​Ocala city loses over $500,000 due to spear-phishing attack

• Scammer pretended to be a construction contractor working with the city and sent an email.
• While the email was phony, the underlying invoice was legitimate

The city of Ocala has become the latest victim of a ‘spear-phishing attack’. The officials have revealed that the city has lost a little over $500,000 after sending a payment to a fraudulent bank account.

What happened?

• According to Ocala.com, the incident occurred when a scammer sent a phishing email to a city department.
• The scammer pretended to be a construction contractor working with the city and sent an email, requesting payment for services via electronic transfer.
• While the email was phony, the underlying invoice was legitimate - which was enough to trick an employee.
• The employee mistook the email to be legitimate and inadvertently transferred $640,000 to a fraudulent bank account set up by the scammer.

The red flag

Ocala Mayor Kent Guinn revealed that the email address used in the attack included an extra letter that is not part of the legitimate contractor’s email.

How did the Ocala city respond?

• Once the city learned of the payment to the fake account, it reported the issue to law enforcement agencies.
• Guinn said that about $110,000 was still in the account when the city learned of the fraud. So, the scammer collected a little more than $500,000.
• Ocala spokesperson Ashley Dobbs confirmed that no information systems were compromised in the incident. Furthermore, Dobbs also added that the incident has been isolated and customers’ data is safe.

"While we can’t change this outcome, we will continue to update and refine our cybersecurity systems and training to minimize future impacts," Dobbs explained.

In light of the incident, the city has planned to conduct an internal investigation to know the methods and scope of a phishing attack. Later, it will make changes in policy to avoid such attacks in the future.