Riverhead warns public after phishing scam targets town permit applicants

Riverhead Town officials are warning the public not to engage with phishing emails that impersonate the town’s planning department or zoning board and request wire transfers of money.

A short blurb has been posted on the town’s website since January alerting residents to phishing and spoofing activity originating from the email domain “[email protected],” requesting application review and approval fees.

Senior planner Matt Charters said Thursday during a Town Board work session there has been an increase of phishing emails using this address over the last month. However, this week the fraudulent activity reached a peak when town officials were alerted to fake response letters and invoices falsely signed as Riverhead Zoning Board of Appeals chairman Otto Wittmeier.

“They’re actually generating an entire response letter from the zoning board chair, signing his name on it and asking for a wire transfer of $4,000,” Mr. Charters said.

He alerted Riverhead Police Chief Ed Frost that a police report may be filed, as at least one person is believed to have wired $4,000 thinking the invoice was legitimate.

Scammers used the Riverhead Town official seal on the fake documents attached to the email. Posing as Mr. Wittmeier, the scammers told the email recipient that their application had been reviewed and recommended for processing by the Zoning Board of Appeals, and had further review pending by the Riverhead Planning Board.

“In order to proceed with the formal review, scheduling, and approval process, settlement of the attached invoice is required,” the email read. The attached invoice gave the phishing victim an itemized breakdown of the $4,000 application approval fee.

“Remittance information” was also provided for the wire transfer to go to Lead Bank in Kansas City, Mo.

Mr. Charters said he suspected the phishers were using AI technology to pull information off of ZBA applications on the town’s website. He stressed that the Riverhead Planning Department never accepts wire transfers, only checks and money orders.

“We just need to be hyper aware,” the senior planner said.

What to look out for and how to report phishing: All town emails have the domain @townofriverheadny.gov. The town does not accept wire transfers of money. Anyone who receives suspicious emails can report them to the Riverhead Town Police Department at 631-727-4500. The Planning Department can be reached at 631-727-3200 ext. 240 and the IT Department is ext. 348.

Chief Frost said anyone who receives a fraudulent email can file a police report with the Riverhead Police Department.

“The police department would start conducting an investigation to try to get subpoenas into the domain,” he said. “A lot of them are out of state, [these] vendors and businesses do not need to answer New York subpoenas, so sometimes we do get stopped at that point.”

Chip Kreymborg, head of the town’s Information and Technology Department, said there have been at least two of these emails detected in the past two months. He confirmed the email did not originate from the town’s email system.

“[We’re asking the public to] just be vigilant about looking at email addresses, where they’re coming from, of course, using common sense about, well, ‘Why am I getting a wire transfer request from the zoning board?’” Mr. Kreymborg said. “At first glance, a person might see the ‘planning.townofriverhead,’ and just move on — they didn’t really inspect the email address, which was not even shrouded or aliased, it was clear it wasn’t Riverhead’s domain name.”

The incident is the latest in a series of cyber threats running rampant in the North Fork region recently. The Southold Town Police Department’s main phone number was used by an outside party this week to make spoofed calls to residents. Southold Town spent more than two weeks recovering from a ransomware attack that struck the day before Thanksgiving, and North Ferry Company was hit by a separate ransomware attack this month that froze its online payment system.

The Federal Bureau of Investigation defines phishing schemes as spoofing techniques “to lure” people in and trick them “into giving information to criminals that they shouldn’t have access to.”

Emails may appear to come from a legitimate business and ask a person to update or verify personal information by replying to the email or visiting a website. Phishers make the emails look convincing enough to get a person to follow through on the requested action.