
An Ohio school payroll officer recently found themselves at the center of a phishing scam, highlighting persistent vulnerabilities in local government cybersecurity. According to the Ohio Auditor of State's office, a Pleasant Local Schools employee in Marion County was issued a finding for recovery after changing an employee’s bank deposit information without proper verification, as reported by ohioauditor.gov. The officer fell for a phishing scheme and altered the direct deposit data based on a deceptive email, leading to a recovery amount of $1,291.64. This incident marks the first time the Auditor of State's office has required repayment for such a scam, despite previous alerts about these cyber threats.
Phishing scams are becoming increasingly common, with dozens of government offices across Ohio falling prey in the past two years. These fraudulent schemes often involve emails that appear to come from known vendors or employees requesting changes to banking details or addresses. Government workers who believe the requests to be legitimate process them without independently verifying the information. Auditor of State Keith Faber criticized the oversight, stating, "Scammers are not going to stop trying to trick public offices into sending them money," and stressed that public officials who fail to confirm such details will be held responsible for the financial loss.
The redirection of funds in these scams amplifies the difficulty of recovering lost public money. The issue persists despite a detailed advisory in March 2023 and a subsequent bulletin in April 2024 offering recommendations for recognizing and blocking these cyber fraud attempts. These advisories also included tips for preventing the unauthorized transfer of public funds. The ohioauditor.gov website has compiled free resources and training materials to help local governments improve their defenses against such scams.
In response to the recent scam, the Pleasant Local School District implemented a new verification policy for email requests. In a statement obtained by ohioauditor.gov, auditors found that "The payroll officer made no effort to further verify the requested change beyond the receipt of the email. The district had no formal policy that required this type of verification until after the loss occurred." After the loss, the district adopted two-step verification protocols to mitigate the risk of future phishing incidents.