Local governments should ensure they protect against cybersecurity frauds in which an employee’s direct deposit payroll gets redirected to a fraudster’s bank account.
In this type of fraud, the fraudulent request to change the bank account uses the government’s change form that is emailed or mailed to payroll. In other cases, the fraudulent request is made in an email that looks like it is from the employee’s email account. The fraudulent bank accounts are frequently associated with out-of-state or internet banks.
We recommend that any request to change a direct deposit bank account include an in-person or verbal verification with the employee before the change is initiated.
We caution you to NOT use email to verify a change request; in some cases, the employee’s email account has been compromised and the fraudster intercepts and responds to the emailed verification.
If your government is a victim of this fraud, you are required to report it to the Office of the Washington State Auditor at portal.sao.wa.gov/saoportal/public.aspx/LossReport.
We also recommend reporting it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov/complaint/default.aspx.
Fraudulent disbursements are the most common form of asset misappropriation. This type of disbursement occurs when an employee uses their position to make payment for an inappropriate purpose. They are on-book fraud schemes, which means that money in the form of checks leaves the entity fraudulently, but is recorded on the books and leaves an audit trail. In this way, entities can become victims of fraud, even when no cash is involved.
We have learned that not all banking institutions are providing a detailed breakout of cash and checks on bank validated deposit slips. If your banking records do not contain the detailed cash/check composition of your deposit, you will want to take corrective action as soon as possible.
While cash transactions might be less frequent than those involving credit or debit cards, or have individual low dollar values, over time small daily losses can add up. According to the Association of Certified Fraud Examiners’ (ACFE) 2016 Report to the Nations, the average median loss when cash was misappropriated ranged from $25,000 to $90,000.
What is “Vishing”?
“Vishing” uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication while posing as a trusted entity. A vishing attack takes place over the telephone, using call spoofing, and tricks a user into disclosing personal information such as credit card numbers or a three-digit security code.
Recent vishing attacks use an automated robo-caller that states the victim’s security software was breached and asks them to call a number. Calling the number connects the victim to a human who will attempt to access the victim’s workstation via Citrix remote access. Once they have access to your computer, they can do the following:
Credit and procurement cards are easy to use, convenient and efficient. As a result, government use of these cards has increased exponentially over the last decade. Unfortunately, there can be a dark side to using cards: they often bypass standard, established payment controls. The combination of high card usage and weak controls is an environment ripe for fraud.
(Audit report published Aug. 11) The Department of Social and Health Services (DSHS) oversees supported living agencies, which provide services to individuals with developmental disabilities. A house manager runs the daily operations of the supported living home such as purchasing food, completing payroll, and paying bills.