Cyber Incident Victim: Utah County

In July 2022, Eagle Mountain City in Utah County fell victim to a cyberattack involving a fraudulent payment scheme. Attackers executed a phishing campaign by impersonating a trusted vendor with whom the city had an established financial relationship. The city’s finance department received what appeared to be legitimate correspondence instructing them to update the vendor’s banking information for future transactions. Believing the request to be authentic, city staff altered the vendor’s payment details in their financial systems. This manipulation led to the subsequent transfer of $1,007,368.50 in city funds to an account controlled by the attackers instead of the intended vendor. The transaction represented a single electronic payment processed through standard municipal financial channels. No initial irregularities were detected during the payment authorization process, as the request aligned with standard operating procedures for vendor payment updates.

The fraud was discovered only after the legitimate vendor notified Eagle Mountain City about non-payment for services rendered. Upon confirming the misdirected funds, city officials immediately engaged law enforcement agencies including the FBI and local police. The municipality also retained a cybersecurity firm to investigate the breach and attempt fund recovery. Financial audits confirmed the transaction flowed to an offshore account, complicating recovery efforts. The city’s cybersecurity insurance policy covered $500,000 of the loss, resulting in a net financial impact of approximately $507,368.50 to municipal funds. No evidence suggested additional system compromises beyond the fraudulent payment diversion. The incident did not disrupt city services or operations beyond the financial department’s internal investigation. Public disclosure occurred through official statements confirming the unauthorized transaction and recovery efforts.