Tewksbury loses $102,000 to phishing scam

TEWKSBURY — A phishing email spoofed to look like it came from a regular vendor cost the town six figures last month.

A town employee received an email in late December that appeared to be from a regular vendor requesting $102,000 via wire transfer for invoices authorized for payment, Town Manager Richard Montuori said in a statement Wednesday.

After the payment was made to a Wells Fargo bank account in late January, however, town officials realized the email was spoofed to appear to come from the vendor, and both the email and wire transfer were fraudulent.

“This is a very unfortunate incident, but we are certainly mindful that it could have been much worse,” Montuori said in the statement. “We have learned from this experience and are confident that our policy and procedure changes will leave us better prepared in the future.”

The town is working with its insurance carrier to recoup the lost funds. Tewksbury is covered for up to $100,000 with a $7,500 deductible, and so hopes to receive $92,500 via insurance.

Tewksbury pays several of its larger vendors via wire transfer, and began the practice during the early days of the COVID-19 pandemic to accommodate vendors who were working from home and could not easily receive checks via mail at their offices, Montuori said.

The town immediately contacted the police department and the FBI and began an investigation when the fraudulent payment was discovered. The vendor was also notified of the scam.

Montuori ordered a freeze on any new wire transfers in response to the incident, and the town will review all future wire transfer vendors on a case-by-case basis. Tewksbury has also implemented new wire transfer procedures including signature matching and “dummy” deposits to verify bank accounts with vendors. The Town Accountant and Treasurer’s Offices have also begun reviews of their protocols and controls around internal and external requests to address any other potential threats.

Tewksbury plans to have its audit firm review the incident and identify other potential enhancements to internal controls. Through a state grant, town staff are already engaged in cybersecurity training to help identify phishing attempts.

According to the FBI, phishing and email compromise cost businesses and government agencies billions of dollars annually.
