A fourth Florida municipality since June has acknowledged it has been cyber-scammed but, unlike the three other cases, this time the theft did not include a data breach, “ransomware” or Bitcoin.
Officials in Naples, a city of about 22,000 in Collier County, say they lost $700,000 in a “sophisticated” scam involving a “spear-phishing” email that submitted an invoice that was subsequently paid, the Naples Daily News reported Monday.
The money was paid to a fake bank account that the “phisher” provided while posing as a representative from the Wright Construction Group, which was doing infrastructure work on Eighth Street South in downtown Naples, according to a news release.
"The city’s data systems are safe and secure," City Manager Charles Chapman said in a statement. "This attack was not malware or ransomware [and] no data breach occurred. The city has and will continue to make improvements to our information technology systems.”
The city did not say exactly when the scam occurred, noting the incident is still under investigation. It has since paid Wright Construction and filed a claim with its insurance carriers and banking institutions, the news release said.
“We take cyber security very seriously,” Chapman said. “We actively train our employees to identify cyber security threats. In today’s business environment, it is not a matter of if you are going to be attacked, it’s a matter of when are you going to be attacked. Despite our best preventative measures, the City of Naples is now a victim of a cyber-crime.”
City Spokesman David Fralick told the Naples Daily News that the city plans to hold a press conference with more details about the attack within a week, possibly by Tuesday.
Naples is not the only Collier County government to fall for a spear-phishing scam.
The Collier Mosquito Control District was also the victim of an insurance scam last summer that resulted in the loss of almost $100,000, according to the Naples Daily News.
The phishing tactic was similar in that the district’s director of administration received an email that claimed it was short $12,000 for its June health insurance bill. The email instructed the administrator to send the money to a different bank account than usual.
After consulting others, the district sent the payment and then sent an $85,000 check in July to the same account, only to learn from its actual insurers that it had not received its July payment.
Phishing is an email targeted at a specific individual or department within an organization, business or government agency that appears to be from a trusted address. Spear-phishing differs in being more targeted to a specific person within an organization and more personalized.
The Naples spear-phishing scam is at least the fourth cyber-attack against a Florida municipal government since June.
The three others, however, involved the opening of an email that then spread a virus that encrypts software and locks it away from its owners unless they pay a “ransom” for a key to release the hold.
Lake City, a city of about 13,000 residents 65 miles west of Jacksonville; Riviera Beach, a city of 35,000 in Palm Beach County; and the village of Key Biscayne, an affluent community of 13,000 east of Miami, have all reported being victimized by malware/ransomware attacks.
The Lake City City Council agreed to pay 42 Bitcoin – about $460,000 to $480,000 – to end a cyber-attack that began June 10 and disabled the city’s email, online utility payment programs and even its phone system.
On June 5, the Riviera Beach City Council paid 65 Bitcoins – approximately $600,000 – to regain access to its computer systems, which in May were encrypted, forcing city police and fire departments to hand-write on paper hundreds of daily 911 calls.
The village of Key Biscayne confirmed to the Miami Herald that it had suffered a cyberattack on June 23, but has not divulged many details since.
Insurance provided through the Florida League of Cities will cover the bulk of the ransom paid by Lake City and Riviera Beach. Lake City paid a $10,000 deductible and Riviera Beach directly paid $25,000 as its deductible.
According to the FBI, there were 1,493 ransomware attacks reported in 2018 with victims – including individuals – paying $3.6 million to hackers.
A study by cybersecurity firm Recorded Future found at least 170 county, city or state government systems have been attacked since 2013, including at least 45 police and sheriff's offices.
But those numbers – like the amounts of the ransoms – are increasing dramatically this year, the FBI reports, including more than 200 ransomware attacks against Atlanta and Newark, N.J., which have shelled out more than $6 million in payments and incurred $30 million in damage to computer systems.