Hack sends scam messages from Indiana agencies

Driving the news: An email delivery vendor the state previously contracted with has been hacked, sending fraudulent email and text messages from roughly a dozen state agencies.

• Many of the messages have "TxTag Account" in the subject and prompt recipients to click a link to pay outstanding toll balances.
• "Failure to pay may result in penalties or vehicle registration holds," one of the emails reads.

What they're saying: "The State does not send unpaid toll notifications via text or email messages," the Indiana Office of Technology said in a notice.

• "These messages are scams, and users should not click on any of the links."
• A spokesperson for the Office of Technology confirmed to Axios that emails about "unusual activity in your PayPal account" with a link to log in and verify information are part of the same problem.

Context: The office said the state's contract with the hacked company ended last year, but the company didn't remove the state's account.

• The office is not aware of any current state systems being compromised, the notice said.

Threat level: "If we're not thinking about cybersecurity, it will bring itself to the forefront," said Isak Asare, co-director of Indiana University's cybersecurity and global policy program and executive director at the IU Cybersecurity Clinic.

• Asare said the phishing scheme took advantage of the inherent trust people place in government email addresses, which exist to convey trust in the first place.
• "This is showing the soft underbelly of our digital infrastructure," he said. "In a world where you can't do anything outside of using computers ... it's quite shocking that cybersecurity is such an afterthought to so many of us as individuals and as local and state government agencies."

Editor's note: This story has been updated to include comments from a cybersecurity expert at IU.