Check your processes and beat cyber-criminals

Cyber security is all over the media following the large breach of Optus. It's certainly front of mind for local government leaders, and LGIS has published 10 articles on cyber-security in the recent past. Check out our cyber hub blog to read all of our articles.

Another LGIS member attacked – check your processes

In September a WA local government became a victim of a cyber-attack, suffering a financial loss in the hundreds of thousands. This is the second recent attack in the last two months. In the first attack, hackers posed as suppliers requesting that bank account details be changed; the change was made without any human (offline) verification.

As cyber-attacks become more and more frequent, with members suffering substantial financial losses, a proactive approach to cyber-security is a vital part of your cyber-risk management program.

Members are advised to exercise caution, particularly when receiving requests from suppliers to amend crucial information such as bank account details.

A similar type of attack was reported by one of our regional local governments in the past two months, where the hackers posed as suppliers (the email account had been compromised) and asked staff by email to change bank details. The loss is estimated in excess of $1M.

There are a range of measures that you can adopt to prevent these losses.

Verification of account details

A key procedure that all LGIS members should adopt is the offline, human verification of bank account details when a change is requested.

This step is extremely important in the wake of the recent cases. In both scenarios, details were altered after an email request and no cross-verification was done with the supplier.

A system should be established to ensure that changes to contact and bank information are made only after human intervention and verification.

Change of bank account process

1. Receive request to change bank account
This is most commonly done via email; however, scammers have been known to make requests via text message or other online channels.

2. Review request
Check the request. If it's from a scammer there will be clues that it may not be legitimate. Most attackers make minor changes to the email address, such as a tiny dot or an extra letter, which can go unnoticed. The language may also sound too formal, contain errors or simply not 'sound' like the person who is supposed to have sent it.

3. Verify request
Contact the supplier using the contact details that you already have on file. Scammers commonly provide bogus email addresses or phone numbers which are directed to them. Do not trust any contact details provided in an emailed request to change bank account details. In addition, be cautious about clicking on any links within a suspicious email.

4. Document it!
Make sure that you document what has happened – whether account details have been changed or not – and detail the process you followed. This should be available to all relevant staff in the finance and accounting teams.
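A worked version of the review and verify steps, added here as an example and not LGIS's own material: it compares the sender's address with the supplier record already on file, flags look-alike domains (a tiny dot or an extra letter), and insists that the call-back uses the number on file rather than one offered in the email. The supplier, domains and phone numbers are constructed samples.

```python
# Added example (not LGIS material): screen an emailed bank-change request
# against the supplier record already on file, as in the review/verify steps.
# All supplier names, domains and phone numbers here are constructed samples.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SupplierRecord:
    name: str
    email_domain: str   # domain the supplier normally writes from
    phone_on_file: str  # the number we already hold; the only one used for call-back

@dataclass
class BankChangeRequest:
    sender: str                   # From: address on the incoming request
    offered_phone: Optional[str]  # contact number the email itself provides

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is a 'tiny dot or extra letter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_request(req: BankChangeRequest, rec: SupplierRecord) -> List[str]:
    """Return review findings. An empty list is not approval: the change still
    needs a call-back to rec.phone_on_file, never to a number from the email."""
    findings = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    known = rec.email_domain.lower()
    if sender_domain != known:
        d = edit_distance(sender_domain, known)
        if d <= 2:
            findings.append(f"look-alike sender domain {sender_domain!r}: "
                            f"{d} edit(s) from {known!r} on file")
        else:
            findings.append(f"sender domain {sender_domain!r} is not {known!r} on file")
    if req.offered_phone and req.offered_phone != rec.phone_on_file:
        findings.append(f"email offers its own number; call {rec.phone_on_file} on file")
    return findings

if __name__ == "__main__":
    rec = SupplierRecord("Example Civil Pty Ltd", "examplecivil.com.au", "08 9000 0000")
    req = BankChangeRequest("accounts@examplecivill.com.au", "0400 000 000")
    for finding in screen_request(req, rec):
        print("FLAG:", finding)
```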

Finally, all staff should be aware of this process. Make sure that it is documented and that staff receive regular training. Finance departments should review their processes on a regular basis to make sure that potential cyber-risks are mitigated.

For support on improving your local government's cyber-security practices contact your account manager.