Sunday, June 16, 2024

A graph provided by Cambridge city government shows the number of suspect emails received recently by the city by date.

The Cambridge Housing Authority was the victim of a “phishing” attack in which the agency wired more than $7,000 to an imposter in response to a fake email requesting payment of a bill, the head of the agency disclosed Wednesday.

The authority isn’t alone in being the target of cyberattacks. City government gets an average 15,000 suspect emails a day that include ransomware, phishing and other malware – roughly one-third the total messages sent to departments aside from schools and public safety, spokesman Lee Gianetti said Monday. He implied some phishing attempts are successful, but didn’t say how many or disclose the results.

Phishing is sending a fake email that looks like it came from a legitimate source. Ransomware is a form of malicious software, or malware, that can hold a computer user’s files hostage until a ransom is paid.

Phishing “is one of the most time-consuming challenges we face today,” Gianetti said. The city uses a protective program that “helps reduce the number of successful [phishing] attempts; however, it is far from perfect and incorrectly classifies many messages.”

“Everything was correct”

At the housing authority, Executive Director Michael Johnston told its commissioners that the fake email that arrived in early February reproduced a genuine bill with amazing verisimilitude. “I have to say that if I had received an email like that I wouldn’t have known the difference,” Johnston said. “Everything was correct except for one letter in the company name.” In response, the person who got the bill at the agency asked an employee in the fiscal department to pay it, and the employee wired $7,824.

The Cambridge Police Department is investigating; officials have little hope that the money will be recovered, police spokesman Jeremy Warnick said.

Johnston declined to identify anyone involved, and said investigators suspect that a hacker or hackers breached the company’s system to enable them to create the fake email. The bill was overdue and the agency previously had wired money on occasion to pay a bill “in instances where a payment was needed quickly.”

The agency has changed its procedures to require two people to approve wire payments, he said.

Prime targets

Security experts have said government agencies are prime targets for Internet scams such as phishing, in which an email appears to be from a source known and trusted by the target. Attackers may seek money, such as what happened to the housing authority, or they may insert a link in the message that contains malicious code that executes when the target clicks on the link, enabling the hacker to penetrate the victim’s system.

The city of Atlanta was recently hobbled by a “ransomware” attack in which hackers disabled many services and demanded money to restore them. In that case, security experts suspect that the attackers took advantage of vulnerabilities in the city’s online systems, not a credulous employee clicking a link in a phished email.

Cambridge’s Information Technology Department uses “multiple levels of defenses” to protect its critical technology, Gianetti said, “including firewalls, intrusion detection, intrusion protection, Web filters, anti-bot and anti-virus applications.” The city is also looking for outside security companies that could help reduce phishing attempts, he said.

“We do understand there is no solution that will 100 percent successfully block everything, but we are constantly researching new tools and ideas to remediate low-level threats and prioritize investigation of critical threats that require human judgment,” he said. The city has stepped up efforts to train employees to recognize fake messages, he said.

Taken in Kendall Square

Private companies in Cambridge have also fallen victim to phishing, Warnick said.

One Kendall Square firm lost more than $1.5 million in an elaborate Internet scheme in 2016. According to the police report provided by Warnick, in September 2016 a “computer-savvy thief had gained access to the email account of the company’s controller.”

The suspect or suspects began sending messages from the controller’s email account to other firms that owed money to the Kendall Square company and affiliates, asking that payments be transferred to “new bank accounts” that had been set up to accomplish the scheme, the police report said. In three transactions in September and October 2016, the unsuspecting companies transferred a total of $1,565,858.87 into the bank accounts.

The scheme unraveled when it was discovered in late October 2016 that “someone had hacked into” the company’s system “and had been monitoring their business/accounts for at least 30 days previous to ‘stealing’ their funds,” the police report said.

The report didn’t say whether the company and its affiliates had recovered money. Warnick said no one has been prosecuted.

Attempts at training

At the housing authority, officials have tightened payment systems and have trained all employees in detecting “phishing” emails, Johnston said. Consultants are also testing workers by sending them messages once a month both genuine and fake, he said.

The results so far have confirmed what many experts say: It’s difficult to resist the lure of opening a message or clicking on a link. On the first test, 16 out of the more than 200 employees at the agency took the bait of a phishing message, Johnston said.

“It really makes me nervous,” he said. “You have to take the time to hover the mouse over the link and see where it’s going.”

That’s one recommendation from computer security experts. The Federal Trade Commission offers that and other tips on its website here.