Cyber scammers took the town of Peterborough for $2.3 million earlier this year and drove its financial director Leo Smith into retirement.
Around the same time, the city of Nashua was scammed out of $41,000 in payments to a vendor it sent to criminals instead.
Call it hacking, phishing, or just plain fraud and theft — cybercrime cost Americans an estimated $4 billion last year according to the FBI. Here in New Hampshire, it cost $2,456 per victim, and the average business loss is more than $23,000. In total, according to the FBI, New Hampshire individuals and businesses lost $4.9 million in 2020.
The national surge of cybercrime — up an estimated 800 percent over the past decade and often targeting small businesses — was the topic of a roundtable Thursday hosted by InsideSources and the group United to Safeguard America from Illegal Trade (USA-IT). Its spokesman, Matt Albence, said cybercriminals are part of networks connected to drug cartels, human trafficking rings, and terror cells all over the world.
“A lot of this money is going to support these transnational criminal organizations,” Albence said. “It’s not a victimless crime.”
Albence is the former acting director of U.S. Immigration and Customs Enforcement (ICE). He points out the black-market trade in goods and online scams is often linked to international crime and terror.
Peterborough lost millions over the summer to scammers who reportedly took months to spoof legitimate email addresses in order to steal money earmarked for the construction firm rebuilding the Main Street bridge, and more than $1 million in payments for the ConVal School District. Leo Smith, the town’s long-time finance director, resigned in the wake of the thefts.
Bill Schenkelberg, with Red Sky Alliance, said municipal employees and others who are handling large, automatic payments, as was the case in Peterborough, need to take a harder look at their procedures and ask better questions when something seems off.
“You need to scrutinize every single payment,” Schenkelberg said. “There is no harm in getting on the phone and talking to people.”
Albence was more direct, saying employees not knowing what they are doing and not taking basic precautions, are a big part of the problem.
“People click on things coming in that they don’t know what it is,” he said. “It’s laziness. You have to teach employees to be vigilant.”
In the case of Nashua, a criminal managed to spoof an actual email address for an actual vendor. Nashua reached a settlement to get its money back, though Peterborough is out $1.8 million, after recovering about $500,000.
One area of concern that has been raised is town elections. While having each town run its own elections makes it harder to pull off the sort of “Stop The Steal” scheme former President Donald Trump continues to insist (without evidence) made Joe Biden president, it makes it easier for hackers to hit individual computer systems with relatively little protection, particularly in smaller municipalities with fewer resources. Nobody is suggesting voting machines are vulnerable, but an attack on voting records on the eve of an election, for example, could create chaos.
FBI reporting indicates the vast number of cybercrime victims never come forward, and the scale of the crimes could be far greater. Jason Golden, a partner at Manchester cybersecurity firm Mainstay Technologies, told the Concord Monitor ransomware that while attacks on businesses occur daily in New Hampshire, but most companies do not report them.
A variety of crimes are conducted online, from selling counterfeit goods to using websites to phish for credit card numbers, Social Security numbers, and other forms of identification that can be stolen and used.
Albence said the criminals are adept at using the news to find new victims. During the early days of the COVID-19 pandemic, cyber scammers sold counterfeit personal protective equipment to first responders and hospitals. That left front-line workers using less than effective gear.
“They don’t care about you or me,” Albence said of the criminals.
Criminals will also use the websites where they sell fake goods to steal identities.
“People are victimized twice,” he said.
Bringing in consultants who understand the risks, working with insurance companies, and working with law enforcement before there is a problem are all ways to reduce risk and reduce potential losses, Albence said.