During the work session of the Eagle Mountain City Council meeting held on September 20th, 2022 the City Released some additional details on the $1.13 million that was lost through a phishing and bank wire transfer scheme. During, the work session the city gave an update on some “City Administrator Information Items”.
The first thing the Mayor did was turn the time over to Paul Jerome, the Eagle Mountain City Administrator, who was attending the meeting via teleconference call and was at a conference out of town.
Paul read the press release and then elaborated with some additional information. They also had a member of the IT team, Keyon Blackhurst, that the city contracts with (Executech) to add comments as well.
Paul started with an apology to everyone, elected officials, and residents for the city’s failure in this regard to “staying ahead of these bad actors”. Paul stated that they have made changes and continue to make changes so that this will not happen again. Some of those changes include the following: the possibility of employing a risk manager; enhanced policy for ACH and other forms of electronic payment; enhanced capabilities for IT intrusion detection, phishing campaigns, and IP address alerts; mandatory training for employees, including city-initiated phishing campaigns.
Kenyon then discussed what services they currently provide, and how it protects the city. ExecuTech is still working with the FBI on the ongoing investigation. Kenyon mentioned that you can put all of the security you want at the front door, but that does not do any good if someone lets them in through the side door. “There is only so much you can do in the front if someone is letting them in the back. That is really where it comes down to educating the employees.” They implemented a new set of tools for Eagle Mountain for phishing, but they did not go into effect until August 1st. “It was not because of this those tools were put in place, we have actually been working with Aaron for a couple of months now.”
Executech noted that you should never do an ACH change over email. If an ACH request is made by email there should be a policy in place that requires a phone call to a known good phone number. “Hey, are you requesting us to change ACH information?” The phone call is free and it takes seconds. The new tool put in place is called TDP, which stands for Threat Detection and Prevention.
The ExcuTech website says this about the TDP product: “Executech’s Threat Detection and Prevention (TDP) brings together the essential tools, products, and hands-on support into one simple package to cover the basic cybersecurity needs of any organization. Included in the package are: Anti-Virus & Anti-Ransomware Protection; Network Monitoring; Alert Management; Quarterly Scans; Security Consultant support; And more!” Tyler Rassmussen, Executech VP of Cybersecurity, then explained the product.
Tyler also gave some additional information on what they know what happened that allowed the City to lose $1.13 million to a bad actor. “There is no indication of what we have seen that anyone has infiltrated your network. What happened, that we have seen, is that a scammer somehow intercepted the emails. Again there is no indication that it was on Eagle Mountain Cities’ side. They then started replying back to those emails with a different address. Not the vendor’s address, but slightly different, the top-level domain instead of being .net was .org.” Tyler continues, “Again there is no indication that we have seen that anyone was inside your network or your systems.” “We don’t know how they intercepted the email, that is still part of the investigation.”
Councilmember Curtis asked Tyler about passwords and the frequency of change. Tyler said that they have already implemented Multi-Factor Authentication (MFA) on key employees, but they plan on implementing it for all employees. “It was verified that everyone who was in communication with the attacker did have Multi-Factor AUthentication enabled.” Kenyon then stated that they do have a list of recommendations that they plan on going through with Paul and Aaron when they get back into town, and one of those recommendations is MFA.
Councilmember Wright talked about education and asked if it was key to stopping these type of loses in the future. Tyler stated, “Education of End-Users is absolutely critical, and updating that education.” Councilmember Wright then stated that he wants to advocate that this training happens during the onboarding process of new employees. ExecuTech said that their training is recorded so it could be made available to new employees during onboarding.
Paul concluded this part of the work session by stating, “I do want to address the fact that the FBI has so far said that there is no indication of any involvement of any employee of our organization or the organization that the funds were intended for.” He continues, “there was no indication that this was what would be referred to as an inside job.” Paul did state that it is “very unlikely that we will get these funds back.” The FBI said that the chances of getting the funds back are basically zero.
Mike Kieffer is an IT geek by hobby and trade, with a BS in Information Systems & Technology. He is a proud father of 10, a grandpa, an author, a journalist, and internet publisher. His motto is to “Elevate, Inspire and Inform”, and he is politically conservative and a Christian. Mike has a passion for technology, writing, and helping others. With a wealth of experience, he is committed to sharing his knowledge with others to help them reach their full potential. He is known for his jackassery or his form of self-expression that encourages boldness, creativity, and risk-taking. It can be a way to push the boundaries and challenge traditional norms, leading to creative solutions and positive change.