The City of White Rock is warning residents not to open an email sent to home accounts referring to a refund.
The email – purportedly from a city financial services account – is a ‘phishing’ scam, first revealed to the public in a post Wednesday on the city’s Facebook page, and on the city website. The city’s information technology staff were already at work to nullify the impact of the false message as of Wednesday morning, the post noted.
‘Phishing’ is typically used to gather the personal credentials of email users; the stolen credentials can then potentially be used by hackers to gain access to banking and other accounts.
Corporate administration director Tracey Arthur told Peace Arch News the fraudulent emails came to the city’s attention early Wednesday morning but no information on file with the city was compromised.
Responding to questions by email, city IT manager Chris Zota said that approximately 2,700 email messages had been sent out by the time the security breach was detected.
“We temporarily closed the affected user account, changed credentials, set up the user to use multi-factor authentication, investigated the breach (reviewed logs and settings), (and) reminded the user to employ proper cyber hygiene (using different passwords for different accounts),” Zota said.
He said, however, that no purpose would be served by attempting to assign blame for the breach, noting that “clever social engineering methods are employed to craft phishing campaigns designed to steal user credentials,” and that “this was a classic phishing campaign.”
“It’s important not to jump to any conclusions here to the effect that the user did something wrong,” he said. “We don’t know how these credentials were compromised.”
The best policy for the public is to “follow cyber best practices, awareness and education on the topic of cyber security,” Zota said.
“While employing the use of a good anti-malware software helps, I can’t stress enough the importance of education and awareness.”
He said a “simple yet effective overview of phishing” can be found online at phishing.org.
People can also use the site https://haveibeenpwned.com/ to see if their email accounts have been compromised, Zota suggested.