You know it's a rough day when someone wires $722,000 to a scammer... and nobody realizes for another eleven days. Add in some convincing fake emails, a little digital sleight of hand, and boom: a city is left scrambling.
In this publication, we're uncovering a scam that didn’t just hit someone's inbox — it emptied a public account. And the worst part? It could’ve happened to any organization. Let’s get into it.
Scammers impersonated a real construction company, hijacked ongoing email threads, and tricked city officials into authorizing a $722,000 payment. All it took were two misspelled email addresses and a convincing story.
How It Works:
This wasn't your average phishing attempt. It was a Business Email Compromise (BEC) attack, a fraud in which attackers impersonate a trusted party (here, by inserting themselves into a legitimate conversation) in order to redirect a payment.
Here’s how it played out:
- The Setup – Scammers posed as employees of Pepper Construction, the company working on a city fire station project.
- Email Infiltration – They joined real conversation threads from addresses on a lookalike domain, the vendor's domain with a single character changed (the example given is pepperconstructIon.com in place of pepperconstruction.com; since email domains are case-insensitive, the working form of this trick substitutes a character that merely resembles the "i", such as a lowercase L or the digit 1, rather than a capital I).
- The Switch – On Nov. 14, they asked the city to switch from check payments back to Electronic Funds Transfer (EFT), a process that had been used earlier in the project, which made the request look legitimate.
- The Payoff – $722,000 was sent to a fraudulent account. A week later, the scammers tried to switch banking details again, raising suspicions.
- The Reveal – It wasn’t until Nov. 25, 11 days after the transfer, that someone finally flagged the emails as suspicious and contacted the real Pepper Construction staff.
Who’s Targeted:
This scam hit government employees — specifically those handling finance and grants administration. But the lesson applies to every workplace, especially those dealing with large invoices and vendor payments.
Real-Life Example:
The City of Athens, Ohio, lost nearly three-quarters of a million dollars in this attack. In the fallout, the city's Deputy Service-Safety Director admitted that the scam revealed “multiple weak points” in the system — not just one failure.
Cybersecurity expert Rishabh Das called the attackers “sophisticated,” pointing out that both city employees and vendors lacked the training and tools to detect the fraud.
Why You Should Care:
This could’ve been your business. Your city. Your client.
BEC scams are low-tech but high-impact, and they are increasingly common. With nothing more than a lookalike domain and good timing, the scammers never had to get past a firewall or antivirus product at all; the only control standing between them and the money was the judgment of the people approving the payment. If a city can fall for this, anyone can.
Even worse? Experts say recovering the funds is unlikely. A bank can sometimes recall a wire if it is alerted within the first day or two, but once the money has been moved through several accounts it becomes nearly impossible to trace, and by day eleven it is usually gone.
Actionable Steps:
Want to avoid being the next headline? Here’s how:
- Verify ANY change in payment details via a phone call to a known number from your vendor records, never one listed in the email or introduced partway through the thread.
- Check domain names closely, in the actual address (including Reply-To) rather than the display name. A single swapped letter can be all it takes to fool you.
- Train staff regularly on email security and BEC awareness — especially finance and admin teams.
- Implement dual approval systems for large financial transactions.
- Use email filters and BEC detection tools that flag domain mismatches and suspicious communication patterns.
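Here is what a minimal version of that filtering looks like in practice. This is an added example written for this newsletter, not code from the article, the City of Athens, or Pepper Construction. It takes one inbound message, folds confusable characters before comparing the sender's domain to an allowlist of verified vendor domains, looks for payment-change language, and returns a triage decision. The allowlist, the confusables table, the keyword list and the sample message are all constructed for the example, and the lookalike address in it (pepperconstructlon.com, with a lowercase L) is made up to stand in for the attacker's domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Vendor domains that finance has verified out of band (constructed allowlist;
# in production this comes from your vendor master data).
KNOWN_VENDOR_DOMAINS = {"pepperconstruction.com"}

# Characters that are easy to mistake for one another in a mail client,
# folded to one canonical form (illustrative table, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e", "8": "b"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Language that accompanies a request to change where money goes (constructed list).
PAYMENT_CHANGE = re.compile(
    r"\b(ach|eft|wire|remit(?:tance)?|routing|account number|bank(?:ing)? details?|"
    r"updated? (?:our )?(?:bank|payment) (?:info|information|details))\b",
    re.IGNORECASE,
)


def sender_domain(header_value):
    """Lower-cased domain of the address in a From:/Reply-To: header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def skeleton(domain):
    """Fold look-alike characters so visually identical domains compare equal."""
    s = domain.lower()
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return s.translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance: catches one-letter omissions, swaps and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, known=KNOWN_VENDOR_DOMAINS):
    """'trusted' (exact match), 'lookalike' (near miss of a trusted domain) or 'unknown'."""
    domain = domain.lower()
    if domain in known:
        return "trusted"
    for good in known:
        if skeleton(domain) == skeleton(good) or levenshtein(domain, good) <= 2:
            return "lookalike"
    return "unknown"


def triage(raw_message, known=KNOWN_VENDOR_DOMAINS):
    """Decide what to do with one inbound message before a human sees it."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg.get("Reply-To", msg["From"]))
    verdicts = {classify_domain(d, known) for d in (from_dom, reply_dom)}
    payment_change = bool(PAYMENT_CHANGE.search(msg.get_payload()))
    if "lookalike" in verdicts:
        action = "quarantine"         # a near-miss domain never reaches finance
    elif payment_change:
        action = "hold_for_callback"  # any bank-detail change gets a call to the number on file
    else:
        action = "deliver"
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "domain_verdict": "lookalike" if "lookalike" in verdicts
                          else "trusted" if verdicts == {"trusted"} else "unknown",
        "payment_change": payment_change,
        "action": action,
    }


# Constructed sample modelled on the request described above; the addresses
# and wording are made up for this example.
SAMPLE_MESSAGE = """\
From: Accounts Receivable <ar@pepperconstructlon.com>
Reply-To: ar@pepperconstructlon.com
To: finance@city.example
Subject: RE: Fire Station 2 - Pay Application #7

Per our earlier arrangement we would like to move this payment back to EFT.
Our updated bank details and routing number are attached.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

The two checks are deliberately independent: a message from the genuine vendor domain that asks to change bank details is still held for a callback, because the real domain can itself be compromised, while a lookalike domain is quarantined whatever the message says.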
Quick Tips & Updates
Quick Tip #1: Did you know? According to the FBI's IC3 report, Business Email Compromise scams cost U.S. organizations over $2.9 billion in 2023 alone, second only to investment fraud among reported cybercrime losses.
Pro Tip: Set up domain monitoring tools to get alerts if someone registers a domain that closely mimics yours — a common BEC tactic.
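The generation side of that monitoring is straightforward. The following is an added example, not code from the article or from any monitoring product: given your own domain, it builds the set of one-edit lookalikes an attacker is likely to register (homoglyph swaps, a dropped letter, two adjacent letters swapped, an inserted hyphen, or a different top-level domain), then matches that set against a feed of new registrations. It goes beyond the single character swap in the story to the other common permutations. The homoglyph table, the TLD list and the registration feed are constructed for the example; a real deployment would pull the feed from a zone-file or newly-registered-domains service.

```python
# Substitutions that still read as the original letter in most fonts
# (an illustrative table, not the full Unicode confusables list).
HOMOGLYPHS = {
    "i": ["l", "1"], "l": ["i", "1"], "o": ["0"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
ALT_TLDS = ("com", "net", "org", "co", "us", "biz")


def typosquat_candidates(domain):
    """Every one-edit look-alike of `domain` an attacker is likely to register."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(name):
        for rep in HOMOGLYPHS.get(ch, ()):                    # look-alike character
            out.add(f"{name[:i]}{rep}{name[i + 1:]}.{tld}")
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")           # letter omitted
        if i and name[i - 1] != ch:                          # adjacent letters swapped
            out.add(f"{name[:i - 1]}{ch}{name[i - 1]}{name[i + 1:]}.{tld}")
        if i:
            out.add(f"{name[:i]}-{name[i:]}.{tld}")          # hyphen inserted
    for alt in ALT_TLDS:                                     # same name, other TLD
        if alt != tld:
            out.add(f"{name}.{alt}")
    out.discard(domain.lower())
    return out


def alerts_for(domain, new_registrations):
    """Entries in a registration feed that collide with our candidate list."""
    cands = typosquat_candidates(domain)
    return sorted(d for d in new_registrations if d.lower() in cands)


# Constructed stand-in for a newly-registered-domains feed (made up for this example).
NEW_REGISTRATIONS_FEED = [
    "example-widgets.net",
    "pepperconstructlon.com",
    "pepperconstruction.co",
    "totallyunrelated.org",
]

if __name__ == "__main__":
    for hit in alerts_for("pepperconstruction.com", NEW_REGISTRATIONS_FEED):
        print("ALERT: look-alike registered:", hit)
```

Run it against both your own domain and the domains of the vendors you pay most often; the Athens case was an impersonation of the vendor, not the city, so watching only your own name would have missed it.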
Stay safe, stay informed.
Keywords & Definitions
- Business Email Compromise (BEC): A type of cybercrime where attackers spoof or hack email accounts to trick businesses into sending money or sensitive information.
- EFT (Electronic Funds Transfer): A digital payment method used for direct bank-to-bank transfers.
- Spoofing: Faking the identity or contact details in emails to impersonate a legitimate party.
- Domain Squatting (typosquatting): Registering domain names that closely resemble a legitimate company's domain, differing by a single letter, a hyphen or the top-level domain, in order to impersonate it.
- ACH (Automated Clearing House): A network used for processing direct deposits and bill payments electronically.
To read more, see the source article linked here.