Smithville, Tennessee Loses $425,000 to Email Spoofing Fraud
Summary: In December 2025, the City of Smithville, TN lost $425,000 when attackers spoofed a vendor's email and tricked city officials into wiring payment to a fraudulent account. Proper SPF and DMARC configuration would have blocked the attack.
What Happened
In December 2025, the City of Smithville, Tennessee lost $425,000 when attackers spoofed a vendor's email address and tricked city officials into wiring payment to a fraudulent bank account. By the time the fraud was discovered, the funds had been transferred and withdrawn.
How the Attack Worked
Step 1: Attackers identified that the city's domain lacked proper email authentication — no enforced SPF, no DKIM, and no DMARC policy.
Step 2: They crafted emails that appeared to come from a legitimate vendor the city regularly does business with.
Step 3: Without email authentication controls in place, the spoofed emails were delivered to city staff without any warning flags.
Step 4: City officials followed the payment instructions in the fraudulent emails and wired $425,000 to the attacker's account.
Result: $425,000 of taxpayer money was stolen in a completely preventable attack.
What Would Have Prevented This
- SPF with "-all": Would have told receiving mail servers to reject emails not sent from authorized servers — blocking the spoofed vendor emails
- DMARC with enforcement (p=reject): Would have instructed mail servers to reject any email failing authentication, preventing delivery of the fraudulent messages
- DKIM signing: Would have provided cryptographic proof that emails genuinely originated from the claimed domain
These controls are free to implement and take less than an hour to configure. Maintaining them professionally costs under $250 per year.
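One way to check whether a domain's published records actually deliver the three protections listed above, as an added example that is not from the original article: it parses constructed SPF and DMARC TXT records (placeholder domain names, no DNS lookups) and reports whether they would instruct receiving servers to reject spoofed mail.

```python
"""Classify SPF and DMARC TXT records by how strongly they reject spoofed mail.

Added example, not from the original article. The records below are
constructed samples with placeholder domains; a real check would fetch the
TXT records for <domain> and _dmarc.<domain> from DNS first.
"""
import re

# Constructed sample records: a weak (monitoring-only) pair and an enforced pair.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@city.example"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@city.example"


def spf_posture(spf_record: str) -> str:
    """Return 'enforced' (-all), 'soft' (~all), 'none' or 'missing'."""
    record = (spf_record or "").strip()
    if not record.lower().startswith("v=spf1"):
        return "missing"
    # The qualifier on the 'all' mechanism decides the fate of unlisted senders.
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return "none"  # no 'all' term: unlisted senders get a neutral result
    return {"-": "enforced", "~": "soft"}.get(match.group(1), "none")


def dmarc_policy(dmarc_record: str) -> tuple:
    """Return (policy, pct); policy is 'reject', 'quarantine', 'none' or 'missing'."""
    record = (dmarc_record or "").strip()
    if not record.lower().startswith("v=dmarc1"):
        return ("missing", 0)
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")  # a record without a usable p tag gives no policy
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    return (policy, pct)


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both records; only p=reject at pct=100 tells receivers to refuse failing mail."""
    policy, pct = dmarc_policy(dmarc_record)
    return {
        "spf": spf_posture(spf_record),
        "dmarc": policy,
        "pct": pct,
        "rejects_spoofed_mail": policy == "reject" and pct == 100,
    }
```

Running `assess(WEAK_SPF, WEAK_DMARC)` reports the monitoring-only posture described in Step 1 of the attack, while `assess(STRONG_SPF, STRONG_DMARC)` reports a configuration that rejects spoofed mail.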
The Taxpayer Cost
The $425,000 lost by Smithville came directly from the city budget — taxpayer dollars that were earmarked for public services, infrastructure, and community needs. When government agencies fail to implement basic, free security controls, it is the public that pays the price.
Lessons for Every Government Agency
Smithville's loss is not unique. Email spoofing attacks against government agencies are increasing because attackers know many local governments lack basic email authentication. If your agency hasn't configured SPF, DKIM, and DMARC, you are a target.