Use these strategies to protect your government agency from potential payment fraud and keep your assets safe.
Cybercrime has come a long way from easy-to-detect emails asking for a wire transfer of funds to a stranger. Today, cyber criminals deftly impersonate contractors and vendors, changing payment account information through online forms and hoping to intercept payments. They also have a new target: government entities.
"Because governments need to be transparent - unlike the private sector - it's easier for imposters to gain access to vendor and payment information," says Jason Paulnock, U.S. Bank senior vice president and government banking central region manager.
Government agencies from Colorado to Washington have fallen victim to this version of compromised business emails. The scams can be hard to detect, and often organizations don't realize they've been defrauded until days or weeks after the fact. As the COVID-19 pandemic continues to evolve, it’s more important than ever to stay vigilant and be aware of potential payment scams involving government agencies and financial institutions. Fortunately, there are steps you can take to prevent vendor payment fraud and protect your agency, today and in the future.
Business email compromise (BEC) refers to a type of scam in which criminals send fraudulent emails that appear to come from a vendor. The scammer impersonates a company that an organization has previously done business with and directs the payer to route the vendor's payments to the scammer’s account instead. Such scams have cost organizations $9 billion since 2016, according to a recent advisory from the U.S. Financial Crimes Enforcement Network.
While the private sector counts many victims, the latest targets have included dozens of government groups, from municipal offices to foreign national agencies. For example, one scammer managed to defraud a Washington county out of $740,000 by posing as an accountant from a construction firm. The fake email address was similar to the name of a real employee and the emails instructed the county employees to change the deposit information for the pending payments.
Now online enrollment forms are providing a new - and perhaps even easier - way to change vendor payment information. A small town in Colorado inadvertently paid a fraudster posing as a contractor more than $1 million for constructing a new bridge. According to news reports, the suspect submitted an online form to request that the town pay the contractor electronically.
Paulnock says that criminals don't seem to discriminate by government size; they'll target agencies big and small. They take advantage of public notices about government construction projects and contracts that report both the names of companies that won bids and the amounts of their contracts.
What's more, many government agencies have prioritized automation, opting to headquarter ACH forms and payment resources online. That switch makes it relatively easy for bad actors to access payment information and make payment account changes without ever directly emailing the agency's AP or treasury contact. When the real company sends an invoice, the money goes to the new account and no one notices until the original vendor realizes they haven’t been paid.
"Governments need to find a balance between automating the processes and verifying information that comes in via forms," Paulnock says.
If the agency doesn't notice the fraud, it's unlikely the bank will either. That's because the payment instructions are coming to the bank legitimately from the government agency. “Banks may send an alert if there's a dramatic change in the payment pattern, but the payments themselves don't constitute a bank error,” Paulnock says.
As with most things, a proactive approach to preventing fraud is the most effective way to reduce its impact. Here are five tips for decreasing your payment fraud risk:
Finally, if you suspect fraud, contact your bank and the FBI immediately. "The sooner we find out about a problem, the better," Paulnock says. The bank can try to reverse the payment and perhaps recover some or all of the funds. The FBI has the ability to freeze receiving accounts so that suspects can't move money out of them.
Bad actors will always be looking for ways to make easy money, but by implementing verification strategies and using tools that prevent fraud, you can put hurdles in the way of payment scams, reducing your risk and protecting your organization's assets.
Every day, new information surrounding COVID-19 is released from the CDC and the federal government. Unfortunately, scams are an evolving part of this situation as well. Be aware of the following scams so you can protect yourself during this time.
Ransomware schemes
These scams involve emails that are disguised as being from the CDC or other government sources containing important information on COVID-19. Clicking on the link in the email installs ransomware that locks the computer and demands payment to unlock it. Do not click on any links that come from an unrecognized sender. Seek information on government websites as they are an official and safe source that is constantly updated.
Increase in BEC scams targeted toward work-from-home employees
With a drastic increase in people working from home during the pandemic, criminals may try to take advantage. Watch for basic hallmarks of a BEC scheme: requests to change bank account information, wire money, and immediate requests from “management” for payments. Employees of businesses should always verify requests by using known contact information. Never reply to the provided email or phone numbers embedded in the message.
Potential impersonation of financial institutions
As banks release important information about your account or the day-to-day changes in brick-and-mortar bank access, customers are using email to get information from their financial institution more frequently than ever. Be aware of people impersonating your bank in email or telephone communication. Never reply directly to a sender, and remember that a bank will never ask you for certain information (such as your online credentials, passwords or passcodes) over electronic correspondence. If you’re feeling uneasy, hang up and call your bank directly.