Arlington, Massachusetts, recently revealed it had lost nearly $446,000 in a business email compromise (BEC) scam over several months. The cybercriminals compromised employee email accounts, monitored inboxes, and impersonated a vendor to redirect payments. The fraudulent activity remained undetected until the vendor reported nonpayment in February, leading to an investigation that uncovered multiple fraud attempts.
The town took immediate action by disconnecting from the network, changing passwords, and enabling multifactor authentication for key personnel. Arlington also engaged a third-party auditor to tighten internal controls and reconfigured its email security settings to counter rising phishing attempts. The town is seeking state funds for mandatory cybersecurity training and plans to deploy multifactor authentication across all staff accounts.
Arlington’s financial institution recovered only about $3,000 of the stolen funds. The town’s insurance coverage is still pending, and the financial loss is manageable within the budget of the high school rebuilding project the vendor was involved in. No sensitive town or resident data was compromised during the attack.
To bolster its defenses, Arlington will collaborate with the state on penetration testing and introduce an endpoint detection and response platform. These measures aim to prevent future cyberattacks and safeguard the town’s financial and operational integrity. The incident underscores the critical need for robust cybersecurity practices and continuous vigilance against sophisticated cyber threats.