ATHENS, Ohio — The City of Athens’ 2024 financial audit from the Ohio Auditor of State required the city take corrective action to guard against future cyber scams –– but Athens wasn’t penalized for losing $722,000 to scammers that year, despite previous warnings from the state auditor’s office.
The city fell for the cyber scam in November 2024, when a message from a spoofed email address requested payment for contract construction work on the city’s new Richland Avenue fire station. Claiming to be the company actually contracted to do the work, the email requested that the city pay by direct deposit, instead of by check, the method previously used.
Published Dec. 9, 2025, the city’s 2024 audit found that, “The City made the payment to the third-party without taking the necessary steps to verify this change per sound cyber security controls outlined in Auditor of State Bulletin 2024-003.”
That bulletin warned that municipal employees who fail to follow its recommendations to guard against cyber crime could be held personally responsible for any loss of funds resulting from the scams they fall for.
Athens employees failed to identify red flags that the bulletin warned about, namely “subtle changes to names to make you think you are communicating with a legitimate or known person/vendor.”
However, the state auditors office ultimately did not hold anyone in the city personally responsible for repaying the funds lost in its 2024 audit. That might not be the final word on the matter, though.
“The FBI has been investigating this situation, and the Auditor of State’s Office will be considering the outcome of the federal court case in the Southern District of Iowa during the next financial audit of the City of Athens,” David Roorbach, press secretary with the Ohio Auditor of State, told the Independent in an email. Roorbach did not specify a particular federal court case and did not immediately reply to the Independent’s request for additional information.
The 2024 audit included the city’s views on the state’s findings related to the cyber crime.
“Once concerns were identified, the City took immediate steps to assess the situation and evaluate internal controls to prevent similar incidents from occurring in the future,” the city wrote, in part. “We respectfully request that the circumstances surrounding this incident, including the City’s status as an unknowing victim of misconduct, be taken into account as part of the overall evaluation of this finding.”
City Auditor Kathy Hecht shared a similar sentiment when asked about the audit finding.
“We responded in a timely manner to the incident, notified everyone that we should have, worked with law enforcement, our insurance carrier, attorney and the state auditor’s to do everything we could to remediate the situation under the circumstances,” Hecht told the Independent in an email.
Corrective action
The state audit recommended that moving forward, the city “enhance its internal controls over verification of vendor payment information changes as well as implementation of training around these types of attacks.”
By the time the audit was released last month, the audit’s recommended actions related to the cyber crime were marked as completed.
“The City of Athens hosted cyber security training and implemented a new process for verifying the legitimacy of ACH/EFT change requests from vendors,” the audit says.
Hecht shared more detail with the Independent in an email.
“The training by the FBI included a lot of information regarding types of fraud situations, what to look for and ways to prevent being scammed,” Hecht said. “The city provided updated testing, has implemented multi-factor authentication, training and security awareness modules, entered into an outside security contract, and eliminated online accounts not needed by employees.”
Hecht also pointed to the city’s new cyber security policy, which Athens City Council approved last fall and which went into effect Jan. 1, as well as a new verification process for changes to financial information.
“The Auditors office has added a process for in-person verification of changes to financial institution information for Payroll. The Accounts Payable administrator calls the vendor to verify the request and information,” Hecht added.
Other scam victims had findings for recovery
While Athens employees were not held personally responsible for falling for the cyber crime in the city’s 2024 audit, other municipalities across the state were not as fortunate.
The state auditor issued several findings for recovery resulting from similar scams that took place in 2024 and impacted Shawnee Hills in Delaware County, Highland County, the Village of Holland in Lucas County, and Pleasant Local Schools in Marion County.
In contrast, the Cleveland Public Library transferred nearly $400,000 to a fraudulent account in June 2024, but did not face a finding for recovery. In that instance, the library was able to recoup the entire lost amount on its own, largely through an insurance payment.
Athens also has insurance for cyber crime. The city’s insurance paid out $200,000, and the city’s policy has a $10,000 deductible, Hecht told the Independent.
Additionally, the city has been working to recoup some of the funds it lost as part of a legal dispute with Regency Centers, which lost funds to the same scammers. Both the city and Regency claim they are entitled to funds that Republic Bank & Trust recovered from the scammers.
The case is currently in mediation, with the parties aiming for a resolution by Feb. 19.
Note: This story was updated since initial publication to include comment from the Ohio Auditor of State’s office. Also, on Jan. 30, the headline and first sentence of the story were adjusted to make clear that it was the 2024 audit that declined to penalize Athens employees. The audit was not the final word on the matter, according to the Ohio Auditor of State’s office.
Let us know what's happening in your neck of the woods!
Get in touch and share a story!
