Together with another resident, I have reviewed the public records pertaining to the wire fraud that happened in August and that unfortunately led to a loss of ~ $50k of the taxpayers’ money. Below are some details and a conclusion.
The fraudster sent emails that used the exact same email address as the Mayor, delivering them to the Town’s email system from outside. This is commonly known as email spoofing and is relatively simple to do. Normally, any reply to a spoofed email would go back to the Mayor’s proper address. In this case, however, the sender added another email trick: a separate reply-to address. A reply-to address that differs from the sender’s is a standard feature of email but is not commonly used. The reply-to address that showed up once you hit reply was an outlook.com address, a free consumer-grade email address that anybody can sign up for.
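A mail filter can catch the trick described above automatically. The following is an added example, not part of the original review: it flags any message whose From address claims one of the organization's own domains while its Reply-To points to a different domain. The domains `town.example`, `freemail.example` and the others, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; all domains are reserved .example stand-ins.
SPOOFED = (
    "From: Mayor <mayor@town.example>\n"
    "Reply-To: mayor.office@freemail.example\n"
    "To: clerk@town.example\n"
    "Subject: Wire transfer\n\n"
    "Please process a wire today.\n"
)
NORMAL = (
    "From: Mayor <mayor@town.example>\n"
    "To: clerk@town.example\n"
    "Subject: Agenda\n\n"
    "See attached.\n"
)
NEWSLETTER = (
    "From: News <news@vendor.example>\n"
    "Reply-To: support@helpdesk.example\n"
    "To: clerk@town.example\n"
    "Subject: Update\n\n"
    "Monthly update.\n"
)

def domain_of(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""

def reply_to_mismatch(raw, protected_domains):
    """List findings where From uses a protected domain but Reply-To does not match it."""
    msg = message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    findings = []
    for sender in from_addrs:
        sender_domain = domain_of(sender)
        if sender_domain not in protected_domains:
            continue  # only police mail that claims to come from our own domain
        for reply in reply_addrs:
            reply_domain = domain_of(reply)
            if reply_domain and reply_domain != sender_domain:
                findings.append(f"From {sender} but replies go to {reply}")
    return findings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("normal", NORMAL), ("newsletter", NEWSLETTER)):
        print(name, reply_to_mismatch(raw, {"town.example"}))
```

Restricting the check to protected From domains keeps ordinary outside mail, such as newsletters with a separate support address, from being flagged.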
The fraudster asked the Town to wire money to a different bank. From there, the money probably went through multiple additional wire transfers until it finally reached the fraudster.
- Fraudster sends “phishing” email impersonating the Mayor and asking for a wire transfer.
- Town personnel reply and ask what account to transfer money to.
- Fraudster copies and pastes the email from the Outlook server and replies again with an email impersonating the Mayor.
- Wire is sent out. Fraudster typically uses several layers of wire transfers to receive the money.
July 12th – Failed fraud attempt. This attempt was flagged by the Clerk/Treasurer and sent to the IT administrator. The Clerk/Treasurer notes that she is getting a suspicious reply-to email address when she hits reply.
Aug 16th – Successful attempt that resulted in ~ $14k being wired out of the Town’s account.
Aug 21st – Successful attempt that resulted in ~ $35k being wired out of the Town’s account.
Aug 22nd – Mayor discovers the fraud. Police and FBI informed.
Sept 1st – Yet another request for wire transfer received. This was flagged as fraud.
- This was a classic and common type of phishing email.
- Town’s email system lacked good spam/fraud protection. An email coming from Nigeria with this type of odd header should have been flagged and deleted by the system. As of 10/17/2017, the Town’s website indicates that they are upgrading their email system.
- Town’s email system does not use Sender Policy Framework and is therefore susceptible to spoofing. This is still the case as of 10/17/2017.
- The sender’s IP addresses can be traced back to Smile Telecom in Nigeria. This means that a system in Nigeria sent the fraudulent email that initiated the wire transfer.
- Sender knew names and short names of people working in the Town’s administration. This information was potentially harvested from the Town’s website. However, some of the names used were not mentioned on the town’s website at the time of the fraud. The harvesting must have taken place earlier in the year.
The chances that the perpetrator will be found are probably slim at this point. But not all hope is lost. There are avenues open that I know the Mayor is exploring to try to recoup some or all of the money. I’m happy to assist in any way I can. If I get elected to the Town council on November 7th, I believe that my background in IT, Networking and Security will be helpful to make sure the town has a modern IT infrastructure.