Cybercrime: A Hard Lesson
We often hear about the threats posed by cyber criminals and even read about instances where local governments become victims of cybercrime. Cyber criminals have used the COVID-19 pandemic to their advantage, and it is important to be cognizant of these threats and how to avoid them. This blog looks at precautions a local government can take to counter a specific type of scam perpetrated by cyber criminals: vendor fraud.
A Cautionary Tale
Recently, a local government, Agency A, fell victim to cyber criminals and sent $200,000 to an overseas bank account. How did it happen?
A few months before the fraud took place, hackers were able to access two administrative employee email accounts for Agency A. The cyber criminals monitored these email accounts and became aware that a large payment was coming due. By hacking into Agency A’s cloud-based email system, the hackers pretended to be administrative staff and sent emails to the accounts payable staff, asking them to update the vendor’s banking information to a new account and claiming the vendor had recently switched banks. The hackers were also able to keep the administrators from discovering these fraudulent emails had been sent. As a result, accounts payable staff entered the new fraudulent banking information and sent the money to the new (overseas) account.
Suggested Precautions to Help Identify Fraudulent Activity
There were several precautions that could have been taken to avoid the scam perpetrated by the hackers, including assessing organizational strength, creating new internal procedures, and training staff to look for specific signs of fraud.
Assess your organization’s cyber-security
One easy and cheap way to tighten an organization’s security is to have a two-step authentication process for access to email accounts. Because Office 365 is in the cloud, it is easier for cyber criminals to attempt to gain access to organizational email. Implementing a two-step authentication process makes cloud-based email accounts harder to hack. In this instance, Agency A was using Office 365 but did not have two-step authentication enabled.
Since cyber criminals frequently operate out of foreign countries, another good defense is to install cyber-security software that can detect foreign IP addresses and alert IT staff when these are detected. Agency A did not have this type of software and it likely would have identified the suspicious activity.
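The alerting described above can be prototyped against a sign-in export from the cloud e-mail service. The script below is an added example, not code from the original post or from any vendor product: it reads a constructed sign-in log (timestamp, user, source IP, country), flags every sign-in from a country outside the set the agency expects, and condenses the hits into one alert line per account so IT staff are paged once per affected mailbox rather than once per attempt. The column names, the `EXPECTED_COUNTRIES` set and the `XX` country code (standing in for any unexpected country) are assumptions made for the example.

```python
"""Flag cloud e-mail sign-ins from countries outside the set an organization expects."""
import csv
import io
from collections import defaultdict

# Constructed sample sign-in log (not a real export): timestamp, user, source IP, country code.
# "XX" stands in for any country outside the organization's expected set.
SAMPLE_SIGNINS = """\
timestamp,user,source_ip,country
2020-03-02T08:14:05Z,admin1@agency-a.example,203.0.113.10,US
2020-03-02T09:02:41Z,ap-clerk@agency-a.example,203.0.113.22,US
2020-03-02T23:47:19Z,admin1@agency-a.example,198.51.100.77,XX
2020-03-03T07:55:03Z,admin2@agency-a.example,203.0.113.11,US
2020-03-03T02:10:58Z,admin2@agency-a.example,198.51.100.78,XX
2020-03-03T02:12:30Z,admin2@agency-a.example,198.51.100.78,XX
"""

# Assumed policy: a Washington State agency expects domestic sign-ins only.
EXPECTED_COUNTRIES = {"US"}


def parse_signins(text):
    """Parse the CSV export into a list of dicts, one per sign-in."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_foreign_signins(records, expected=EXPECTED_COUNTRIES):
    """Return every sign-in whose source country is outside the expected set."""
    return [r for r in records if r["country"] not in expected]


def summarize_by_user(flagged):
    """Group flagged sign-ins per user so one alert covers repeated attempts on one account."""
    summary = defaultdict(
        lambda: {"count": 0, "countries": set(), "ips": set(), "first": None, "last": None}
    )
    for r in flagged:
        s = summary[r["user"]]
        s["count"] += 1
        s["countries"].add(r["country"])
        s["ips"].add(r["source_ip"])
        # ISO-8601 timestamps in one time zone sort correctly as strings.
        s["first"] = r["timestamp"] if s["first"] is None else min(s["first"], r["timestamp"])
        s["last"] = r["timestamp"] if s["last"] is None else max(s["last"], r["timestamp"])
    return dict(summary)


def alert_lines(summary):
    """Render one alert line per user, suitable for e-mailing or paging IT staff."""
    lines = []
    for user, s in sorted(summary.items()):
        lines.append(
            f"ALERT {user}: {s['count']} sign-in(s) from {sorted(s['countries'])} "
            f"via {sorted(s['ips'])} between {s['first']} and {s['last']}"
        )
    return lines


if __name__ == "__main__":
    flagged = flag_foreign_signins(parse_signins(SAMPLE_SIGNINS))
    for line in alert_lines(summarize_by_user(flagged)):
        print(line)
```

In the sample data both administrator accounts show sign-ins from outside the expected country set, which is the pattern Agency A had no tooling to surface; a real deployment would feed the service's actual sign-in log into `parse_signins` and route `alert_lines` to the IT staff's ticketing or paging system.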
Watch for incorrect domain names
Typically, emails sent as a phishing scam can be easily identified through the incorrect domain name. For example, instead of email@example.com, the email address would read something like, firstname.lastname@example.org. Unfortunately for Agency A, the hackers had access to high-level employee accounts and it appeared as if emails were coming from administrative staff. Still, there are other ways to identify phishing scams, some of which are discussed below, and staff can be trained to look for these warning signs.
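The domain comparison described above can be automated as a mail-flow check. The function below is an added example, not code from the original post: it pulls the address out of a `From:` header (including the `Display Name <address>` form), and classifies the sender domain as internal, an internal subdomain, a lookalike of the organization's domain, or external. The organization domain `example.com` is taken from the page's own sample address; the similarity threshold and the category names are assumptions made for the example.

```python
"""Classify the sender domain of an e-mail address relative to the organization's own domain."""
import difflib
from email.utils import parseaddr

# Assumed organization domain, taken from the page's sample address.
ORG_DOMAIN = "example.com"


def sender_domain(header_value):
    """Extract the lower-cased domain from a From: header such as 'Jane Doe <jane@example.com>'.

    Returns None when no address can be parsed.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(header_value, org_domain=ORG_DOMAIN, threshold=0.8):
    """Return 'internal', 'internal-subdomain', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(header_value)
    if domain is None:
        return "unparseable"
    if domain == org_domain:
        return "internal"
    if domain.endswith("." + org_domain):
        return "internal-subdomain"
    # Near matches (different top-level domain, one character off) and any domain that
    # embeds the organization's name are treated as lookalikes worth a second look.
    org_name = org_domain.split(".")[0]
    similarity = difflib.SequenceMatcher(None, domain, org_domain).ratio()
    if similarity >= threshold or org_name in domain:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed header values for demonstration.
    for header in (
        "Jane Doe <jane@example.com>",
        "firstname.lastname@example.org",
        "billing@vendor-supply.net",
        "no-address",
    ):
        print(f"{header!r}: {classify_sender(header)}")
```

A "lookalike" or "external" result on a message that asks for a payment change is a reason to pause and verify out of band. As the post notes for Agency A, a message sent from a compromised account classifies as "internal", so this check catches the common spoofed-domain case but cannot replace calling the sender or vendor at a number already on file.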
Scrutinize the writing in the email for grammatical/spelling errors
Many phishing emails contain misspellings and grammatical errors. In Agency A’s case the emails did not have glaring errors, but there were instances where “I” was lowercase and the few grammatical errors present were those that the administrator would not normally make. Additionally, the fraudulent emails were written in a different voice than what would have been expected from the administrator. If a staff member has a difficult time matching the “voice” of the email to the sender, then they should be trained to follow up directly (by phone or in person) with the sender.
Be wary of last-minute requests and a heightened sense of urgency
Many phishing scams will include language that says something has ‘unexpectedly come up’ or ‘needs to be done immediately,’ which pressures the email recipient into thinking they must respond quickly.
On the date of the incident, Agency A accounts payable staff were finishing up their check run and vendor payment was due. Staff had received the fraudulent email stating the vendor had changed banks and the routing information needed to be updated. A red flag should have gone up when staff saw that payments to this vendor had normally been via check, not electronic funds transfer (EFT). However, because this seemed to be an urgent request from the administrator, the staff went ahead and sent the payment via EFT.
Call to verify banking or address changes
What should the accounts payable staff at Agency A have done instead of issuing the EFT?
When a vendor is requesting a change in bank accounts or updating an address, staff should know to verify changes over the phone or via a video conferencing platform such as Teams or Zoom (and not through email, since the hacker may have access to this). If verifying by phone, a staff member should use the phone number on record, not one sent in an email.
Agency A staff did not call the number they had on file for the vendor, nor did they reach out via phone or video chat to the administrator requesting the account change. Either action may have led staff to discover the emails were fraudulent.
Implement procedures and training to prevent fraud
As technology changes so do the methods cyber criminals use to perpetrate phishing scams. Organizations should be on the lookout for new phishing techniques being used by cyber criminals, and IT administrators should implement ongoing security awareness training and utilize simulated phishing with staff. Practices such as these keep security in the forefront of employees’ minds. At a minimum, organizations should require cybersecurity training on an annual basis.
Organizations should also ensure their operational procedures address cybersecurity concerns. For example, the processes that accounts payable and payroll staff use for updating information, such as addresses or banking accounts, should be clearly defined and can incorporate the precautions described above.
Cybercrime has made many criminals very rich, and it is not going away. Organizations must remain diligent in their endeavors to prevent cybercrime by implementing strong internal controls and frequently evaluating their cyber-security preparedness. Our Cybersecurity Resources for Local Governments topic page offers a list of (and links to) available information security resources, as well as sample cybersecurity plans from local and out-of-state cities, counties, and special purpose districts.
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.