How can social engineering fraud affect your local government?

We have recently seen an increase in the frequency of social engineering fraud attempts on WA local governments.

Social engineering fraud refers to the scams used by fraudsters to trick, deceive and manipulate their victims into releasing confidential information and/or funds.  It relies on abusing the target's trust rather than trying to hack into a secured computer system.

These fraudsters will focus on obtaining important data such as contact lists, organisational charts and other information about workers who have certain responsibilities within the organisation, in order to identify specific targets.  Your local government could be seen as a target due to the wealth of information provided in public documents, including payment lists or financial reports.

The following examples and best practices can help you reduce the risk of social engineering fraud losses:

Fake person fraud

  • Be aware of the language used in the communication.  Would that person write their emails in that manner or tone?
  • Verbally confirm with the person who has supposedly sent the instruction to make a payment.
  • Verify the request with a supervisor or manager and make sure the bank account details are on an approved list.
  • Verify the validity of the instructions with your supplier-nominated contact.

Phone payments and email scams

  • Do not accept payment instructions or change of account details over the phone. 
  • Be aware of the content used in the communication.  Check the sender's name and how the email address is written – also check if there are spelling mistakes or unusual variations.
  • Where an email appears to be from a known person, click on the email address to ensure it's not masking a fake address.
  • Do not open any emails from unknown senders or with suspicious subject titles. 

Requests for fund transfers and change of banking details

  • Only accept written requests from a known point of contact in that organisation.
  • On receipt of the written request, phone the organisation to confirm it is legitimate.

Managing creditors' details

  • Keep an approved list of creditors, including key contacts with email and phone numbers.
  • Ensure creditors know that any request to change banking details should be sent in writing, by an approved person.
  • Review your files for a recent history of previous requests to change details or send large sums to a new account.
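
The sender checks under "Phone payments and email scams" and the approved creditor list above can be partly automated. The following Python is an added example, not part of the original advisory; the creditor names, addresses and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed approved creditor list: address -> contact name (all hypothetical).
APPROVED = {
    "accounts@acme-civil.example": "Acme Civil Accounts",
    "billing@westwaste.example": "West Waste Billing",
}


def check_sender(from_header, approved=APPROVED, threshold=0.85):
    """Return warnings for a From header; an empty list means the address
    is exactly one on the approved list."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if addr in approved:
        return []
    warnings = ["sender address is not on the approved creditor list"]
    for good_addr, good_name in approved.items():
        # The display name copies a trusted contact's name or address,
        # masking a different underlying address.
        if name and name in (good_name.lower(), good_addr):
            warnings.append(f"display name imitates approved contact {good_addr}")
        # The address is a near-miss spelling of an approved address.
        if SequenceMatcher(None, addr, good_addr).ratio() >= threshold:
            warnings.append(f"address resembles approved address {good_addr}")
    return warnings


if __name__ == "__main__":
    # Constructed sample From headers.
    samples = [
        "Acme Civil Accounts <accounts@acme-civil.example>",
        '"Acme Civil Accounts" <acme.accounts@freemail.example>',
        "accounts@acrne-civil.example",  # "rn" in place of "m"
        "someone@unrelated.example",
    ]
    for sample in samples:
        print(sample, "->", check_sender(sample) or "matches approved list")
```

An exact match only reflects the text of the header, which can be forged, so the phone confirmation steps above still apply to any payment or change-of-details request.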

Due to the increasing frequency of social engineering fraud attempts, it is reasonable to suggest that it may only be a matter of time until a worker at your local government is targeted.  It is best practice to adopt the above controls given the potential for loss, and the simplicity and low cost of doing so.