That the email was sent by "Richard" was the first clue somebody was up to no good.
Mayor Richard "Dicker" Cahill of Yarrow Point, Wash., usually goes by his nickname in messages. But that escaped the notice of the town's financial coordinator when he wired $49,284 to an unidentified con artist as part of an email scam in August.
Cybercriminals weren't finished with the affluent town of 1,000 residents across Lake Washington from Seattle. In mid-October, Yarrow Point fell victim to a ransomware attack, which locked down some of the town's computer systems, denied employees access to files and resulted in a nearly $10,000 bitcoin payment to attackers.
Yarrow Point isn't alone. Municipalities and governments, which are usually loath to act until problems occur, are often easy targets with aging systems and employees who have little training around best practices for spotting cybercrime.
And the loss can be more than just money. Security experts say organized criminals also can find ways to access city records and potentially disrupt critical services, such as emergency communications and infrastructure.
It could have been worse for Yarrow Point. The town was sent phishing emails in June and July. Town Clerk/Treasurer Anastasiya Warhol saw them as illegitimate and brought the email to the attention of Cahill and the IT company the town contracted with at the time. Word went out to the town's staff to beware.
With a budget of about $2 million, Yarrow Point will recover from the loss, city officials said, but it never should have happened.
"It is an unacceptable activity," Cahill said. "(But) it is not by any means going to cripple the town."
City Hall has taken measures to protect itself against further incidents by no longer allowing wire transfers and by switching and updating equipment and systems such as email.
"Typically those campaigns are very broad and will hit many, many local governments," said Brian Calkin, vice president of operations for the Center for Internet Security.