Over the last few weeks, several Ohio school districts have been victims of an email scam sometimes referred to as “CEO Fraud,” according to the Auditor of State’s Office.
This targeted spear phishing attack uses familiarity to trick individuals into taking an action, officials said in a press release.
Each of the instances reported to the Auditor of State’s Office involves a cybercriminal impersonating the superintendent or a principal of a school district, officials said.
In each case, an email was sent to a payroll department employee asking that a change be made to the bank account linked to the superintendent’s or principal’s direct deposit.
The payroll deposit is then directed to the criminal, officials said.
The scam is identified only after the impersonated employee realizes he or she did not get paid. These scams are especially effective because the staff member involved believes he or she is dealing directly with a district or school official who has the authority to make such a request.
The Auditor of State’s Office encourages districts to educate their staffs on this type of scam and to be on the lookout for any such activity. The state auditor also encourages districts to:
- Examine the procedures in place for making changes to an employee’s payroll bank account; and
- Consider taking verification steps outside of the email system before making such a change.
Report all scams to the local police department and the FBI. If a district or school loses cash or assets because of such a scam, officials also should contact Ohio’s Fraud Hotline at (866) FRAUD-OH.