State Auditor Dave Yost warned local governments about cybercrimes in a press conference Thursday at the Statehouse in Columbus.
“The internet is the tool of choice for criminals, and we need to make it as difficult as possible for thieves to access community treasure chests,” Yost said. “We’re seeing a disturbing increase in cybercrime.”
The press conference was prompted by several attempted frauds on local governments, he said.
The only reason authorities know about the attacks is that some have asked the auditor’s office for help, Yost said. By law, nobody is required to report these types of crime.
Recently an employee in the Big Walnut School District treasurer’s office transferred $38,520 on a request she thought came from her boss.
The email she received was a realistic counterfeit of the district’s email, Yost said. She took steps to verify the email before transferring the money asking that a vendor be promptly paid.
The email had all of the markings of a district email, including the appropriate email address and letterhead. The employee and an individual who appeared to be her boss exchanged several emails to answer questions before the transfer of $38,520 was made.
Yost said his office spends a lot of time training staff to prevent cyber-attacks. Before the press conference, a test was sent to his staff in the form of an email with an attachment.
“How stupid do you have to be in 2016 to go opening attachments in your email?” Yost asked. “We sent out an email to 100 folks in the auditor’s office. Within two hours, 19 of them had opened the email.”
Yost called the press conference because several local governments in Ohio have fallen prey to cybercrimes, costing thousands of taxpayers’ dollars. The crimes have occurred in Delaware, Madison, Morrow, Clinton and Warren counties.
However, Yost said he was not aware of the recent forged check in Delaware County’s Liberty Township, which officials believe may have been done online.
Recently a $134,000 forged check was discovered by Nancy Denutte, fiscal officer for Liberty Township. Denutte has said she believed the fraud took place online.
Denutte found the check while reconciling the township’s bank statement. The check was made out to a used-car dealership in Sidcup, England, and drawn on the township’s account at Delaware County Bank.
“I haven’t been made personally aware yet,” Yost said. “I have never heard of anyone taking funds and buying a car in England.”
The auditor’s office says it stresses at least using basic measures for the prevention and recovery of a cyber-attack by keeping anti-virus software up to date.
“A lot of these governments are very small,” Yost said. “They should be making sure their anti-virus is up to date. Do nightly backup of data.”
Yost said he is not aware of any attacks on state computer systems. “I’m not aware at this point of anything that has had phishing attacks,” he said.
“If you get one of these phishing attacks, call the cops,” he said.
Liberty Township contacted the Delaware County Sheriff’s Office regarding its forged check. The sheriff’s office says it plans to turn the case over to the U.S. Department of Justice.
Yost shared one of his favorite quotes from Ronald Reagan. “Trust but verify,” he said. “Always cut the cards and don’t be afraid to see what you see.”
Trouble can start with the simple things. “It’s as simple as opening an attachment,” he said.
Making the quote fit today’s email frauds and cybercrime, Yost suggested flipping it. “I think in this case we need to kind of turn that upside down,” he said. “When it comes to email, verify — then trust.”
If you have an email from a trusted source asking for a large amount of money to be transferred, pick up the phone to call and verify. “Did you just send me an email for a $60,000 transfer?” Yost said. “That will go a long way.”
“This is about paying attention,” Yost said. “Much of the illicit fraud we see with funds does occur online.”
D. Anthony Botkin may be reached at 740-413-0902 or on Twitter @dabotkin.