Email exchanges detail how the city of Athens fell victim to a $700,000 cyber scam


ATHENS, Ohio (WOUB) — The morning of Nov. 14, an Athens city employee received an email from an accountant with the construction company building the new fire station.

He asked if the city’s next payment for work completed, more than $700,000, could be paid directly into the company’s bank account instead of by check.

“We have fully moved to a new payment method to streamline all our receivables and ensure those subcontractors get paid on time, as the payment is holding them back with their work,” he wrote.

The city employee said this could be done if the company set up an electronic payment arrangement.

But the person the employee was exchanging emails with was not an accountant with Pepper Construction. Instead, the imposter was part of a sophisticated cyber crime operation that bilked the city out of $721,976, and was in the process of extracting even more money from the city when the scam was discovered.

Investigations into the cyber crime are ongoing, but dozens of emails released by Athens Friday show how the scammers were able to insert themselves into an existing thread of legitimate email exchanges without notice and then start sending their own emails to redirect payments for work done on the fire station.

An email from Athens city employee Jessica Covert to another employee drawing attention to a suspicious email address.

It appears the scammers began laying the groundwork the third week of October as Patty Witmer, the grants administrator for Athens, was exchanging emails with Evan Grootenhuis, a senior project accountant at Pepper Construction’s office in Dublin.

The two were going over details that would determine the amount of the next payment. What they didn’t know is that scammers were watching.

An email Witmer sent to Grootenhuis on Oct. 21 went not just to Grootenhuis but got routed behind the scenes to another email address that is almost identical to Grootenhuis’ address.

Pepper uses the domain name pepperconstruction.com. The scammers created two email addresses for Grootenhuis with similar domains: One was pepperconstrcution.com, with the c and the u transposed, and the other was pepperconstructlon.com, with an l in place of the i.

These fake addresses are easily overlooked, especially if someone is simply hitting reply in response to an email.
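
The check below is an added example, not something from the city, Pepper Construction or the investigation: it flags a sender whose domain sits within a couple of single-character edits (including a swap of two neighboring letters) of a known vendor domain, which covers both fake domains described above. The allow-list, function names and the `accounts@` and `example.org` sample addresses are constructed for illustration.

```python
# Trusted vendor domain named in the article; the allow-list itself is an assumption.
TRUSTED_DOMAINS = {"pepperconstruction.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance where an insert, delete, substitution, or swap of two
    adjacent characters each costs 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1,               # deletion
                         cur[j - 1] + 1,            # insertion
                         prev[j - 1] + (ca != cb))  # substitution
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()

def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain, distance) for a sender."""
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain, 0)
    for good in sorted(trusted):
        distance = osa_distance(domain, good)
        if distance <= max_distance:
            return ("lookalike", good, distance)
    return ("unknown", None, None)

if __name__ == "__main__":
    samples = [
        "accounts@pepperconstruction.com",      # constructed, real domain
        "EGrootenhuis@pepperconstrcution.com",  # from the article: c/u swapped
        "egrootenhuis@pepperconstructlon.com",  # from the article: l for i
        "billing@example.org",                  # constructed, unrelated
    ]
    for address in samples:
        print(address, "->", classify(address))
```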

The alternate domains were registered by someone with an address and phone number in Iceland.

It appears the scammers at first were just spying on email exchanges to gather information about the upcoming payment. Scammers will build a profile “based on the information that they’re gathering so that they become very knowledgeable about all of the information that you would need to know to be able to defraud somebody,” said Andrew Chiki, the city’s deputy service-safety director.

Shortly after one of the scammers, posing as Grootenhuis, reached out to the city about switching to electronic payments, someone from the city emailed the form to set this up. The scammers used one of the fake Grootenhuis email addresses on the form and a phone number with a Florida area code.

The next day, Friday, Nov. 15, the city processed the payment, depositing $721,976 into a checking account at Republic Bank & Trust.

The following Monday, a scammer posing as Grootenhuis emailed Jessica Covert, an account administrator with the city, saying the payment had not yet been deposited into the account.

“Could you please check on your side to see if there are any issues?” the scammer wrote.

Covert replied that it should hit the account that day or Tuesday at the latest. The payment hit the account on Monday.

Four days later, on Thursday, Nov. 21, a scammer posing as Grootenhuis emailed Covert: “Unfortunately, our mailbox was recently vandalized, resulting in missing checks and unauthorized transactions linked to our previous bank account.”

The scammer said they would provide the city with another bank account for the next payment: “Please let me know if I can share the updated information with you now.”

An email from Athens city employee Jessica Covert sharing her concerns the city might be the victim of a scam.

Covert was starting to get suspicious.

She sent an email to Witmer: “You might want to reach out to whoever you deal with at pepper and tell them that someone is trying to change the banking information in the system. Look at the email from this one. egrootenhuis@pepperconstructlon.com.”

She noted the other emails she received were from EGrootenhuis@pepperconstrcution.com.

It’s not clear if Covert believed that was the legitimate address for Grootenhuis.

“I don’t feel comfortable sending them direct deposits anymore,” Covert wrote. “I think we should change it back to check.”

Witmer forwarded Covert’s email to the real address for Grootenhuis and two other Pepper employees and flagged the message as of high importance.

“Please note the email below from our Auditor’s Office,” Witmer wrote. “The request is that we return to issuing checks and not direct deposit any payments.”

It’s not clear whether this email raised any red flags for the people at Pepper.

Four days later, on Monday, Nov. 25, a Grootenhuis imposter emailed Witmer saying they could not access the payment because their bank account had been jeopardized.

“Please have her send a check instead, as she’s not comfortable with ACH payments. We’re having issues with the subcontractors since they haven’t been paid yet. Please advise, as this is urgent.”

Witmer forwarded the email to Covert, who replied minutes later: “I can’t take back an ACH payment. They need to talk to their bank. I think this is a scam. Look at the email address.”

Witmer reached out to Grootenhuis: “Please review the emails below. The email addresses from Pepper Construction are suspicious. Are you originating these emails?”

Two hours later, Grootenhuis replied: “Yes this is NOT US and appears to be a scam!”

“Please confirm you did not send them information and wow these scammers are getting good,” he wrote.

An email by Evan Grootenhuis, an accountant with Pepper Construction, confirming the city has been scammed by imposters.

The city filed a lawsuit against the unknown scammers in early December. In early January, Republic Bank disclosed in a legal filing that there was still $349,522 in the bank account used by the scammers, which has been frozen. The scammers used the same account in a scam against a national retailer developer.

The bank is asking the judge to decide how to divide up the money.

Meanwhile, investigations by the Athens Police Department, the FBI and the city’s insurer are still underway. 

Chiki said the insurance investigation is nearing completion and he’s hoping the city will find out in the next couple of weeks how much it will recover under its policy.

“When people talk about the city, the city’s made up of people that live here and it’s painful for everybody,” Chiki said. “The citizens, our community as a collective, are victims of highly organized crime … but at the end of the day, there’s a criminal that acted to take all of our money, the taxpayer money, and leave us holding the bag to try figure out how to clean it up.”