How Email Spoofing Scams Work
In an email spoofing scam, the scammers send emails to the target organization that impersonate a legitimate contact, such as a vendor or business partner. The spoofed email incorporates domain names that closely resemble those of the organization being impersonated. The email message contains instructions for the recipient to send money via wire transfer to a new bank account. The email generally contains an attachment that lists the bank name, account number, and other transfer instructions.
Unlike less sophisticated email-based cyberattacks, the spoofed emails appear legitimate. The body of the email does not contain spelling or grammatical errors, and the perpetrators of the fraud generally use appropriate legal and financial terminology. Not surprisingly, they are frequently successful, particularly if members of the organization have not been trained to spot such attacks.
NJ Cyberattacks on Municipalities
According to the New Jersey League of Municipalities (NJSLOM), the scam targeting New Jersey municipalities uses email as a tool to commit fraudulent wire transfers. Through sophisticated email spoofing, the perpetrators send messages to municipal officials and financial institutions where municipalities have accounts. The fraudulent emails contain instructions to perform wire transfers and make it appear those instructions are coming from bona fide municipal managers or officials.
In the incidents reported to the NJSLOM, the bank manager and the municipal financial officer had procedures in place to deter the cyberattack. However, the scammers are likely to attempt additional attacks in the hope that other municipalities are not so prepared.
Steps to Avoid Falling Victim
Implementing comprehensive cybersecurity policies and procedures is the most effective way of deterring an attack. Below are a few specific tips:
- Install filtering tools that alert users to email messages that may be spoofed.
- Educate all employees who are authorized to send wire transfers regarding the scam.
- Require validation of all wires using two-factor authentication, such as verifying the transaction via phone.
For more information about municipal cybersecurity, we encourage you to contact a member of Scarinci Hollenbeck’s Government Law Group.