A scammer stole a little more than $500,000 from the City of Ocala, Florida as the result of a successful spear phishing attack.
According to Ocala.com, an Ocala employee fell for a spear-phishing attack, one of the most common variants of phishing campaigns, near the end of October. They opened an email that appeared to come from a construction company that’s currently working with the City. Upon seeing a payment request for services performed, the employee complied and electronically sent over $640,000 to the bank account provided in the email.
That bank account did not belong to the contractor, however.
It’s not clear from Ocala.com’s reporting how the City determined that the spear phishing email was a fraud. Any any event, officials made this determination at a time when $110,000 of the designated payment remained in the City’s account. They subsequently canceled the remaining payment, which means that those responsible for the attack made off with a little more than $500,000.
City spokeswoman Ashley Dobbs revealed that Ocala reported the attack to the local police department, where officers then notified the FBI. As quoted by Ocala.com:
While the City of Ocala recognizes governmental transparency, an active criminal investigation into bank fraud is underway and our ability to discuss this matter publicly is limited until the investigation has concluded.
The municipality also launched an investigation into what happened. Officials learned through this effort that the email had been a fake but that the invoice was legitimate. That being said, the City still needs to determine whether the scam began after the contractor made a legitimate request for payment.
Ocala’s investigation into the attack remains ongoing as of this writing.
The City said it would make changes to its security policies to prevent a similar attack from occurring in the future upon completing its analysis of what happened.