BILLINGS — City officials in Billings are reviewing cybersecurity practices after the email accounts of the city’s police and fire chiefs were compromised this week, resulting in phishing emails being sent to city staff and members of the public.
Billings Police Chief Rich St. John and Fire Chief Matt Hoppel both had their email accounts compromised, allowing scammers to send messages that appeared to come directly from the officials. Several days later, City Council members also received emails from an account impersonating Mayor Mike Nelson.
Watch the story below:
The incidents raised concerns about the city’s cybersecurity safeguards, though officials say no sensitive information was accessed.
Local real estate broker Jamie Lee Rindahl was among those who received a phishing email that appeared to come from St. John. The email included an attachment, which she said immediately raised red flags.
“It did look real, and it did come from his email address," Rindahl said.
Rather than opening the document, Rindahl contacted the police chief’s office directly and learned that some staff there were unaware of the email. She then sent a screenshot of the message through the department’s Facebook page, where she received confirmation that it was fraudulent.
About 15 minutes later, the Billings Police Department issued a public warning on social media.
Rindahl said she regularly encounters phishing attempts in her work, but was still troubled by how convincing the message appeared.
“They're getting really good at masking where those are coming from. They’ll change one letter in the email," said Rindahl. “You click one thing and all your information, all your private stuff is out there, your social security card, your bank information, everything.”
City officials said the same phishing email was sent to multiple city employees before Fire Chief Matt Hoppel’s account was also compromised. In those cases, recipients were sent links that prompted them to enter login credentials.
"That is kind of concerning that they were able to get into our government officials' emails like that,” said Rindahl. “I feel like the government should have stronger firewalls for this not to happen.”
Several days later, City Council members received emails from an account impersonating Mayor Mike Nelson. Andrew Lindley, newly elected Ward 4 council member, said that the incident involved email spoofing rather than an actual compromise of the mayor’s account.
"Honestly, it's pretty standard for that to happen, unfortunately, in this day and age,” said Lindley.
Lindley, who has an extensive background in information technology, said similar phishing attempts affected municipal officials in other Montana cities. He said municipalities are often targeted because officials frequently exchange contact information across jurisdictions.
"In this case, municipalities were a key target because the person in Bozeman compromised had email addresses from other officials across the state," said Lindley.
Lindley said the city’s IT department responded quickly and limited the impact of the incident. No sensitive data was obtained, and there is no current threat to city systems. Still, he said the incidents highlight the need for stronger oversight and long-term planning.
“Any caution that people can have is really worth it," he said.
In response, Lindley plans to propose the creation of a City Technology Advisory Commission. The commission would consist of technology professionals appointed by the mayor and approved by the City Council. Its role would be to review city technology systems, cybersecurity policies, and governance practices and provide recommendations to city leaders.
Lindley said the idea was influenced in part by concerns raised after the city transitioned to new water billing software in 2024, a change that generated controversy among residents.
"It would be good for everyone, provide a little bit more transparency about how technology is functioning in the city, and give the city staff some great feedback from experts that are here local,” said Lindley. "Improving technology platforms is a great thing for the city, but making sure that we're doing it in a way with the right decision-making and governance will make issues like the water billing issue less likely to happen, I'm sure.”
While the plan is still in its early stages, both Lindley and Rindahl encouraged residents to use strong, unique passwords, enable password managers, and think carefully before clicking links or opening attachments.
"Use the password managers that exist on your phones to create unique passwords for all of your things, especially your bank accounts, your credit card accounts, anything that has to do with your finances," said Lindley.
"Be aware, and if you do get something strange, even if you know the person, make that phone call, follow up," added Rindahl. "Make sure that that person on the other line is sending you that information or that link or that document because it is so easy to fall victim to this."
