NEWFANE — As soon as she received an email from herself telling her what new tax bills would look like, Town Treasurer Melissa Brown smelled a scam.
While Brown's name was listed as the sender's name, the email address it came from was “billing@rppsc.com.”
“Good morning, please read this ASAP. . . Your tax bill next year will have your name on the bill,” read the email, followed by Brown's name. A zip file was attached.
Brown did not open it.
“Especially since it said it came from myself,” she said. “And minutes before, I had had an email that said the town clerk was requesting money, and I could see her sitting right in front of me.”
Brown says it's not unusual to get this sort of email from potential scammers.
“We get them all the time,” she says. “A lot of the towns do.”
The town takes digital precautions. “We want to be sure we're safe, and we definitely are,” Brown says. “We can't be hacked into or anything like that.”
“It's just the email stuff,” she says.
For all the convenience email provides, the underlying technology has not changed appreciably since the early 1970s, a time when computer networking was the province of defense research and academic use.
That might explain why the protocol lets any sender set both the name displayed to the recipient and the address to which replies should go, independently of where the message actually originated. In unscrupulous hands, that flexibility lets someone pretend that an email is coming from a different user entirely, a technique known as spoofing.
The address shown as the sender is usually another victim of the scheme: a domain selected at random, paired with a generic mailbox name such as “info,” “admin,” or, in this case, “billing.”
In this email, the reply address was billing@rppsc.com, and the innocent third party is Right Path Pain and Spine Center PLLC, a medical practice in Davenport, Fla.
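The mismatch Brown noticed, a familiar staff name in the display name but an outside address behind it, can be checked mechanically before anyone opens an attachment. The following Python script is an added example, not code from the article or from the town; the town domain “newfanevt.example”, the staff roster, and the sample message (constructed to resemble the one the article describes) are all assumptions for illustration.

```python
"""Flag display-name spoofing in a raw email message (added example).

Assumptions (hypothetical, not from the article): the town's own mail
domain is "newfanevt.example" and a short roster of staff display
names is available. SAMPLE_MESSAGE is constructed to resemble the
message the article describes; it is not the real email.
"""
import email
from email.utils import parseaddr

# Hypothetical: the organization's real domain and the names a scammer
# is likely to lift from its public website.
OWN_DOMAIN = "newfanevt.example"
STAFF_NAMES = {"melissa brown", "carol hesselbach"}

# Generic mailbox names typical of the innocent third-party addresses
# the article describes.
GENERIC_LOCAL_PARTS = {"info", "admin", "billing", "support"}

# Constructed sample: the treasurer's name as display name, an unrelated
# external address as the actual sender.
SAMPLE_MESSAGE = """\
From: Melissa Brown <billing@rppsc.com>
To: treasurer@newfanevt.example
Subject: Re: New Tax Bills
Content-Type: text/plain

Good morning, please read this ASAP... Your tax bill next year will have your name on the bill.
"""


def analyze_sender(raw_message: str) -> dict:
    """Return flags explaining why a message looks like display-name spoofing."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))

    from_domain = from_addr.rpartition("@")[2].lower()
    # A missing Reply-To means replies go back to the From address.
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    flags = {
        "display_name": from_name,
        "from_address": from_addr,
        # A colleague's name on the display name, but the mail did not
        # come from the organization's own domain.
        "staff_name_external_domain": (
            from_name.strip().lower() in STAFF_NAMES and from_domain != OWN_DOMAIN
        ),
        # Replies would be steered to a domain other than the one the
        # message claims to come from.
        "reply_to_mismatch": reply_domain != from_domain,
        # Generic mailbox on a random domain, as in "billing@rppsc.com".
        "generic_local_part": from_addr.split("@")[0].lower() in GENERIC_LOCAL_PARTS,
    }
    flags["suspicious"] = flags["staff_name_external_domain"] or flags["reply_to_mismatch"]
    return flags


if __name__ == "__main__":
    for key, value in analyze_sender(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The check does not prove a message is fraudulent; a legitimate colleague writing from a personal account trips the same rule. It is a triage signal that earns the message a phone call, which is the kind of verification the article's sources recommend.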
This whole theft scheme is known as phishing, and its results can be devastating to those who trustingly click a link that looks like it's from a bank, who open an attachment that looks like an important communication, or who pay an invoice that looks real.
“We pay close attention, and we're pretty aware of it. They must Google the town website and get information there,” Brown says.
Names such as Town Clerk Carol Hesselbach's aren't easy to spell, Brown observes, which is why she believes scammers lift names and email addresses from the town website.
“They spelled her name perfectly,” said the treasurer.
How much damage a scam can cause
In August, the town of Peterborough, N.H., lost $2.3 million to an email fraud scheme.
Town Administrator Nicole MacStay and Select Board Chair Tyler Ward issued a press release at the time noting that the town had fallen prey to an internet crime.
It started on July 26 when town officials learned the Contoocook Valley (ConVal) School District had not received its $1.2 million monthly transfer from the town and arranged for the payment.
“Upon investigation we quickly realized that the town had been victim of an email-based fraud,” the officials wrote.
The town finance department immediately put a stop-payment order on the transfer, but the money had already left the town's bank account.
At the same time, the town's IT staff followed the protocol to alert the U.S. Secret Service and a cybersecurity consulting firm. Those groups were able to identify email exchanges between finance department staff and thieves posing as ConVal School District staff using forged documents and email accounts but were not immediately able to identify who had perpetrated the fraud.
Then, on Aug. 18, with the original investigation still ongoing, finance department staff members learned that two bank transfers meant to go to the general contractor working on a local bridge project had also been fraudulently diverted to thieves through similar means.
“Investigations into these forged email exchanges showed that they originated overseas,” reads the press release. “These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers.”
Peterborough has recovered almost $600,000 through working with the U.S. Secret Service, new town Finance Director Lilli Gilligan said Monday, but it's doubtful that full recompense will be forthcoming.
“It's very unfortunate that even if you have all these systems in place, the fact is that cryptocurrency [a collection of binary data designed to work as a medium of exchange] is not traced the way transactions in banking systems are, and so the trail goes cold for the Secret Service,” she says.
Tough to stop
Spam filtering is the first line of defense for blocking the initial attack and flagging scams before any fraudulent transfer of funds goes out, but the companies that do this work, such as SpamTitan, say it is “important for organizations to raise awareness of the threat of BEC [business email compromise] attacks with the workforce, especially employees in the finance department.
“Policies and procedures should also be put in place that require any change to payment details to be verified by telephone using previously confirmed contact information,” a practice known as out-of-band, or callback, verification.
“Implementing these simple measures can be the difference between blocking an attack and transferring millions of dollars directly to the attackers' accounts,” the firm said.
Newfane town officials want taxpayers to know not to open any email regarding new tax bills and that the treasurer - who does not use an outside company to create tax bill forms - will not be mailing new tax bills until July 2022.
If a revised bill needs to be sent to someone, it will be sent via the U.S. Mail. Brown says residents will receive tax bills emailed from her only if they call and make that request.
An email from The Commons to the address Brown noted in the suspicious email had not been responded to at press time.