A recent report from The Seattle Times provides details on a series of social engineering and ransomware attacks successfully perpetrated on a Seattle suburb during the second half of 2017. The incidents of cyber scams demonstrate the pervasive nature of these financial crimes, the need for increased vigilance and the challenges that require policies and procedures designed to prevent financial harm.
The attack targeted Yarrow Point, a small town directly across Lake Washington from Seattle. It began with an early morning email to Yarrow Point’s then fiscal coordinator John Joplin, asking simply, “Are you at the office?” and signed “Mayor Richard Cahill.” Joplin’s reply led to a series of emails resulting in Joplin wiring $14,624 to a bank in New York the same morning. However, the emails were not from the mayor, but were a phishing attack. The transfer was authorized without any apparent suspicion. Even emails from the town’s bank alerting it to a “forgotten password attempt” and a later security alert from the bank advising of the wire transfer and providing contact information to report fraudulent activity failed to raise suspicions.
The scammers then struck again. Approximately one week later, the attackers, again posing as the mayor, sent a similar email asking Joplin if he was in the office that day. This email initiated another series of emails, this time resulting in a wire transfer of $34,624 to a bank account in Florida. The transfers were detected as fraudulent the next day, when Joplin copied the (real) mayor on an email containing instructions for a third attempt by the scammer on obtaining a wire transfer.
The ordeal of Yarrow Point is yet another example of the reality that all manner of groups and organizations can be the target of cybercrime. Here are some lessons to take away:
- Employees must be trained to be on the lookout for warning signs and abnormalities that provide clues that email correspondence is not genuine. The emails received by Joplin from the scammers were signed “Mayor Richard Cahill” but the mayor almost always went by his nickname “Dicker,” an anomaly which should have been an indicator to investigate whether the email was in fact from the mayor.
- Another hint that the email was not genuine was that Yarrow Point had never sent a wire transfer before. Employees should be trained to recognize that a request to do something unusual requires a pause before complying, particularly when involving the transfer of money or sensitive information.
- Similarly, all appropriately at-risk employees must be trained. A similar scam attempt directed to a different town employee had been attempted a few months before the successful attempt. That attempt was sniffed out as a scam and as a result the incident was discussed with the town’s staff as a training exercise. Joplin, however, was not part of that discussion because he was a contract employee with the town.
- Regular evaluation of the extent of an organization’s insurance coverage against cybercrime is as much a part of preparation as training and technical measures. Though a separate ransomware payment was covered by Yarrow Point’s insurance policy, the fraudulent wire transfers were excluded because they were initiated by a town employee.
- For smaller organizations which outsource much of the IT work, regular evaluations of the outside contractor’s capabilities is a must. Yarrow Point has changed some of its outside contracting, seemingly to beef up capabilities. It also was required to bring in new outside tech companies and law firm to address a later ransomware attack and other issues. Make sure your consultants and legal counsel are able to help prevent attacks and to assist in responding when one eventually occurs.
- Don’t ignore alerts from outside sources such as legal counsel, insurers, banks and other financial institutions. If Joplin had recognized the “forgotten password” emails from the town’s bank as initiated from outside the town staff and unauthorized, the entire attack could have been thwarted. These alerts are sent to warn and educate and should prevent tell-tale signs from being ignored without investigation.