Cyber fraudsters managed to gain access to Angus Council’s email system before contacting locals in a bid to steal bank details.
The phishing attempt has seen hundreds contacted from the official @angus.gov.uk email address.
Titled ‘BACS Payments’, it directs the recipients to a site set up to obtain log-in details from users.
Angus Council has urged anyone who has received the email to delete it.
John Phillip, who was one of those to open it, says he’s worried vulnerable or elderly people will be scammed.
He said: “Users outwith Angus Council and carers and disabled people send receipts and bank statements in as per their direct payment agreement.
“Some of them will not be knowledgeable enough about IT to be aware of the risk.
“Others will click the attachment believing it’s something affecting their direct payments or a demand for repayment and submit email address and password for their accounts – thus giving the bad actor access to more accounts and personal information.”
Organisations are required by law to protect personal data and ensure adequate anti-virus systems are in place.
It comes just a year after Dundee & Angus College was shut down for days after a cyber attack on its IT systems.
Mr Phillip added: “I called the Accessline and they were unaware the email had been sent outwith the council.
“Whoever it was clearly had access to an Angus Council email account.
“I would have hoped that someone working in the payments division would have been more security conscious given their role and the data they handle.”
Council ‘very confident’ it wasn’t compromised
An Angus Council spokesperson said: “A phishing attempt was made to steal credentials and to send out other emails to internal and external contacts from an Angus Council user account.
“Our IT department blocked the access to the phishing site that was trying to gather credentials and as an additional countermeasure have disabled accounts and reset passwords on all internal users that opened the email.
“We are very confident no systems have been compromised or data lost and this phishing attempt has had no operational effect.
“Any external users that received an email from Angus Council entitled BACS PAYMENT required should delete the email.
“We are no different to any other large organisation with a high number of users, in that we are a potential target for phishing scams.
“We have robust security policies, procedures and training in place to prevent these.”