Fraudulent instruction cybersecurity claims on the rise

Public entities continue to be targets of fraudulent instruction. 

This occurs when an employee is deceived into transferring money into a fraudulent account – most often by bad actors posing as legitimate contacts through emails or phone calls.

Below are two ways to help prevent fraudulent instruction in your organization:

  • First – have policies in place for how to change and verify changes to payroll and payment information.
  • Second – train staff on these policies.

A well-trained staff that follows policies and procedures, verifies instructions by calling the requester at a pre-determined number, and questions things when they don’t look right is the number one way to prevent fraudulent instruction.

Staff should be trained to:

  • Review email requests for signs of fraud. These include spoofed sender names, overly polite emails, generic wording (for example “kindly” or “Dear Sir or Madam”), odd grammar or date formats (DD/MM/YY instead of MM/DD/YY), or a sense of urgency.
  • Question each request. Did the person contacting you ask to change banks or have you wire money to a new account? Is there a new address involved? Slow down and ask questions. If something doesn’t seem right, don’t hesitate to contact others.
  • Don’t react – verify, in person! If you receive a request to change personal or financial information for an employee or business contact, call that person using the information you already have on file for them. Don’t rely on information that has been provided as part of the request, and do not use email to verify information, as the person’s email account may have been compromised. If the requester says they can’t be reached at the phone number on file, call it anyway.
  • Have the person you are speaking with verify some personal information you have for them without being prompted. For example, ask them to provide you with their phone number, mailing address, or some other piece of information you possess – that the potential perpetrator would not likely have.
    • Wrong: “Are you still at 123 Main Street?” and “Is your phone number still 555-5555?”
    • Right: “What is your address and phone number?”

Staff should require the customer to authenticate their personally identifiable information rather than acknowledge what is on file.

  • Share suspicious activity: If someone receives a call or email that sounds suspicious, they should share it with others on the team so that others may be on guard. Many cybercriminals do not stop at just one attempt, and will send the same request to multiple contacts at your organization.
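The red flags listed above can be turned into a simple triage check that accounts-payable or payroll staff (or a mailbox rule) can run before acting on a request. The following is an added example written for this article, not VRSA code or a VRSA tool; the contact directory, the indicator phrases and the two sample messages are constructed for illustration. It flags a display name that matches a known contact while the sending domain does not (a spoofed sender name), generic wording, urgency, DD/MM/YY dates, and any request to change bank or payment details, and it reports whether the request must be verified by a call to the number already on file.

```python
import re
from dataclasses import dataclass

# Constructed contact directory: display name -> the e-mail domain we have on file.
# In practice this would come from the vendor master file or HR system.
KNOWN_CONTACTS = {
    "Jane Doe": "example-vendor.test",
    "Payroll Office": "city.example",
}

@dataclass
class Message:
    display_name: str     # name shown in the From header
    sender_address: str   # actual address in the From header
    subject: str
    body: str

# Indicator patterns, taken from the red flags listed in the article.
URGENCY = re.compile(
    r"\b(urgent|immediately|as soon as possible|asap|today|right away|before end of day)\b", re.I)
GENERIC_WORDING = re.compile(
    r"\b(kindly|dear sir or madam|dear sir/madam|to whom it may concern)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new (?:bank|account|routing)|"
    r"updated? (?:bank|account|direct deposit|payment) (?:details|information|instructions)|"
    r"wire)\b", re.I)
# A date whose first field is 13..31 cannot be a US MM/DD/YY date, so it is DD/MM/YY.
DDMMYY_DATE = re.compile(r"\b(1[3-9]|2\d|3[01])/(0?[1-9]|1[0-2])/(\d{2}|\d{4})\b")

def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def check_message(msg: Message) -> list[str]:
    """Return the list of red-flag labels that apply to the message."""
    flags = []
    expected_domain = KNOWN_CONTACTS.get(msg.display_name)
    if expected_domain and sender_domain(msg.sender_address) != expected_domain:
        flags.append("spoofed-sender")       # familiar name, unfamiliar domain
    text = msg.subject + " " + msg.body
    if GENERIC_WORDING.search(text):
        flags.append("generic-wording")
    if URGENCY.search(text):
        flags.append("urgency")
    if DDMMYY_DATE.search(text):
        flags.append("dd-mm-yy-date")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-change")
    return flags

def needs_callback(msg: Message) -> bool:
    """Policy from the article: any change to payment information, or a request
    showing two or more red flags, is verified by phone at the number on file."""
    flags = check_message(msg)
    return "payment-change" in flags or len(flags) >= 2

# Constructed sample messages for illustration.
LEGIT = Message(
    display_name="Jane Doe",
    sender_address="jane.doe@example-vendor.test",
    subject="October invoice",
    body="Hi, attached is the invoice for October. Thanks, Jane",
)
FRAUD = Message(
    display_name="Jane Doe",
    sender_address="jane.doe@example-vendor-billing.test",
    subject="Urgent: updated payment details",
    body="Dear Sir or Madam, kindly note our new bank account effective 15/03/24. "
         "Please wire payment today.",
)

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, check_message(msg), "callback required:", needs_callback(msg))
```

The callback rule is deliberately one-sided: a message with no red flags that still asks to change bank details is verified anyway, because a well-written request from a compromised mailbox will pass every wording check. The check only decides who gets a phone call; it never approves a change on its own.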

VRSA Resources

VRSA members have access to a variety of cybersecurity resources and services to help you identify and implement controls. With these controls in place, the likelihood or impact of a cybersecurity incident can be greatly reduced.

The VRSA Online University, which offers free and unlimited courses to members, includes a number of cybersecurity courses:

  • Cybersecurity: Data Privacy and Safe Computing
  • Cybersecurity: Best Practices for At-Home Employees
  • Preventing Phishing
  • Security Awareness

VRSA members also have access to a free cybersecurity assessment with security healthcheck and sample incident response plans, as well as cybersecurity papers and training.

For members experiencing a cybersecurity incident, VRSA provides the services of a cyber defense attorney dedicated to managing each incident to ensure our commitment to service is met. VRSA’s coverage includes privacy liability, network liability, data breach expenses, and social engineering.

For more information on VRSA’s cybersecurity coverages and resources, contact your member services representative.