Post-pandemic fraud prevention lessons for local governments

Although fraud prevention and mitigation is a concern for all organizations, local governments have extra reasons to be vigilant about fraud threats as we emerge from the pandemic.

Tags: BEC, Scams, Security, Cybersecurity, Government
Published: August 03, 2021

One of the many challenges that local governments face with COVID-19 recovery is the escalation of fraud.

Over the past year, we’ve seen an increase in government funds being disbursed and therefore put at risk. Combine that with the additional security concerns created by the reliance on remote work that became popular during the pandemic. The result? Local governments now face a new normal that requires devoting even more attention to fraud prevention and mitigation.

Fraudsters took advantage of that new dynamic during the pandemic and will continue to target it whenever possible, especially with the long-term adoption of hybrid work environments. Fortunately, some of the most effective protections against these newly developed security threats are best practices that have been successful against similar threats in the past.

 

New security threats are part of the new normal

“We've seen a very large uptick in fraud attempts and I think it’s a serious concern for most municipalities,” says Bob Jones, senior vice president and municipal segment leader for U.S. Bank Global Corporate Trust. “Some of it is the result of people working from home and the normal patterns being broken up, including the use of personal email addresses for traditional business purposes.”

Business email compromise (BEC) scams have been around almost as long as email itself – and they aren’t limited to businesses. Anyone who uses email to communicate can be tricked into giving up important information to a fake emailer, but entities that make large electronic payments have the most at risk. Worse yet, scam types expanded during the pandemic.

“It used to be that a fraudster would impersonate a government entity and direct the bank to release millions of dollars,” says Jones. “Now the government entity is thinking they are working with their vendor or whomever, and they get new wire instructions, and they don't realize their vendor has been hacked.”

“People are able to spoof the e-mails to get the governments to change things like bank account numbers and payment schedules,” says Lee Strom, senior vice president and government banking division manager for U.S. Bank Corporate and Commercial Banking. “Money is being sent to fraudulent accounts rather than their vendors, employees or constituents.”

 

Fraud prevention begins with preparation

Although the BEC scams continue to expand, it’s important to remember that they all have similarities to previous types of phishing attacks. An imposter is using familiar, trusted communication channels to either obtain valuable data or deliver fraudulent instructions. As such, time-tested best practices remain effective when receiving instructions via email.

“If a municipal employee is getting any new directions from a vendor that they’ve been working with for years, they should at least do a follow-up call,” says Jones. “If your client is suddenly changing instructions on where to be paid, it would be important to validate that some other way and not just blindly accept it via email.”

To protect against the threat of fraudulent email attacks, government agencies should adopt and train staff on these foundational fraud prevention strategies:

  1. Email policies and training: Educate employees about common red flags for phishing emails like misspelled words or odd variations of domain names. Establish formal reporting and investigation procedures for when an employee receives a suspicious or unusual email request from an internal or external contact.
  2. Vendor account management: Record the individuals who will act as the primary contacts for each vendor and will be responsible for verifying any changes to account information. Regularly confirm the accuracy of this contact information.
  3. Dual approval for vendor payments: Use a second set of eyes on payments and supporting documentation to allow for further scrutiny of the authenticity of the instructions.
  4. Vendor payment notification for large payments: Identify criteria for high-value or high-risk payments. Include a follow-up with your primary vendor contact to make sure they received the funds.

Review your current policies and controls for email use, vendor management, and accounts payable.
     


Next level of security

The fight against fraud is never ending and requires even more vigilance to deal with our new normal. As security threats continue to evolve, sophisticated measures of fraud prevention are being developed to keep pace. These new banking tools give account holders more control and the ability to create an increased level of security:

  • Blocks and filters for ACH: Gives account holders an extra layer of approval by blocking any transaction outside the filtered account numbers and dollar limits. Although available for ACH credits or debits, this is most often used to control debits.
  • Payee positive pay: Helps prevent fraud by creating an additional level of authentication for checks. The bank receives the name, account number and dollar amount for all checks that leave an account and pays only if all three items match. If they don’t, the bank checks with the account holder to determine if the payment is legitimate.
  • Universal payment identification code (UPIC): Allows an account to receive ACH credit payments without revealing the actual bank information. The code can be emailed to vendors and even posted to a website to receive the money directly while maintaining account security.

 

Still, the emerging tools are a complement to the established best practices. Trust but verify, use strong authentication, utilize dual control and always trust your instincts. “Never feel badly about making that extra phone call to verify a request from an email,” Jones says. “You could be stopping a big problem.”

Most importantly, remember that time can make a big difference in dealing with BEC attacks. If you believe your organization is a victim of BEC, contact your bank representative immediately to attempt to recover the funds.

 
