In November, Athens, Ohio, officials sent nearly $722,000 to a bank account they believed was set up by the city's contractor, Pepper Construction, to receive payment for its work on a fire station headquarters. The request was actually a sophisticated cyber attack that took advantage of a construction payment system that often does not allow clients processing invoices to directly know those behind the email addresses making the requests.
Simply transposing two letters in a commonly misspelled word can be the only difference between a legitimate request and a cyber attack, experts say.
In Athens' case, the letters "U" and "C" in the word "construction" were transposed in the email address requesting the money. City officials have now filed a civil lawsuit in Athens County court seeking to reclaim payment sent to a bank in Louisville, Ky., but because they still do not know who sent the cyber attack email request, their lawsuit was filed against defendants "John Doe and Jane Doe."
The cyber criminals began contacting Athens by email on Nov. 14, impersonating contractor Pepper Construction Co. of Ohio LLC, the city's complaint states. "The cyber criminals, purporting to be the contractor, filled out an electronic payment authorization form provided by [Athens] with fraudulent Automated Clearinghouse (ACH) network instructions, and requested funds be sent from [the city's] bank account," says the filing.
Adam Smith, an attorney with Cleveland law firm McDonald Hopkins, filed the suit for Athens, seeking an injunction and freezing the bank account at Republic Bank in Louisville, as well as other relief.
"In reliance on the emails and fraudulent ACH instructions, [Athens] effectuated an ACH transfer of $721,976.26 to the Target Account with the intent to pay an invoice owed by [the city] to [Pepper Construction]" on Nov. 18, the lawsuit states.
Chicago-based Pepper Construction said in a statement it had no comment on the situation at this time.
Construction has become a target-rich environment for hackers and cyber criminals because of the complicated web of transactions with payment and procurement requests coming from parties who often do not personally know each other on projects, particularly those in the public sector.
Athens has a population of nearly 25,000 residents, which more than doubles when the student population of Ohio University is on campus. Experts say many similar small-to-medium-sized cities in the U.S. still rely on emails and electronic forms for construction payments.