Perpetrators of a $2.3 million fraud against Peterborough taxpayers over the summer initiated the criminal enterprise by compromising the email of one town employee, according to a timeline prepared by local officials.
While simple human failure to follow established procedures allowed the scam to succeed, aspects of the theft do appear complex, including circumventing bank controls intended to prevent people from fraudulently setting up accounts.
“April – The email account belonging to a Town of Peterborough finance staff person was compromised by a Bad Actor utilizing IP addresses from outside the U.S.,” states the timeline prepared for the September 21 Select Board meeting.
“The staff person was likely targeted by a phishing email or a zero-day exploit of the Microsoft 365 platform which occurred last winter.”
The town has not identified the staff member who was targeted.
Finance Director Leo Smith, who took his long-planned retirement after the fraud was revealed, declined to comment, citing the ongoing investigation. Town accountant Shannon Kelley, who was in charge of accounts payable, resigned on Sept. 7. She could not be reached for comment.
The “zero-day exploit” refers to a systemwide breach of private information involving Microsoft and others. The town uses Microsoft 365, a suite of services that includes email. Microsoft provides the security for its own email servers.
Phishing is the sending of an email purporting to be from a reputable source with the goal of getting the recipient to reveal private information, such as the password for an email account.
Building the fraud
After accessing the staff person’s email, those running the scam were able to learn that the town’s two largest vendors, Main Street bridge contractor Beck & Bellucci and the ConVal School District made legitimate requests to be paid by electronic fund transfer rather than paper check.
“Some of the communications happened via email and some of it was telephone or video meeting conversations,” Town Administrator Nicole MacStay said in an interview.
Those running the scam then capitalized on their knowledge of the legitimate vendor requests.
“Through a bit of luck on their part, bad luck on ours unfortunately, they were able to insert themselves into those conversations as they were happening, fairly seamlessly,” MacStay said.
The perpetrators pretended to be these vendors and sent emails directing the town to send the electronic fund transfers to bank accounts they had set up.
Then, to further their scheme, they deleted legitimate emails from the vendors to the town.
“The bank account information provided by the Bad Actor redirected the payments to bank accounts in the Northeast that did not belong to Beck & Bellucci or the ConVal School District,” the timeline says. “Money was then transferred out of these accounts to accounts held at other institutions or converted into cyber currency.”
“Some of the accounts were opened fraudulently using falsified information.”
The U.S. Secret Service, which is investigating the crime, was able to recover $594,331 of the stolen money that had not yet been converted to cryptocurrency.
Know your customer
New Hampshire Bank Commissioner Gerald H. “Jerry” Little said banks have long been on the lookout for accounts that are opened fraudulently. Financial institutions are subject to major fines under anti-money laundering laws requiring banks to know the true identity of their customers.
They can do this by requiring clients to provide credentials that prove their identity and address and can be verified with photo comparison, biometrics or documents.
But mistakes can be made and new account fraud continues. Nowadays, people can open an account online without ever entering a financial institution.
“But this problem predates the modern era of digital banking,” Little said. “There are very robust federal laws and relative to efforts to prevent inappropriate opening or criminally intended opening of accounts.
“If anyone wants to open an account at a financial institution, frankly any type, whether it is a bank, a credit union, a securities firm, they are supposed to go through very rigorous steps to know their customer and to make sure all the proper documentation is in place so that proper forms get filed for instance with the IRS.
“So there is a very strong, large book of regulation relative to ‘Know Your Customer’ and all institutions are expected to comply with it.”
Despite such regulations and requirements, criminals find ways to use false information to set up accounts, and that is why all parties to transactions need to have strong policies for financial activities, Little said.
MacStay said the town did have solid requirements for verifying changes in the routing of vendor payments, but these requirements weren’t followed. She blames human error on the part of those who didn’t insist on the verification steps of a notarized form and a confirmatory phone call.
“We had two members of staff that were supposed to check and verify each other’s work on that front,” she said.
“The real challenge for end users like us is to verify everything and be vigilant and make sure that when these requests to make changes come in that they’ve been verified and they’re accurate.”
Meanwhile, all non-essential electronic fund transfers have been cancelled and mandatory cybersecurity retraining is being required for town employees.
Lisa Thompson, an attorney who is chair of the New Hampshire Bar Association Intellectual Property Section, said training is crucial.
“These kinds of phishing scams or email scams are getting more sophisticated, but they are common and it’s probably one of the first things that any cybersecurity training goes over,” Thompson said. “The thing that every cybersecurity training program discusses is how your employees are your first line of defense.”
Criminals are always waiting to cash in when an employee of a company or town doesn’t follow proper financial protocols.
“They send these phishing emails out, they cast a wide net literally like 99 of them and all it takes is one finance person in Peterborough, New Hampshire, to respond and then, boom, look how much money they got,” Thompson said.
“Municipalities are a prime target for this stuff because usually they’re under-resourced and they’ve got a lot of access to information that is very valuable to criminals.”
Towns take notice
Jon Frederick, town manager of Jaffrey, said the Peterborough fraud heightens the awareness of the importance of financial controls and the requirement for verifying changes in payment information.
The two towns are about six miles apart and each has a population of about 6,000 people.
He said his finance employees are required to make a personal contact to validate payment changes.
“We wouldn’t rely on email or anything,” Frederick said. “It would be a matter of picking up the phone to call and making sure the request was valid.
“We conduct cyber training here for new people coming in and we do have annual training to safeguard against these things.
“You can have all the equipment in the world to prevent these types of attacks but the system is only as strong as the person sitting at the keyboard. So that’s our focus, recognizing what is and is not real and then hopefully people are savvy enough to recognize it.”
He said phishing scams are not unusual.
“We get hit frequently with these, ‘I need you to deposit a check to this account right now,’ disguised as me or somebody else at the town,” he said. “We’re not strangers to it, it’s just a matter of communicating and making sure that everything is valid that you’re doing.”