Post-pandemic fraud prevention lessons for local governments

May 10, 2022

Although fraud prevention and mitigation is a concern for all organizations, local governments have extra reasons to be vigilant about fraud threats as we emerge from the pandemic.

One of the many challenges that governments face is the escalation of cyber fraud over the past few years. The rise in remote work that became popular during the COVID-19 pandemic created additional security concerns at a time that saw an increase in government funds being disbursed and therefore put at risk. As if that wasn’t enough, additional security threats continue to emerge as fraudsters capitalize on geopolitical events like Russia’s invasion of Ukraine to target new phishing attacks.

As a result, local governments now face a new normal that requires devoting even more attention to fraud prevention and mitigation. Fortunately, though, some of the most effective ways to protect against these newly developed security threats are to utilize best practices that have been successful against similar threats in the past.

 

New security threats are part of the new normal

“We've seen a very large uptick in fraud attempts and I think it’s a serious concern for most municipalities,” says Kevin Weeks, sales head for U.S. Bank Global Corporate Trust and Custody. “Some of it is the result of people working from home and the normal patterns being broken up, including the use of personal email addresses for traditional business purposes.”

Business email compromise (BEC) scams have been around almost as long as email itself – and they aren’t just limited to business. Most anybody that uses email to communicate can be tricked into giving up important information to a fake emailer, but entities that make large electronic payments have the most at risk. Worse yet, scam types expanded during the pandemic. For example, the FBI recently warned state and local government officials about invoice-themed phishing emails that could be used to harvest officials’ login credentials.

“It used to be that a fraudster would impersonate a government entity and direct the bank to release millions of dollars,” says Weeks. “Now the government entity is thinking they are working with their vendor or whomever, and they get new wire or ACH instructions, and they don't realize their vendor has been hacked.”

“People are able to spoof the e-mails to get the governments to change things like bank account numbers and payment schedules,” says Lee Strom, senior vice president and government banking division manager for U.S. Bank Corporate and Commercial Banking. “Money is being sent to fraudulent accounts rather than their vendors, employees or constituents.”

 

Thread hijacking, cyber extortion and the rise of hacktivism

In addition to the existing email threats, governments should be aware of another batch of fraud attacks that escalated during the pandemic. Thread hijacking, cyber extortion and hacktivism all target the most common vulnerability in computer systems – the people using them.

“Attackers are capitalizing on people being distracted, hurried, not paying attention,” says Jacqueline Sullivan, vice president for security operations coordination, information security services, at U.S. Bank. “Government organizations are extremely vulnerable because their networks host a great deal of sensitive information.”

Thread hijacking is a type of BEC attack that takes-over an old email thread. Attackers compromise an account involved in the thread through a phishing expedition and then insert themselves in the conversation.

“They look for threads that haven’t been active recently, and then spoof that email,” Sullivan says. “They study the language of the thread and insert directions to send money with details that seem to fit into the thread.”

Cyber extortion involves the use of malicious software such as ransomware. Cyber-criminals infiltrate the computer system, lock and/or remove files, and demand payment. Bitcoin is the payment instrument of choice, because it’s difficult to trace.

“It seems that as the value of Bitcoin goes up, ransomware goes up. When Bitcoin goes down, hackers turn back to BEC,” Sullivan explains. “They can’t change payment instructions to be paid in Bitcoin. That would raise red flags.” In the public sector, colleges and universities have been increasingly targeted for cyber extortion.

Hacktivism involves the use of hacking and other attacks as a form of civil disobedience to promote a political agenda or social change. “It is not financially motivated,” she says. “Instead, the attackers are motivated to bring down governments and cause chaos and mayhem.”   

 

Fraud prevention begins with preparation

Although the BEC scams continue to expand, it’s important to remember that they all have similarities to previous types of phishing attacks. An imposter is using familiar, trusted communication channels to either obtain valuable data or deliver fraudulent instructions. As such, time-tested best practices remain effective when receiving instructions via email.

“If a government employee is getting any new directions from a vendor that they’ve been working with for years, they should at least do a follow-up call,” says Weeks. “If your client is suddenly changing instructions on where to be paid, it would be important to validate that some other way and not just blindly accept it via email.”

To protect against the threat of fraudulent email attacks, government agencies should adopt and train staff on these foundational fraud prevention strategies:x

  1. Email policies and training: Educate employees about common red flags for phishing emails like misspelled words or odd variations of domain names. Establish formal reporting and investigation procedures for when an employee receives a suspicious or unusual email request from an internal or external contact.

  2. Vendor account management: Record the individuals who will act as the primary contacts for each vendor and will be responsible for verifying any changes to account information. Regularly confirm the accuracy of this contact information.

  3. Dual approval for vendor payments: Use a second set of eyes on payments and supporting documentation to allow for further scrutiny of the authenticity of the instructions.

