Cyber Incident Victim: Town of Erie

In October 2019, the Town of Erie, Colorado, fell victim to a business email compromise (BEC) scam resulting in a loss exceeding $1 million. Attackers exploited an electronic form on the town’s municipal website to submit a fraudulent payment change request for a construction contract with SEMA Construction, awarded in October 2018 for the Erie Parkway Bridge project. The form requested altering the payment method from physical checks to electronic funds transfer (EFT). Town staff processed this request without verifying its authenticity directly with SEMA Construction, despite existing protocols requiring such verification. On October 25, 2019, approximately $1.01 million was wired to an attacker-controlled bank account under the belief it was a legitimate payment to SEMA. The fraud remained undetected until November 5, 2019, when the town’s bank alerted staff to suspicious activity. Subsequent confirmation from SEMA Construction revealed they had never submitted the payment change request.

The incident necessitated a second payment to SEMA Construction via physical checks on November 15, 2019, to fulfill the contract. Immediate response actions included removing the online contact form and temporarily discontinuing electronic payments. The town created new finance and accounting manager positions to enhance oversight and segregation of duties, citing increased operational complexity due to population growth. A risk manager was hired, with recruitment ongoing for the other roles. Investigations involving the Erie Police Department and the FBI aimed to recover the stolen funds, which had been wired internationally by the perpetrators. No public confirmation of fund recovery was provided in the source material. The town emphasized leveraging investigative findings to mitigate future risks but disclosed no technical details regarding attacker entry methods or digital forensic outcomes.