
Cyberattacks Continue to Plague Unsuspecting Organizations


November 15, 2024 | Makenzie Kellar

Despite the fact that cyber-crimes and data breaches are becoming more and more common, it’s all too easy to become complacent when it comes to security and training. After all, why would a fraudster care about a special district or public entity when they could go after far more lucrative victims like large corporations or banks? This reasoning, while comforting, is flawed. Cybercriminals can and will go after anyone and will sometimes specifically target public entities because of the essential roles they play in their communities.

The story that follows is a true account of one special district’s near-brush with disaster. For the sake of privacy, none of the involved parties have been named. The purpose of this article is to use their experience as a case study so that others can understand what they did right, what they could have done better, and how to prepare for incidents like this one.

The Attack

It all started when a special district employee had their email address compromised through a network breach. The hacker behind the breach then began monitoring emails that came through for this employee, paying special attention to those which contained invoices or mentioned payments the district was supposed to make. Armed with this knowledge, the hacker sent an email to the district posing as one of the district’s contractors and claiming they had not yet received payment for their services. The employee responded that “the check is in the mail” and to contact them if it didn’t come through in the next week.

The next week, the hacker emailed the district again to say the check didn’t arrive. They lied to the district employee by “explaining” their business has had some issues with checks being lost in the mail and it would be easiest to cancel the last check and just wire them the money directly. The hacker then sent instructions to the district on how to wire the money to them. These instructions had been edited to include the letterhead of a reputable bank. At this point, the correspondence was passed over to the special district’s manager who approved the wire transfer.

However, the culprit emailed them again to let them know the wire was returned and gave the manager a different bank account to send the money to, one which did not match the initial approval. This tipped off the district manager that something wasn’t right. The manager took matters into their own hands and reported the issue, at which point the district learned about the network breach and took steps to ensure that the money remained in their account.

What They Did Right

Thanks to the diligence of this special district’s manager, the organization did not end up losing the money that would have been paid out as part of this scam. Even with mundane transactions, it’s important to thoroughly vet all documents and communication to be sure everything is legitimate. If there are reasons to be suspicious, immediately pause any dealings with the person on the other end of the screen, and report what happened to the proper authorities.

Taking Action Sooner

Although this is a success story, there were a few steps that could have been taken that might have put a stop to the fraudulent transaction sooner. The district could have checked in with the real contractor over the phone during this process. The contractor would have been able to clarify that they had not reached out to the district about the check, and the district would then have known the person behind the emails was lying. The district could have also established a more thorough vetting system to try to catch forged and falsified documents (like the wire instructions the scammer added bank letterhead information to) before they are approved and processed.

That being said, the solutions listed above are by no means foolproof. Not every transaction requires extra phone calls, and—even with the most stringent vetting procedures—something is bound to slip through the cracks. In this case, the hacker posed as a contractor the district knew and trusted. It’s hardly surprising that the first employee to get those emails took them at their word. This is why the best way to deal with cybersecurity breaches is to prevent them from ever happening.

What Should You Do?

The CSD Pool provides a variety of tools for members looking to improve their cybersecurity. The eRisk Hub contains best practices information, ransomware and phishing training for staff, and access to cyber breach lawyers. If the worst does happen, the site also includes an incident road map. Members get access to all this and more entirely for free as part of their Pool membership.

It’s also a best practice to schedule regular trainings with your employees to make sure that everyone learns what to look out for. Vector Solutions offers free courses to our members, such as Computer Security Awareness, but any good quality training will help stop incidents like this from occurring.

Although this case study outlines an incident that would have been covered under the district’s crime policy, the fact that there was a security breach where emails were being monitored sets up a situation where cybercriminals could commandeer digital operations of critical IT systems. If this had been the case, the potential for triggering a district’s Cyber coverage would have increased.

If you want an approach that analyzes your district’s cybersecurity and IT systems, we can arrange for a cyber assessment from NetDiligence. These assessments can help your district identify gaps in cybersecurity and provide advice on how to close them. While this is not a free service, the CSD Pool offers scholarships to interested members and a higher sublimit for districts that complete the Health Check Assessment among other requirements. For members who complete an assessment with a passing score, higher limits are available up to $3M.

Finally, if all else fails and your district’s cybersecurity is somehow compromised, remember to report this incident to the CSD Pool as soon as possible so our team can guide you along the next steps. The longer a problem goes unreported, the more damage a cybercriminal can do.

Don’t wait until there’s been a breach to start thinking about cybersecurity. Start taking steps now to ensure that your district stays safe now and in the future. To learn more about any of the services mentioned above, or to chat with an underwriter about your Crime or Cyber coverage, email info@csdpool.org.
