When Peterborough lost $2.3 million through an email scam, it joined a growing list of businesses and towns victimized by a prevalent but easily avoided type of fraud that can fall outside insurance coverage.
Officials from three other towns contacted by the Ledger-Transcript, one in Massachusetts, one in Florida and one in Colorado, said insurance has not reimbursed them for most of the losses they incurred in similar situations.
Across the country, swindlers are committing thousands of these crimes, which fall under the category of business email compromise.
The FBIโs 2020 Internet Crime Report said the agency received 19,369 such complaints last year with losses of over $1.8 billion. The report said complaints are growing and this type of fraud takes advantage of peopleโs accelerative use of and comfort with email.
In a typical version of this scam, a criminal posing as a known vendor sends a seemingly reasonable email asking for a change in the financial routing of an upcoming payment. Due diligence demands a simple phone call to the vendor to confirm the request, but if this is not done, millions of dollars in payments can be sent to whoever is running the fraud.
This played out in Peterborough with money that was supposed to go to the ConVal School District and to Beck and Belluci, a bridge contractor. Instead, the public funds went to those behind the fake emails, which Town Administrator Nicole MacStay described as โan incredibly good forgery job.โ
โThough it is now believed that no town staff were criminally involved in the transfers, the Finance Department staff who were directly targeted in this fraud are on leave until the U.S. Secret Serviceโs ongoing investigation has been concluded,โ she said in announcing the crime on Aug. 23.
MacStay also said town officials do not believe the funds can be recovered by reversing the transactions and do not know if the losses will be covered by insurance.
Peterborough is insured through Primex, the New Hampshire Public Risk Management Exchange.
Mike Ricker, general counsel for Primex, which provides insurance for municipalities across the state, said a thorough investigation of the incident is required before any decision is made on whether the loss is covered.
Ricker said he isnโt sure if the cyber policy Primex provides for municipalities across the state is conditioned on the policyholder maintaining certain performance or bookkeeping standards. He said he couldnโt discuss Peterboroughโs coverage.
Naples, Fla., lost about $700,000 two years ago in a fraud similar to the one in Peterborough, but found out it couldnโt collect from insurance because the policy had a condition requiring verification when the city receives a request to change the routing of a payment to a vendor.
โIt is a common condition under most cyber policies for public entities,โ said Lori McCullers, deputy human resources director and risk manager in Naples. โObviously, since that time we marketed our cyber liability insurance rather heavily to find more or better or different coverage and I know that it is a very common condition in most policies, if you can even find social engineering or spear phishing coverage.โ
Tricking someone to unknowingly assist in fraud is sometimes called social engineering. โSpear phishing,โ is a fraudulent email directed to a specific person.
McCullers said the $700,000 loss was absorbed in a city budget of more than $150 million, and no tax increase was required.
Also, there are limits to insurance coverage. Naples had $250,000 in coverage for this type of fraud, so an insurance payoff wouldnโt have covered the entire loss in any case.
MacStay, Peterboroughโs town administrator, said Friday she is still trying to learn about coverage conditions and loss limits in the townโs insurance policy as regards this type of incident.
Even in a worst-case scenario in which it couldnโt get insurance money, the town has $3 million in a fund balance that could potentially be applied to the loss, so there would be no need for a tax increase, MacStay said.
Payments have been sent to the bridge contract to make up for the misdirected money. A public hearing will be held to approve removal of money from the fund balance to pay for the school district.
She declined to say which members of the townโs finance department were placed on paid leave, or if more than one employee was involved in the transactions. She also said the town has a standing policy of requiring verification when a vendor changes payment information.
In Naples, the city employee at fault in failing to follow verification procedures was demoted and her salary was reduced. Those who perpetrated the crime were never caught.
The town of Erie, Colo., lost $1.01 million in a business email compromise scam in late 2019. Town spokeswoman Gabi Rae said the investigation continues and no insurance payment has been received. The fraud occurred after a town employee changed a vendorโs payment information based on a request that came in through the townโs website. The employee ended up resigning.
In Franklin, Mass., in late 2020, the town treasurer was suspended for a month and her compensation was reduced after a town payment of $522,000 was misdirected to a fraudster posing in an email as a vendor on a water treatment plant project. The town was able to recover $200,000 through insurance, or well less than half of the loss.
Town Administrator Jamie Hellen said that after this incident, the town has tried to get the word out about the need for diligence in acting on emailed requests.
โIf we really, truly donโt know something is coming to our inbox, an email, and we donโt know where itโs coming from, just delete it,โ he said. โIf the person wants to get in touch with you and you inadvertently delete something by mistake that was real but looks fake, theyโll get in touch with you.โ
Another step some municipalities have taken is to get more than one person to sign off on any changes for routing of payments.
What is notable about the fraud in Peterborough is that misdirected payments occurred more than once, said Lisa Thompson, an attorney who is chair of the New Hampshire Bar Association Intellectual Property Section.
One payment for the school district and two for the bridge contractor were misdirected.
โAny insurance company is going to try to find any way not to pay a claim,โ she said. โIf I have a fender bender, theyโre going to find a reason not to pay it, so you can bet that theyโre going to do the same thing here.
โThis is a very unique circumstance. I havenโt heard anything like this, particularly in New Hampshire, but also other states.
โMy first thought when I read about this was that this sounds like a training issue, that people arenโt getting adequate cyber-security training.โ