Hackers stole approximately $498,000 from the city of Tallahassee, Florida, by diverting city employees’ paychecks, according to USA Today. The attackers hacked a third-party vendor that provides the city’s payroll services, and then redirected direct deposit payments to attacker-controlled accounts.
Tallahassee officials only learned of the attack after they were contacted by the city’s bank. The incident is still under investigation, but city spokeswoman Alison Faris said the attack is suspected to have originated outside of the US.
City officials said attackers try to compromise the city’s defenses every day, and last month a malicious Dropbox link was sent out from the email account of the city manager. Officials don’t believe this attack was related to the payroll theft, although IT experts noted that this type of phishing attack is often a precursor to more advanced attacks.
“Usually the way they get in is through email,” Blake Dowling, CEO of Aegis Business Technologies, told USA Today. “Those happen all the time. If you’re not trained to be on the lookout for something, about how that may look or feel or the implications, it can bring your city to a crawl.”
Even secure networks are vulnerable to employees making a simple mistake and accidentally opening the door to an attacker. Supply-chain attacks like this one can have far-reaching impacts that can cripple a vendor’s reputation. New-school security awareness training can help your employees defend themselves against phishing attacks.