Cybersecurity is an ever-moving feast: as fast as new firewalls and other security measures are implemented, the unscrupulous develop new ways and means of defrauding people and businesses.
This is particularly relevant given recent attempts to hit a number of local governments by hackers who are becoming more and more sophisticated.
One of the more common ways to steal money from an organisation is to hack into the organisation's email accounts and identify the decision-maker. The decision-maker's communications are studied, particularly those in which payments to external parties are authorised. When the time is ripe, the hacker sends emails impersonating the decision-maker to request or authorise payments. Invoices from external providers are also intercepted and altered to insert new bank account details, which redirects the payments into the hackers' bank account.
The recommendation has always been to telephone the supplier or contractor before making any payment, particularly where new bank account details are provided on an invoice. To deal with this, many organisations have implemented a process under which any change to bank account details must also be requested in writing.
However, hackers are now getting more cunning. In a recent incident, the hacker not only doctored a contractor's invoice to insert their own bank account details, but also sent the invoice by email from the contractor's own account (without the contractor's knowledge) to a third-party service provider which had oversight of a local government project. The third-party service provider reviewed the invoice, assumed it was legitimate and authorised the payment, which was then sent to the local government finance team to process. To make it seem even more legitimate, the hacker had also written separately and directly to the local government, as if it were the contractor and on appropriate letterhead, to advise that the bank account details had changed, with the new details included in the letter. In this process, the hacker attempted to dupe not only the local government but also the third-party service provider and the contractor, all of whom were engaged on the one project.
By the time the invoice was ready to be paid, it had been through a number of checkpoints with both the third-party service provider and the local government.
Fortunately, in that case the finance team of the local government followed the process adopted by that local government to the letter and made a telephone call. The contractor confirmed that there had in fact been no change to their bank account details. This averted a significant fraudulent payment which would have left the contractor significantly out of pocket.
What does this mean for local government?
Local governments generally have sophisticated cybersecurity systems and processes in place, and usually a number of checkpoints when invoices are being processed. Provided that cybersecurity and the internal process of checks and balances are reviewed, updated and followed, with adequate staff training, local governments will have a level of protection against claims made against them by contractors or third-party service providers where payments have been misdirected or misappropriated through no fault of the local government. Most local governments will hold insurance against loss or damage resulting from a cybersecurity breach, but this may not protect the local government if it is unable to show that it had appropriate security measures in place which were complied with and regularly monitored, reviewed and updated. Insurance held by a local government will not generally protect contractors or third-party service providers where their own systems have been hacked, as they should hold their own insurance against this risk.
What to do?
Be vigilant! Hackers and scammers are sadly becoming quite good at their nefarious work. Regular review of policies and procedures, regular reminders to staff of the process, and a quick telephone call whenever the bank account details of a contractor or service provider change will go a long way towards defeating the unscrupulous activities of these hackers and scammers, protecting the interests of the local government and its working relationships with its contractors and service providers.
How can we help?
Preston Law’s experienced team are able to review policies and procedures particularly with respect to privacy and cybersecurity risks and to conduct training on the implementation of policies and procedures to protect the Council’s interests and its third-party service providers.