Seven Phishing Attacks that Targeted State and Local Governments

city hall sign on building

I recently wrote about how bad actors have stepped up their use of email to target U.S. schools and colleges. Unfortunately, education isn’t the only sector that’s recently seen a surge in email-based attacks. Small governments have also encountered their fair share of incidents. Indeed, National Association of State Chief Information Officers (NASCIO) Executive Director Doug Robinson told CRN how state and local governments have experienced a “fivefold increase in phishing attacks in the last three years.” These campaigns have employed various lures and techniques to steal sensitive data or funding from these government entities.

Phishing attacks targeting state and local governments have been particularly prolific in the first three quarters of 2019. Here are seven incidents that made headlines during that time.

1. Ottawa, Ontario, Canada

In April 2019, KnowBe4 reported on an incident in which Marian Simulik, the treasurer for the City of Ottawa in Ontario, Canada, received an email from someone posing as the city manager back in July 2018. The fraudster instructed Simulik to wire money to a supplier in the United States. At the time, the City’s website was undergoing an overhaul, so the treasurer figured that the request was related to this ongoing project. After researching the supplier and conversing with someone whom she thought was the city manager via email, she sent over $128,000 to a bank account in the United States. It wasn’t long thereafter that Simulik received another money request from the scammer. This time, she asked the city manager in person; they said they knew nothing of either money request. The treasurer then realized she had fallen for a scam.

2. Chicago, Illinois

CBS Local reported that the City of Chicago’s Department of Aviation received what appeared to be an email from Skyline Management, a City-approved vendor, back in January 2019. According to City documents, Chicago had paid this company $284,628,921.17 as of April 2019 for custodial services performed at Midway International Airport and O’Hare International Airport since 2008. It therefore wasn’t surprising for the Department of Aviation to hear from what they thought was Skyline. In the email, the fraudsters instructed City officials to change the receiving bank account from one at U.S. Bank to Wells Fargo Bank. The Department complied and sent over $1,150,759.82 for Skyline’s services. But several weeks later, Skyline contacted the Department and reported that it had not received payment for its services. That’s when the Department knew it had fallen for a scam. Fortunately, it was able to recover the funds and pay Skyline after Wells Fargo Bank put a hold on the scammer’s account.

3. Burlington, Ontario, Canada

In a press release issued by the City of Burlington, officials explained that City staff members had received a “complex phishing email” purporting to come from an established city vendor. The email leveraged falsified documents that had a “level of sophistication not typically seen” to trick recipients into believing that the vendor needed to change its banking information. As reported by CBC, City personnel ultimately transferred $503,000 to the falsified bank account on 16 May. City officials realized their mistake a week later, at which point they notified their bank and Halton Regional Police. They also implemented additional security measures to help protect against similar attacks in the future.

4. Riviera Beach, Florida

On 29 May, digital criminals infected the computer systems of Riviera Beach, Florida with ransomware after someone in the Police Department opened a malicious email. The City of 35,000 responded by taking all of its operations offline while its IT team worked to investigate the attack. This decision prevented 911 dispatchers from entering calls into emergency computer systems, and it also forced officials to pay City employees using handwritten checks. Ultimately, Riviera Beach listened to the advice of external security consultants and decided to meet the attackers’ demands of 65 Bitcoin (then worth more than $600,000), reported Naked Security.

5. Arlington County, Virginia

The Government of Arlington County disclosed a security incident in which fraudsters targeted its employees with phishing emails. Per the reporting of, bad actors used those phishing emails to infiltrate the Government’s payroll system. Arlington County officials revealed that the incident neither lasted long nor affected too many employees. They also clarified that the security event had not compromised any resident data. Even so, the Government identify all affected individuals, notified them and provided recommendations on how they could secure their personal data. It took the additional step of implementing security measures designed to safeguard its email and other critical computing systems against phishing attacks and other digital threats.

6. Collier County, Florida

In mid-August, news emerged about how fraudsters had targeted Collier County in Florida with a business email compromise (BEC) scam back in December 2018. Fraudsters crafted an email to make it look like it originated from Quality Enterprises USA, Inc., a contractor which had performed work for the County in the past. This email instructed Collier County to transfer funds to a new bank account supposedly maintained by Quality Enterprises. County officials responded by wiring $184,000 over to the bank account. Naple News reported that it didn’t take the County long to figure out what had happened; fortunately, the County was able to recover those funds with the help of its insurance carriers, and it was able to pay Quality Enterprises for its work.

7. City and Borough of Juneau, Alaska

Collier County wasn’t the only small government entity targeted by BEC scammers in December 2018. At that time, an individual reached out to the government for the City and Borough of Juneau (CBJ), Alaska. They said that they were associated with SECON Construction, an approved CBJ contractor. Several months later, the individual sent over a voided check and updated W-9 form so that CBJ could update the bank account number assigned to SECON Construction. CBJ validated the account by successfully sending over a zero-dollar transaction test; in the meantime, SECON Construction continued to perform construction services. In April 2019, CBJ sent $329,630.21 over to SECON Construction as payment for its work, but in May, SECON Construction reached out and said it had never received compensation for its services. That’s when CBJ contacted the Juneau Police Department, the FBI and its bank. CBJ received $250,000 in reimbursement from its insurer while the FBI continued with its investigation.

How Small Governments Can Protect Themselves

The security incidents discussed above highlight how fraudsters are more than willing to go after small government entities. In response, these government bodies need to make sure they have robust measures in place that can help secure their email. One of the easiest ways they can do this is by investing in a solution that analyzes incoming email for malicious campaign patterns, suspicious URLs, known malware signatures, behavior indicative of zero-day threats and other tell-tale indicators. This solution should operate in real-time so that it can block potentially malicious email while allowing legitimate messages to get through.

Learn how ZixProtect can help your small government stay safe from phishers.