Municipalities are often targeted by scammers who use different methods to try to defraud them. In this resource, we will examine the common Electronic Fund Transfer (EFT) Fraud scenarios, what is at risk for the municipality, and most importantly, how to prevent these incidents.
Types of EFT Frauds
There are many types of EFT Frauds. Below is a list of some of the types of fraud you need to be aware of.
Business Email Compromise (BEC) is the most common. In this scenario, the scammer infiltrates a vendor’s email, monitors communication, and sends you a fake email that looks legitimate in order to redirect payment to the scammer.
Account Takeover is where a fraudster gains access to a legitimate user’s bank or online account. The fraudsters then use that information to initiate nefarious transactions like withdrawing funds, making purchases, or securing credit.
Fake Invoicing occurs when a scammer sends a fake invoice to the municipality, requesting payment. The fraudsters usually send ‘updated’ banking information along with the invoice to route the funds to their account.
Phishing or Social Engineering fraud occurs when a scammer uses fake emails or texts that appear to originate from your bank or another trusted source. Their goal is to get you to divulge personal information such as banking or login credentials. The same messages can also be used to trick you into downloading malicious files, such as ransomware.
Payroll Impersonation occurs when employees are tricked into providing their banking information to a fraudster, usually with a spoofed email. The scammer then reroutes the employees’ pay or hijacks their bank account.
Risks to Municipalities
There are several risks to be aware of:
Reputational damage is one of the largest risks a municipality can face. A cyber event could lead to damaged trust and a loss of confidence from the public. Relationships between the municipality and its vendors would also be negatively impacted.
Financial loss occurs when the victim loses money due to the cyber incident. It’s highly unlikely that they will ever recover the funds. When dealing with municipalities, the amounts are seldom small, potentially hundreds of thousands of dollars.
Legal action is possible as well. As the victim has lost money, it is plausible that they may pursue litigation to recover their funds from any liable party associated with the event. In addition to the time and expense of litigation, there is also the risk of being found liable.
Prevention
Staff training is paramount to preventing cyber incidents. Educating staff and warning against phishing will help prevent incidents. Staff should be continually trained on cyber risks and municipal policies and procedures.
Strong internal controls and policies can help identify potential issues before they become major claims. Having a system to independently verify any banking change requests and having management sign off on those changes can decrease the likelihood of a fraudster being successful. Municipalities should also consider having dual authorization for initiating, approving, and reconciling transactions. Employees should also have authority limits and keep up-to-date records of all transactions.
Cyber security steps should be implemented to detect and prevent cyber issues. Access to financial systems should be controlled with multi-factor authentication (MFA), and data should be encrypted. Firewalls should be used, software regularly updated, and security patches applied as they are released.
Monitoring your accounts regularly and reporting suspicious activity promptly can assist in thwarting fraudsters. Having a working relationship with your bank and collaborating with them can also help you implement protective features (like automatic alerts) that can protect your organization.
It is important to safeguard your municipality from these types of fraud. RMA is committed to assisting our members through training and education as well as providing insurance solutions. If you would like further information on this or any other topic, please contact your Risk Advisor at risk@rmainsurance.com.