The phishing attack that rocked the fictious county of Countyville: A cautionary tale
Author
Rita Reynolds
Upcoming Events
Related News
Key Takeaways
In keeping with the theme from last week, I used a generative AI tool to craft the following fictious story of what can happen if an employee clicks on a phishing email.
In the quiet, rural heartland of Countyville, local government had been running smoothly for years. The county’s administrative building, nestled in the town square, had withstood the test of time—both in terms of its stately brick architecture and the hard-working county employees inside. But beneath the peaceful exterior, a storm was brewing, one that would expose the county's vulnerability to cyber threats.
Do more
Conduct phishing tests on a monthly basis and provide on-going education, for all staff
It all started on a crisp autumn morning when Jessica, the county’s treasurer, opened her inbox. She sifted through the usual stack of emails about budget updates, meeting reminders, and requests for reports. One email stood out: "URGENT: Account Information Verification Required."
The email appeared to be from the county’s trusted bank, with a logo that looked identical to what she had seen countless times before. The message was polite but firm, stating that the county’s accounts needed immediate verification due to "suspicious activity." There was a link provided, which led to what appeared to be the bank’s website. Under pressure to resolve the issue quickly before her busy day, Jessica clicked the link, logged in, and followed the instructions.
What she didn’t know was that the email was a cleverly disguised phishing attempt. The website she logged into was a fake, created by cybercriminals to capture her login credentials. Within minutes, hackers had full access to the county’s financial systems.
The next few days unfolded in slow horror. Countyville’s IT team first noticed unusual login activity, with someone accessing the system late at night from an unfamiliar location. Then, the real damage became apparent: funds were being siphoned from various county accounts. What started as small, unnoticeable withdrawals soon turned into large sums disappearing, primarily from accounts earmarked for critical services like road maintenance, public safety, and social services.
Panic set in when the county’s payroll system failed just days before the next payday. County employees were at risk of not receiving their wages. The county commissioners called an emergency meeting to assess the damage, but by then, it was clear that Countyville had fallen victim to a full-scale cyberattack.
The hackers had locked down several systems with ransomware, demanding a hefty payment in Bitcoin for the decryption keys. Without proper backups in place, the county was left paralyzed. Emergency services struggled as dispatch systems went offline, and the public works department couldn’t access essential records to continue road repairs. To make matters worse, the media quickly picked up on the story, and Countyville’s small-town reputation took a massive hit.
Days turned into weeks, as recovery and forensic teams worked to resolve the situation. Due to insufficient backups, the county was forced to pay a significant portion of the ransom just to regain access to essential services.
In the aftermath, the county’s lack of robust cybersecurity policies, inadequate employee training on recognizing phishing attempts, and weak systems for monitoring suspicious activity had made them an easy target. It was a wake-up call for every level of the county government.
In response, the county launched an aggressive cyber-awareness campaign. They invested in updated security systems, encrypted sensitive data, and created strong backup protocols. Every employee, from department heads to administrative assistants, was required to undergo mandatory cybersecurity training, learning how to identify phishing emails, use multi-factor authentication, and practice good password hygiene.
While this is a fictious story, it serves as a powerful lesson for local government, showing that no one is immune to cyber threats and that preparedness is the only real defense against modern-day digital attacks.
To learn more and find valuable resources that your county IT can avail themselves of, visit Free Cybersecurity Services & Tools | CISA. CISA provides a wide range of security services, including cyber hygiene services of Vulnerability Scanning and Web Application Scanning
Disclaimer: The fictious story was created by ChatGPT 4.0 and modified by Rita Reynolds
*ChatGPT, response to “Write a story on how a county succumbed to a phishing attack,” OpenAI, Oct 11, 2024. Image provided by DALLl-E
Related News
County Countdown – December 16, 2024
Every other week, NACo's County Countdown reviews top federal policy advocacy items with an eye towards counties and the intergovernmental partnership.
NACo Publishes 2025 AI Policy Priorities Primer
On December 4, NACo published its Key AI Policy Priorities for Counties for the 119th Congress, building on the policy platform proposals voted on and passed at NACo’s 2024 Annual Conference.
NACo Legal Advocacy: McLaughlin Chiropractic Associates, Inc. V. McKesson Corporation
McLaughlin Chiropractic Associates, Inc. V. McKesson Corporation could make it more difficult for counties to challenge FCC orders, many of which have taken steps to preempt and curtail local authority by limiting counties’ abilities to manage their own right of way and assess fair market value permitting and impact fees on providers seeking to construct, modify or extend telecommunications infrastructure in their communities.
County News
How to recognize, avoid and protect your county against phishing attacks
Phishing attacks are an easy way for bad actors to gain access to your accounts, and often rely on lapses in vigilance when reading emails.