Understanding exactly how cybercriminals were able to break into a staff member’s email account and eventually bilk the Town of Peterborough out of $2.3 million last summer, forcing the use of unrestricted fund balance to fill the gap, remains unclear.
What is clear, according to Peterborough Town Administrator Nicole MacStay, is that the crime could have been prevented had a few procedures and preventative measures been followed.
The type of crime that was committed in Peterborough and the way the criminals gained access are not uncommon, according to cybersecurity experts. What was uncommon in this case was the sum of money stolen and the repeated transfers of money.
The crime began during the winter and spring of 2021, when overseas criminals were able to access the email credentials of a staff member working for the town in the Finance Department. This allowed them to gain access to that person’s email account where they could watch emails and wait for a time to strike.
“We’re not exactly sure what happened. What we do know is that there was one attempt to use those credentials and that their first attempt was successful,” MacStay said, referring to the phishing scam the criminals used to access Finance Department staff’s email credentials. “They had the user name and the password by April 2021. That’s when we know someone from overseas logged in and was able to gain immediate access.”
From there, the criminals began a process of waiting and watching, and ultimately falsifying Automated Clearing House (ACH) documents that were used to transfer money between the Town of Peterborough and the ConVal School District, as well as the construction company Beck and Bellucci.
The type of breach that took place in Peterborough is known as a business email compromise, said attorney Ande Smith of Deer Brook Consulting, who explained the first step is gaining access to an employee’s email account. He explained that this can happen when criminals mine dark web stores for stolen passwords.
“The most-common way this happens, unfortunately, is that people will find people’s passwords on dark web password stores. They will look up you or me and then try these credentials out on systems using different passwords they’ve found,” Smith said, explaining that criminals will learn what a staff person does and then monitor big transactions to find out where the money is being wired. “Often, they derive the critical information from those dark webs because people recycle passwords. I don’t know if that’s the case [in Peterborough]. If their email system was internal, it’s possible they hacked the system and gathered credentials inside with Microsoft 365 or Gmail. But usually it’s a password-guessing exercise.”
On July 26, 2021, Peterborough officials knew something was wrong after receiving word from ConVal that their regular $1.2 million monthly payment hadn’t arrived. The town immediately launched an investigation by alerting the U.S. Secret Service, cybersecurity consulting firm ATOM Group and NH Primex, the town’s insurer, but by then the money had been stolen.
About a month later, on Aug. 18, the initial investigation was still ongoing when town Finance Department staff discovered that two more large transfers, both intended for Main Street Bridge project contractors Beck & Bellucci, had been diverted in a similar manner. Peterborough was ultimately defrauded on three payments — one intended for ConVal on July 23 and two intended for Beck & Bellucci, one on July 9 and the other on Aug. 13.
“They had been paying attention to who the players were and they inserted themselves into the conversations of those groups,” said MacStay, who had been the town’s finance director for eight months at the time the crimes took place. “[The criminals] copied the signatures. Even though their email addresses were a little bit different, you have to look really closely in a couple of cases to see the differences. They were very clever and they manipulated the process and were able to divert those funds.”
ACH forms sent via email and not notarized
The diversion MacStay is referring to involves Automated Clearing House (ACH) transfers that require a notarized form before a transaction can take place.
Where “things really went wrong,” MacStay said, was with the forms used to complete the ACH transfers between the town, the school district and Beck & Bellucci.
“Not only were [staff] not paying close enough attention to the emails to make sure they were absolutely correct, they also weren’t paying close enough attention to the [ACH] forms,” MacStay said, explaining that ACH transaction forms require a notarized signature. “You can receive a copy of a notarized form via email, but the form itself has a stamp and signatures on it. [Staff] accepted forms via email that were not notarized and they acted on those forms.”
MacStay said this isn’t surprising given the increase in business transactions being done via email during the pandemic. But she said what notarization means never changes, and that requiring it was the town’s policy at the time.
“There’s only one way to get a notarized form, and that’s with a notary right in front of you stamping that form,” she said. “And that was at the last point the scam could have been stopped. It was a misunderstanding of what notarization meant. It was a failure of training really.”
Peterborough’s use of unrestricted fund balance
MacStay said there was no direct impact on taxes as a result of the theft, but that the use of money from the unrestricted fund balance meant the town’s Select Board did not have the option to use those funds as an offsetting revenue in the fiscal 2022 budget, which would have lowered the tax rate.
When asked if she could say how much the tax rate would have been reduced if the fund balance had not been needed, MacStay stated, “I cannot, because the Select Board never deliberated on that question. By the time we got to setting the tax rate in October, the funds from the UFB were already appropriated to cover the fraud losses.”
The town’s unrestricted fund balance on July 1, 2021, was slightly more than $3 million, and following a public hearing in September 2021, the town was allowed to use $1,753,479 to make up for the funds that were stolen.
MacStay said the town’s directors were able to find ways to avoid spending over $1 million across the town’s entire fiscal 2022 budget, adding that the credit for this is owed directly to the chiefs and directors “who worked so diligently to keep their department’s spending under tight control through the year.”
“With the addition of unanticipated revenues, and the savings in the fiber expansion project, the town’s (unrestricted fund balance) only dropped by $111,179 from July 1, 2021. The projected starting unrestricted fund balance on July 1, 2022, is $2,937,482,” MacStay said.
Security measures taken
Since the theft last summer, Peterborough has taken measures to ensure it can avoid similar scams in the future.
The town has implemented multi-factor authentication – an electronic authentication method in which a user is granted access to a website or email application only after successfully presenting two or more pieces of evidence to ensure a user’s identity – for all Finance Department staff and department directors.
Mike Ricker, general counsel for New Hampshire Public Risk Management Exchange (Primex), which represents nearly all New Hampshire towns and cities on property and liability matters, said cyber crimes have increased across the state over the past several years. He said his organization wasn’t able to disclose information about its handling of the Peterborough cyber claim because of a state confidentiality statute, but he did say that because of the increased threat, Primex continues to make cyber coverage available to its members.
“We also provide them access to cyber loss prevention training, consulting and other resources,” he said. “Cyber threats have become a major risk management concern for both the public and private sectors.”
One of the simple ways to avoid business email compromises, cybersecurity experts agree, is installing multi-factor authentication.
Jason Sgro, senior partner and head of cybersecurity at the ATOM Group, which the Town of Peterborough has been working with to improve its privacy functions, said the vast majority of the 550 entities it represents in New Hampshire are municipalities and that cyber crime is on the rise.
One of the systemic problems across the state, Sgro said, is that municipalities fail to use multi-factor authentication. There is also no way to get statewide statistics on how many municipalities are hit with cyber crimes, because people seldom report incidents. And even if they did, he said, this wouldn’t solve the problem, referring to House Bill 1277, which goes into effect this month and mandates that towns and cities report all cybersecurity attacks to the state Department of Information Technology as soon as they occur.
“I do not believe the legislation that passed will have a serious impact on cyber crime. I expect our clients will participate, but a lot of this is governed between breach counsel privacy attorneys and victims. [N]otification to a state body, as required by statute…I don’t know if that will materially help in terms of preparing our understanding the size of these crimes,” Sgro said, adding that municipal governments and public entities in New Hampshire have become soft targets because many have not made significant investments in cybersecurity, not because they haven’t been required to report incidents. “We know cyber crime is a huge problem. Knowing how much crime is not really the solution. The problem is that we don’t have a lot of cyber professionals dealing with cyber crime, or training on the state, local, federal levels.”
One reason for this, Sgro said, is that it’s expensive.
“Most municipalities are chronically understaffed,” he said. “When you’re in a state with well-meaning people like New Hampshire, they’re easier to defraud. And without investment in tools and training to understand how complex these crimes are – it’s not a Nigerian prince anymore – the problem will continue.”
Ryan Barton is CEO of Mainstay Technologies, a New Hampshire IT company that has been in business since 2004 and serves 200 organizations throughout the state, including municipalities. He said the good trend counteracting cyber crime is that protections against it are getting less expensive and more available to smaller organizations.
“But they have to actually do it,” he said. “They have to spend the money and implement the right layers, including multi-factor authentication. They have to train their staff. If this is all done, it does an incredibly effective job preventing crimes like [those that happened in Peterborough].”
Barton, like other IT professionals, said compromises of email accounts, or compromising someone else’s account and getting fraudulent payments sent, are by far the most common types of cyber crime.
And this, he said, is why every business and organization needs an email system like Office 365.
“And they need to work with trained staff in a qualified third party to keep up to date with this,” he said. “Things we talk about today become out of date very quickly. It’s not the responsibility of an office administrator to tackle that.”
Peterborough was able to retrieve close to $700,000 of the stolen money thanks to the help of its insurer Primex, which continues to work with the FBI. Kristen Setera, the public affairs adviser at the FBI’s Boston office, said she was unable to comment on the case.
MacStay said her biggest takeaway from the experience applies to any individual or organization hoping to prevent a fraud like this from happening.
“[T]he best cybersecurity software that money can buy still cannot prevent all fraud, but together with an informed and critical person you can keep yourself and your organization safe,” she said. “In our case, as with many others, the criminals were sophisticated and were able to get around our security software to gain access to an employee’s email account, but the fraud could have been prevented if our staff had paid closer attention to the red flags and followed to the letter the internal policies that were already in place.”
MacStay’s advice to everyone, not just government employees, is to take the time to examine email addresses “and make sure that you are actually communicating with the person you think you are, especially if the conversation has to do with access to your accounts or the transfer of money.”
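The “look really closely at the address” check described above can be made mechanical. The following Python example is added here and is not the town’s or any vendor’s code: it compares the sender domain of a payment-related message against a constructed allow-list of known counterparty domains and flags near-matches (digit-for-letter swaps, a different top-level domain, or a known domain embedded in a longer one) for out-of-band verification before any ACH change is acted on. All domains and addresses in it are constructed placeholders.

```python
"""Flag lookalike sender domains on payment-related email (added example)."""
from email.utils import parseaddr

# Constructed allow-list of domains the finance office legitimately exchanges
# payment instructions with. Placeholders, not real organisations.
KNOWN_DOMAINS = {"example-school.org", "example-builders.com"}


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common look-alike characters."""
    d = domain.lower().strip().rstrip(".")
    d = d.translate(str.maketrans("01", "ol"))      # examp1e -> example
    return d.replace("rn", "m").replace("vv", "w")  # rn -> m, vv -> w


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_part(domain: str) -> str:
    """Everything before the top-level domain, so .org vs .com is compared."""
    return domain.rsplit(".", 1)[0]


def classify_sender(header_from: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a From: header value.

    Anything other than 'known' should trigger a phone call to the counterparty
    on a number already on file before payment instructions are changed.
    """
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in KNOWN_DOMAINS:
        return "known"
    norm = normalize(domain)
    for known in KNOWN_DOMAINS:
        known_norm = normalize(known)
        if known_norm in norm:  # known domain buried inside a longer hostname
            return "lookalike"
        if edit_distance(name_part(norm), name_part(known_norm)) <= 2:
            return "lookalike"
    return "unknown"
```

A display name that matches a real contact but sits in front of an unknown address still comes back “unknown”, which is the case the town described and the one the callback is for.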
And protecting email accounts by using multi-factor authentication is key, MacStay said.
“Most banks have this security feature built into their websites and apps, which require you to log in with your email and password, and then require an additional verification that is unique to you, such as a code that can be sent to your cellphone or a key fob, thumb print, or face scan,” she said. “Having this extra layer of security makes it very difficult for a criminal to gain access to your account.”