Where are your payments going this month?
Sep 5, 2019
By Team IT Audit
Estimated reading time: 3 minutes
It is common practice to use automated clearing house (ACH) systems to pay state and local government employees and vendors. The employee or vendor provides their bank account information to allow funds to be automatically transferred into the account. However, frauds associated with ACH systems are rising dramatically, particularly for direct deposit paychecks. Individually, these are small – generally $500 to $5,000. However, the effect on your employee's personal finances and overall trust in the payroll process can be significant. Vendor ACH schemes might be less frequent, but can have a far greater material effect – generally over $100,000 and up to millions of dollars.
How do these frauds happen?
The common factor in both types of compromise is a fraudulent request to change the direct deposit bank account number for your employee or for a vendor. The fraud is usually detected only when the employee or vendor notices that their payment was not deposited in their bank account. By the time the vendor or employee notifies the finance department, it is often too late to stop the payment, and the transferred funds cannot be recovered.
These fraudsters use many approaches to get you to change your employee's or vendor's bank account, but the most common method is email. And the attack is basic: “Please send me a direct deposit form. I want to make changes to my bank account.”
What can be done to stop it?
The good news is that this is a very easy fraud to prevent. Simply verify EVERY bank account change request that isn't made in person. A phone call to the employee or vendor using the phone number you have on record to confirm the change is all it takes. Do not use the email address or phone number in the email requesting the account change: the fraudster will be happy to confirm the change.
In some cases, employees can modify their own bank account using a web-based portal. We recommend that all web-based employee portals that can access confidential or payment information be protected with two-factor authentication. If this level of security is not in place, the recommendation to verify every bank account change request is the same.
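The verification rule above can be turned into a simple audit test over your change-request log. The following is an added example written for this post, not a tool from the State Auditor's Office; the record layout, field names and sample requests are constructed for illustration. It approves a change only if it was made in person, made through a portal protected by two-factor authentication, or confirmed by a call to the phone number already on file, and it rejects a "verification" that used the number quoted in the request itself.

```python
"""Audit check for direct-deposit change requests (added example).

A request is approved only when it was made in person, came through a
portal behind two-factor authentication, or was confirmed by calling the
payee on the phone number held in the master record. A call to the number
supplied inside the request is treated as no verification at all.
"""
from dataclasses import dataclass


@dataclass
class PayeeRecord:
    payee_id: str
    phone_on_file: str          # number recorded before the request arrived


@dataclass
class ChangeRequest:
    payee_id: str
    channel: str                # "in_person", "email" or "portal"
    new_account: str
    contact_in_request: str = ""  # phone number quoted in the request itself
    verified_via: str = ""        # number finance actually called, if any
    portal_mfa: bool = False      # portal channel only: was 2FA enforced?


def review_request(req: ChangeRequest, payees: dict) -> tuple:
    """Return (approved, reason) for one bank-account change request."""
    record = payees.get(req.payee_id)
    if record is None:
        return False, "unknown payee"
    if req.channel == "in_person":
        return True, "made in person"
    if req.channel == "portal" and req.portal_mfa:
        return True, "portal change protected by two-factor authentication"
    if not req.verified_via:
        return False, "no call-back verification recorded"
    if req.verified_via != record.phone_on_file:
        # The caller used a number that is not on file (typically the one
        # the requester supplied), so the "confirmation" proves nothing.
        return False, "verified on a number that is not on file"
    return True, "confirmed on the phone number on file"


def audit(requests: list, payees: dict) -> list:
    """Review every request; returns [(payee_id, approved, reason), ...]."""
    return [(r.payee_id, *review_request(r, payees)) for r in requests]


# Constructed sample data: one vendor master record and three requests.
PAYEES = {"V-100": PayeeRecord("V-100", "+1-360-555-0100")}
REQUESTS = [
    ChangeRequest("V-100", "email", "ACCT-NEW-1",
                  contact_in_request="+1-206-555-0199",
                  verified_via="+1-206-555-0199"),   # called the attacker back
    ChangeRequest("V-100", "email", "ACCT-NEW-2",
                  verified_via="+1-360-555-0100"),   # called number on file
    ChangeRequest("V-100", "portal", "ACCT-NEW-3", portal_mfa=False),
]

if __name__ == "__main__":
    for payee_id, approved, reason in audit(REQUESTS, PAYEES):
        print(f"{payee_id}: {'APPROVE' if approved else 'HOLD'} - {reason}")
```

Run it as a batch job against the day's change requests before the payment file is built; any "HOLD" result means the change should not take effect until a call to the number on file has been made and recorded.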
Another thing you can do is to implement a “DMARC” policy. This is a technical policy implemented by your IT Department, or vendor if you use a cloud email solution, that will help to prevent or at least identify when you've received an email from someone who is not the person named on the “From” line in your email (spoofing). This won't stop all of the ACH fraud attempts, but it will significantly reduce them. If DMARC has not been implemented for your government, encourage your IT representative to learn more about it. A good resource for this is the Global Cyber Alliance at https://dmarc.globalcyberalliance.org/.
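To make the DMARC point concrete, here is an added example (written for this post, not code from the State Auditor's Office or the Global Cyber Alliance). A DMARC policy is published as a DNS TXT record at `_dmarc.<your-domain>`; the example parses such a record, grades how much protection its `p=` policy actually gives, and shows how a receiving mail server uses the policy to decide what happens to a message whose "From" domain does not authenticate. The domains and records are constructed for illustration; the alignment check is a simplified version of the relaxed alignment DMARC describes.

```python
"""DMARC record check and disposition logic (added example).

A record with p=none only produces reports; spoofed mail is still delivered.
Only p=quarantine or p=reject (at pct=100) actually blocks or quarantines
mail that fails authentication for your domain.
"""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def grade_policy(record: str) -> str:
    """Summarise how much protection the published policy provides."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor only: failing mail is delivered, reports are sent"
    if pct < 100:
        return f"partial: {policy} applied to only {pct}% of failing mail"
    return f"enforced: {policy}"


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """What a receiver does with one message under this record.

    Simplified relaxed alignment: the domain that SPF or DKIM authenticated
    must equal the "From" domain or be a subdomain of it. If neither
    authenticated identifier aligns, the record's p= policy is applied.
    """
    tags = parse_dmarc(record)

    def aligned(domain: str) -> bool:
        return domain == from_domain or domain.endswith("." + from_domain)

    if (spf_pass and aligned(spf_domain)) or (dkim_pass and aligned(dkim_domain)):
        return "pass"
    return tags.get("p", "none").lower()


# Constructed records: a weak monitoring-only policy beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.gov"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{label}: {grade_policy(rec)}")
        # A message claiming to be From: payroll@example.gov but sent from an
        # unrelated server that passes SPF only for its own domain.
        verdict = dmarc_disposition(rec, "example.gov",
                                    spf_pass=True, spf_domain="mailer.example.net",
                                    dkim_pass=False, dkim_domain="")
        print(f"  spoofed From example.gov -> {verdict}")
```

Moving from `p=none` to `p=quarantine` and then `p=reject` is the usual rollout order: the `rua=` aggregate reports collected under `p=none` tell you which legitimate senders still need SPF or DKIM set up before enforcement is switched on.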
Help us shut down ACH fraud in Washington!
If your government is the victim of an ACH fraud, you are required to report it to the Office of the Washington State Auditor even if your bank recovers the funds. You can report the fraud at https://portal.sao.wa.gov/saoportal/public/LossReport.
If you receive a fraudulent attempt to change an ACH bank account but don't fall for it, congratulations! We applaud your education, awareness and control efforts. You do not have to report the fraud attempt.