Update reveals the biggest cyber scam impacting local government

Business email compromise scams accounted for the most local government cyber incidents in WA this year.

From January 1, 2019 to September 14, 2020, 37 per cent of cyber incidents were business email compromise scams, according to legal firm Clyde & Co. 

Ransomware scams followed (24 per cent), then third party system (18 per cent), other (12 per cent), inadvertent disclosure (6 per cent) and physical loss.

In the month of September (2020), there were the same amount of local government cyber claims as the entirety of 2019. 

Cyber claims have increased 50 per cent compared to the same period last year.

There was also a 233 per cent increase in claims compared to the same time in 2018.

Business email compromise attacks (which made up 37 per cent of incidents):

  • Prey on unsuspecting employees by tricking them into providing passwords and other personal information.
  • Often achieve this by sending a phishing email to several employees.
  • The cyber thief waits for the employee to respond and uses their login to access email server and protected information.
  • The thief can then perform financial transactions and wire transfers.

Ransomware scams (24 per cent of incidents):

  • Usually use malware (short for malicious software) which can be delivered to the victim via a phishing scam (when a malware infected attachment is sent via email hidden as a trusted file).
  • The attacker will threaten to keep access to the victim's hard drive or threaten to publish sensitive information unless a ransom is paid. 

Third party system attacks (18 per cent of incidents):

  • About 60 per cent of data breaches around the world are linked to third parties.
  • In this example, local government is the first party, the vetted and secured businesses they deal with are the second party, and third parties are those that the second party work with.
  • These third parties can have access to data without being subject to internal risk management and vetting.
  • To avoid third party risk, diligence must be used when vetting second party vendors, to ensure they are checking any third parties they deal with.

WA case study

A large metropolitan local government became a target of a high impact ransomware attack.

The ransomware allowed hackers to gain access to their network and completely take over admin privileges. The local government experienced days of near total IT services shutdown, which affected phones, computers and made it near impossible for staff members to work using technology.

The local government, with an IT partner, had invested in data-protection, firewalls, anti-malware, anti-spam, and anti-virus products.

However due to the targeted nature of the attack, these tools were unable to protect them.

LGIS received a claim and paid the costs of a specialist IT investigator.

How to avoid cyber fraud

There are three actions to take to avoid becoming a victim of cyber scams:

  • Identify
  • Verify
  • Authenticate

Tips for combatting CEO fraud:

  • Pick up the phone or speak to the individual in person to verify their request to make a payment.
  • Always check with another manager or supervisor before making a payment and ensure that bank account details are on a verified list.

For safe telephone payments and money transfers:

  • Avoid giving or accepting payment instructions on the phone. 
  • Only accept payment requests in writing on invoices, with a company letterhead, from a known contact in the organisation.
  • Verify payment requests with a call to a known contact.

Email scams and bank account change requests:

  • Check the email address of the sender for spelling mistakes.
  • Do not open emails from unknown senders or people with bizarre titles as they could contain malware and expose the company to a cyber-attack.
  • Always check the email address from known senders. 
  • Use a call back procedure to confirm the email is from a known sender.
  • Check the client history for previous bank change requests or requests to send large sums to new accounts.

Managing vendor and supplier details:

  • Maintain a database with up-to-date phone numbers, point of contact and email addresses.
  • Let them know any bank account change requests should come in writing, on a company letterhead and signed by an approved person.

For any queries about cyber protection contact your account manager or regional risk coordinator.