The City of Athens races to get over $700,000 back from a sophisticated cyber attack

ATHENS, Ohio (WOUB) – It’s a race against time for the city of Athens as it tries to recover over $700,000 it lost in a phishing scam.

The city filed a civil lawsuit against two anonymous scammers on Dec. 4 saying it was the subject of a cyber attack.

According to court documents, scammers faked a bank transfer agreement that looked like it was coming from Pepper Construction, the company that built the city’s new fire station and is remodeling the Armory building.

This change meant when the city paid an invoice last month for $721,976.26, the scammers were paid, not Pepper Construction.

Pepper Construction is the contractor for the remodeling of the Armory in Athens. The city was recently the victim of a cyber crime by scammers pretending to be a representative of the contractor. [David Forster | WOUB]

An employee in the city auditor’s office caught the error a few days after the payment was made. The city notified the Athens Police Department, which reached out to the FBI for assistance.

Law enforcement and cyber security experts say scams like this are more common than people think and they are becoming more frequent.

The Anti-Phishing Working Group (APWG) is a nonprofit international coalition of counter-cybercrime responders. Peter Cassidy, secretary general of the APWG, said today “everything’s being scanned for opportunities.”

“The city of Athens should not feel like they were a deer in the headlights,” he said. “They were subject to an extremely sophisticated, extremely well thought out attack that could have been years in the making.”

The state Auditor’s Office said 23 governmental offices, including cities, villages, townships and school districts, were affected by payment redirect attacks in 2023. An FBI report says Ohio’s losses to cybersecurity theft last year totaled more than $197 million. 

To combat the growing number of scams targeting taxpayer dollars, the Auditor’s Office earlier this year set guidelines for changes to financial accounts. And it warned that an employee who clears a fraudulent account change could be held liable for the loss.

Cassidy said smaller communities like Athens are prime targets for phishing schemes like this.

“Athens … is a fantastic gold mine waiting to be exploited,” he said.

He said the timing of this scam also plays a key role in how a person falls for it.

“The bad guys are expert behavioral psychologists. … They’re experts at spotting and exploiting trends such as holiday rush,” he said. “They plan their attacks by the calendar as well as the opportunities that are in the newspaper every day.”

City bids and contracts are all public record, and often must be published as public notices.

Cassidy said scammers “exploit our free and open” society against us.

“It’s simple. Anybody can do it,” he said. “All they need to do is see the opportunity to build the story, their investment, a little imagination.”

In this case, the scammers simply completed a form changing how Pepper Construction was to be paid. The form directed the city to deposit payments into an account at Republic Bank and Trust.

Fake authorization agreement sent by scammers to the City of Athens [WOUB]

The contact name on the form was an employee in the accounts department at Pepper Construction’s Dublin office. However, the email address for this employee had a misspelling in the domain name.

Instead of pepperconstruction.com, it was spelled pepperconstrcution.com, with the c and the u transposed. Minor changes like this are often how scammers trick people.

Liina Pylkkanen, the director of New York University’s neurolinguistics laboratory, said research shows our brains will often “autocorrect” misspelled words, making it difficult to catch these traps.

Once the change is made, any invoices paid by the city will go to the fraudulent account.

Officials say once that money is gone, it’s hard to get it back.

Athens Police Chief Nick Magruder said once the invoice is paid, “they move it.”

Magruder said with each transfer, the court must issue a warrant to gain access to the bank account and see who owned the account and where they transferred the money next.

“It’s a leapfrog … you’re waiting for the next one, you’re waiting for the next one,” he said. “It’s just seeing, it’s bank after bank after bank after bank. It almost gets tiresome, just wears you out.”

He said this process can slow law enforcement as they work to try and not only regain the stolen funds but also catch the scammers.

“We’re playing a far-behind game,” he said. “That’s why the FBI gets involved because they can do things a lot quicker and have agreements with certain people that they can work that out.”

But even if the legal process were to move quicker, Cassidy said these scammers work faster.

Recovering stolen funds, he said, is “always going to be less than 50% because professionals that are looking at taking three-quarters of a million dollars have planned their exits very carefully. At that point, you’re calling banks that are offshore or two or three hands away, or you’re trying to trace it through the cryptocurrency organizations.”

Republic Bank said its policy is once an account has been flagged as fraudulent, it is frozen.

Republic said it has been contacted by the city’s bank and is working with them.

A criminal and civil investigation into the scam is ongoing. It is unclear if or how much money the city could end up recovering.

Athens Deputy Service-Safety Director Andrew Chiki said the city has cyber insurance and may be able to get some money to help cover the loss. But it depends.

“How much of a loss is covered, if there is a loss, will depend on the results of the investigation and assignment of liability,” he said in an email.

Guidelines from the State Auditor’s Office say government employees must carefully look at and verify any information on a new bank transfer request. And municipalities need routine training and cybersecurity policies to properly vet information.

The auditor will conduct an investigation and if its guidance was not followed, the employee who cleared the account change may be considered liable “as a result of negligence or performing duties without reasonable care.”

WOUB reached out to the Auditor’s Office to find out whether any government employee has been held liable for a phishing scam under these guidelines.

“To date, AOS has not issued a Finding for Recovery (FFR) for a cybersecurity incident according to the guidance,” a spokesperson said. “However, adherence to the bulletin’s guidance is being evaluated in regular client audits going forward.”

Cassidy said these reviews are important as these scams become more common.

“No one who works in a back office should ever assume they’re not being watched because they are,” he said. “Everyone in the back office is a target and has been increasingly the target of phishers.”

He said training and awareness education for clerical workers “should be part of everyday calendared events.”

“It should be part of normal life for back offices, clerical staff, to be reminded that they’re subject to … specific kinds of commercial phishing,” he said.

The city of Athens does perform annual fraud training required by the state.

Chiki said the city’s IT department also sends out fake phishing and email link tests on city employees to evaluate staff awareness. The city also applied for a grant before this incident for cyber training for staff.

Even with the high level of importance surrounding this training, Cassidy said the constant fear that each new email could be a scam is a scary thought.

“As heart-aching as it is to think that you’re being monitored like that, you have to understand it’s part of the risks that you have to manage on behalf of your employer,” he said. “Even if it’s a small city.”