How Ohio Local Governments Are Handling Online Threats

(TNS) — In this day and age it's a given that email scammers, online fraudsters, and hackers are going to target businesses and governments as well as individuals.

Knowing that, Oregon City Administrator  Michael Beazley  said combating these types of attacks — which often occur as "phishing" attempts — depends on luck as much as it does proper awareness and education.

"The challenge is that perpetrators are frequently a step ahead and moving on to the next best opportunity to scamming,"  Mr. Beazley  said. "The problem that's going to get us is going to be the next problem that we didn't anticipate."

An employee in the Lucas County Auditor's Office fell victim recently to an email scam which resulted in more than $600,000 of public funds being sent to what the employee thought was a construction contractor. Earlier this year Toledo Public Schools was the victim of a data breach and ransomware attack that interrupted online learning in September and after which student and staff information was published online.

But victims can be found even at the national level. U.S. officials reported in December that hackers suspected of acting on behalf of a Russian intelligence agency broke into a number of federal systems, including the U.S. departments of State, Treasury, and Defense, among other organizations.

"It can happen to anybody,"  Mr. Beazley  said.

Locally agencies and organizations use specialized software to curb these kinds of attacks. But multiple officials acknowledged that employee training and vigilance are major parts of preventing any schemes from being carried out.

Advertisement

"The biggest thing we do is that we're very aware," said  Allyson Murray , Rossford's city administrator.

Rossford city staff also work closely with the police department, she said, and when police hear of any new types of scams being reported, officers alert the city departments. It's more difficult now, though,  Ms. Murray  said, with the pandemic prompting many to work remotely.

"A lot more people are taking their laptop home with them, so they are connecting through a VPN so the information is out there and not protected," she said.

Colin Pregibon , the Toledo schools' director of information technology infrastructure systems, said email-blocking software can prevent a good amount of spam, malicious content, and encrypted zip files from getting through, but no program is infallible.

"These kinds of attacks are almost impossible to stop," he said.

Different forms of antivirus protections can help, he said, as well as two-factor authentication. Often, he said, perpetrators will try to impersonate someone else or send corrupt links disguised as programs the organization is already using.

"The one that we're seeing now is a DocuSign hoax,"  Mr. Pregibon  said.

DocuSign is a program that allows people to manage agreements electronically. Employees who use DocuSign as part of their normal business practice might be lured more easily into clicking on a malware link set up to resemble the same program.

Mr. Pregibon  would not comment on the ransomware attack against Toledo except to say that the investigation is ongoing.

He did note that hundreds of fraudulent emails are sent every day, often targeting businesses and organizations. Every agency gets hit with them to some extent.

"The idea is try to limit your exposure," he said.

Lucas County Auditor  Anita Lopez  said working remotely means so much more information is put online through emailing documents and conducting meetings through Zoom. It's imperative, especially now, she said, that people be on the lookout for possible scams.

"You start to get more confident and relaxed," she said about people getting used to working online.

She would not comment on the investigation, which is still ongoing, into the recent email scam carried out against the auditor's office. Nor would she comment on exactly how protocols could change as a result of the attack.

Ms. Lopez  did say she believes that the department's current policy should have caught the scam before any money was lost.

"Anything that comes in email, regardless of what it is, you have to verify it," she said. "That's the bottom line."

(c)2021 The Blade (Toledo, Ohio). Distributed by Tribune Content Agency, LLC.