By now it’s no secret that the pandemic accelerated the adoption of new technologies and propelled us into an era marked by heightened digital interconnectivity. For local governments this has meant new payment channels, new ways of conducting business, and much more. The digital revolution, however, has also exposed weaknesses in local government controls and equipped fraudsters with new tools and resources to exploit those gaps.
The threat of fraud is pervasive
With 71% of organizations targeted by payment fraud in 2021,[1] the question is how exactly we got here. For local governments, fraud has been a longstanding issue, but even with fraud attacks on the rise, governments have been relatively slow to adopt protection. Fraudsters continue to innovate and adopt new tools. For local governments to protect themselves against this evolving threat, public leaders must understand that no municipality is exempt from fraud and that fraud protection is a strategic imperative. Leaders must also understand that even though fraudsters are becoming increasingly sophisticated in their approach, today’s fraud tactics exploit vulnerabilities that have long been intrinsic to the very nature of government. Examining fraud threats such as business email compromise (BEC) and ransomware shows how these attacks weaponize public information against local governments, and how government leaders can mitigate their risk from these forms of fraud.
No government is safe from BEC threats
Currently the most prevalent fraud scam is business email compromise (BEC). According to the 2022 AFP Payments Fraud and Control Survey, 68% of organizations that experienced attempted or actual fraud in 2020 did so as a result of BEC.[2] BEC remains one of the primary sources of payments fraud against organizations.[3] In BEC attacks, fraudsters send phishing emails that impersonate a trusted source, such as a vendor or executive, to deceive employees into making payments. Some common forms of BEC use authentic invoices to impersonate a vendor, or pose as a third party to request changes to payment information. BEC attacks typically target an organization’s accounts payable department; however, every part of an organization is at risk. BEC can also target payroll, where, for example, a school superintendent’s email is used to request fraudulent changes to payroll.
Local governments are not exempt from BEC fraud. With easy access to government contracts, minutes, vendors, and contact information, fraudsters can use the transparency requirements of governments to exploit them. From 2018 through 2020, the FBI observed business email compromise actors targeting state, local, tribal, and territorial municipal entities, resulting in losses ranging from $10,000 to $4 million along with considerable operational impairment.[4] In 2020, a county government received an email with new payment instructions; the request was later determined to be fraudulent and resulted in a $1.6 million loss.[5] In another example, which resulted in a $3.0 million loss, a small city received an email request from a perceived contractor to change a payment method, and the request was determined to be fraudulent.[6] Because fraudsters can leverage publicly available information to impersonate a trusted source and deceive and defraud governments, detecting BEC attacks is challenging.
Tips to mitigate BEC risk
Mitigating the risk of BEC starts with education and training. To proactively protect against BEC attacks, local governments should adopt a fraud prevention strategy that includes:[7]
- Staff training and education on BEC risk across departments
- Policies and controls to validate requests for payment and account changes
- An internal system of record to identify authorized representatives entitled to make changes and an additional layer of authentication to initiate payment changes
Ransomware attacks are costly to governments
State and local governments are visible targets of ransomware attacks. Ransomware is malicious software (malware) that breaks into a computer network and encrypts data to prevent access to it. This encryption disrupts the continuity of an organization’s operations. Fraudsters typically demand a ransom payment to restore access to confidential data.[8] Ransomware typically originates from a user clicking on a phishing email or visiting an infected website. For local governments, these malware-carrying emails can look authentic and personalized, depending on the amount of public information available for fraudsters to leverage. Ransomware is costly to local governments and results in significant disruptions to essential services. Comparitech estimated that in 2020, ransomware attacks against governments impacted over 17 million people and cost $18.9 billion.[9] The K12 Security Information Exchange reported that ransomware attacks against schools have surpassed data breach attacks as the largest category of cyber-attacks.[10] In 2020, in response to ransomware attacks, a Mid-Atlantic school district reported spending $9.7 million, a Midwestern school district reported being down for two days, and a Southeastern city reported spending $3.0 million to rebuild its network.[11] These are just a few examples that illustrate the financial and operational impact of ransomware attacks on local governments.
Tips to mitigate ransomware risk
Governments must proactively mitigate their exposure to ransomware risk by adopting practices that include:[12][13]
- Staff training and education on ransomware risk across departments
- Email filtering to mitigate phishing threats, antivirus scanning of email attachments, and routine backups of critical data
- Enhanced defense strategies that include web content filtering, prevention of unapproved software installations, and routine risk assessments to identify threats and patch weaknesses
Stay vigilant and proactive
The digital revolution has unveiled a wealth of opportunity for local governments to serve their communities in new and efficient ways; however, it has also introduced a new frontier of risk and security. Whether the threat is BEC, ransomware, or other forms of fraud, leaders in local government must understand that because governments are intrinsically transparent, fraudsters are likely to target their communities. Government leaders have a fiduciary responsibility, which includes exercising prudence in the usage and safety of public funds. As the landscape continues to change, governments will be faced with evolving threats. Therefore, it is necessary for leaders to develop and codify their security goals into a strategic plan and identify the right banking partner to stay abreast of the latest trends in fraud.
Governments should consider the following questions when looking for an effective banking partnership:
- Is your banker consistently apprising you of new fraud mitigation technologies and developments?
- Does your bank proactively identify fraud gaps on your accounts and bring solutions to your attention?
- Is your banker acting as an advisor by understanding your community’s strategic goals and sharing new ideas?
- Does your bank actively share insight into the fraud trends happening in the municipal space?
- How consistently does your bank provide tips and best practices to mitigate your community’s fraud risk?
These questions are essential to developing the right banking partnership when it comes to fraud. Established banks like Wells Fargo are committed to helping local governments mitigate their fraud risk and leveling the playing field by sharing key insights into the latest trends and fraud protection technologies.
For more information about fraud and security risks to governments and how to safeguard your community, please contact your Wells Fargo representative or fill out the contact us form.
©2022 Wells Fargo Bank, N.A. All rights reserved. Member FDIC.
1. Highlights from the AFP 2022 Payments Fraud and Control Report (afponline.org), page 8
2. Highlights from the AFP 2022 Payments Fraud and Control Report (afponline.org), page 14
3. Ibid., page 5
4. Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources (ic3.gov)
7. BEC still most prevalent fraud scam – Wells Fargo (wf.com)
8. Is your business doing everything it can to protect against ransomware? – Wells Fargo (wf.com)
9. Ransomware attacks on US government organizations cost $18.9bn in 2020 – Comparitech
10. K-12 Cyber Attacks Fell in 2021 Despite Overall Ransomware Increase (governing.com)
11. Not If, But When: Ransomware Attackers Are Targeting Local Governments (governing.com)
12. Is your business doing everything it can to protect against ransomware? – Wells Fargo (wf.com)
13. Three ways to help reduce the risk of a cyber-attack – Wells Fargo (wf.com)