Perpetrators of a $2.3 million fraud against Peterborough taxpayers over the summer initiated the criminal enterprise by compromising the email of one town employee, according to a timeline prepared by local officials.

While simple human failure to follow established procedures allowed the scam to succeed, aspects of the theft do appear complex, including circumventing bank controls intended to prevent people from fraudulently setting up accounts.

“April – The email account belonging to a Town of Peterborough finance staff person was compromised by a Bad Actor utilizing IP addresses from outside the U.S.,” states the timeline prepared for the September 21 Select Board meeting.

“The staff person was likely targeted by a phishing email or a zero-day exploit of the Microsoft 365 platform which occurred last winter.”

The town has not identified the staff member who was targeted.

Finance Director Leo Smith, who took his long-planned retirement after the fraud was revealed, declined to comment, citing the ongoing investigation. Town accountant Shannon Kelley, who was in charge of accounts payable, resigned on Sept. 7. She could not be reached for comment.

The “zero-day exploit” refers to a systemwide breach of private information involving Microsoft and others. The town uses Microsoft 365, a suite of services that includes email. Microsoft provides the security for its own email servers.

Phishing is the sending of an email purporting to be from a reputable source with…
