The attack was identified and shut down quickly by Corvallis’ Information Technology Department, but some are worried about lasting impacts to their own information’s security after interacting with the scam.
A fraudulent email from Corvallis city Councilor Paul Shaffer's hacked email account instructed recipients to open a link to shared files.
The scammers accessed the official city account of Paul Shaffer, who has served as Ward 7’s city councilor since 2019. The email, sent out to 3,408 addresses, indicated Shaffer had sent the recipients files and included a link to open them.
According to Corvallis’ IT Director Michael Livingston, those who clicked the link were ultimately asked to input their username and password, which could log that information in the scammers’ system to sell it to other groups.
Shaffer found out what had happened when he arrived at City Hall at about 2 p.m. Wednesday, Jan. 8, around an hour after the attack launched, he said.
“I walked from the law building to City Hall, and it was sunny and felt warm. I’m thinking, ‘What a great day it is.’ And I walked in and the front desk said, ‘Do you know about your email?’” he said.
“It went downhill from there.”
According to Livingston, the scam went to every email address to which Shaffer had ever sent correspondence or from which he ever received correspondence. That's how it was able to reach such a large number of accounts.
Shaffer said that people as far away as Illinois, Ohio, Texas and beyond received the scammers' phishing attempt.
Corvallis Ward 7 Councilor Paul Shaffer smiles through the swearing-in ceremony for the 2025-26 term. He was reelected Nov. 5.
“It was a huge intrusion in my life and my privacy,” he said, and it made a mess he’s spent many hours since Wednesday afternoon cleaning up.
Fortunately, IT got his email address back up and running within a few hours, Shaffer said. And he learned an important lesson — to use different passwords for different email accounts, and not to use those passwords anywhere else.
Matt Cates is a Corvallis community member and one of many who received the email pretending to be Shaffer.
“I was kind of like, ‘Why is a City Council member sending me a file?’” he said.
But because it came from a city email address, and included a signature block that looked official, he clicked the link in the email, which took him to a PDF with a subsequent link that said “View Document.” That opened a separate website, which is when he became suspicious.
“Excuse my language here, but it says, ‘Jack off, jack off, lilly, kill, XLP;’ it’s just a bunch of gibberish,” he said about the website’s hyperlink. “But the fact that it started with ‘jack off,’ I said, ‘OK, this is not official anymore.’”
He went back to the previous page and noticed it said that his login information would be needed, and grew even more wary. He returned to the original email and called the phone number in the signature block in an attempt to reach Shaffer.
But that phone number was a couple of digits off from Shaffer’s actual city number and instead took him to Pacific Inside Electrical JATC, an electrical apprenticeship program in North Bend.
Cates said the woman who answered the phone told him that the program had been receiving calls looking for Shaffer and that Cates had likely been spammed.
Even though he didn’t provide the scammer with his email and password, Cates is worried that he has been exposed to malware simply by interacting with the PDF. He said he’s already seen subsequent suspicious activity, including a detailed spam call on Friday and a notice that someone had tried to open a money-sending app account in his name. He’d also been logged off of a website repeatedly.
In February, Corvallis School District was also the target of a phishing attack, with more than 4,000 emails sent to student and staff accounts seeking personal information. Residents shouldn’t have to keep dealing with these attacks, Cates said, and in last week’s instance, he’d like to see some accountability and follow-up from the city.
Small instances of impersonation from city officials are pretty common, Livingston said, but he’s only seen two attacks of this nature, in which a scammer gained access to a city account. In both instances, it was a councilor’s.
This is good — relatively speaking — as councilors don’t have login rights to the city of Corvallis network, so it wasn’t compromised in any way, he said.
But last week’s attack involving Shaffer reached a larger number of people than the previous instance, he said. Livingston sent an email to the recipients to explain the situation, advising them to update their passwords and monitor their accounts.
But that’s the extent of the communication that those affected will be receiving from the city, he said.
He emphasized that Shaffer was not at fault, and that bad actors were responsible for the situation.
“They’re basically preying on the fact that humans are human,” he said.
It’s important to note, however, that “you shouldn’t use the same password for multiple things,” Livingston said. “Because when they sell them, they’re useless if people use a different password for everything.
“Otherwise, it’s like losing your wallet, right?” he continued. “Like, if you use the same password for everything, you have to then go change everything. It’s a whole lot of work.”
©2025 Corvallis Gazette-Times, Distributed by Tribune Content Agency, LLC.
