Seven Phishing Attacks that Targeted State and Local Governments

September 11, 2019 | by David Bisson | cybersecurity, phishing

Recently I wrote about how bad actors have stepped up their use of email to target U.S. schools and colleges. Unfortunately, education isn’t the only sector that’s seen a surge in email-based attacks. Small governments also have encountered their fair share of incidents. Indeed, Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO), told CRN how state and local governments have experienced a “fivefold increase in phishing attacks in the last three years.”

These campaigns have employed various lures and techniques to steal sensitive data or funding from these government entities. 

Phishing attacks targeting state and local governments have been particularly prolific in the first three quarters of 2019. Here are seven incidents that made headlines during that time.

Ottawa, Ontario, Canada

In April 2019, KnowBe4 reported on an incident in which Marian Simulik, the treasurer for the City of Ottawa in Ontario, Canada, received an email from someone posing as the city manager back in July 2018. The fraudster instructed Simulik to wire money to a supplier in the United States. At the time, the city’s website was undergoing an overhaul, so the treasurer figured the request was related to this ongoing project. After researching the supplier and conversing via email with someone she thought to be the city manager, Simulik sent $128,000 to a US bank account. It wasn’t long thereafter that Simulik received another money request from the scammer. This time, she asked the city manager in person; they said they knew nothing of either money request. The treasurer then realized she had been a victim of an email-based attack.

Chicago, Illinois

CBS Local reported that the City of Chicago’s Department of Aviation received in January what appeared to be an email from Skyline Management, a city-approved vendor. According to city documents, Chicago had paid this company $284,628,921.17 as of April 2019 for custodial services performed at Midway International Airport and O’Hare International Airport since 2008. Because of the existing relationship with Skyline, it was not unusual for the Department of Aviation to receive an email from the company. So when an email from what appeared to be Skyline Management requested the Department of Aviation officials to change the receiving bank account from one at US Bank to Wells Fargo Bank, officials complied and sent $1,150,759.82 for Skyline’s services. The mistake was not realized until several weeks later when Skyline Management contacted the department to report they had not received payment for services. That’s when the department realized they had been a scam victim. Fortunately for the Department of Aviation, Wells Fargo Bank had put a hold on the scammer's account and the department was able to recover the funds.

Burlington, Ontario, Canada 

In a press release issued by the City of Burlington, officials explained that city staff members had received a “complex phishing email” purporting to come from an established city vendor. The email leveraged falsified documents that had a “level of sophistication not typically seen” to trick recipients into believing that the vendor needed to change its banking information. As reported by CBC, city personnel ultimately transferred $503,000 to the falsified bank account on May 16. City officials realized the mistake a week later, at which point they notified their bank and Halton Regional Police. They also implemented additional security measures to help protect against similar attacks in the future.

Riviera Beach, Florida

On May 29, digital criminals infected the computer systems of Riviera Beach, Florida, with ransomware after someone in the police department clicked on a link within a malicious email. IT officials quickly worked to investigate the attack, but during the investigation, the city took all of its operations offline. The decision to take the services offline prevented 911 dispatchers from entering calls into emergency computer systems, and it forced officials to pay city employees using handwritten checks. Ultimately, Riviera Beach listened to the advice of external security consultants and paid the attacks ransom of 65 Bitcoin (then worth more than $600,000), reported Naked Security.

Arlington County, Virginia

The Government of Arlington County disclosed a security incident in which fraudsters targeted its employees with phishing emails. Per the reporting of ARLnow.com, bad actors used phishing emails to infiltrate the government’s payroll system. Arlington County officials revealed that the incident did not last long nor affect too many employees. They clarified that the security event had not compromised any resident data. Officials identified and notified all affected individuals and provided recommendations on how they could secure their personal data. It took the additional step of implementing security measures designed to safeguard its email and other critical computing systems against phishing attacks and other digital threats.

Collier County, Florida

In mid-August, news emerged that Collier County in Florida had been a victim of a business email compromise (BEC) scam in December 2018. Fraudsters crafted and sent an email made to look as if it originated from Quality Enterprises USA, Inc., a contractor which had performed work for the county. This email instructed Collier County to transfer funds to a new bank account supposedly maintained by Quality Enterprises. County officials responded by wiring $184,000 to the new bank account. Naple News reported that it didn’t take the county long to figure out what had happened; fortunately, the county was able to recover those funds with the help of its insurance carriers.

City and Borough of Juneau, Alaska

Collier County wasn’t the only small government entity targeted by BEC scammers in December 2018. At that time, an individual reached out to the government for the City and Borough of Juneau (CBJ), Alaska. They said that they were associated with SECON Construction, an approved CBJ contractor. Several months later, the individual sent over a voided check and updated W-9 form so that CBJ could update the bank account number assigned to SECON Construction. CBJ validated the account by successfully sending over a zero-dollar transaction test; in the meantime, SECON Construction continued to perform construction services. In April 2019, CBJ sent $329,630.21 over to SECON Construction as payment for its work, but in May, SECON Construction reached out and said it had never received compensation for its services. That’s when CBJ contacted the Juneau Police Department, the FBI and its bank. CBJ received $250,000 in reimbursement from its insurer while the FBI continued with its investigation.

How Small Governments Can Protect Themselves

The security incidents discussed above highlight how fraudsters are more than willing to go after small government entities. In response, these government bodies need to make sure they have robust measures in place that can help secure their email. One of the easiest ways they can do this is by investing in a solution that analyzes incoming email for malicious campaign patterns, suspicious URLs, known malware signatures, behavior indicative of zero-day threats and other tell-tale indicators. This solution should operate in real-time so that it can block potentially malicious email while allowing legitimate messages to get through.