Tewksbury Loses $102K To Phishing Attack

TEWKSBURY, MA — Tewksbury lost $102,000 to a phishing attack in January, Town Manager Richard Montuori said Wednesday.

The town hopes to recoup $92,500 through insurance — it has $100,000 in coverage with a $7,500 deductible, the town said.

"This is a very unfortunate incident, but we are certainly mindful that it could have been much worse," Montuori said. "We have learned from this experience and are confident that our policy and procedure changes will leave us better prepared in the future."

In late December, a town employee received an email seemingly from a regular vendor which requested payment via wire transfer. The town pays several of its larger vendors via wire transfer, according to the town manager's news release.

The email turned out to be a spoof, and when the payment was made in late January, town officials discovered the email and wire request were fraudulent, "part of a pervasive multinational spree of email phishing attempts that have been on the rise in recent years."

"The town immediately initiated an investigation, notified the vendor of the scam, contacted the Tewksbury Police Department, and notified the FBI of the fraud," Montuori said.

The town manager ordered a freeze on new wire transfers and the town will review all future wire transfer vendors on a case-by-case basis, according to the news release. Most of the town's wire transfer accounts were set up during the early days of COVID-19 "to accommodate vendors who were working from home and could not conveniently receive checks via mail at their offices."

Other measures include:

• "The Town of Tewksbury also has implemented new wire transfer procedures that, among other requirements, implements signature matching procedures and "dummy" deposits to verify bank accounts with vendors.
• The Town Accountant’s Office and Treasurer’s Office also have begun reviews of their departments' protocols and controls around any requests that originate internally and externally to proactively address any other potential threats.
• The Town of Tewksbury also will have its audit firm, which has expertise in fraudulent attacks, review the incident, and examine the attack and transfer procedures for further potential enhancements to internal controls. These types of phishing attempts are always evolving and improving the Town’s cybersecurity posture through training is critical. The Town is currently engaged in staff training that is designed to help identify phishing attempts, through a state-sponsored grant."