Original published: September 18, 2020
Republished: November 18, 2021
Welcome to readers who found their way here during the 2021 International Fraud Awareness Week! We first posted this article in September 2020, and the threat of bad actors diverting paychecks or vendor payments remains acute since so many of us are working remotely and doing business electronically. Please take a moment to understand how these schemes work, and consider our tips on how to protect your organization.
Automated Clearing House (ACH) frauds have been on the rise for a while, and we want to tell you some simple steps you can take to verify requests to change ACH and payroll bank accounts before you act on them.
A big concern we have been seeing is hackers contacting governments pretending to be an employee or vendor. Next, they ask to change the bank account number for their direct deposit or vendor ACH payments — thereby diverting the payment to the hacker.
Both state and local clients, from small entities to extremely large sophisticated agencies, have been affected by these cyber frauds. We have also seen the bad actors quickly adapt and reinvent the scheme. They started primarily with payroll but quickly realized vendor ACH payments could have a bigger payoff. Frequently, they simply tricked the user into thinking their email was coming from a valid source.
They’ve also become quite successful by hacking either government or vendor email accounts and just watching the email traffic, waiting for the right time to step in. For example, they might watch the email exchange between a grantor and a subrecipient as they discuss a grant reimbursement, then quickly swoop in to say, “Oh, by the way, can you send that reimbursement via ACH?”
In a recent situation at a larger, more complex government agency, the hackers got into the vendor’s email account and simply asked to update the vendor contact information on record. Because they just asked for a contact information update (not bank account information), the agency emailed the known email address on hand to verify the change. But that email account had been hacked, so the fraudster was happy to confirm the contact information change. Once the hacker’s contact information was in the system, they sent the request to change the bank account information to the agency. The agency followed its protocol to call the phone number in the vendor system to confirm, but of course this was the hacker’s number.
What can governments do?
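We have been recommending that governments call the vendor or employee on a previously known number to verify account changes. In the situation above, that check failed because the number on file had already been replaced with the hacker’s. This particular scheme can be caught by: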
- Requiring a second-factor approval for all contact changes requested by email
- Keeping a record of vendor/employee requests to change contact information. When the government receives a request to change bank account numbers, consult this log. If the employee/vendor recently asked for a contact change, use multiple other methods to confirm (look up their phone number on their website, contact a different person in the agency, etc.).
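The two controls above can be combined into one check that runs whenever a bank account change request arrives. The following is an added sketch, not part of the original article; the record layout, the party names and the 90-day window for "recently" are assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumption: the article says "recently" without a figure; 90 days is a placeholder.
RECENT_WINDOW = timedelta(days=90)

# Constructed sample log of contact-change requests (illustrative, not real data).
CONTACT_CHANGE_LOG = [
    {"party": "VENDOR-A", "field": "phone", "requested": date(2021, 10, 4),
     "channel": "email", "second_approval": False},
    {"party": "VENDOR-A", "field": "email", "requested": date(2021, 10, 4),
     "channel": "email", "second_approval": False},
    {"party": "EMPLOYEE-B", "field": "phone", "requested": date(2019, 3, 12),
     "channel": "in_person", "second_approval": True},
]


def review_bank_change(party, received, log, window=RECENT_WINDOW):
    """Decide how a bank-account change request must be verified."""
    # Contact changes for this party that fall inside the window before the request.
    recent = [e for e in log
              if e["party"] == party
              and timedelta(0) <= received - e["requested"] <= window]
    if not recent:
        # No recent contact change: the number on file is still the previously known one.
        return {"action": "CALL_NUMBER_ON_FILE", "distrust": [], "reasons": []}
    reasons = []
    for e in recent:
        age = (received - e["requested"]).days
        reasons.append(f"{e['field']} changed {age} days before this request")
        if e["channel"] == "email" and not e["second_approval"]:
            reasons.append(f"{e['field']} change came by email without second approval")
    return {
        "action": "VERIFY_INDEPENDENTLY",
        # Contact fields on file that must not be used to confirm the request.
        "distrust": sorted({e["field"] for e in recent}),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for party in ("VENDOR-A", "EMPLOYEE-B", "VENDOR-C"):
        print(party, review_bank_change(party, date(2021, 10, 18), CONTACT_CHANGE_LOG))
```

A result of `VERIFY_INDEPENDENTLY` means the contact details listed under `distrust` should not be used for the callback; confirm through the other methods listed above instead.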
In the digital age, it takes extra vigilance to ensure that public funds don’t fall into the wrong hands. Even if it takes a bit more time to verify account changes, it will definitely be a wise investment in the long run for your agency.