Town manager Richard Montuori reports that Tewksbury has been the victim of an email compromise phishing attack, but that the town is working with its insurance carrier and bank to recoup most of the funds.
In late December, a town employee received an email from a regular vendor inquiring about invoices authorized for payment and requesting payment via wire transfer. Tewksbury pays several of its larger vendors via wire transfer.
The email, however, was spoofed to appear to come from the vendor. When payment was made in late January to a Wells Fargo bank account, town officials soon discovered that the email and wire request were fraudulent and part of a pervasive multinational spree of email phishing attempts that have been on the rise in recent years.
The town immediately initiated an investigation, notified the vendor of the scam, contacted the Tewksbury Police Department and notified the FBI of the fraud.
Of the $102,000 lost in the phishing scam, the town hopes to be repaid $92,500 via insurance, as the town maintains a $100,000 coverage rider with a $7,500 deductible.
In response to this incident, Montuori has ordered a freeze on any new wire transfers. Most of the town’s wire transfer accounts were set up during the early days of COVID-19 to accommodate vendors who were working from home and could not conveniently receive checks via mail at their offices. The town will review all future wire transfer vendors on a case-by-case basis.
The town also has implemented new wire transfer procedures that, among other requirements, include signature matching and “dummy” deposits to verify vendors’ bank accounts before funds are sent.
The Town Accountant’s Office and Treasurer’s Office also have begun reviews of their departments’ protocols and controls around any requests that originate internally and externally to proactively address any other potential threats.
Tewksbury also will have its audit firm, which has expertise in fraudulent attacks, review the incident, and examine the attack and transfer procedures for further potential enhancements to internal controls. These types of phishing attempts are always evolving, and improving the town’s cybersecurity posture through training is critical.
The Town is currently engaged in staff training that is designed to help identify phishing attempts, through a state-sponsored grant.
Phishing Attacks Common
Editor’s note: Select Board member James Mackey previously provided additional tips to help residents stay safe online. Mackey also chaired a Municipal Cybersecurity Summit at the Tewksbury Library and helped apply for the $10,000 grant being used for training.
According to the FBI, phishing and email compromise cost businesses and government agencies billions of dollars annually.
The city of Quincy, Mass., lost $3.5 million from its pension fund recently when an employee made a transfer based on a request from an email address that had been hijacked. And, last April, a LinkedIn data breach resulted in an account database containing email addresses, phone numbers, links to other social media profiles and professional details for some 500 million users being sold online. Attackers can search for municipal or business employees, do some research on social media and create a convincing targeted phishing email.
The federal Cybersecurity and Infrastructure Security Agency provides tips to identify and thwart phishing attempts, including:
- Watch for spoofed hyperlinks and websites. Before clicking on a link in an email, hover your cursor over it and ensure the link matches the text and goes where you expect. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain, like .com vs. .net. And be cautious with shortened URLs that hide the true destination of the link.
- Avoid suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware.
- Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, first verify his or her identity directly with the company. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. Never reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
“This is a very unfortunate incident, but we are certainly mindful that it could have been much worse,” Montuori said. “We have learned from this experience and are confident that our policy and procedure changes will leave us better prepared in the future.”