In recent years, Ohio's local governments, school districts, and other public entities have increasingly been targeted by cybercriminals employing payment redirect and other business email compromise (BEC) schemes. These scams, often involving spear phishing, have led to significant losses of taxpayer dollars. Drawing on recent cases involving various public entities, it's essential for government officials to understand these attacks and the principles of cybersecurity to mitigate risk.

Understanding the Threat

In payment redirect and other BEC scams, cybercriminals impersonate trusted vendors, employees, or business partners to deceive organizations into transferring money to fraudulent accounts. They do this by manipulating email correspondence, often using subtle changes to email addresses that can easily go unnoticed. For instance, an email might change from "vendor@example.com" to "vend0r@example.com." These schemes are often sophisticated and tailored, with criminals mimicking legitimate communications.

Earlier this year, a recreation district in Central Ohio fell victim to a spear phishing attack involving fraudulent payment instructions from an email account that looked almost identical (only a single letter was changed) to that of a trusted contractor who was working on a large project. The vendor's account information was changed, which resulted in $713,000 going to the scammer's account. It was only after the vendor contacted the recreation district about the missing payment that the crime was discovered. Similarly, a school district in Clermont County and a school district in Cuyahoga County lost $1.7 million and nearly $620,000 respectively because they didn't properly verify payment information change requests from fake email addresses that appeared to be from legitimate contractors.

Preventing Scams

While we recognize there is no perfect system to prevent 100% of scams, taking proactive steps can dramatically reduce the chance of a loss.
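The single-character lookalike address described above ("vendor@example.com" versus "vend0r@example.com") is something a fiscal office can screen for mechanically before anyone acts on a payment-change request. The following is an added example, not code from the Auditor's article; it assumes the entity keeps an allow-list of previously validated contact addresses (the constructed addresses below are made up) and flags any sender that nearly, but not exactly, matches one of them.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list of previously validated vendor/employee addresses,
# e.g. taken from past invoices or an official directory (assumption: the
# entity maintains such a list; these addresses are made up for the example).
KNOWN_CONTACTS = {
    "billing@acme-construction.com",
    "payroll@examplecounty.gov",
}

# Digit-for-letter substitutions commonly seen in lookalike addresses
# (the "vend0r" trick from the article).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(addr: str) -> str:
    """Fold case, drop non-ASCII lookalike letters and map common digit swaps."""
    ascii_only = unicodedata.normalize("NFKD", addr).encode("ascii", "ignore").decode()
    return ascii_only.lower().translate(HOMOGLYPHS)


def assess_sender(from_header: str, known=KNOWN_CONTACTS, threshold: float = 0.85):
    """Classify the address found in a From: header.

    Returns ("known", addr) for an exact allow-list hit, ("lookalike", addr)
    when the address is a near-match to an allow-listed one (treat the request
    as fraudulent until verified out-of-band), or ("unknown", None).
    """
    _display_name, addr = parseaddr(from_header)  # display name is attacker-chosen; ignore it
    addr = addr.strip().lower()
    if addr in known:
        return "known", addr
    norm = normalize(addr)
    best, best_score = None, 0.0
    for candidate in known:
        score = SequenceMatcher(None, norm, normalize(candidate)).ratio()
        if score > best_score:
            best, best_score = candidate, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one unrelated.
    for hdr in ("billing@acme-construction.com",
                "Acme Billing <bi11ing@acme-construction.com>",
                "billing@acme-constructlon.com",
                "vendor@totally-different.org"):
        print(hdr, "->", assess_sender(hdr))
```

A "lookalike" result is exactly the case the article's in-person verification rule exists for; the check is a filter that routes the request to a human, not a substitute for calling the vendor at a number from a prior invoice.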
Here are some key principles and recommended actions to reduce the risk:

1. Verify and Validate Requests

Never make changes to a vendor's or employee's banking information without in-person verification. Don't rely on information in the change request email. Always use contact information from validated sources, such as previous invoices or official directories. In 2023, a village in Huron County suffered financial losses when the fiscal officer made payments totaling $269,000 in response to fraudulent invoices. This incident could have been avoided by using an independently verified contact method to confirm the legitimacy of the change.

2. Require In-Person (or Independent) Confirmation

Verify change requests in person. If this is not possible, use only independently verified contact information and ask specific questions that only the legitimate requester could answer. Employees should develop a heightened sense of scrutiny, especially when a request for a change in payment information arrives unexpectedly or is accompanied by a sense of urgency. In the case of a township in Ottawa County, a spoof email requesting a change to an employee's direct deposit information led to five payments totaling $3,500 being transferred to a fraudulent account. Likewise, a school district in Seneca County lost nearly $2,000 after processing a fraudulent request to change an employee's direct deposit information. Had there been a policy requiring in-person verification or secondary approval, these attacks could have been prevented.

3. Separate Duties and Use Dual Authorization

Separate the functions of payment change initiation and payment approval. Implement internal, secondary approvals for all requests involving changes to payment instructions or contact details. This ensures that no single individual can unilaterally change critical payment information without oversight.
An agency in Stark County experienced losses of nearly $29,000 because six deposits were redirected to an unauthorized account following changes made without proper independent verification. Requiring dual authorization could have provided a safeguard against this fraud.

4. Employee Training and Awareness

Providing continual training and education to employees about policies, procedures, and recent phishing threats is critical. Employees are often the first line of defense against fraud schemes, and consistent awareness training helps them recognize potential threats.

5. Use Technology to Assist

Use layers of authentication, such as financial institution tools like ACH positive pay or debit block programs. These tools can help prevent unauthorized transactions from occurring by flagging discrepancies before money leaves the account.

6. Develop a Proactive Security Culture

Public entities should create an organization-wide culture of security. Employees should feel comfortable questioning suspicious emails or requests, and there should be clear policies for dealing with any anomalies. A township in Belmont County avoided falling victim to a spear phishing attack because of the strong internal controls they had in place. When the township received a suspicious email requesting changes to payment information, they identified inconsistencies and flagged the request as fraudulent, preventing any financial loss. This is a great example of how proper verification and adherence to policies can safeguard against cyber threats.

Conclusion

The financial losses resulting from spear phishing and BEC scams can be devastating for public entities, affecting services and eroding public trust. However, with proper training, verification procedures, and a security-conscious culture, many of these incidents are preventable.
Here's what to do if you suspect your organization has been compromised by a cybercrime: first, report the payment thefts to your financial institution to try to stop the transfer. Then notify local law enforcement. Next, contact the Ohio Auditor of State (https://ohioauditor.gov/fraud/default.html#ReportFraud) and report it to federal agencies, including the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3).

By following these guidelines, including requiring in-person verification, watching out for red flags in email correspondence, implementing dual authorization, and consistently training employees, your organization can protect itself from falling victim to these sophisticated scams.

How to Protect Your Organization from Spear Phishing and Payment Redirect Scams
Keith Faber, Ohio Auditor of State
For the full article go to: https://ohioauditor.my.canva.site/ohio-auditor-payment-redirect-scams
Also see the attached Payments Security Checklist.

James Hale, ARM-P, ARM-E
Risk Control Consultant
County Risk Sharing Authority
209 East State Street
Columbus, OH 43215
614.246.1630 FAX 614.220.0209