Electronic Vendor Fraud: How to Protect your Agency from the Latest Cybercrimes
August 26, 2019
Ransomware, phishing schemes, and plain old hacking are just a few of the cybersecurity issues that local governments must contend with now. One of the key components in keeping your government’s system and data safe is staff training, but even with vigilant and well-trained staff, cybercriminals find enough success to keep them in business and they continue to develop new attacks.
The City of Ellensburg was recently targeted via email by a scammer who claimed to be a vendor’s accountant. The scammer requested electronic payment, rather than their usual payment by physical check. The documentation seemed authentic, with the vendor’s logo and other information correct, so payment was sent. It wasn’t until the ‘accountant’ made further contact with the city that the scam was discovered.
In July, King County reported it had been targeted by a similar scheme, but in that case, the vendor’s email account was hacked, and the scammer sent a request for the county’s banking information via the vendor’s email system. This tactic made detection more difficult because King County staff are trained to verify that emails are coming from a legitimate domain, which it was. The county, like Ellensburg, had insurance to cover most of the loss, but not all. The scam cost the county $25,000.
What Was Different about these Attacks
In King County, staff were trained to scrutinize email addresses and domains for validity, but in this case the hacker managed to co-opt the vendor’s legitimate email address, which made the email seem authentic. While King County notes there were spelling errors in the email that could have acted as a red flag, the seemingly valid domain and sender addresses did pass muster.
With the Ellensburg crime, the attackers used publicly available information to research which firms the city had contracts with. They found one of the city’s current contractors with invoices out for payment and replicated company correspondence using the publicly available information. By all appearances the scammer’s communications looked authentic. The city has since added verification steps to its procedure for handling requests to change vendor account information or payment methods, and it is actively spreading the word to alert other local governments to the scam.
What Can your Government Do?
The use of internal controls continues to be one of the most important tools that local governments have to protect public funds. However, these tools must be regularly reviewed and revised to keep up with the latest threats—like vendor impersonation—as they arise. The Association of Certified Fraud Examiners reports that the top three internal control weaknesses in 2016 were:
- A lack of internal controls (29%)
- Overriding existing internal controls (20%)
- A lack of management review (19%)
If we think of these recent cybercrimes as attempted theft or fraud (which they are), we can then focus on implementing specific new internal controls to help reduce the possibility of falling prey to the new threat of vendor fraud scams. Implementing and closely adhering to appropriate internal controls in all areas of local government, along with ongoing monitoring and updating of those controls, will go a long way toward minimizing the threat of a loss due to fraud in any form.
Practical Protections Against this Type of Fraud
GFOA published an electronic vendor fraud advisory in 2017 with steps to protect your local government. The four steps listed below are simple to implement, and even if a scammer gains a foothold into your systems, you will have some procedures in place that can protect against fraud and theft:
- Don’t make changes to vendor information—especially payment addresses or bank account information—without reviewing and corroborating the information through other sources:
  - Do not allow email confirmation of changes to this information—hackers may have control of a vendor’s legitimate account, and the appearance of a legitimate email address is not a guarantee of a contact from your legitimate vendor.
  - Use the contact information you have in your existing records to call the vendor and verify any changes.
  - Have another staff member review and verify any vendor changes (even small entities can do this).
- Don’t give out vendor information over the phone:
  - Create a script for staff to use and always ask vendors to identify both old and new account information. Your vendor should be able to provide this information without assistance.
- Don’t call a new phone number to verify changes: this may be the fraudster’s phone!
- Follow up with vendors in your check run who have made address changes to verify the account or address changes verbally before releasing payments. Include this step in your pre-check run process.
Staff Training Plays a Key Role
Staff training and tools are an organization’s best defense against fraud. Finance staff need support and training about electronic vendor fraud and related cybercrime, but the finance department is not the only one at risk. It is also important to connect with staff throughout the agency who may be subject to this latest form of fraud and need training to spot and deter these threats. Reiterate the importance of verifying vendor accounts and any changes made to these accounts, teach non-finance staff how to set up these procedures within their departments, or require that all account changes and verifications be made through the finance department.
If new procedures are created regarding electronic vendor fraud, put out a brief memo to all staff about these new procedures. Include any scripts or verification methods for them to use so they are prepared to apply them whenever a vendor requests updated address or payment information.
You may decide that these additional internal controls are enough for the volume of transactions your organization processes and your staff size. Or, your agency may decide to take additional steps, such as issuing only paper checks for payment and discontinuing electronic payments. That’s what the city of El Paso, Texas announced in the fall of 2018 after discovering a fraud that misdirected $3.2 million.
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.