MARBLEHEAD Forty-three people received a scam phishing email with the subject line “Town of Marblehead” on June 16. The hacker’s goal was apparently to capture email addresses and passwords from the unsuspecting recipients.
The message appeared to be sent from a town employee’s email, and it read the following:
“We are pleased to inform you that your firm has been selected as one of four invited to submit a proposal in response to our Request for Proposal (RFP) for the Town of Marblehead.”
The email then directed respondents to “access the RFP documents” via a link embedded in the email. The link opened a prompt asking respondents to enter their Microsoft email address and password.
The email then stated, “We kindly ask that you review the materials and confirm your interest in participating. Should you have any questions or wish to discuss your approach, we would be happy to schedule a call or meeting at your convenience.”
The email stated that, in order to be considered, recipients must respond by the end of the day on Friday, June 27.
The email concluded by stating, “Should you need any additional information or assistance, don’t hesitate to reach out. Thank you for your time and consideration. We look forward to hearing from you.”
Four staff members at the Marblehead Weekly News received the email, which appeared to be a very high-quality attempt at fooling recipients. The name and email address of the sender looked authentic, as did the details in her signature line, so it appears likely that the hacker gained access to the sender’s email account rather than simply trying to imitate the sender.
The Marblehead town employee who is suspected of having been hacked works in the office responsible for town purchasing. About three hours after the scam email was sent, the town employee whose account was apparently compromised sent a follow-up email that advised people not to open any links from the previous email:
“Please be aware that starting at approximately 1:27 PM ET today, some users may have received an unexpected email with the subject line ‘Town of Marblehead.’
“These emails were not sent by the expected sender and should be deleted immediately if received.”
The email read, “Please do not open any attachments or click any links contained within the message.”
The email, which contained the email addresses of the 43 people believed to have received the original message, stated that the situation is currently under review but provided no additional information. Calls to the town administrator for comment had not been returned at press time. In what may be a coincidence, the town’s website address recently shifted from www.marblehead.org to www.marbleheadma.gov.
According to Microsoft Support, phishing is an “attack that attempts to steal your money, or your identity, by getting you to reveal personal information — such as credit card numbers, bank information, or passwords — on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.”
Microsoft also stated that if a successful phishing scam has taken place, meaning you opened a link from a phishing email and/or entered personal information, “write down as many details of the attack as you can recall. In particular, try to note any information such as usernames, account numbers, or passwords you may have shared, and where the attack happened.”
It also recommended: “Immediately change the passwords on all affected accounts, and anywhere else that you might use the same password. While you’re changing passwords, you should create unique passwords for each account.”
Microsoft also stated that if a phishing attack affects work or school accounts, “you should notify the IT support folks at your work or school of the possible attack.
“If you shared information about your credit cards or bank accounts, you may want to contact those companies as well to alert them to possible fraud. If you’ve lost money or been the victim of identity theft, don’t hesitate, report it to local law enforcement,” Microsoft support stated.