Tax Season Brings Increased Risk of Financial Transaction Scams

The city’s finance department receives an invoice marked with the name of one of the city’s vendors, and the department proceeds with issuing payment. The sender of the invoice, however, was fraudulently posing as a representative of the vendor, and now the funds have been paid and cannot be recovered.

This type of scenario is known as wire fraud, in which someone uses some type of electronic communication, such as email, internet, phone or wire transfer, to defraud a victim. As finance offices navigate the busy tax season with its increase in activity involving W-2 and 1099 forms, vendor payments and year-end reconciliations, they face increased risks of fraud as well. Cybercriminals are aware of these additional pressures placed on staff, and they may aim to exploit a sense of urgency in order to bypass internal finance controls. 

To help reduce these risks, cities and towns can review their processes for payment changes and fund transfers for vulnerabilities, especially callback procedures and dual-authorization requirements.

Callback verification

Any request received to establish new payment instructions or modify existing vendor payment information should trigger a mandatory callback verification, which helps determine the legitimacy of payment requests. 

Staff should:

  • Independently contact the vendor using a known and previously verified phone number.
  • Never rely on contact information provided within an email.
  • Avoid replying directly to emailed requests for changes to payment instructions.

Dual authorization

Dual authorization involves requiring approval from two people, and is a valuable safety tool for all financial transactions, especially those involving electronic funds transfers. This layer of oversight can help prevent fraud from occurring because of a single point of failure, and makes impersonation attempts by a would-be fraudster less likely to succeed. 

Tiered confirmation and escalation protocols

Staff cannot always immediately verify a payment request, and when this happens, a tiered verification approach can help. If an employee finds that they cannot complete a callback and seeks validation of the payment request’s legitimacy from another employee, then that employee should independently confirm that the city’s set protocols are followed before any payment is remitted. Staff should never bypass the verification process or assume that other employees have handled it.

The city can also establish an escalation process to use whenever an employee completes a callback but still has suspicions or is uncertain about the payment request. The city would keep the transaction paused until all of the concerns are resolved.

Preventing financial loss requires rules and diligence 

Financial controls for verification and authorization, when established and followed consistently, are among the most effective defenses against email compromise and wire fraud schemes. They are designed not only to prevent unauthorized transactions, but also to counter social engineering tactics that rely on urgency, familiarity and trust.

For questions about internal financial controls, contact the Municipal Association of SC Risk Management Services Loss Control at losscontrol@masc.sc