Glasgow City Council is alerting residents to a parking scam which could be linked to a recent cyber-incident
# Incident Report: Glasgow City Council Parking Fine Phishing Campaign
## Executive Summary
Glasgow City Council (GCC) issued an alert regarding a widespread smishing (SMS phishing) campaign targeting residents with fake parking fine notices. The campaign appears to be opportunistic, exploiting a recent, separate cyber-incident that temporarily disrupted GCC's online services, including parking fine payments. While the scam itself compromised no council data, the disruption created an environment ripe for social engineering. GCC, working with law enforcement and national cyber agencies, confirmed that it does not use text messages to pursue fines and advised residents on proper payment methods.
## Incident Details
- **Discovery Date:** June 28, 2025 (Date of public warning)
- **Incident Date:** Began shortly after the discovery of the underlying cyber-incident (discovered June 19, 2025).
- **Affected Organization:** Glasgow City Council
- **Sector:** Local Government / Municipal Services
- **Geography:** Glasgow, Scotland, UK
## Timeline of Events
### Initial Access
- *Note: The primary incident affecting GCC's services was discovered previously, but the phishing scam's timing exploited this context.*
- **Date/Time:** The phishing campaign began shortly after the underlying cyber-incident was confirmed (before June 28, 2025).
- **Vector:** Smishing (SMS Text Messages).
- **Details:** Text messages impersonating Glasgow City Council were spammed to residents regarding unpaid parking fines.
### Lateral Movement
- Not applicable to the phishing campaign. This was a direct social engineering attack against the public that exploited the initial service disruption, not an internal network compromise by the scammers. (The underlying June 19th incident involved malicious activity on a supplier's servers, but details on its scope are not provided here.)
### Data Exfiltration/Impact
- **Smishing Campaign Impact:** Potential financial loss and data theft from victims who interact with the malicious links/requests.
- **Council Impact:** Reputational damage and increased public confusion and support calls, occurring while online services were already suspended due to the separate cyber-incident.
### Detection & Response
- **How it was discovered:** Glasgow City Council issued a public alert/warning to residents on Friday, June 28, 2025.
- **Response actions taken:**
  1. Council issued a public alert warning about the scam.
  2. Shared information regarding the spam messages with Police Scotland.
  3. Engaged investigators from the Scottish Cyber Coordination Centre (SC3).
  4. Engaged investigators from the National Cyber Security Centre (NCSC).
  5. The council reiterated that it never requests banking details via call, email, or text for parking penalties.
## Attack Methodology
Based purely on the reported scam:
- **Initial Access:** Social Engineering (Smishing via SMS).
- **Persistence:** Not applicable (one-off messaging attack).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Exploits public confusion, and the trust residents place in official communication channels, while those channels are disrupted by the ongoing underlying cyber-incident.
- **Credential Access:** Likely attempts to direct victims to a fraudulent payment portal to harvest financial data.
- **Discovery:** Public reporting/council vigilance.
- **Lateral Movement:** Not applicable.
- **Collection:** Likely harvesting payment card details or personal information from responding victims.
- **Exfiltration:** Not applicable from the council's perspective.
- **Impact:** Financial loss/identity theft for individuals.
## Impact Assessment
- **Financial:** Potential financial loss for victims providing payment details. No specific cost estimate for the council's response is available.
- **Data Breach:** The Council stated they are "confident" the scam does **not** involve stolen council data, suggesting the phishing technique is opportunistic rather than data-driven.
- **Operational:** Increased burden on council communication channels due to the need to debunk the scam, overlapping with the ongoing operational issues from the initial cyber-incident that suspended online services.
- **Reputational:** Minor negative impact due to residents being targeted by scams leveraging the current service disruption.
## Indicators of Compromise
*Note: No specific technical IoCs (URLs/IPs) for the scam were provided in the text.*
- **Network indicators:** None provided/defanged.
- **File indicators:** None provided.
- **Behavioral indicators:** Receiving unsolicited text messages claiming to be Glasgow City Council regarding an unpaid parking fine that demands immediate action or payment details via a link/call.
## Response Actions
- **Containment measures:** Public advisory issued to prevent further victim engagement.
- **Eradication steps:** Coordination with law enforcement and cyber agencies (SC3, NCSC).
- **Recovery actions:** Reassurance to the public regarding official communication policies (e.g., confirming payment is accepted via the number displayed on the physical PCN).
## Lessons Learned
- **Key takeaways:** Scammers actively exploit known service disruptions to launch targeted social engineering attacks, even if the scam method is simplistic (opportunistic targeting).
- **What could have been done better:** Timely and multi-channel communication (beyond initial alerts) to specifically address the scam, leveraging partnerships with NCSC/SC3 immediately upon recognizing the pattern.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Immediately issue explicit public service announcements debunking any new scam activity that coincides with service outages or operational changes.
  2. Proactively share scam intelligence with SC3 and Police Scotland when discovered to coordinate rapid takedown of malicious infrastructure (if any links were used).
  3. Continuously reinforce official communication channels for payment and sensitive information (e.g., "We will NEVER ask for banking details via text").