Cybersecurity frauds are targeting direct deposit payroll at local governments

Local governments should ensure they protect against cybersecurity frauds in which an employee’s direct deposit payroll gets redirected to a fraudster’s bank account.

In this type of fraud, the fraudulent request to change the bank account uses the government’s change form that is emailed or mailed to payroll. In other cases, the fraudulent request is made in an email that looks like it is from the employee’s email account. The fraudulent bank accounts are frequently associated with out-of-state or internet banks.

We recommend that any request to change a direct deposit bank account include an in-person or verbal verification with the employee before the change is initiated.

We caution you to NOT use email to verify a change request; in some cases, the employee’s email account has been compromised and the fraudster intercepts and responds to the emailed verification.

If your government is a victim of this fraud, you are required to report it to the Office of the Washington State Auditor at portal.sao.wa.gov/saoportal/public.aspx/LossReport.

We also recommend reporting it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov/complaint/default.aspx

Don’t miss this upcoming free webinar “Cybersecurity Essentials for Local Government Leaders!”

Presented by the Municipal Research and Services Center (MRSC) and sponsored by the State Auditor’s Office Performance Center, this webinar is for elected officials, managers, information technology and other staff working to keep electronic systems safe from outside interference. Share this information with your co-workers and elected officials in order to get the most out of this opportunity!

This free webinar will help public sector leaders understand what their organization’s greatest vulnerabilities are and the most important investments necessary to reduce risk. You’ll hear from firsthand experience—in agencies both small and midsized—how opportunistic cybercriminals take advantage of system vulnerabilities. You’ll also learn about the cybersecurity training that each person in your organization should have and how to get it.

Could a major cybersecurity incident happen to your agency? If it did, how costly could it be? You can’t afford to miss this presentation occurring October 18th at 11am – Register at: mrsc.org/getdoc/27fa135b-50ee-4ab2-ab1d-d9220f9324fe/Cybersecurity-Webinar-2018.aspx.

Recent GAO report underscores the need for cybersecurity auditing

The federal counterpart to the Office of the Washington State Auditor, the Government Accountability Office (GAO), released a report on Tuesday demonstrating the vitally important role of cybersecurity auditing in the information age. Vulnerabilities in government systems can be exploited by criminals looking to harm the public, as detailed in the GAO’s audit findings.

The Office of the Washington State Auditor helps local governments protect themselves from cybersecurity threats through a variety of means, including conducting cybersecurity audits on both the local and state levels. SAO also provides local governments with the training and resources they need to better understand the ever-changing landscape of cybersecurity. Responding to the increased demand for cybersecurity resources by Washington’s local governments, SAO has begun developing a new suite of materials specifically designed to address local government concerns. By partnering with governments across Washington and providing them with our valuable audit services, we help protect Washingtonians from potential cyber harm.

 

Keeping elections safe, one audit at a time

Today marks the beginning of October, a month dedicated to the awareness of cybersecurity—a distinction bestowed to October way back in 2003. Here in 2018, 2003 seems light-years away—a dim and distant past when our cybersecurity concerns centered around malicious actors gaining access to our MySpace accounts or Nigerian princes conning us out of our bank account information from the seemingly secure space of a Yahoo email account. How quaint those concerns seem against the undermining of American democracy, a target of some of today’s cybercriminals.

Helping local governments avoid costly cybersecurity breaches

Our Office is dedicated to helping local and state governments across Washington avoid the potentially devastating effects of cybersecurity attacks. Much of the public data governments hold is sensitive in nature, and needs to be carefully guarded. That’s why we are in the process of developing new, user-centered cybersecurity resources specifically tailored to meet the unique needs of your local government. We want to hear from you about what resources you’d most like to see, and what issues you want us to address. Take our short, anonymous survey to give us your important feedback.

The Office of the Washington State Auditor has put together a handy guide to various organizations that offer cybersecurity resources to local governments like yours—you can find this and other resources you may find helpful on our website.

We are always listening! If you want to start a conversation with us directly, email us at performance@sao.wa.gov.

When it comes to cybersecurity experts, our Office boasts some of the best

Photo courtesy of the Washington Army National Guard

In early July, our Senior IT Security Specialist Sunia (Lulu) Laulile (pictured) participated in the International Collegiate Cyber Defense Invitational at Highline College in Des Moines, Washington. In this exercise, Lulu’s team attacked the systems the students were defending. You can read more about this event on the Washington Army National Guard’s blog.

Our Office has a whole team of highly capable and talented cybersecurity experts like Lulu whose job it is to ensure sensitive public data held by other Washington state governments is secure. We issue reports aimed at helping governments improve their security posture in an era of ever-increasing cyber threat. Read our most recent cybersecurity report on our website.

Local governments turn to Office of the Washington State Auditor for cybersecurity help

Did you know that the State Auditor offers free, in-depth evaluations of local governments’ cybersecurity systems? In an article published today, the Pew Charitable Trusts details the cutting-edge role the Washington State Auditor has in ensuring the IT system security of local governments around the state. This service helps protect local governments and their residents’ sensitive data from increasingly sophisticated hacking attempts. Want to learn more about how the Office of the Washington State Auditor is a leader in cybersecurity work? Check out the City of Mill Creek’s IT security performance audit here.

2017 NSAA IT Conference in Tacoma

We are excited to announce that for the first time in the history of the National State Auditors Association (NSAA) IT Conference, Washington is the host state! This year’s conference takes place October 3rd through 6th at the beautiful and modern Hotel Murano in Tacoma.

If you are a state or local government IT auditor (internal or external), this conference is for you. It will provide participants with valuable IT audit training at an affordable price. Plus, there will be ample opportunities to network with other IT auditors from across the country. Don’t worry if you haven’t yet had much experience in IT auditing–the trainings are designed to span the spectrum of experience.

Be sure to check out NSAA’s website for more information, like a draft agenda when it becomes available. You can also check out the event page on Facebook!

 

School district alert for phishing email attack

During the week of January 9, 2017, malicious hackers conducted phishing attacks from multiple school district employees’ email accounts.

What happened? 

Hackers gained unauthorized access to work-related email accounts belonging to employees of multiple school districts, presumably by having the login name and password of the email account.

The hackers used the employees’ email accounts to send phishing emails to people with whom the employee had previous email contact. The message included instructions to click on a link to open a website. The website directs the email recipient to enter account credentials (email address / user name / password / phone number).

The hackers are also monitoring the victims’ email accounts and are responding to replies from recipients of the phishing email confirming the original request to click on the website link. In some cases, the hackers used the employees’ email signature to make the message appear more authentic.

#CyberAware: Creating a strong password

Passwords are an everyday part of life, whether you’re logging into your work, bank or social media accounts. You should do everything you can to protect your passwords and use different passwords for different accounts, as described in an earlier tip regarding “password reuse.” More importantly, knowing what makes a password weak or strong can reduce the chance that a hacker or unauthorized user can guess or crack your password. At the State Auditor’s Office, our IT department requires a minimum of ten characters that includes at least one upper and lower case letter, a number and a special character. It also prohibits reuse of previous passwords.