While municipalities’ susceptibility to ransomware and cyber extortion has attracted national attention in the past year, PACIF members have been more affected by a different kind of crime: fraud conducted by email. In this scenario, the criminal scams an employee into willingly transferring funds or information in a transaction that the employee honestly believes is legitimate. This type of transaction under false pretenses is called business email compromise and is explained in more detail at this FBI link. Because PACIF has seen an increasing number of claims due to business email compromise, it’s especially important for members to detect and avoid predatory emails. There are two common versions of this scam.
Prior to sending out emails, the cyber criminals first accumulate information on a target from publicly available online sources and use it to develop a profile on a targeted organization. For instance, criminals may learn from selectboard meeting minutes when key staff will be on vacation or when a new hire is made. They can learn about contracts awarded to vendors and the individuals involved in those contracts – and even obtain details about specific equipment purchases and costs. They use this collected information to target a potential weakness within the municipality.
Typically, the criminals target an employee who has the authority to transfer or issue funds, then pretend to be a vendor or contractor by “spoofing” the email address of a trusted vendor. Most often this means registering a look-alike domain that differs from the real one by a single added, dropped, or swapped character (an “l” for an “i”, or “rn” in place of “m”), a change subtle enough to go unnoticed by the recipient. For example, they could replace the legitimate email of email@example.com with the spoofed email address of firstname.lastname@example.org to contact their target. If the recipient doesn’t notice the slight change in the email address, the criminals can continue the communication in the role of the legitimate vendor. The scammers build trust with the contact and eventually arrange for a transfer of funds to “pay” for the original contracted purchase, often by sending “updated” bank account or remittance instructions. The problem is that the money being transferred goes to the criminals – not to the legitimate business. In most cases, this money is never recovered.
Another common approach is to establish trust by impersonating a co-worker or senior municipal official. For example, a person in finance may receive an email request from a criminal posing as a municipal manager, finance director, selectboard member, or other senior official who requests payroll and identification information on employees or demands prompt payment of a “vendor invoice.” The message often has a tone of urgency. To avoid falling victim to these ploys, members should always use proper internal financial controls in addition to training employees to use these simple strategies at all times.
- Be skeptical of any request from a senior official that seeks immediate action or is unusual in any way. Call the sender directly using a phone number you already know is valid (not a number given in the email) to verify that they sent the request. Never verify by replying to the email, because you might be corresponding with the criminal!
- Be wary of any email that requests a transfer of funds, release of personal identifying information, or the like. Look carefully at all of the links by hovering over them – but do not click them! Hovering over an address or hyperlink can reveal the real email or link source. If there is any doubt about whether an email is legitimate, verify it until all doubt is removed.
In all of these instances, the bogus emails and invoices will appear to be legitimate at first look. The sense of urgency the emails convey is an attempt to trick the reader into bypassing normal financial controls. Don’t let this happen to you, your employees, or your organization! To avoid letting the municipality fall victim to these criminal methods, adhere to these best practices:
- Train all employees to thoroughly scrutinize all email requests for wire transfers or protected information to determine if the requests are legitimate. Employee training on phishing, social engineering, business email compromise, and related topics is available at PACIF Online University.
- Develop and adhere to internal controls for processing payables. Use VLCT’s Internal Financial Controls Checklist as a guidance-filled roadmap. One best practice that can prevent erroneous fund transfers is simply to require that two employees sign off on all wire transfers or ACH payments. Never deviate from established internal controls.
- Confirm all requests for wire transfers or protected information. Treat a request to change a vendor’s bank account or remittance address with the same caution as a request for payment. Double-check email addresses and, when in doubt, contact the apparent sender in person or by using a known phone number. If that person can’t be reached, the recipient should consult with a colleague about the request’s validity. Any unusual request for information or funds transfer should always be suspect.
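As an added illustration (this script is not part of the PACIF article, and the vendor names, domains, and sample message in it are constructed), the following Python performs two of the checks described above automatically: it compares a sender’s domain against a short list of known vendor domains to catch the one-character and look-alike substitutions described earlier, and it compares each link’s visible text with its real destination, which is what hovering over a link reveals.

```python
"""Triage checks for business email compromise: look-alike sender domains
and links whose visible text does not match their real destination.

This is an added example, not code from the PACIF/VLCT article; the vendor
names, domains and the sample message below are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: the vendors this finance office actually pays.
TRUSTED_VENDORS = {
    "Green Mountain Paving": "greenmtnpaving.com",
    "Vermont Office Supply": "vtofficesupply.com",
}

# Substitutions that make a domain look identical at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Visible link text that claims a destination (a host name, optionally with a path).
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(domain: str) -> str:
    """Lower-case the domain and fold look-alike glyphs onto the letters they imitate."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return findings for a From: header. An empty list means no red flag was found.

    An exact match with a trusted domain passes; a genuine vendor mailbox that has
    been taken over would pass too, which is why the phone call is still required.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_VENDORS.values():
        return []
    findings = []
    for vendor, good in TRUSTED_VENDORS.items():
        # The "subtle change" from the article: a glyph swap or one or two edits.
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= 2:
            findings.append(f"look-alike domain {domain!r} resembles trusted {good!r}")
        # The display name claims a vendor whose domain the address does not use.
        if vendor.lower() in name.lower():
            findings.append(f"display name {name!r} does not match sender domain {domain!r}")
    return findings


def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text names one host while href points to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not LOOKS_LIKE_URL.fullmatch(shown):
            continue  # plain words such as "Pay invoice" claim no destination
        real_host = (urlparse(href).hostname or "").lower()
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = (urlparse(shown_url).hostname or "").lower()
        if shown_host != real_host:
            findings.append(f"link text shows {shown_host!r} but points to {real_host!r}")
    return findings


# Constructed sample: a vendor-impersonation message with a one-letter domain swap
# and a link whose visible text hides the real destination.
SAMPLE_FROM = '"Green Mountain Paving" <accounts@greenmtnpavlng.com>'
SAMPLE_HTML = (
    "<p>Our remittance details have changed; please pay this invoice here:</p>"
    '<a href="http://greenmtnpaving.com.invoice-portal.net/pay">greenmtnpaving.com/invoice</a>'
)

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_HTML):
        print("WARNING:", finding)
```

Run against the constructed sample, the script reports the one-letter domain swap, the display name that claims a vendor the address does not belong to, and the link whose visible text names the real vendor while its destination is an unrelated host. It is a triage aid, not a substitute for the controls above: an exact domain match passes, so a message sent from a vendor’s genuinely compromised mailbox would raise no flag, and only the call-back to a known phone number catches that case.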
PACIF members with any questions about how to prevent their municipality from falling prey to email-based fraud should contact their Loss Control Consultant directly or email email@example.com. Send any questions about coverage for these types of claims to a member of the Underwriting staff at firstname.lastname@example.org.
Jim Carrien, Loss Control Supervisor, and
Fred Satink, Deputy Director, Underwriting and Loss Control
VLCT Risk Management Services