State auditor issued guidance on email scams in April

The bulletin’s warning that public employees could be held liable if they failed to heed its guidance could affect the city of Athens.

ATHENS, Ohio — The Ohio Auditor of State’s office issued a bulletin this past spring with guidance on detecting and avoiding payment redirect scams — and warned that public employees who failed to follow that guidance could be held accountable.

That could have ramifications for whoever in Athens city government is determined to be responsible for the loss of nearly $722,000 in an email scam last month.

Auditor of State Bulletin 2024–003 went to all public offices, community schools and independent public accountants in the state on April 12. The auditor’s office had also issued an advisory on increased cybercrime in March 2023.

Advisories function as a kind of heads-up about “emerging issues or concerns,” a spokesperson for the state auditor’s office told the Independent by email. Bulletins, on the other hand, “are formal communications that provide detailed instructions or guidance on specific topics,” the spokesperson wrote. 

The April 12 bulletin states, “Failure to follow the guidance in this Bulletin may result in an AOS finding when a loss occurs, and the employee is considered liable as a result of negligence or performing duties without reasonable care.”

According to the state auditor’s website, “When a finding for recovery is issued in an audit report, the legal counsel for the public office is authorized to collect the public money due within 120 days after receiving the audit report.”

Employee liability means that the person who authorized the payment could be held personally responsible for the money. By law, municipal officials in Ohio are required to be bonded “for the faithful performance of their duties” at an amount set by the municipality. A finding could require the responsible party to forfeit their bond. 

“The Auditor of State has a responsibility to protect taxpayer funds and hold public officials accountable. Bonds serve as a critical financial safeguard, guaranteeing that individuals entrusted with managing taxpayer dollars perform their duties with integrity, diligence, and competence,” the auditor’s spokesperson wrote. “When a bond is forfeited due to negligence or carelessness, it is a clear indication that an official has failed to meet this standard of responsibility.”

Athens City Code sets the bond for city treasurer at $200,000 and at $150,000 for the auditor. Those positions are held by Josh Thomas and Kathy Hecht, respectively.

The city has insurance for cyber crime, according to Chiki, but whether the policy would cover the loss “will depend on the results of the investigation and assignment of liability.” 

According to Chiki, the city has trained employees on phishing scams and email links and applied for a grant for further training. 

Missed red flags

Under the terms of the city’s contract with Pepper Construction for the Stimson Avenue fire house, the contractor submits requests for payment every month. According to Chiki, the project coordinator then creates a payment voucher that is sent to the city auditor’s office. 

Each payment voucher from June 2023 to August 2024 has the word “CHECK” at the top. On the voucher for September 2024 — for a payment request submitted on Nov. 11 — that word is crossed out, and the letters “DD?” are written next to it.

The amount requested was $721,976.22. 

An excerpt of an Athens city document for payment of an invoice from Pepper Construction.

According to the city’s civil suit filed in Athens County Common Pleas Court on Dec. 4, the city received an email purportedly from Pepper Construction asking to set up a direct deposit for the payment. The electronic transfer request that was submitted gives an email address at “pepperconstrcution.com,” with the “c” and “u” transposed.

“Subtle changes to names” are the first red flag that the state auditor warned of in the April 2024 bulletin. 

The timing of the scammer’s email and the misspelling in the email address are classic indicators of a phishing scheme, said Rishabh Das, an associate professor in the McClure School of Emerging Communication Technologies at OU.

In such schemes, “the attacker really studies their target — in this case, the city — and spends a lot of time and resources really understanding what the city is doing,” Das said.

Das said it’s likely that the city’s computer system was compromised somehow, giving the attackers access to crucial information — such as the receipt of an invoice for $722,000. The criminals are often based outside the United States and specifically target smaller cities like Athens that “don’t have the resources to look through some of the cybersecurity measures that need to be taken to counter these,” he said.

The city’s systems are undergoing an independent audit that will yield “recommendations to implement best practices,” Chiki said.

It’s unknown if the emails exchanged with the perpetrators met other criteria from the bulletin. 

The city denied the Independent’s public records request for the emails and other correspondence, claiming they are exempt because they are “confidential law enforcement investigatory records.” 

The Independent appealed that decision; on Monday, Chiki said he forwarded the objections to law enforcement and the city’s law department. The city had not responded with further information as of publication.

Details emerge

The city reported the theft to the Athens Police Department around 11:30 a.m. on Nov. 26, eight days after the fraudulent transfer. 

The police report, which the Independent obtained through a public records request, revealed a secondary victim of the theft. The fraudulent bank account that received the city’s transfer was created using the identity of Harry Gibson, president of Gibson Electrical and General Contractors in New Jersey.

“He’s another unsuspecting, unknown victim,” said APD Lt. Adam Claar, who took the city’s report. “He had no clue, no active participation.” 

APD notified their law enforcement counterparts in Sicklerville, New Jersey, where the company is headquartered, Claar said.

Discovering that Gibson’s identity had been stolen is just one layer in what is likely to be a complicated trail, Claar said.

In these types of scams, “You have to get several layers deep before it starts going back to anybody,” Claar said. “Most of the time it goes out of the country.”

The FBI’s Internet Crime Complaint Center received nearly 21,500 reports of business email compromise incidents in 2022, according to the center’s 2023 annual report. Of those, 565 were in Ohio, totaling over $59 million in losses.

Ohio ranked fifth by number of complaints filed with the FBI in 2022, and 17th in total losses.
