search
Donate

News

Ohio’s auditor says cybercrime steals more from local governments than employee fraud

By:
Posted on:

< < Back to

COLUMBUS, Ohio (Statehouse News Bureau) — Three quarters of the global leaders interviewed for a survey for the World Economic Forum in Davos say in the last year, cybercrime has hit them, their companies or someone they know. Ohio’s state auditor says it’s also become a big and costly problem for some local governments.

A person types on a laptop while a digital display in front of them shows a digital lock.
[Shutterstock]
“I’ll be blunt; I think we lose more money to cyber fraud in Ohio than we do to employee theft and dishonesty, which is a big statement,” said Auditor Keith Faber in an interview. “Every week we find out more and more local governments, more and more entities are being hit by ransomware, by vendor redirects. And the numbers that come across my desk aren’t small. They’re in the tens of thousands to hundreds of thousands of dollars.”

Over the last three years, Faber’s office logged more than 150 cybercrime incidents hitting local governments, including counties, municipalities, townships, school districts, villages and other entities. Some scams were caught before any money was lost. But when there were losses, they ranged from a few thousand dollars to $1.9 million.

Faber’s office has twice alerted local governments to business mail compromise schemes that redirect vendor payments to scammers. It’s a type of spear-phishing, which is a targeted cyberattack designed to go after specific people or organizations. Faber said scammers have a little information about a vendor who’s owed for a project, and they reach out with what they claim is an updated account or location to send the payment. It can happen over email or in a phone call.

“The simple answer is never, ever, ever, ever, never, ever, ever accept redirect requests over the phone or over electronic means. Require people to come in in person,” Faber said. “Is it more onerous? Absolutely. Will it stop most if not all of that fraud? Absolutely.”

Governments are legally required to report cybersecurity incidents to the Ohio Department of Homeland Security within a week and to the auditor’s office within a month.