Article Read Time
Cyber Security Part One: The Criminals (How They Pick Lindon County)
They didn’t start with Lindon County because they hated it or thought its cyber security was weak. They started with Lindon County because it was there.
A county of 38,000 doesn’t look like a jackpot at first glance. It looks like a place with stoplights, ball fields, and a courthouse that smells like old paper. But the criminals weren’t looking for glamour. They were looking for a payment process.
They had a spreadsheet, nothing fancy, just columns and notes. Population. Budget. Departments. Public meetings. News coverage. And, most importantly, signs of strain.
Lindon County’s annual budget, $197 million, stood out. Not because it was huge compared to a big city, but because it was big compared to the staff. One full-time IT person, a part-time helper, and no cyber security department. A county that runs a courthouse, sheriff’s office, jail, clerk, PVA, county attorney, and everything a county must do, with 175 employees.
That meant the same people wore multiple hats. That meant approvals happened when they could, not always as the policy binder said they should. That meant there was a rhythm to the county’s day: deadlines, invoices, payroll, court dates, jail intake, dispatch calls, public complaints.
And it meant a phrase the criminals loved: “We have IT. We don’t need cyber security.”
They didn’t need to break down a firewall. They just needed one person to trust the wrong message at the wrong time.
They started where any stranger can start: the county website. Names. Titles. Phone numbers. Emails. A calendar for Fiscal Court meetings. Links to agendas and minutes. PDFs full of boring details until you look at them the way a thief looks at an unlocked door.
The criminals built a map of people.
Not home addresses. Not secrets. Just responsibilities.
Who posted meeting packets? Who handled purchasing? Who seemed to share press releases? Who appeared on the agenda as “Accounts Payable” or “Treasurer’s Office”? Who signed contracts? Who asked questions at public meetings?
They read local news too. Lindon County had been proud of “keeping things running” with limited resources. There were quotes about upgrading systems, modernizing the jail, improving public safety, and pushing through despite staffing shortages. The criminals didn’t smirk at those articles. They took notes.
They needed the county to be busy. They needed it to be tired.
Then they looked for a reason money would move.
That part was easy. Counties publish enough to be transparent, and transparency is a gift to anyone patient enough to read. There was a capital project that kept popping up: a courthouse renovation and records digitization project, something the public liked, something leadership talked about, something that required contractors, invoices, and scheduled payments.
It wasn’t just the project. It was the timing.
They watched agenda packets until they saw it: approvals for “progress payments.” The sort of payment that is too large to be casual, but too routine to be shocking. A payment that could be explained with one sentence: “This is the next draw for the renovation.”
They didn’t rush. They never rushed at the beginning.
They gathered what they could: vendor names, project managers, and the people in the county who had to keep the paperwork moving. They learned which department served as the hub for money movement: the finance office.
It wasn’t hard to imagine the scene inside that office. Invoices stacked. Phones ringing. A clerk who had worked there long enough to remember when everything was paper. A supervisor pulled into three meetings a day. IT is in the next building, trying to keep ancient systems alive and not focused on cyber security.
The criminals’ job wasn’t to be smarter than the county. It was to be calmer than the county.
They chose a week when things were loud. They could tell from the public calendar: budget discussions, project updates, and a sheriff’s office equipment purchase. Lots of moving parts. Lots of emails. Lots of legitimate reasons for people to be distracted.
Then came the message.
It did not look like a cartoonish cyber security scam. It did not say “Kindly do the needful.” It did not have spelling errors like a parody. It sounded like a person who had already been talking to you for weeks.
It referenced the renovation project by name. It included the contractor’s signature block copied from a public document and adjusted just enough. It mentioned a “bank change” and apologized for the inconvenience. It included an attached form that looked like every other vendor form Lindon County had ever seen.
The criminals didn’t bet everything on one email. They never did. They layered it.
A follow-up came the next day, polite but urgent. “We’re up against end-of-week posting. Please confirm you received this so we can avoid delay on your draw schedule.”
A third message came the morning after that. Shorter now. “Any update? We need to ensure the county doesn’t get flagged for late payment on this milestone.”
Busy people hate being the reason something gets “flagged.” Busy people hate being the reason a project slips. Busy people hate being the reason someone else is waiting.
And then they targeted the weak seam that wasn’t a seam at all; it was normal life.
They sent a separate message that appeared to come from inside the county. Something that sounded like IT, because leadership believed “IT” handled anything that smelled like technology. A routine notice. A reminder. A prompt to “verify” to avoid disruption.
It was the kind of thing people click when they’re trying to keep their day moving.
One person did.
The criminals didn’t celebrate. They didn’t clap. They didn’t shout. They just got quieter.
They watched. They waited. They read.
They didn’t need everyone’s inbox. They didn’t need the sheriff’s office. They didn’t need jail cameras. They didn’t need drama.
They needed the thread where money moved and approvals happened.
And when they found it, it was almost disappointing in how ordinary it looked: emails about invoices, attachments with scanned signatures, short notes saying “Approved” or “Please process,” a question here and there about the right code to use.
People imagine cyber crime as flashing screens and alarms. This looked like office work.
They timed the strike for a day already under stress. Payroll. A deadline. A meeting. A storm in the forecast. Anything that would make a clerk feel like, “If I can clear this off my list, I can breathe.”
The criminals sent the “final” vendor banking details again, this time from the exact conversation thread people trusted. Same tone. Same signatures. Same little bits of personal familiarity they’d picked up from weeks of watching: a “Thanks again,” a “Hope your week is going better than ours.”
A supervisor replied: “Got it.”
A clerk entered the updated payment info into the system.
An approval went through. The kind that happens when everyone believes the other person has already verified the important parts.
And then Lindon County sent $4.4 million to an account unrelated to the courthouse renovation.
The criminals didn’t immediately drain the money in one dramatic swipe. They moved it the way people move stolen goods when they know the owner will notice. They split it. They shifted it. They pushed it out of reach in increments. By the time anyone suspected something was wrong, the money was already a ghost.
That evening, one of them drove home through normal traffic, stopped for takeout, and listened to the radio.
The scariest part was not that they were geniuses.
The scariest part was that Lindon County had done exactly what it was designed to do: keep running.
Next week, part two in our three-part series A Cyber Security Parable: A Click That Triggered a Disaster, “Lindon County (How They Discovered It, and the First 72 Hours).
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.