A New Hampshire town has been scammed by cyber-criminals out of $2.3 million via two business email compromise (BEC) scams.
Peterborough, New Hampshire, is a small town with a 7,000-person population, and a total annual budget of $15.8 million. The cyberattack has cost the town 14% of its annual budget.
The town’s cybersecurity vendor, Atom Group, determined that the criminals used a combination of forged documents and compromised email accounts, to pose as staff of the ConVal School District. In doing so, they were successful in diverting a million-dollar transfer into a bank account under their control.
The town became aware of the scam when the School District reported that it had missed its $1.2m monthly payment from the town on 26th July. The incident is currently being investigated by the U.S Secret Service, which determined the funds have since been converted into cryptocurrency. The staff of the town’s finance department has been placed on leave while the investigation is in progress.
Officials have stated that recovering the money is unlikely, from either the criminals themselves or an insurance policy, since most policies don’t cover losses to BEC.
In a telephone interview, town administrator Nicole MacStay said: “It’s very shocking to us to be quite honest. It’s just been very difficult to work through all this, and try to do the best we can to recover these funds … to mitigate the burden on our residents and taxpayers.”
The incident was not an isolated event. The cybercriminals were successful in a further attack on the 18th August, in which they employed a similar tactic and posed as a general contractor hired by the town to repair Main Street Bridge.
Officials have confirmed that the criminals are based outside the United States in a press release:
“These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers,” the press release states.