In November, officials in Athens, Ohio, sent nearly $722,000 to a bank account they believed had been set up by their contractor, Pepper Construction, to receive payment for work at a fire station headquarters. In reality, the request was a sophisticated cyberattack that took advantage of a construction payment system that often doesn’t allow customers who process invoices to directly know who is behind the email addresses making the requests.
According to experts, a simple two-letter movement in a common word that can be easily missed is the only difference between a legitimate request and a cyber attack.
In the case of Athens, the letters “U” and “C” in the word “construction” were transposed into the email address requesting the money. City officials have now filed a civil lawsuit in Athens County court to claim the payment sent to a bank in Louisville, Kentucky, but because they don’t yet know who made the attack email request cyber, his suit was filed against the “John” defendants. Doe and Jane Doe.”
Cybercriminals started contact Athens by email on November 14, posing as the contractor Pepper Construction Co. of Ohio LLC. the city’s complaint states. “Cybercriminals, who pretend to be the contractor, has completed an electronic payment authorization form provided by [Athens] with fraudulent Automated Clearinghouse (ACH) network instructions and where requested funds are sent from [the city’s] bank account,” the filing says.
Adam Smith, an attorney with the McDonald Hopkins law firm in Cleveland, filed the lawsuit for Athens, seeking an injunction and freezing the bank account at Republic Bank in Louisville, as well as other relief.
“Based on fraudulent ACH emails and instructions, [Athens] made an ACH transfer of $721,976.26 to the target account with the intention of paying a invoice due for [the city] to {Pepper]”on November 18,” the suit states.
Chicago-based Pepper Construction said in a statement it would have no comment on the situation at this time.
Construction has become a target-rich environment for hackers and cybercriminals because of the complicated web of transactions with payment and procurement requests coming from parties that are often not personally known to the projects, especially of the public sector.
Athens has a population of nearly 25,000 inhabitants. the 2023 U.S. Census estimates more than doubles when Ohio University’s student population is in town, but experts say many similar small and mid-sized cities still rely on post offices electronic and electronic forms for construction payments. .
