Linkedin Instagram Facebook
Get Started
Get Started

Fake Contractor Email Cost a City More Than $700,000

in Best Practices, Cybersecurity
Nieto Technology Partners Fake Contractor Email scam

One Fake Email, A $700K Mistake

In Athens, Ohio, city staff were working on payments related to construction of a new fire station. According to WOUB Public Media, someone posing as an accountant from the construction company emailed the city and asked for the next payment to be sent by electronic transfer instead of by check.

The request sounded reasonable. It fit the project, the timing, and the kind of payment the city was already expecting to make. But the email did not come from the real contractor.

Investigators later found that scammers had created lookalike email addresses and inserted themselves into an existing email conversation. The city sent $721,976 to a bank account controlled by the scammers before the fraud was fully discovered.

What probably happened, in simple terms

This appears to be a payment redirection scam.

The criminals likely watched a real email conversation long enough to understand:

  • who was involved
  • what project was being discussed
  • when a payment was due
  • what wording would sound believable

Then they used fake email addresses that looked almost identical to the real ones. That let them ask for updated payment details without immediately raising alarm.

How the victim was fooled

The scam worked because the fake emails looked close enough to the real thing to pass a quick glance.

According to the report, the criminals used internet addresses that were only slightly different from the contractor’s real domain. One changed the order of two letters. Another swapped one letter for a similar-looking one.

That kind of change is easy to miss when employees are busy and simply hit reply.

The request also matched normal business activity. There really was a construction project. There really was a payment coming. And the message explained the change in a way that sounded practical and routine.

That combination is what makes these scams dangerous. The attacker is not relying on a wild story. They are relying on a believable one.

 

How much they lost

WOUB reported that the city sent $721,976 to the fraudulent account.

At the time of the report, some money in the account had been frozen, but it was still unclear how much the city would ultimately recover.

The real lesson for business owners

If your business ever changes payment instructions by email alone, you are exposed.

A fake email can look convincing enough to fool good employees, especially when it fits an ongoing project or vendor relationship. The safest lesson is simple: when bank details change, slow down and verify the change another way.

What Businesses Should Do Differently

  1. Never trust banking changes sent only by email
    1. Always confirm them by phone using a number you already know is real.
  2. Train staff to check the full sender address
    1. The display name is not enough. Small spelling changes matter.
  3. Treat payment changes as high risk
    1. Even if the request sounds routine, require extra review before money moves.
  4. Use a second approval for large payments
    1. A second set of eyes can catch details one person misses.
  5. Be cautious inside existing email threads
    1. Just because an email appears in an ongoing conversation does not mean every sender in that thread is legitimate.

Don’t Wait. Act Now.

Most businesses do not lose money because staff are careless. They lose money because the scam looks close enough to normal business that nobody stops to question it in time.

Nieto Technology helps businesses reduce that risk with stronger email protection, employee awareness training, and safer payment verification practices.

For more information on how to avoid scams like these

Visit https://nieto.com/cybersecurity, give us a call at 713-893-5667 or email us at info@nieto.com.

 

Source Notes
WOUB Public Media, “Email exchanges detail how the city of Athens fell victim to a $700,000 cyber scam” Source Link