In an increasingly digital world, Ohio municipalities are finding themselves in the crosshairs of sophisticated cybercriminals. From major metropolitan areas to small towns, these attacks are not only growing in frequency but also in complexity, leaving local governments scrambling to protect their digital infrastructure and taxpayer dollars.
The Rising Threat Across Ohio
The statistics paint a concerning picture for Ohio’s local governments. According to the state auditor’s office, at least 23 local government offices in Ohio were victims of cyber-crimes between April 2023 and April 2024, resulting in the loss of hundreds of thousands of dollars in public funds. These attacks have targeted cities of all sizes, from major metropolitan areas to small towns.
Columbus, Ohio’s capital and largest city, experienced a severe ransomware attack in July 2024 that compromised the personal information of approximately 500,000 residents according to notifications filed with authorities Cybersecurity Dive. The attack was attributed to a foreign ransomware group known as Rhysida, which reportedly stole 6.5 terabytes of data and attempted to auction it on the dark web according to cyber security reports Schneider Downs.
Cleveland, another major Ohio city, also suffered a ransomware attack that shut down city hall operations for days according to cybersecurity incident reports. These high-profile attacks demonstrate that even larger cities with more resources are vulnerable.
Small Towns, Big Targets
While major cities make headlines when attacked, smaller Ohio municipalities have proven particularly vulnerable to cyber scams. In November 2024, the city of Athens fell victim to a sophisticated phishing scam that cost the city over $700,000 intended for construction work on a new fire station.
The Granville Recreation District lost $713,000 to a phishing scam in 2023, while West Clermont Local Schools was hit with a cyber-attack that cost them $1.7 million according to reporting by multiple Ohio news outlets. These smaller entities often lack the robust cybersecurity infrastructure and expertise of larger organizations, making them attractive targets for cybercriminals.
How the Scammers Operate
The Athens case provides a sobering example of how these scams work. Cybercriminals used public records to learn about a contract between the city and Pepper Construction, which was building the city’s new fire station. The scammers then created fake email addresses nearly identical to legitimate ones from the construction company – in one case, replacing a letter “I” with a letter “L” to make the difference almost imperceptible.
Posing as the construction company, the scammers convinced city officials to switch from paper checks to direct deposit payments and then provided fraudulent bank account information. By the time the city discovered the fraud, the scammers had already transferred most of the money through multiple accounts, often ending in offshore locations that are difficult for law enforcement to trace.
The Financial and Operational Impact
The financial consequences of these attacks are staggering. Beyond the direct monetary losses, cities face substantial costs for recovery, investigation, and implementing stronger security measures. The Columbus ransomware attack disrupted numerous city services, forcing officials to disconnect internet connectivity and restore systems according to media reports.
For smaller municipalities, these losses can represent significant portions of their annual budgets. In Athens, city officials filed a lawsuit against the anonymous scammers and are working with their insurance company, hoping to recover at least some of the stolen funds as reported by Ohio media outlets WYSO.
The Transparency Challenge
The aftermath of these attacks also raises questions about transparency and public disclosure. In Columbus, controversy erupted when cybersecurity researcher Connor Goodwolf (legal name David Leroy Ross) discovered that the city’s data breach was more extensive than officials had publicly acknowledged according to reports from CNBC.
When Goodwolf warned residents through local media about the severity of the breach, the city filed a lawsuit against him – a move that cybersecurity experts criticized as potentially having a chilling effect on future security disclosures as reported by CNBC.
How Cities Are Responding
In response to the growing threat, Ohio municipalities are strengthening their cybersecurity defenses. The Athens case prompted the state Auditor’s Office to establish new guidelines for changes to financial accounts. Many cities are now implementing multi-factor authentication, enhanced email filtering, and more rigorous verification processes for financial transactions.
Cyber insurance has also become increasingly important, though it doesn’t eliminate the need for robust security practices. Athens had such insurance coverage, which may help offset some of their losses.
Lessons for All Ohio Municipalities
These incidents highlight several critical lessons:
- Verify, then trust: Always verify requests for payment changes through multiple channels, especially when they involve large sums of money.
- Train employees: Regular cybersecurity awareness training is essential for all staff, particularly those handling financial transactions.
- Implement robust email security: Tools that can detect suspicious email domains and phishing attempts are critical.
- Establish clear protocols: Create detailed procedures for verifying and approving financial transfers, particularly when changes to payment methods are requested.
- Invest in cybersecurity resources: Even for small municipalities with limited budgets, the cost of prevention is far less than the cost of recovery.
As Peter Cassidy, secretary general of the Anti-Phishing Working Group, noted regarding the Athens incident, small communities shouldn’t feel singled out – they were subjected to “an extremely sophisticated, extremely well thought out attack that could have been years in the making” according to WOUB reporting WOUB Public Media.
For Ohio’s cities and towns, the threat of cyber scams is not a question of if, but when. By learning from these incidents and implementing stronger security measures, municipalities can better protect themselves and the public funds entrusted to them.
Discover more from Northeast Ohio News
Subscribe to get the latest posts sent to your email.