
How Email Scammers Hit Arlington, Mass., Covered Their Tracks

Cyber criminals diverted four monthly payments meant for a vendor involved with rebuilding the town’s high school, and they carefully managed compromised employee email accounts to hide the fraud.

The town of Arlington, Mass., recently disclosed that it had lost nearly $446,000 in a monthslong business email compromise (BEC) scam, and it is now updating its cybersecurity protections.

The Boston-area suburb — and birthplace of Uncle Sam — said in a public letter that fraudsters had compromised “certain employee user accounts” and monitored inboxes. This began in September, when the cyber criminals discovered real emails from a vendor about payment processing issues, and they jumped on the opportunity for fraud, wrote Town Manager Jim Feeney in the letter.

Cyber criminals impersonated the vendor, sending the town a message from an email domain appearing to belong to the company. In their message, the perpetrators requested switching vendor payments from check to electronic funds transfer. The next four monthly payments then went to the fraudsters instead of the real vendor.

Attackers kept their ruse a secret by deleting emails they’d sent from compromised employee accounts and setting up inbox rules to “manage and hide incoming messages.” The town believes the threat actors were located overseas, but perpetrators directed the payments to a legitimate, domestic bank account. As such, the town’s financial institution didn’t notice anything suspicious.
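
Defenders can look for the inbox-rule concealment described above by reviewing an export of mailbox rules for ones that take payment-related mail out of view. The following is an added example, not part of the original article or the town's tooling; the rule schema, the folder and keyword lists, and the sample addresses are constructed assumptions.

```python
import re

# Constructed, platform-neutral rule schema (an assumption of this example);
# map your mail platform's mailbox-rule export onto it before use.
HIDING_ACTIONS = {"delete", "mark_read"}
# Folders users rarely open (assumed list); a move there hides mail too.
QUIET_FOLDERS = {"rss feeds", "conversation history", "junk email",
                 "deleted items", "archive"}
# Payment vocabulary (assumed list) an attacker would want kept out of view.
FINANCE_TERMS = re.compile(
    r"\b(invoice|payment|wire|ach|eft|remit\w*|bank|overdue)\b", re.I)

def score_rule(rule, watched_domains=()):
    """Return the list of reasons a single rule looks like message hiding."""
    hides = []
    for action in rule.get("actions", []):
        kind, folder = action.get("type"), action.get("folder", "")
        if kind in HIDING_ACTIONS:
            hides.append("hides mail via " + kind)
        elif kind == "move_to_folder" and folder.lower() in QUIET_FOLDERS:
            hides.append("moves mail to rarely viewed folder " + folder)
    if not hides:
        return []  # rule leaves matching mail visible; nothing to report
    reasons = list(hides)
    cond = rule.get("conditions", {})
    if FINANCE_TERMS.search(" ".join(cond.get("contains", []))):
        reasons.append("filter matches payment vocabulary")
    domains = {d.lower() for d in watched_domains}
    if any(s.lower().rpartition("@")[2] in domains for s in cond.get("from", [])):
        reasons.append("filter matches a watched vendor domain")
    return reasons

def flag_hiding_rules(rules, watched_domains=(), threshold=2):
    """Return (owner, rule name, reasons) for rules with enough reasons."""
    scored = ((r["owner"], r["name"], score_rule(r, watched_domains)) for r in rules)
    return [hit for hit in scored if len(hit[2]) >= threshold]

# Constructed sample export: one benign rule, one hiding rule.
SAMPLE_RULES = [
    {"owner": "clerk@town.example", "name": "Newsletters",
     "conditions": {"from": ["news@lists.example"]},
     "actions": [{"type": "move_to_folder", "folder": "Reading"}]},
    {"owner": "ap@town.example", "name": "x",
     "conditions": {"from": ["billing@vendor.example"], "contains": ["payment"]},
     "actions": [{"type": "move_to_folder", "folder": "RSS Feeds"},
                 {"type": "mark_read"}]},
]
```

Calling `flag_hiding_rules(SAMPLE_RULES, ["vendor.example"])` returns only the second rule, with each reason listed so a reviewer can confirm it with the mailbox owner.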

“It was very much so a textbook business email compromise attack,” Feeney said in a June 6 video.

Email compromise is a common type of attack, with Feeney noting in his public letter that the FBI’s Internet Crime Complaint Center received 21,489 reports of it in 2023. And perpetrators of that type of attack frequently use bank payments and transfers to steal the funds.

It wasn’t until the vendor reported nonpayment in February that the crime was discovered. And the ensuing investigation revealed that this wasn’t the only fraud attempt. From September through January, attackers apparently attempted to intercept a total of $5 million worth of wire payments but “were unsuccessful as the targets were well-established existing wires.”

Upon discovering this fraud, the town “performed a force disconnection from the network, required a password change for all users and enabled multifactor authentication for key personnel,” Feeney wrote. It also reviewed its other wire payments and brought in a third-party auditor to tighten internal controls around wire transfer payments.

Arlington had already begun work to reconfigure its email security settings, in response to rising phishing attempts. As of publication time, the town had not responded to a query on how attackers are believed to have gained access to the email accounts.

The town is also looking to raise its cyber defenses by using state grant money to fund mandatory cybersecurity training for all staff. It is also applying for additional state funds to help it deploy multifactor authentication on all staff accounts. Arlington plans to collaborate with the state on penetration testing and said that it is introducing an endpoint detection and response platform.

Arlington’s bank was only able to recover about $3,000 of the stolen money, and the town is waiting to learn what its insurance will cover. Even so, the loss, while painful, isn’t a disaster: The vendor had been hired to work on a high school rebuilding project, and Feeney said that project has enough money to cover the loss, without delaying timelines or shrinking its vision.

The vendor was not compromised, nor was any of the town’s sensitive data or resident data, Feeney also noted in his letter.