Arab, Alabama Loses $430,000+ to Phishing Attack Despite Prior Warnings
Summary: The City of Arab, AL lost over $430,000 to a business email compromise attack in 2026. YesGov had warned the city about its critical email security failures in both December 2024 and January 2025. The city took no action and maintained an F security rating.
What Happened
In early 2026, the City of Arab, Alabama lost over $430,000 to a business email compromise (BEC) and phishing attack. Attackers impersonated a vendor through email, convincing city officials to redirect payments to a fraudulent bank account. By the time the fraud was discovered, the funds had been withdrawn.
YesGov Warned Arab — Twice
YesGov identified critical email security failures on Arab's primary domain and sent formal warnings in December 2024 and January 2025. Both warnings specifically noted:
- No DMARC enforcement — Anyone could send email appearing to come from the city's domain
- No DKIM signing — No cryptographic verification of outgoing city email
- Weak SPF configuration — Insufficient protection against sender spoofing
- No MTA-STS — Email could be intercepted in transit without detection
The city took no corrective action after either warning. At the time of the breach, Arab's domain still carried an F rating on YesGov's 17-point security assessment.
How the Attack Worked
Step 1: Attackers identified that Arab's domain had no DMARC enforcement and no DKIM signing.
Step 2: They crafted emails that appeared to originate from a known vendor's address — or from a city official — using the city's domain.
Step 3: Because Arab had no email authentication controls, the spoofed emails were delivered without any warnings or flags.
Step 4: City staff followed the instructions in the fraudulent emails and redirected payments.
Result: Over $430,000 of taxpayer money was stolen.
Insurance May Not Cover the Loss
Cyber insurance policies increasingly require agencies to demonstrate that basic security controls — SPF, DKIM, DMARC, HTTPS, DNSSEC — were in place at the time of a breach. When an agency has been formally warned about specific vulnerabilities and fails to act, insurers can classify the resulting loss as negligence and deny coverage.
Arab's situation is particularly concerning: two documented warnings, zero remediation, and a continued F rating at the time of loss. Any insurer reviewing this claim will see a pattern of willful inaction.
Taxpayers Are on the Hook
The $430,000 stolen from Arab came from the city budget — money that was supposed to fund roads, public safety, utilities, and services for the community. When that money is gone and insurance doesn't cover it, taxpayers bear the cost through reduced services, deferred projects, or increased taxes and fees.
Every government official has a fiduciary responsibility to protect public funds. Basic email security costs under $250/year to implement. The choice between a $250 annual cost and a $430,000 loss should not be difficult.
What Would Have Prevented This
- DMARC with enforcement (p=reject or p=quarantine): Would have told receiving mail servers to block or flag any email that failed authentication — preventing the spoofed emails from reaching staff
- DKIM signing: Would have cryptographically verified that outgoing email actually originated from the city's authorized servers
- Properly configured SPF: Would have restricted which servers can send email on behalf of the city's domain
- MTA-STS: Would have required encryption for email in transit, preventing interception
- Staff training: Combined with technical controls, would have helped staff recognize social engineering attempts
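The four DNS-published controls in the list above can be checked mechanically. The following is an added example, not YesGov's checker or code from the original page: it audits TXT records held in a dictionary that stands in for live DNS, and the domain `city.example`, the DKIM selector `s1` and every record value are constructed for illustration.

```python
# Added example: all names and record values below are constructed.
def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC, DKIM, MTA-STS) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(zone, domain, dkim_selector):
    """Return sorted finding codes; `zone` maps DNS name -> list of TXT strings."""
    findings = []
    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        findings.append("spf-multiple-records")  # RFC 7208: evaluates to permerror
    elif spf[0].split()[-1].lower() not in ("-all", "~all"):
        findings.append("spf-weak")  # +all, ?all, or no terminating 'all'

    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("dmarc-missing")
    else:
        tags = parse_tags(dmarc[0])
        pct = tags.get("pct", "100")
        if tags.get("p", "none").lower() not in ("quarantine", "reject"):
            findings.append("dmarc-not-enforced")  # p=none only monitors
        elif pct.isdigit() and int(pct) < 100:
            findings.append("dmarc-partial-enforcement")

    dkim = zone.get(f"{dkim_selector}._domainkey.{domain}", [])
    if not any(parse_tags(t).get("p") for t in dkim):
        findings.append("dkim-no-public-key")  # record absent, or empty p= (revoked)

    sts = zone.get("_mta-sts." + domain, [])
    if not any(parse_tags(t).get("v") == "STSv1" for t in sts):
        findings.append("mta-sts-missing")
    return sorted(findings)

# Constructed zones: the weak posture described above, and a corrected one.
WEAK = {"city.example": ["v=spf1 include:mail.example ?all"],
        "_dmarc.city.example": ["v=DMARC1; p=none"]}
FIXED = {"city.example": ["v=spf1 include:mail.example -all"],
         "_dmarc.city.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@city.example"],
         "s1._domainkey.city.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC"],
         "_mta-sts.city.example": ["v=STSv1; id=20250101000000"]}
```

The MTA-STS check covers only the DNS record; a full check would also fetch the policy file that the domain serves over HTTPS. The DKIM key value is a truncated placeholder, so the example tests for the presence of a key, not its validity.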
Check Your Agency
If your government agency hasn't verified its email security configuration, you may be in the same position Arab was. Use YesGov's free compliance checker to see where you stand.