COLUMBUS — The Cleveland Public Library transferred nearly $400,000 to a fictitious vendor after not adopting proper internal controls to detect payment redirect schemes.

The June 2024 incident was noted in a management letter as part of an audit of the library’s finances from Jan. 1, 2024, through Dec. 31, 2024. The full audit report is available online at ohioauditor.gov/auditsearch/search.aspx.

Auditors noted that the library changed bank payment information after receiving a request from someone pretending to be a legitimate vendor.

“The library did not have a proper internal control process in place to detect fictitious vendors,” auditors wrote. “… We did note that the library immediately implemented multiple vendor verification measures to prevent future business email compromise schemes.”

The library was able to recoup the entire lost amount, via a $350,000 payment from its insurance company and $46,405.14 that was forgiven by the legitimate vendor. Additionally, $133,840.50 was recovered from the fraudulent bank account and subsequently repaid to the insurance company.

The Auditor of State’s Office issued a bulletin in 2024 setting clear standards and expectations for public offices in handling payment redirect requests. The bulletin is available online at ohioauditor.gov/publications/bulletins/2024/2024-003.pdf.

