When Peterborough lost $2.3 million to an email scam, it joined a growing list of businesses and cities falling victim to a widespread but easily avoided type of fraud that may not be covered by insurance.
Officials in three other cities contacted by the Ledger-Transcript, one in Massachusetts, one in Florida and one in Colorado, said insurance had not reimbursed them for most of the losses suffered in similar situations.
Across the country, crooks are committing thousands of these crimes, which fall under the category of business email compromise.
The 2020 FBI Internet Crime Report says the agency received 19,369 such complaints last year with losses of more than $1.8 billion. The report says complaints are on the rise and that this type of fraud takes advantage of the speed and convenience of email.
In a typical version of this scam, a criminal posing as a known vendor sends a seemingly reasonable email requesting a change in the financial routing of an upcoming payment. Due diligence requires a simple phone call to the supplier to confirm the request, but if this is not done, millions of dollars in payments can be sent to the perpetrator.
It played out in Peterborough with money that was supposed to go to the ConVal school district and Beck and Belluci, a bridge contractor. Instead, public funds went to those behind the bogus emails, which city administrator Nicole MacStay described as “incredibly good counterfeit work.”
“Although it is now believed that no city staff was criminally involved in the transfers, finance ministry staff who were directly targeted in this fraud are on leave until the ongoing investigation by the US Secret Service is completed,” she said, announcing the crime on August 23.
MacStay also said city officials don’t believe the funds can be recovered by voiding transactions and aren’t sure if the losses will be covered by insurance.
Peterborough is insured by Primex, the New Hampshire Public Risk Management Exchange.
Mike Ricker, general counsel for Primex, which provides insurance to municipalities across the state, said a full investigation of the incident is needed before making a decision on whether the loss is covered.
Ricker said he was not sure whether the cyber policy Primex is offering to municipalities across the state is conditional on certain performance or accounting standards being maintained by the policyholder. He said he couldn’t discuss the Peterborough coverage.
Naples, Fla., lost about $700,000 two years ago in a fraud similar to Peterborough’s, but found it couldn’t collect the insurance because the policy had a condition requiring verification when the city receives a request to change the route of a payment to a seller.
“This is a common condition in most cyber policies for public entities,” said Lori McCullers, deputy director of human resources and risk manager in Naples. “Obviously since that time we’ve marketed our liability insurance quite heavily to find more or better or different coverage and I know this is a very common condition in most policies, if you can even find one: social engineering or spear phishing coverage.”
Tricking someone into unknowingly helping with a fraud is sometimes called social engineering. Spear phishing is a fraudulent e-mail addressed to a specific person.
McCullers said the $700,000 loss was absorbed into a city budget of more than $150 million and no tax increase was needed.
In addition, there are limits to insurance coverage. Naples had $250,000 in coverage for this type of fraud, so an insurance payout would not have covered the entire loss anyway.
MacStay, the city of Peterborough administrator, said on Friday she was still trying to find out about the coverage conditions and loss limits of the city’s insurance policy regarding this type of incident.
Even in the worst-case scenario where it couldn’t get insurance money, the city has a fund balance of $3 million that could potentially be applied against the loss, so it wouldn’t be necessary to raise taxes, MacStay said.
Payments were sent to the bridge contractor to make up for the misdirected money. A public hearing will be held to approve the withdrawal of money from the fund balance to pay the school district.
She declined to say which members of the city’s finance department had been put on paid leave, or if more than one employee was involved in the transactions. She also said the city has an ongoing policy of requiring verification when a vendor changes payment information.
In Naples, the city employee at fault for not having followed the verification procedures was demoted and her salary was reduced. Those who perpetrated the crime have never been arrested.
The town of Erie, Colorado, lost $1.01 million in a commercial email scam at the end of 2019. Town spokeswoman Gabi Rae said the investigation was continuing and no insurance payments had been received. The fraud occurred after a city employee changed a supplier’s payment information based on a request received through the city’s website. The employee ended up resigning.
In Franklin, Massachusetts, at the end of 2020, the city treasurer was suspended for a month and her pay was reduced after a municipal payment of $522,000 was misdirected to a fraudster posing as a vendor in an email from a water treatment plant project. The city was able to recover $200,000 from the insurance, well less than half of the loss.
City administrator Jamie Hellen said after this incident the city tried to publicize the need to be diligent in responding to requests sent by email.
“If we really don’t know that something is coming into our inbox, an email, and we don’t know where it came from, just delete it,” he said. “If the person wants to get in touch with you and you mistakenly delete something that was real but looks wrong, they will contact you.”
Another step that some municipalities have taken is to have more than one person approve any change in the routing of payments.
What’s remarkable about the Peterborough fraud is that misdirected payments happened more than once, said Lisa Thompson, lawyer and chair of the New Hampshire Bar Association’s intellectual property section.
One payment for the school district and two for the bridge contractor were misdirected.
“Any insurance company is going to try to find a way not to pay a claim,” she said. “If I have a fender bender, they’re going to find a reason not to pay for it, so you can bet they’re going to do the same here.”
“It’s a very special circumstance. I haven’t heard anything like it, especially in New Hampshire, but also in other states.
“My first thought when I read about this was that it sounds like a training problem, that people are not getting proper training in cybersecurity.”