution.
An investigation found that the scheme happened in the town’s Microsoft programs between September 12, 2023, and January 30, 2024. Investigators also found another unsuccessful attempt to intercept wire payments totaling about $5 million. The attackers did not infiltrate the town’s network.
Arlington recovered $3,308 through the town’s banking institution. The town has filed an insurance claim to offset the costs further.
However, the town was still responsible for paying the vendor for the four months lost. At a June 4 meeting, the Arlington High School Building Committee voted to authorize payment to the vendor from the project funds. Any money recouped will go back into this fund.
The town has implemented increased IT security measures, including multi-factor authentication for key personnel, instituted mandatory cybersecurity training for staff, and will roll out a platform that continuously monitors end-user devices to detect and respond to ransomware and malware threats. The town applied for state grant funding to roll out multi-factor authentication for all staff.
According to Jeff Thielman, chair of the Arlington High School Building Committee, despite the loss, the project is still expected to be completed in the fall of 2025 and within budget.
“I would like to thank Mr. Feeney and the Town for their thorough response to this extremely unfortunate and troubling incident,” Thielman wrote in a statement.
Newsletter Signup
Stay up to date on all the latest news from Boston.com