Monadnock Ledger-Transcript – Cybersecurity in Peterborough, a year after the scam

Exactly how cybercriminals were able to break into a staff member’s email account and eventually bilk the Town of Peterborough out of $2.3 million last summer, forcing the use of unrestricted fund balance to fill the gap, remains unclear.

What is clear, according to Peterborough Town Administrator Nicole MacStay, is that the crime could have been prevented had a few procedures and preventative measures been followed.

The type of crime that was committed in Peterborough and the way the criminals gained access are not uncommon, according to cybersecurity experts. What was uncommon in this case was the sum of money stolen and the repeated transfers of money.

The crime began during the winter and spring of 2021, when overseas criminals were able to access the email credentials of a staff member working for the town in the Finance Department. This allowed them to gain access to that person’s email account where they could watch emails and wait for a time to strike.

“We’re not exactly sure what happened. What we do know is that there was one attempt to use those credentials and that their first attempt was successful,” MacStay said, referring to the phishing scam the criminals used to access Finance Department staff’s email credentials. “They had the user name and the password by April 2021. That’s when we know someone from overseas logged in and was able to gain immediate access.”

From there, the criminals began a process of waiting and watching, and ultimately falsifying Automated Clearing House (ACH) documents that were used to transfer money between the Town of Peterborough and the ConVal School District, as well as the construction company Beck and Bellucci. 

The type of breach that took place in Peterborough is known as a business email compromise, said attorney Ande Smith of Deer Brook Consulting, who explained the first step is gaining access to an employee’s email account. He explained that this can happen when criminals mine dark web stores for stolen passwords. 

“The most-common way this happens, unfortunately, is that people will find people’s passwords on dark web password stores. They will look up you or me and then try these credentials out on systems using different passwords they’ve found,” Smith said, explaining that criminals will learn what a staff person does and then monitor big transactions to find out where the money is being wired. “Often, they derive the critical information from those dark webs because people recycle passwords. I don’t know if that’s the case [in Peterborough]. If their email system was internal, it’s possible they hacked the system and gathered credentials inside with Microsoft 365 or Gmail. But usually it’s a password-guessing exercise.”

The timeline

On July 26, 2021, Peterborough officials knew something was wrong after receiving word from ConVal that their regular $1.2 million monthly payment hadn’t arrived. The town immediately launched an investigation by alerting the U.S. Secret Service, cybersecurity consulting firm ATOM group and NH Primex, the town’s insurer, but by then the money had been stolen. 

About a month later, on Aug. 18, the initial investigation was still ongoing when town Finance Department staff discovered that two more large transfers, both intended for Main Street Bridge project contractors Beck & Bellucci, had been diverted in a similar manner. Peterborough was ultimately defrauded on three payments — one intended for ConVal on July 23 and two intended for Beck & Bellucci, one on July 9 and the other on Aug. 13.

“They had been paying attention to who the players were and they inserted themselves into the conversations of those groups,” said MacStay, who had been the town’s finance director for eight months at the time the crimes took place. “[The criminals] copied the signatures. Even though their email addresses were a little bit different, you have to look really closely in a couple of cases to see the differences. They were very clever and they manipulated the process and were able to divert those funds.”

ACH forms sent via email and not notarized 

The diversion MacStay is referring to involves Automated Clearing House (ACH) transfers that require a notarized form before a transaction can take place. 

Where “things really went wrong,” MacStay said, was with the forms used to complete the ACH transfers between the town, the school district and Beck & Bellucci.

“Not only were [staff] not paying close enough attention to the emails to make sure they were absolutely correct, they also weren’t paying close enough attention to the [ACH] forms,” MacStay said, explaining that ACH transaction forms require a notarized signature. “You can receive a copy of a notarized form via email, but the form itself has a stamp and signatures on it. [Staff] accepted forms via email that were not notarized and they acted on those forms.” 

MacStay said this isn’t surprising because of the increase in business transactions being done via email during the pandemic. But she said notarization never changes and that it was the town’s policy at the time.

“There’s only one way to get a notarized form, and that’s with a notary right in front of you stamping that form,” she said. “And that was at the last point the scam could have been stopped. It was a misunderstanding of what notarization meant. It was a failure of training really.”

Peterborough’s use of unrestricted fund balance  

MacStay said there was no direct impact on taxes as a result of the theft, but that the use of money from the unrestricted fund balance meant the town’s Select Board did not have the option to use those funds as an offsetting revenue in the fiscal 2022 budget, which would have lowered the tax rate. 

When asked if she could say how much the tax rate would have been reduced if the fund balance had not been needed, MacStay stated, “I cannot, because the Select Board never deliberated on that question. By the time we got to setting the tax rate in October, the funds from the UFB were already appropriated to cover the fraud losses.”

The town’s unrestricted fund balance on July 1, 2021, was slightly more than $3 million, and following a public hearing in September 2021, the town was allowed to use $1,753,479 million to make up for the funds that were stolen.

MacStay said the town’s directors were able to find ways to avoid spending over $1 million across the town’s entire fiscal 2022 budget, adding that the credit for this is owed directly to the chiefs and directors “who worked so diligently to keep their department’s spending under tight control through the year.”

“With the addition of unanticipated revenues, and the savings in the fiber expansion project, the town’s (unrestricted fund balance) only dropped by $111,179 from July 1, 2021. The projected starting unrestricted fund balance on July 1, 2022, is $2,937,482 million,” MacStay said.

Security measures taken

Since the theft last summer, Peterborough has taken measures to ensure it can avoid similar scams in the future. 

The town has implemented multi-factor authentication – an electronic authentication method in which a user is granted access to a website or email application only after successfully presenting two or more pieces of evidence to ensure a user’s identity – for all Finance Department staff and department directors. 

Mike Ricker, general counsel for New Hampshire Public Risk Management Exchange (Primex), which represents nearly all New Hampshire towns and cities with property and liability issues, said cyber crimes have increased across the state over the past several years. He said his organization wasn’t able to disclose information about its handling of the Peterborough cyber claim because of a state confidentiality statute, but he did say because of the increased threat, Primex continues to make cyber coverage available to their members. 

“We also provide them access to cyber loss prevention training, consulting and other resources,” he said.  “Cyber threats have become a major risk management concern for both the public and private sectors.”

One of the simple ways to avoid business email compromises, cybersecurity experts agree, is installing multi-factor authentication. 

Jason Sgro, senior partner and head of cybersecurity at the ATOM Group, which the Town of Peterborough has been working with to improve its privacy functions, said the vast majority of the 550 entities it represents in New Hampshire are municipalities and that cyber crime is on the rise. 

One of the systemic problems across the state, Sgro said, is that municipalities fail to use multi-factor authentication, and there is no way to get statewide statistics on how many municipalities are hit with cyber crimes because people seldom report incidents. Even if they did, this wouldn’t solve the problem, Sgro said, referring to House Bill 1277, which goes into effect this month and requires towns and cities to report all occurrences of cybersecurity attacks to the state Department of Information Technology as soon as they occur.

“I do not believe the legislation that passed will have a serious impact on cyber crime. I expect our clients will participate, but a lot of this is governed between breach counsel privacy attorneys and victims. [N]otification to a state body, as required by statute…I don’t know if that will materially help in terms of preparing our understanding the size of these crimes,” Sgro said, adding that municipal governments and public entities in New Hampshire have become soft targets because many have not made significant investments in cybersecurity, not because they haven’t been required to report incidents. “We know cyber crime is a huge problem. Knowing how much crime is not really the solution. The problem is that we don’t have a lot of cyberprofessionals dealing with cyber…
