Phishing email gets by payroll officials; district hopes to recoup funds.
By Jeremy P. Kelley
Staff Writer
Dayton Public Schools Superintendent Elizabeth Lolli was scammed out of a paycheck this month after a phishing email apparently fooled school payroll officials into changing her direct deposit bank account information.
Lolli said the payroll office missed multiple “red flags” in the scammer’s email, including that the messages did not come from Lolli’s email address, that the home address listed was not current, the Social Security number was not hers and the canceled check they submitted was “clearly a fake.”
“Those red flags should have been noticed, and we should have done a more diligent job handling the situation,” Lolli said. “We have quite a few security measures. This was a matter of a (payroll) person not paying attention and maybe feeling a little intimidated because it (appeared to be) an email from the superintendent,” Lolli said, adding that employees need to be comfortable questioning issues like these.
Lolli said when she sat down to pay bills Feb. 10, she noticed her Feb. 8 paycheck from Dayton Public Schools had not appeared in her account. She said she informed Treasurer Hiwot Abraha, but Abraha said district records showed that Lolli had been paid. That led to an investigation that revealed the scam.
According to a Dayton Police report filed Thursday by DPS assistant treasurer Tito Reynolds, the payroll department had received an email from a person claiming to be Lolli, asking to change bank account information. But the email address was supt@tampabay.rr.com rather than Lolli’s.
Reynolds told police that the payroll office emailed the person the appropriate form, and the scammer sent it back with a new account number tied to a bank in Salt Lake City. The next paycheck went there, and Abraha said when the school district tried to reverse the $5,159 check, the money had already been removed from the scammer’s bank account.
Abraha said the employee in question was immediately disciplined. Neither Lolli nor Abraha would comment on the extent of the discipline, except to say that it followed the steps of DPS’ progressive discipline policy. Lolli said the district has since replaced the paycheck she missed.
Abraha said DPS is now receiving numerous similar scam emails but has not found any other payment errors. She said DPS is notifying all employees that any bank account changes will now need to be processed in person.
Lolli said shortly before this incident, there had been another attempted email scam at DPS. She said the IT department had sent a message to all staff warning them of scam emails.
Lolli and Abraha said numerous school districts have recently received these scam emails, including Fairborn schools, where Lolli’s husband, Gene, is superintendent. Elizabeth Lolli said in Fairborn, a payroll employee went to her husband to ask if the request to change bank accounts was legitimate, nipping the problem in the bud.
Callie Wells, spokeswoman for the Ohio Association of School Business Officials, said they’ve received reports of the same scam that hit Dayton, including the fake canceled check, from multiple districts in several areas of the state, usually targeting superintendents, who get the largest paychecks.
“The general rule of thumb is that you never ever put bank account and routing information across email,” said Ryan Pendleton, a member of OASBO’s board of directors. “That’s pretty well known. That would be the first suspect item. ... I think districts across Ohio will likely be strengthening their procedures as the digital age invades us.”
Pendleton, currently the treasurer for Akron schools, said Akron employees seeking to change bank information have to do it in person or via the district’s secure portal.
Abraha said representatives at the Automated Clearing House (ACH) payment service directed her to deal with the bank and police, since in this fraud, the school district itself had approved the change in payment. The district’s insurance deductible is $10,000, so DPS will not be reimbursed that way.
“I am hoping the bank can find this person and they can recoup the money,” Abraha said. “(The scammer) didn’t close the account, they just withdrew the money.... So I think this (person) can be found.”
Contact this reporter at 937-225-2278 or email Jeremy.Kelley@coxinc.com.