fb-pixelLawrence Public Schools taken for $2.7 million in phishing scheme Skip to main content

Lawrence schools trying to recover $2.7 million ‘frozen’ by online phishing scheme, officials say

The entrance to Lawrence High School. School officials in Lawrence are trying to recover $2.7 million frozen by phishing scammers.Lawrence Public Schools/Handout

The Lawrence Public Schools are working to recover $2.7 million in funds that were recently “frozen” when a staffer responded to a phishing email sent by scammers posing as a vendor for the school district, city officials said.

Mayor Brian A. DePeña’s office held an emergency meeting Thursday with informational technology specialists to discuss the security breach, according to DePeña’s spokesperson, Nestor Castillo.

“It’s not that the money has been lost,” although the system cannot currently access the money, Castillo said Friday.

Local and federal law enforcement authorities have been notified and city officials plan to alert the public once they receive additional information, Castillo said.


The FBI said it “does not comment on specific incidents because victims should feel confident that when reporting a crime to the FBI their status as a ‘victim’ will not be disclosed.”

In a statement, the bureau said it would “like to take this opportunity to remind your readers that the FBI encourages all victims of cyber-related crime to report it to the FBI’s Internet Crime Complaint center.”

A state police spokesperson said Friday that the agency is not involved in the case.

Juan Rodriguez, the school system’s interim superintendent, could not be reached for comment Friday.

In a statement, DePeña said that cybercriminals pose as contractors and vendors with various illegal schemes to defraud government entities and private corporations around the world in the hope of intercepting payments.”

“These criminals are cunning and continually look for ways to fool institutions,” he said.

He said the investigation into the breach, which was first reported by The Eagle-Tribune, looks “very promising,” although he didn’t say when or if the school district would be able to recover the funds.

DePeña said he had directed “both IT and Finance to implement systematic safeguards and tighten verification processes that will alert us to fraudulent cyber attempts.”


Cyber criminals have targeted other municipalities, including Lowell. On April 25, officials reported that a cybersecurity breach had forced the shutdown of computer servers and telephones in multiple city agencies. On May 5, officials said phone service had been restored to multiple city offices. Emergency 911 service was never affected.

A cybercrime organization called “Play,” believed to be based in Russia, claimed credit for the attack.

Play operates on the “dark web,” a part of the Internet that’s inaccessible to standard browsers and search services. The Play site lists Lowell among the organization’s victims, which apparently include about 75 organizations around the world, ranging from BMW’s operations in France to the sheriff’s department in Palo Alto County, Iowa.

Play says it has compromised “private and personal confidential data, passports, IDs, finance, payroll, department documents, budget, etc.” It encrypts the data stored in the victim’s computer systems, making it inaccessible until they pay a ransom to get the decryption key.

No criminal actors have claimed responsibility for the Lawrence attack, and no arrests have been made.

In May, Rodriguez submitted a proposed budget for the school district of $260.1 million for Fiscal Year 2024, which began in July, according to city documents.

That proposal represents an increase of 11 percent, or $27.3 million, from the previous year.

Travis Andersen can be reached at travis.andersen@globe.com.