A well-heeled Seattle suburb town with a median household income of $203,393 fell prey to blatantly obvious phishing scam.
According to a report from the Seattle Times, Yarrow Point’s now-former fiscal coordinator (who had a personal driver) did not question emails from someone claiming to be the mayor asking him to wire thousands of dollars to a New York bank account.
Last August, Yarrow Point’s fiscal coordinator, John Joplin, reportedly received an email from “Mayor Richard Cahill,” using the email account firstname.lastname@example.org, asking if Joplin was at the office.
In a brief exchange, the scammer posing as the mayor asked Joplin to wire him $14,624 to a New York-based Bank of America account belonging to someone named Adebayo Mabel, the Seattle Times reports. Joplin followed the orders, even though he received two messages from Yarrow Point’s bank, Banner Bank, alerting him of a “forgot password attempt,” as well as an alert about “a wire transfer” being created, suggesting it could be due to “fraudulent activity,” documents show.
Joplin did not question the request, even though—as the real mayor, Richard Cahill, later told the Seattle Times—the town had never performed a wire transfer before.
A few days later, on the day of the total solar eclipse, Joplin received another email from the “mayor,” asking if Joplin was in the office that day.
“I am working at home today as my driver wanted to stay home for the eclipse,” Joplin responded, according to an email exchange obtained by the Seattle Times.
“I need you to handle a wire transfer for me today,” the “mayor” replied. “Can I send you the details now?”
The scammer posing as a mayor then asked Joplin to wire him $14,624 again. But this time the wiring instructions requested a different amount—$34,624. Joplin responded asking which was the correct amount, then later wired the higher payment.
The next day the emboldened scammer asked for $64,624, but by then Joplin had wised up to the scam.
But that wasn’t the end of the town’s cybersecurity problems. On October 18th, town employees lost access to certain files and systems when the city was targeted in a ransomware attack. The town paid the hackers $9,170 in bitcoin.
Yarrow Point then hired three cybersecurity agencies to help with the issue, collectively costing the town $46,972.21, according to the Seattle Times. The ransomeware payment was covered by the town’s insurance, but the $49,248 lost in the phishing scam was not.
The town finally alerted its residence on October 26th of a “cyber incident that made certain files and systems inaccessible.”
Months earlier, Yarrow Point clerk and treasurer Anastasiya Warhol had been sent similar phishing emails but was able to determine that the messages were illegitimate and shared them with the town’s IT company and Mayor Cahill.
The Yarrow Point municipality did not respond to a Gizmodo request for comment on the scams. Cahill told the Seattle Times he recently attended a security workshop and the town’s administrative office took a refresher course on best security practices. After working for the town for 12 years, Joplin is no longer employed by Yarrow Point.