  4. Vendor payment notification for large payments: Identify criteria for high-value or high-risk payments. Include a follow-up with your primary vendor contact to make sure they received the funds. Review your current policies and controls for email use, vendor management, and accounts payable.

“People are able to spoof the e-mails to get the governments to change things like bank account numbers and payment schedules,”

Next level of security

The fight against fraud is never ending and requires even more vigilance to deal with our new normal. As security threats continue to evolve, sophisticated measures of fraud prevention are being developed to keep pace. These new banking tools give account holders more controls and ability to create an increased level of security: 

  • Blocks and filters for ACH: Gives account holders an extra layer of approval by blocking any transaction outside the filtered account numbers and dollar limits. Although available for ACH credits or debits, this is most often used to control debits.

  • Payee positive pay: Helps prevent fraud by creating an additional level of authentication for checks. The bank receives the name, account number and dollar amount for all checks that leave an account and only pay if all three items match. If they don’t, the bank checks with the account holder to determine if the payment is legitimate.

  • Universal payment identification code (UPIC): Allows an account to receive ACH credit payments without revealing the actual bank information. The code can be emailed to vendors and even posted to a website to receive the money directly while maintaining account security.
     

Still, the emerging tools are a complement for the established best practices. Trust but verify, use strong authentication, utilize dual control and always trust your instincts. “Never feel badly about making that extra phone call to verify a request from an email,” Weeks says. “You could be stopping a big problem.” 

Most importantly, remember that time can make a big difference in dealing with BEC attacks. If you believe your organization is a victim of BEC, contact your bank representative immediately to attempt to recover the funds.

 

To learn more about our services for the public sector, contact us or visit our website.

Related content

Money muling 101: Recognizing and avoiding this increasingly common scam

Student loan scams and other common student scams to be aware of

Don’t let an uptick in scams ruin your holidays

How to keep your assets safe

What is CSDR, and how will you be affected?

Evaluating interest rate risk creating risk management strategy

Protecting elderly parents’ finances: 6 steps to follow when managing their money

Risk management strategies for foreign exchange hedging

Webinar: CRE technology trends

Avoiding the pitfalls of warehouse lending

Improve government payments with electronic billing platforms

Access, flexibility and simplicity: How governments can modernize payments to help their citizens

BEC and deepfake fraud

30-day adulting challenge: Financial wellness tasks to complete in a month

The latest on cybersecurity: Mobile fraud and privacy concerns

What is a CLO?

Cryptocurrency custody 6 frequently asked questions

Insource or outsource? 10 considerations

Third-party vendor risk: protecting your company against cyber threats

Best practices on securing cardholder data

Turn risk into opportunity with supply chain finance

Hospitals face cybersecurity risks in surprising new ways

Authenticating cardholder data reduce e-commerce fraud

Post-pandemic fraud prevention lessons for local governments

Webinar: Robotic process automation

Proactive ways to fight vendor fraud

5 Ways to protect your government agency from payment fraud

Fight the battle against payments fraud

Fraud prevention checklist

Complying with changes in fund regulations

Why Know Your Customer (KYC) — for organizations

The password: Enhancing security and usability

How to improve your business network security

Government agency credit card programs and PCI compliance

Cybersecurity – Protecting client data through industry best practices

Business risk management for owners of small companies

BEC: Recognize a scam

Evaluating interest rate risk creating risk management strategy

Navigate changing consumer behavior with service fees

Modernizing fare payment without leaving any riders behind

Tap-to-pay: Modernizing fare payments pays off for transit agencies and riders

Managing the rising costs of payment acceptance with service fees

Increase working capital with Commercial Card Optimization

Ways prepaid cards disburse government funds to the unbanked

3 reasons governments and educational institutions should implement service fees

Understanding and preparing for the new payment experience

5 winning strategies for managing liquidity in volatile times

The future of financial leadership: More strategy, fewer spreadsheets

Work flexibility crucial as municipalities return to office

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

Tips for navigating a medical hardship when you’re unable to work

7 ways to teach your children to be scam-savvy

How to prevent fraud

How to avoid student loan scams

How to spot an online scam

What you need to know about identity theft

What is financial fraud?

5 tips for seniors to stay a step ahead of schemers

Recognize. React. Report. Don't fall victim to financial exploitation

Is online banking safe?

How-to guide: What to do if your identity is stolen

How you can prevent identity theft

8 tips and tricks for creating and remembering your PIN

Mobile banking tips for smarter and safer online banking

Disclosures

Start of disclosure content

Loan approval is subject to credit approval and program guidelines. Not all loan programs are available in all states for all loan amounts. Interest rate and program terms are subject to change without notice. Mortgage, Home Equity and Credit products are offered through U.S. Bank National Association. Deposit products are offered through U.S. Bank National Association. Member FDIC.