Cybercrime Alert
In a common version of the Business Email Compromise scheme, a cybercriminal creates an email account that appears to be from one of the government’s actual suppliers. Using this email, the cybercriminal instructs the government to change payment instructions, steering the funds to a fraudulent bank account.
This page provides resources you can use to increase awareness, report a scam, and strengthen your government against cybercrime.
If you have been a victim of a cybersecurity incident, use this form to report it in compliance with ORC § 9.64 Section 9.64 took effect Sept. 30, 2025
Fill out this Cybersecurity Reporting Form and submit via email to Cyber@ohioauditor.gov
Reporting Form Context and requirements for the law are provided in this Bulletin 2025-007: Adoption of Cybersecurity Program.pdf
Implementation guidance can be found on the Cybersecurity Program page
Steps to take if you become a victim of cybercrime
- Report to the Ohio Department of Public Safety — Ohio Cyber Integration Center within seven days.
- Report to the Auditor of State within 30 days by filling out this Cybersecurity Reporting Form.pdf
Additional steps to consider
- Report banking/payment thefts to your financial institution.
- Report to FBI Internet Crime Complaint Center (IC3).
- Report to Adjutant General Cybersecurity.
- Review insurance policies to determine if there is coverage for such losses and consider claim depending on the size of the loss and your deductible.
- Review/revise internal policies and controls and train or re-train employees to prevent future occurrences.
Sample Policies & Best Practices
Cybersecurity & Infrastructure Security Agency (CISA) — is a federal agency within the Department of Homeland Security that leads the effort to protect the nation’s critical infrastructure from cyber and physical threats. CISA provides best practices, guidance, and sample policies to help organizations strengthen their cybersecurity.
NIST Cybersecurity Framework Policy Template Guide.pdf — This guide from MS-ISAC offers customizable cybersecurity policy templates aligned with the NIST Cybersecurity Framework to help organizations improve their cybersecurity practices.
Ohio DAS Incident Response & Cybersecurity Policies — Official incident response and governance policies from the Ohio Department of Administrative Services.
Free Cybersecurity Training for Managers & IT Professionals
CISA Learning on NICCS — Self-paced online modules, virtual instructor-led sessions, and classroom training on ethical hacking, cloud security, risk management, and malware analysis. Free for government personnel, military, and veterans. See the Accessing CISA Learning section for more details.
Note: CISA Learning is the new cybersecurity training platform that combines content from FedVTE, CCMS, and RRBT.
CISA Cybersecurity Training & Exercises — Free online and instructor-led technical training from the U.S. Department of Homeland Security.
Free Employee Awareness Trainings
ESET Free Cybersecurity Awareness Training — A 90-minute interactive course on email protection, web security, social engineering, and password policies. A completion certificate will be emailed to the address you provide during registration. Registration is required to access the course. Register Now
National Cybersecurity Alliance Security Awareness Episodes — Eight engaging videos to educate employees on cybersecurity best practices. Available for viewing, downloading, and sharing.
NEVER change the contact or banking information of a vendor or employee without independent verification. In-person communication is always the best practice for verifying identity and contact information. Never use email to verify change requests.
• Require in-person verification whenever possible for requests to change payment information. It is a best practice to also use a second-person verification when the vendor is not personally known by the paying agent, by having the person or department that deals with the vendor personally also verify the identity and confirm the change request.
• If distance prevents in-person verification, use only an independently verified contact person and telephone number. Do not use contact information from the change request; instead, find a phone number from a validated source, such as a prior invoice or a regularly updated employee or vendor contact information listing. Another source for a valid telephone number is the company’s known website.
• When using a telephone call to validate the vendor contact or identity of an employee, always ask the employee or vendor a question related to past experiences or conversations that only they would know the answer to.
• Require secondary, internal approval for all payment requests, payment instruction changes, and changes to employee or vendor contact information. The payment change initiation and payment approval functions should be done separately.
Regular backups: Back up the data on your system regularly. If your system becomes infected, you can restore it and avoid paying any fee to release your computer or its data. You should also secure your backup either with an external drive or with a cloud backup provider.
Strong passwords: A strong password is long and uses symbols, numbers and a combination of upper and lowercase letters. Consider an easy-to-remember phrase such as ILikeMondaysInJuly! for your password. Never write them down on a sticky note and attach it to your computer or screen.
Anti-virus software: Anti-virus programs, anti-malware, and pop-up blockers can help deter cybercriminals. Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
Up-to-date patches: Make sure application patches for your operating system, software, and firmware are up to date.
Email safety: Do not place personal email addresses on your website. If you need an email address listed, set up a catch-all account such as contact@agency.com.
Trust and verify: Only download software, especially no-charge software, from sites you know and trust. When possible, verify the integrity of the software through a digital signature downloading.
Unsolicited emails: Scrutinize links contained in emails and do not open attachments included in unsolicited emails. Hover over links to verify the destination matches the link. When in doubt, go to the website itself rather than clicking the link (e.g., go to the official UPS site and type in the tracking number rather than clicking the link in an email.)
No phishing: Use a phishing filter with your web browsers. Many web browsers have them built in or offer them as plug-ins. If your web browser doesn’t do this for you, do it yourself.
Macro scripts: Disable macro scripts from files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
"User Privileged": Avoid using an account with Admin privileges. Always use an account with “User Privileged” access. This helps prevent some (but not all) malware from installing.
Remember: Most companies, banks, agencies, etc., do not request personal information via email.
Helpful terms to know
Below are some definitions of cybercrimes and the recommendations for communities on how to avoid them.
Ransomware: Considered the biggest threat in the information security industry today. Ransomware is malware that is installed on your computer when you click on a link in an email. Ransomware holds your computer hostage by locking your screen or encrypting your files until you pay a specified amount of money for a key that will unlock your system. It is usually infected via macros in Microsoft Office documents delivered via email. From December 2015 to May 2016, half of all ransomware attacks were in the United States, according to Microsoft.
Phishing: The practice of luring unsuspecting Internet users to a fake website by using authentic-looking email with the real organization's logo. The emails are loaded with viruses that launch when opened and typically include methods to trick you into providing your passwords or other financial or personal information. These usually look like emails from a bank, and once you “log in” they have your account information and can then gain access to your account to transfer money. Usually these types of emails are sent out by the thousands.
Spear-phishing: A more targeted form of phishing. Emails are designed to appear to come from someone the recipient knows and trusts, usually a colleague, and can include a subject line or content that is specifically tailored to the victim’s work. For high-dollar victims, attackers may study their social networking accounts to gain intelligence and then choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust. (Don’t "friend" people you do not know personally on Facebook, LinkedIn, etc.)
Whaling: Spear-phishing targeted to high-profile targets such as executive officers or elected officials within a business or government organization.
