Finding for Recovery, Repaid Under Audit, Issued After School Payroll Officer Changed Bank Deposit Information in Phishing Scam
COLUMBUS — A finding for recovery of $1,291.64 was issued against a payroll officer for Pleasant Local Schools in Marion County, who changed an employee’s automatic deposit information without verifying the legitimacy of the request.
The finding, which was repaid under audit, marked the first time the Auditor of State’s Office called for repayment of public funds lost as a result of a phishing scam, despite warnings and official guidance to prevent such incidents.
“Scammers are not going to stop trying to trick public offices into sending them money,” Auditor of State Keith Faber said. “There is no valid reason for public officials to be changing bank deposit or vendor address information based solely on email messages they receive. Those who fail to verify these transactions beforehand will be held accountable when public funds are lost.”
Dozens of government offices have been targeted by payment re-direct attacks over the past two years, causing millions of dollars in losses of public funds.
The re-direct schemes, or “business email compromises,” often involve seemingly innocent messages to government offices from individuals impersonating vendors or other employees and seeking to have payments sent to different bank accounts or addresses.
Unsuspecting Ohio government offices, thinking they are dealing with a known vendor or employee, process the requests and change banking information without independently verifying the legitimacy of the requests or confirming the identities of the requestors.
Once the funds are transferred, they’re often difficult to recoup.
Auditor Faber initially warned local governments of the scams in an advisory in March 2023 (ohioauditor.gov/publications/advisory-memos.html), then issued a formal bulletin in April 2024 (ohioauditor.gov/publications/bulletins/2024.html) that included tips for identifying the schemes and recommendations for preventing the transfer of public funds to cyber crooks.
The Auditor of State’s Office also has assembled information on free training and other resources to assist government offices in avoiding the phishing scams (ohioauditor.gov/fraud/cybersecurity.html).
Despite the guidance, a payroll officer for the Pleasant Local School District in November 2024 changed an employee’s bank routing information after receiving an email request.
Auditors determined, “The payroll officer made no effort to further verify the requested change beyond the receipt of the email. The district had no formal policy that required this type of verification until after the loss occurred.”
In late November 2024, in response to the loss, the district implemented two-step verification for emails.
###
The Auditor of State’s Office, one of five independently elected statewide offices in Ohio, is responsible for auditing more than 5,900 state and local government agencies. Under the direction of Auditor Keith Faber, the office also provides financial services to local governments, investigates and prevents fraud in public agencies, and promotes transparency in government.
Public Affairs
Contact: Marc Kovac
press@ohioauditor.gov