Small cities targeted as cyber thief easy marks
A year ago, Clarendon Mayor Jim Stinson woke up one morning to the news that an anonymous criminal had swindled more than $92,000 from his city and did so from an out-of-state bank hundreds of miles away.
Clarendon has a population of about 1,450 people, so the theft left a gaping hole in its $5 million budget. Every one of the city’s departments felt the effects of it, Stinson said, and the U.S. Secret Service was called in
to investigate.
“It’s like someone slapped me in the face,” the mayor said. “It really knocked the wind out of me. … I wondered how were we going to recover from this.”
Federal investigators assigned to such cases are keeping busy because the cases keep piling up. Clarendon was one of 114 Arkansas municipalities targeted by cyberattacks during the past couple of years, according to the Arkansas Municipal League.
Recently, cyberattacks have affected city governments, large and small, all over the country, but criminals have begun narrowing their scope to municipalities with fewer resources and reinforcements, and cities that have a greater temptation to pay off the perpetrators, said Stephen Addison, the dean of science and math at the University of Central Arkansas and an expert on cybersecurity.
Addison said most of the criminals nationwide use ransomware, in which a government employee will click a seemingly innocuous link. Once it’s clicked, it exposes the user’s computer and whatever network it is linked with to a malware virus.
“Someone will get a message, a pop-up [window],” he said. “That means their system is hijacked.”
The hackers tell the victims that in order for them to regain access to their machines and network, they must deposit money to the hackers in the form of bitcoin, an untraceable cybercurrency. One bitcoin translates to nearly $9,800 in cash.
“What these [criminals] have learned is that small towns tend to have outdated systems,” Addison said. The cities “have hired people who learned on the job. They tend to have old equipment.”
One of the highest-profile cyberattacks on a major city was in March 2018. Hackers demanded $51,000 worth of bitcoin from Atlanta for the release of encrypted data. The city’s information management director asked the city the next year for $9.5 million to help pay for recovery costs from the attack, according to an article by Reuters.
Addison pointed out that bigger cities can absorb the exorbitant recovery costs, but smaller cities can’t. That’s why there are cases across the country in which the ransom is actually paid.
Ransomware attacks are the most common across the country, but another common method used by cyber scammers is check fraud. Criminals prey upon smaller cities by obtaining checking information online, often by seizing an electronic check. That is what happened to Clarendon. Once a check or money order is obtained, even if it is an electronic copy, it can easily be counterfeited.
“It is certainly a problem,” said Allen Bryant, the special agent in charge of the U.S. Secret Service office in Little Rock. “There are constant cyberattacks happening like that all across the country.”
Bryant said he couldn’t comment specifically on any open cases. Stinson said the check fraud investigation into his city was launched a year ago, and it is still being worked, as far as he knows.
“I have not heard anything yet about the investigation,” the mayor said.
Since early 2018, an additional 16 local-level government agencies in Arkansas also were targeted, raising the total number of municipal victims to 130. All but one got their money back because they were fully insured and they filed claims in a timely manner, according to the Arkansas Municipal League.
The one city that didn’t recoup what was lost was Clarendon. Stinson said that was because of lazy bookkeeping. The finances weren’t reviewed for November 2018 until three months later. Insurance protection lasts for only 30 days, so the clock had run out by the time city officials discovered the thefts, he said.
An unidentified woman routinely entered a bank in Alabama to cash three checks during the course of the day, Stinson said. The woman told the bank she was “doing processing” for Clarendon, which she said was located in Alabama.
There is no Clarendon in Alabama, but no one at the bank asked any questions, Stinson said.
To Stinson’s dismay, the woman waited five days for the checks to clear and returned to the same bank and cash more checks, he said. She continued the ruse for weeks.
The checks passed the eye test. They looked authentic. They even had the vice mayor’s signature, Stinson said.
A similar scam occurred in Glenwood, a city of 2,100 residents. That city lost about $18,000. Mayor B.T. Smith said signatures from his predecessor, who is now deceased, were found on the phony checks. They had been cashed at a credit union in Texas.
Like Clarendon, officials at Glenwood now make a point to look at every pending check every morning before the bank moves it through. Smith called it a “morning look” system.
“It’s very time consuming, but it is way cheaper than losing thousands of dollars,” he said.
Cindy Frizzell, director of finance for the Arkansas Municipal League, said she had never seen such widespread check fraud like what she has during the past two years.
She said her organization, which represents all 499 cities and towns in the state, also reported its findings to federal authorities.
“When we talked to our bank about it, they told us this was a common practice,” she said. “We just hadn’t seen it happen to so many municipalities. Now it’s happening all over the United States.”
Addison said the number of cybercrime attacks against municipalities increased by 60% in 2019 compared with the previous year.
“And that’s just the ones that were discovered,” he said.
Smith said the ramifications are more extensive than the loss of money, adding that it isn’t just the cities that are affected.
“When people are hit like that it trickles down,” Smith said. “They hurt our bank. Our bank is made up of good folks. It’s a dirty trick. It always costs somebody in the end.”
A similar scam occurred in Glenwood, a city of 2,100 residents. That city lost about $18,000.