
ATHENS, Ohio — The email scam that convinced the City of Athens to send nearly $722,000 to a fraudulent bank account is an example of an all-too-frequent crime, according to an Ohio University professor who specializes in cybersecurity.
Rishabh Das is an associate professor in the McClure School of Emerging Communication Technologies at OU. The Independent spoke with him on Tuesday morning about online theft in general and Athens’ loss in particular.
The interview has been edited for clarity and brevity.
ACI: Is this type of scam unusual?
RD: It’s not. This is one of the most common types of crimes when it comes to cybersecurity scenarios. This is considered something called phishing or spoofing, which means that the attacker really studies their target — in this case, the city — and spends a lot of time and resources really understanding what the city is doing.
The attacker did a great job understanding the overall scenario … and they crafted a very, very targeted scenario where the employees were unable to detect that they were interacting with the attacker, rather than the actual company or the contractor [that] was handling the job.
The Verizon [data breach investigations report] looks at specific metrics on what types of crimes and breaches are more common. About 68% of the cybersecurity crimes target the human element, which is, unfortunately, the weakest chain in cybersecurity. And this was one of those attacks that falls under that 68%.
The FBI Internet Crime Complaint Center does a yearly report. They do a very good job highlighting how each state, and how each entity within the state is getting compromised or reporting these crimes. Ohio is one of the top states as a target. This can be a good or bad thing in terms of cybersecurity. The good part is, Ohio is well trained to report these crimes, which is great that you are reporting — you’re maintaining a history and paper trail of all the incidents going on. But it also unfortunately shows, on the darker side, that we are a target in our state.
Ohio’s loss was about $190.7 million just in 2023, so it is substantial. If you look at cybercrimes that were reported fairly quickly after the department realized they were a part of that incident, the recovery rates are very promising. But similar to a kidnapping incident, when you take a lot of time and maybe wait weeks or months before reporting some of these incidents, the attacker usually gets a lot of time to siphon the money out to accounts or change it into cryptocurrency which is much harder to detect and recover.
The FBI has a specific department called the Recovery Asset Team, or RAT, that is specifically designed to handle these kinds of frauds, be it individual or municipalities or cities like us. They have a very promising success rate — in 2023 it was 71%. They were involved in about 3,008 incidents, and they were able to freeze about $538 million. But $219 million was still lost to the attackers.
ACI: The invoice appears to have matched invoices coming from Pepper Construction, which leads people to speculate that it was an inside job or that the city’s systems were compromised and the thieves were able to get in there and look at this stuff.
RD: This is one of the strategies that the attackers usually follow to make their email or spoof document really, really credible. They study their target really closely. And in this case, the only giveaway was, instead of pepperconstruction.com, they had pepperconstrcuction.com — the C and U in the attacker’s domain were transposed. So there was a minor, minor change in the URL that the employee was unfortunately clicking on. If you consider the human element, we often mistype and our brain kind of automatically corrects that because we are not reading that misspelled word correctly. The whole scenario is a typical example of phishing.
These are not usually insider jobs. Most of the statistics and research usually point to some external entity that might be based out of the U.S. — international countries, sometimes even nation states who are targeting these several smaller cities, because a lot of smaller cities don’t have the resources to look through some of the cybersecurity measures that need to be taken to counter these.
A big city, which has a substantial budget … would have more layers of security, which means that the attacker has to get through those layers and spend more resources to get to the crown jewels. For smaller cities, that’s really not the case. They have a limited number of employees. They do a limited number of construction projects. And unfortunately, with the internet these days, everyone’s life is socially available online. [Attackers] can … gain insights into employees, and then craft that specific scenario which can compromise a department, or an individual within the department, to gain more access. It’s all about that intrusion cost and layers of security.
ACI: Were the city’s anti-phishing measures sufficient?
RD: Cybersecurity is built in layers. We call it defense in depth. … Each item that the state or municipality usually deploys makes it harder for the attacker to actually compromise its target. Training is just one of those layers. If you train your employees, your employees become the final line of defense — who can look at an email and say, “Hey, maybe we need to give this a second thought,” or “Maybe we need to check who the sender is in that email.”
They were doing specific fraud trainings, which is great, and they are also doing independent audits, which is very, very important, because you get a different perspective from an auditor who is really experienced in that field and who can give specific guidance. These are all great measures to drive the cost of intrusion higher, which means that you’re adding layers of security so that the attacker now has to spend more resources to get to the crown jewel or the target. So, [the city of Athens is] absolutely on the right track.
With more resources, they can consider cyber insurance, so that even when things get compromised, they have a fallback where they can work with companies and insurance companies to get back some of that money right away, rather than going through the whole incident response cycle. And they can also add advanced technologies … [such as] Sender Policy Framework, or SPF, and DomainKeys Identified Mail, or DKIM. These are more on the technical side, but they are advanced technologies that can be installed within the offices so that whenever an email is coming into the mailbox, it gets prescreened … so that the employee who is in the office is getting a cleaner version of that email.
ACI: The city filed a police report about the theft eight days after the transfer occurred. Is that a good window, a bad window, a medium window?
RD: I would say it’s somewhere in the medium time frame. Normally, in the case of phishing, it is harder for the victim to realize that they have been phished because the whole scenario is built around winning public trust, right? The victims think that they are interacting with a legitimate entity, but unfortunately, they are not. So reaction time in phishing is usually longer than other scenarios like ransomware or malware, where your computer just stops working and you’re given a prompt that, “Hey, pay us this money or we are not going to give back the data.”
The recovery will definitely be challenging. The attacker was very, very sophisticated, because he was able to get certain documents and crafted [the scam] in a way which was believable by people who were seeing and auditing these documents. So I’m quite sure they would plan a great strategy to move the funds around in a way which would be harder for the FBI to detect. But still, because it was pretty quick, there is a chance that the city might get back at least partial amounts of funds.
ACI: One of the things the police report revealed was that the account the money was sent to had been set up using the stolen identity of a contractor from New Jersey. The police department was talking about how these types of scams have layers, and you have to dig through those layers to get anywhere. Is that pretty typical as well?
RD: Absolutely. And similar to the defense layers, the attacker’s layers make it harder for the police … to detect them. Oftentimes they use a stolen identity — which is, by the way, very easy to get. If you pay $7 or $10 to one of these databases, they will give you millions of stolen identities, and attackers can use that to craft a scenario just like the one that happened to Athens. They will use IP addresses from different foreign countries and the FBI or the police … have to go through these chains of events, talk to different agencies and collaborate to get to the origin of the attack, which takes a lot of time, effort [and] resources, and slows down the investigation overall. So similar to the defensive layers, these layers are built by the attackers to make it hard for the investigation to proceed in a smooth way.
ACI: Given the eight-day time frame and what the city has done so far, that we’re aware of, what is the likelihood that they’re going to get any of this money back?
RD: A recovery of [a] partial amount is promising, but the recovery of [the] whole amount is challenging, because the attacker — the moment they get the funds, they would start siphoning out money into cryptocurrencies or accounts that might not be accessible nationally. They might move the money out of the country altogether.
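The lookalike-domain giveaway described in the interview is something a finance office can check for mechanically before acting on an invoice. The following is an added example, not code from the interviewee or the City of Athens: it scores a sender's domain against a list of trusted vendor domains with an edit distance that counts insertions, deletions, substitutions and swapped adjacent letters as one change each. The trusted list (beyond pepperconstruction.com, which appears above) and the sample addresses are constructed.

```python
"""Flag sender domains that are one or two edits away from a trusted vendor."""
from email.utils import parseaddr

# Constructed list: vendors the office actually pays. pepperconstruction.com is
# the real vendor named in the interview; vendor.example is a placeholder.
TRUSTED_DOMAINS = {"pepperconstruction.com", "vendor.example"}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance.

    Insert, delete, substitute, or transpose two adjacent characters, each at
    cost 1, so 'pepperconstrcuction.com' is 1 edit from the real domain."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike:<nearest trusted domain>', or 'unknown'.

    max_edits=2 is a tuning choice; very short trusted domains may need 1."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if 0 < osa_distance(domain, good) <= max_edits:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, including the lookalike from the interview.
    for hdr in ("Accounts Payable <ap@pepperconstruction.com>",
                "Accounts Payable <ap@pepperconstrcuction.com>",
                "someone@gmail.com"):
        print(f"{hdr!r:55} -> {classify_sender(hdr)}")
```

A 'lookalike' verdict is a reason to verify the payment change out of band with a known contact at the vendor, not proof of fraud on its own.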